On 6/5/2023 7:41 PM, Benny Pedersen via mailop wrote:
Mark Alley via mailop skrev den 2023-06-06 02:17:
O365 customers can mitigate this by ensuring they sign DKIM and remove
the O365 include where feasible (only possible if O365 is not a
domain's last hop), or by signing DKIM and making the
Last time it was reported to Microsoft, IIRC the individual got the
response, "it's working as expected" as to the vulnerability that allows
aligned SPF mail to be forwarded without SRS from any tenant.
Realistically, DMARC and BIMI are working as expected in this scenario.
Email was (re)sent
How long until Google, Yahoo, others stop accepting that forwarded
mail from Microsoft, is another way to frame that.
Good to see it getting some attention. I'll be curious to see who
addresses it and how.
Cheers,
Al Iverson
On Mon, Jun 5, 2023 at 3:01 PM Alex Liu via mailop wrote:
Looks like the bad guys are exploiting Outlook's forwarding feature to
bypass BIMI.
https://twitter.com/chrisplummer/status/1664075886545575941
We reported this issue in April:
https://www.sysnet.ucsd.edu/~voelker/pubs/forwarding-eurosp23.pdf
--
Regards,
Enze "Alex" Liu
PhD Student
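Mark's mitigation earlier in the thread (sign DKIM and drop the O365 include from SPF where O365 is not the last hop) and the forwarding bypass Alex links to both come down to which DMARC identifier a message still aligns on after it has been forwarded without SRS. The following is an added example, not code from any poster or from the linked paper: a small Python model of SPF and DMARC evaluation that shows which identifier the DMARC pass rests on for a forwarded message, first with the O365 include present and then without it. The SPF records, the relay address and the domain names are constructed placeholders (documentation prefixes, not Microsoft's real ranges), and the organizational-domain logic is simplified to the last two labels instead of the Public Suffix List. Since BIMI display requires a DMARC pass under an enforcing policy, the DMARC outcome here is what the BIMI outcome ultimately hinges on.

```python
import ipaddress

# Constructed sample SPF data for the example: a domain that includes the
# O365 SPF record. The include name matches the one O365 customers use, but
# the address ranges are documentation prefixes, not Microsoft's real ones.
O365_INCLUDE = "include:spf.protection.outlook.com"
SPF_RECORDS = {
    "example.com": ["ip4:203.0.113.0/24", O365_INCLUDE],
    "spf.protection.outlook.com": ["ip4:198.51.100.0/24"],
}
O365_RELAY_IP = "198.51.100.25"  # constructed: an address inside the include


def spf_check(domain, client_ip, records, depth=0):
    """Minimal SPF evaluator over ip4 and include mechanisms only.

    Returns "pass" if client_ip is authorised by the domain's record (directly
    or via include), "fail" otherwise, "permerror" if includes nest too deep.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for mech in records.get(domain, []):
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return "pass"
        elif mech.startswith("include:"):
            target = mech[len("include:"):]
            if spf_check(target, client_ip, records, depth + 1) == "pass":
                return "pass"
    return "fail"


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.

    Real DMARC implementations use the Public Suffix List; this shortcut is
    wrong for names like example.co.uk but keeps the example self-contained.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict=False):
    """RFC 7489 identifier alignment: exact match in strict mode, same
    organizational domain in relaxed mode (the default for aspf/adkim)."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, mail_from_domain, client_ip, dkim, records):
    """Evaluate DMARC for one message.

    from_domain:      domain in the RFC5322.From header
    mail_from_domain: domain of the SMTP MAIL FROM (what SRS would rewrite)
    dkim:             (result, d= domain) of the surviving signature, or None
    Returns which identifier the pass rests on, so a domain owner can see
    whether the policy is satisfied by SPF, by DKIM, or by neither.
    """
    spf = spf_check(mail_from_domain, client_ip, records)
    spf_aligned = spf == "pass" and aligned(mail_from_domain, from_domain)
    dkim_aligned = (dkim is not None and dkim[0] == "pass"
                    and aligned(dkim[1], from_domain))
    return {
        "spf": spf,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


def forwarded_without_srs(records, dkim):
    """A message leaving an O365 relay whose MAIL FROM still reads example.com,
    i.e. the forwarding hop did not apply SRS (the situation in the thread)."""
    return dmarc_evaluate("example.com", "example.com", O365_RELAY_IP, dkim, records)


def without_o365_include(records):
    """Mark's mitigation: drop the O365 include from the domain's SPF record
    (only viable when O365 is not the domain's last hop) and rely on DKIM."""
    return {d: [m for m in mechs if m != O365_INCLUDE] for d, mechs in records.items()}


if __name__ == "__main__":
    print("include present, no DKIM:", forwarded_without_srs(SPF_RECORDS, None))
    trimmed = without_o365_include(SPF_RECORDS)
    print("include removed, no DKIM:", forwarded_without_srs(trimmed, None))
    print("include removed, DKIM d=example.com:",
          forwarded_without_srs(trimmed, ("pass", "example.com")))
    print("include removed, DKIM d=other.example:",
          forwarded_without_srs(trimmed, ("pass", "other.example")))
```

With the include present, the forwarded message passes DMARC on SPF alone, with no DKIM signature needed, which is why the forwarding path in the thread is accepted downstream. Once the include is removed, the same message passes only if an aligned DKIM signature survived the forwarding hop, so the domain owner's outbound DKIM signing becomes the control that actually matters.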
Thanks for the feedback, I've forwarded it to the maintainers.
Note that the mxtoolbox does not use the same libraries for evaluation as
Gmail itself, so the bugs in each are mostly independent. I wouldn't be
surprised at that, since validation is not usually
the same as evaluation, one might be
> Based on all the replies it looks like this tool has several bugs
> and its output can be ignored.
I'd say it's a good reality check of sorts, standards saying "MAY" but
some implementations saying "MUST". Understandably better
implementations are... better, but it's not too far-fetched
On 03.06.2023 at 00:34 John Levine via mailop wrote:
> If you mean the DMARC record for johnlevine.com, it's valid, but is also a
> stress test for DNS and DMARC software. Looks like it caught another one. It
> has a valid DNSSEC signature too, for people who care about that.