Re: [mailop] When Will Outlook Rollout SRS for All of Their Email Servers? (For the sake of bimi)

2023-06-05 Thread Mark Alley via mailop
On 6/5/2023 7:41 PM, Benny Pedersen via mailop wrote: Mark Alley via mailop wrote on 2023-06-06 02:17: O365 customers can mitigate this by ensuring they sign DKIM and remove the O365 include where feasible (only possible if O365 is not a domain's last hop), or by signing DKIM and making the

Re: [mailop] When Will Outlook Rollout SRS for All of Their Email Servers? (For the sake of bimi)

2023-06-05 Thread Benny Pedersen via mailop
Mark Alley via mailop wrote on 2023-06-06 02:17: Last time it was reported to Microsoft, IIRC the individual got the response, "it's working as expected" as to the vulnerability that allows aligned SPF mail to be forwarded without SRS from any tenant. Realistically, DMARC and BIMI are working

Re: [mailop] When Will Outlook Rollout SRS for All of Their Email Servers? (For the sake of bimi)

2023-06-05 Thread Mark Alley via mailop
Last time it was reported to Microsoft, IIRC the individual got the response, "it's working as expected" as to the vulnerability that allows aligned SPF mail to be forwarded without SRS from any tenant. Realistically, DMARC and BIMI are working as expected in this scenario. Email was (re)sent

Re: [mailop] When Will Outlook Rollout SRS for All of Their Email Servers? (For the sake of bimi)

2023-06-05 Thread Al Iverson via mailop
How long until Google, Yahoo, others stop accepting that forwarded mail from Microsoft, is another way to frame that. Good to see it getting some attention. I'll be curious to see who addresses it and how. Cheers, Al Iverson On Mon, Jun 5, 2023 at 3:01 PM Alex Liu via mailop wrote: > > Looks

[mailop] When Will Outlook Rollout SRS for All of Their Email Servers? (For the sake of bimi)

2023-06-05 Thread Alex Liu via mailop
Looks like the bad guys are exploiting Outlook's forwarding feature to bypass BIMI. https://twitter.com/chrisplummer/status/1664075886545575941 We reported this issue in April: https://www.sysnet.ucsd.edu/~voelker/pubs/forwarding-eurosp23.pdf -- Regards, Enze "Alex" Liu PhD Student

Re: [mailop] Google Toolbox broken?

2023-06-05 Thread Brandon Long via mailop
Thanks for the feedback, I've forwarded it to the maintainers. Note that the mxtoolbox does not use the same libraries for evaluation as Gmail itself, so the bugs in each are mostly independent. I wouldn't be surprised at that, since validation is not usually the same as evaluation, one might be

Re: [mailop] Google Toolbox broken?

2023-06-05 Thread Taavi Eomäe via mailop
> Based on all the replies it looks like this tool has several bugs and its output can be ignored. I'd say it's a good reality check of sorts, standards saying "MAY" but some implementations saying "MUST". Understandably better implementations are... better, but it's not too far-fetched

Re: [mailop] Google Toolbox broken?

2023-06-05 Thread Gellner, Oliver via mailop
On 03.06.2023 at 00:34 John Levine via mailop wrote: > If you mean the DMARC record for johnlevine.com, it's valid, but is also a > stress test for DNS and DMARC software. Looks like it caught another one. It > has a valid DNSSEC signature too, for people who care about that. > If you mean the