Re: [mailop] DMARC and pure SPF
On Thu 07/Oct/2021 11:13:22 +0200 Mark Foster via mailop wrote: And that, actually, is why I choose not to do mail forwarding anymore - because I can't influence the decisions of the parties to whom my users may want to forward email. The old SMTP spec still says that a forwarded message should keep the same bounce address. Besides being broken by SPF, that practice has the drawback to reveal that the original target address is somewhat false, in case of bounce. In fact, if the forwarded-to address stops working, it is more effective to first stop forwarding to it, and thenceforth bounce directly, than to keep a chain that eventually bounces. Best Ale -- ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and pure SPF
Merging responses to two thread followups below: On 6/10/2021 11:54 am, Neil Jenkins via mailop wrote: On Wed, 6 Oct 2021, at 08:42, Mark Foster via mailop wrote: I think people using forwarding _know_ that SPF breaks their stuff. That is a very optimistic viewpoint about the baseline technical knowledge of users. Fair point. I should probably have said that the operators of services which make this available as a service, have to be aware of the constraints. (Surely?!) I think people who publish a -all SPF record are _outright telling you_ to refuse email that doesn't pass SPF. Perhaps, but that doesn't mean they really know what they're doing or that I have to listen to them. If you know enough to run a mail server and turn on SPF enforcement, surely you acknowledge and accept the consequences of doing so? Rejecting on SPF -all is exactly what the person who published -all is telling you to do. Sure, but they're not my customer. My customer is Joe Bloggs, who has an almuni address from his alma mater that forwards to his mailbox I host. Joe has never heard of SPF, other than as a rating for sun screen. He does know that he gets very unhappy when I reject mail sent to him that he wants to receive though. Fair enough. I actually applaud operators who can give their customers the granularity to selectively ignore SPF. But that's relatively complex and probably a bit of a load-hit, whereas checking SPF on receipt of MAIL FROM is a much lighter weight way of shedding an amount of spam. As a platform operator, I explain to my users that 'plain old forwarding' is unreliable, presents a risk, and should not be used. And to use the alumni type scenario, I have actually taken to hosting mail accounts, because a platform that I would otherwise send forwarded mail to frequently, enforces SPF. It's not my place to have that platform change their operating framework, so I've adapted. Offering alumni forwarders is really quite impractical the moment sender or recipient enables SPF. I'm in New Zealand. The New Zealand Information Security Manual actively promotes the use of SPF, DKIM and DMARC by government agencies. https://www.nzism.gcsb.govt.nz/ism-document#1792 for reference. On 6/10/2021 11:03 pm, Jaroslaw Rafa via mailop wrote: Dnia 6.10.2021 o godz. 10:42:52 Mark Foster via mailop pisze: I think people who publish a -all SPF record are _outright telling you_ to refuse email that doesn't pass SPF. And I think they are not. Rather they are just following some SPF setup guidelines they found somewhere, without knowing exactly what does it mean. I think if you're running a mail server which services anyone beyond yourself, that seems risky. "Oh, I didn't know what that function did, so I just turned it on anyway" feels like a career limiting proposition otherwise. I think if you're offering services to anyone else, you need to be up-front about your decisions and the limitations of those decisions, come what may. I feel pretty strongly about SPF and its benefits and limitations (thus why I posted here) but I respect the right for others to choose their own path. And that, actually, is why I choose not to do mail forwarding anymore - because I can't influence the decisions of the parties to whom my users may want to forward email. Mark. ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and pure SPF
Dnia 6.10.2021 o godz. 10:42:52 Mark Foster via mailop pisze: > > I think people who publish a -all SPF record are _outright telling > you_ to refuse email that doesn't pass SPF. And I think they are not. Rather they are just following some SPF setup guidelines they found somewhere, without knowing exactly what does it mean. I second John's approach to basically ignore -all in SPF record on the receiving side, unless it is the *only* entry in that record, which means the domain does not send any mail at all. BTW. Myself I don't check SPF at all, although I publish SPF and DMARC records, only to satisfy stupid Google requirements that require this from senders (which doesn't help in anything anyway, as Google still puts my messages to recipients' Spam folder or just rejects them). -- Regards, Jaroslaw Rafa r...@rafa.eu.org -- "In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub." ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and pure SPF
On Wed, 6 Oct 2021, at 08:42, Mark Foster via mailop wrote: > I think people using forwarding _know_ that SPF breaks their stuff. That is a very optimistic viewpoint about the baseline technical knowledge of users. > I think people who publish a -all SPF record are _outright telling you_ > to refuse email that doesn't pass SPF. Perhaps, but that doesn't mean they really know what they're doing or that I have to listen to them. > Rejecting on SPF -all is exactly what the person who published -all is > telling you to do. Sure, but they're not my customer. My customer is Joe Bloggs, who has an almuni address from his alma mater that forwards to his mailbox I host. Joe has never heard of SPF, other than as a rating for sun screen. He does know that he gets very unhappy when I reject mail sent to him that he wants to receive though. Neil.___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and pure SPF
Hi, Dňa 4 Oct 2021 23:06:53 -0400 John Levine via mailop napísal: > I think you will find that rejecting on SPF -all (other than the > special case of a bare -all meaning we send no mail) will make you > reject a lot of perfectly good mail. So don't do that. I check log for last month (30 days), i found 52 rejected messages due SPF fail, only one has valid reverse DNS and only 12 of them was trough TLS. Some IP was duplicated (44 unique). All of them are on some RBL (except one) and most of them is on more than 4 RBLs (including multiple results in composite RBLs), thus most of them will be anyway rejected later due RBLs scoring. After i switch SPF to rspamd i got only one SPF fail, which was rejected later due too many RBLs. This doesn't seem as a lot nor as legitimate mails (perhaps because my users do not use forwarders, they are not very popular in our country)... regards -- Slavko http://slavino.sk pgpncpgyuoDtM.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and pure SPF
It appears that Slavko via mailop said: >But joking apart, basically the 6.7 section gives answer to my question, >that SPF -all is typically ignored for p= other than none. I think you will find that rejecting on SPF -all (other than the special case of a bare -all meaning we send no mail) will make you reject a lot of perfectly good mail. So don't do that. I don't reject on DMARC failures either, but that's a separate issue. R's, John ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and pure SPF
Hi, Dňa Mon, 4 Oct 2021 21:15:25 +0200 Alessandro Vesely via mailop napísal: > That's if exim can lookup dnswl and accept spf=fail for whitelisted > IPs. Ah, i understand now, thanks. I think about it too awkwardly ;-) regards -- Slavko http://slavino.sk pgpF0bsgW4OUX.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and pure SPF
On Mon 04/Oct/2021 20:31:54 +0200 Slavko via mailop wrote: Honoring SPF -all is too harsh anyway. It is very efficient because you can reject before DATA, but needs to be softened. IME, using a whitelist such as dnswl.org is enough to get rid of clowns pretending to be your domain (if you publish spf-all), while letting almost all legitimate forwarders pass. Yes, clowns:-P but i do not understand how dnswl.org can help with them. Can you please elaborate more on it? That's if exim can lookup dnswl and accept spf=fail for whitelisted IPs. It would work as if the sender domain had "?exists:%{ir}.list.dnswl.org" in its SPF record (I have it, so many forwarders are allowed.) Whitelisting for SPF is described here: https://datatracker.ietf.org/doc/html/rfc7208#appendix-D.3 If exim cannot do that, you can still apply whitelisting after DATA, if DMARC doesn't suggest a different disposition. Best Ale -- ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and pure SPF
Hi, thanks for all answers, all was useful. Note: I am talking (asking) about incoming emails, not about my domain. Dňa Mon, 4 Oct 2021 14:15:03 +0200 Alessandro Vesely via mailop napísal: > You can consider either the union or the intersection. OK, i read suggested 6.7 and 10.1 sections of RFC7489 and my understanding of them is, that i can implement what i want :-P But joking apart, basically the 6.7 section gives answer to my question, that SPF -all is typically ignored for p= other than none. Until recently my MTA was rejecting mails based on SPF fail (eg. -all) at RCPT stage, thus before any DMARC checking. The DMARC checking is done in rspamd (with exim) and recently i decided to enable its DMARC module (including rua reports) and forcing reject/mark based on DMARC results. And i removed SPF rejecting at RCPT stage, but then i start to think about p=none. > Honoring SPF -all is too harsh anyway. It is very efficient because > you can reject before DATA, but needs to be softened. IME, using a > whitelist such as dnswl.org is enough to get rid of clowns pretending > to be your domain (if you publish spf-all), while letting almost all > legitimate forwarders pass. Yes, clowns :-P but i do not understand how dnswl.org can help with them. Can you please elaborate more on it? > DMARC filtering has to be done after DATA. At that point you can > consider the SPF result recorded in header and add them to the mix. > It also depends on what options your software offers. Courier-MTA > has a -allow option and an "allowok" SPF setting to ease such usage, > so it is convenient. Rejecting message after DATA based on rule available on RCPT seems as not very effective for me, as the DATA are transferred uselessly. And my experience shows, that some sites (not all, no most, only some) better understand rejection at RCPT stage, than at DATA stage and in second case persistently continues to sends their garbage. But anyway i am considering to do it as you suggests, as it is only one way to check the value of p= while i consider, that when domain owner wnts to fail if -something is defined, i will follow it. Finally i want to do it as this: + check SPF in exim, but do not decide on it, only fill the Authentication-Results header + leave rspamd to make decision based on DMARC quarantine|reject policy + leave rspamd to make decision based on SPF fail|softfail, if no DMARC or p=none + leave rspamd to use DKIM only for scoring message, if no DMARC Please, is it good plan? -- Slavko http://slavino.sk pgpIuZtCcB5HT.pgp Description: Digitálny podpis OpenPGP ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and pure SPF
On Mon 04/Oct/2021 12:24:31 +0200 Slavko via mailop wrote: AFAIK, even when SPF in DMARC fails, there still can be DMARC success with DKIM and this can leads to ignore SPF -/~all. I am confused... You can consider either the union or the intersection. Honoring SPF -all is too harsh anyway. It is very efficient because you can reject before DATA, but needs to be softened. IME, using a whitelist such as dnswl.org is enough to get rid of clowns pretending to be your domain (if you publish spf-all), while letting almost all legitimate forwarders pass. DMARC filtering has to be done after DATA. At that point you can consider the SPF result recorded in header and add them to the mix. It also depends on what options your software offers. Courier-MTA has a -allow option and an "allowok" SPF setting to ease such usage, so it is convenient. HTH Ale -- ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and pure SPF
On 4-10-21 13:27, Dan Mahoney via mailop wrote: >> On Oct 4, 2021, at 3:24 AM, Slavko via mailop wrote: >> >> please i want to ask how to deal with pure SPF when DMARC is in use. I >> understand how to deal with SPF within DMARC checks and i do not want to >> diskuss this. >> >> But what if domain owner specify eg. -all (or ~all) and SPF check >> against SMTP.From (or EHLO) fails (or softfails) with this rule? > RFC7489 Section 10.1 makes a caveat of this very thing. If you're specifying > a dmarc policy for your domain that suggests that users who ONLY check SPF > should reject on this case, there's no good way to tell a site that uses SPF > *AND* DKIM to evaluate them separately. See also section 6.7 of that DMARC RFC.. Specifically the 5th paragraph: > DMARC-compliant Mail Receivers typically disregard any mail-handling > directive discovered as part of an authentication mechanism (e.g., > Author Domain Signing Practices (ADSP), SPF) where a DMARC record is > also discovered that specifies a policy other than "none". >> Have i (my MTA) follow this rule (respect domain owner) and reject >> (mark) mail without taking DMARC policy into account. Or have i make >> decision only based on DMARC result AND policy and ignore pure SPF >> checks at all? >> >> AFAIK, even when SPF in DMARC fails, there still can be DMARC success >> with DKIM and this can leads to ignore SPF -/~all. I am confused... > In general, if you're publishing a DKIM record, then you acknowledge that > there are cases where SPF will not be enough (relays, mailing lists, etc). > So setting -all is probably a good idea. > > That said, if you are ONLY publishing SPF records, then maybe you really want > -all. Also note that some systems (specifcially, the xs4all mail system) will simply ignore DMARC policies p=quarantine or p=reject if we never see any DKIM from your domain. IE: just using SPF will NOT cause mail to be blocked. Specifically, ever mail that comes in with aligned SPF, and without aligned DKIM, counts as a "strike against". Any mail that comes in with aligned DKIM counts as a "positive score". Any domain with too many strikes compared to positive DKIM, will go into a list of "domains that don't do DKIM properly", and will subsequently get their DMARC policy effectively forced to p=none. This is also visible in the reporting, stating an override reason of 'no blocking without DKIM". Note that this explicitly does not mean that if a spammer forges a mail message from your domain, without DKIM, that it passes the filter... the only way to get on the "ignore" list is to first send messages that validate SPF but lack DKIM. Bottom line: please do implement DKIM when you want to roll out DMARC. -- Jan-Pieter Cornet "Any sufficiently advanced incompetence is indistinguishable from malice." - Grey's Law OpenPGP_signature Description: OpenPGP digital signature ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
Re: [mailop] DMARC and pure SPF
> On Oct 4, 2021, at 3:24 AM, Slavko via mailop wrote: > > Signed PGP part > Hi, > > please i want to ask how to deal with pure SPF when DMARC is in use. I > understand how to deal with SPF within DMARC checks and i do not want to > diskuss this. > > But what if domain owner specify eg. -all (or ~all) and SPF check > against SMTP.From (or EHLO) fails (or softfails) with this rule? RFC7489 Section 10.1 makes a caveat of this very thing. If you're specifying a dmarc policy for your domain that suggests that users who ONLY check SPF should reject on this case, there's no good way to tell a site that uses SPF *AND* DKIM to evaluate them separately. > Have i (my MTA) follow this rule (respect domain owner) and reject > (mark) mail without taking DMARC policy into account. Or have i make > decision only based on DMARC result AND policy and ignore pure SPF > checks at all? > > AFAIK, even when SPF in DMARC fails, there still can be DMARC success > with DKIM and this can leads to ignore SPF -/~all. I am confused... In general, if you're publishing a DKIM record, then you acknowledge that there are cases where SPF will not be enough (relays, mailing lists, etc). So setting -all is probably a good idea. That said, if you are ONLY publishing SPF records, then maybe you really want -all. Note as well that some systems just use SPF as a metric (say, as part of SpamAssassin) and don't use it to reject at transaction time. Note as well that OpenDMARC at least has the ability to both do its own evaluations *or* trust a header added by an earlier milter. -Dan ___ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop