Re: [mailop] When Will Outlook Rollout SRS for All of Their Email Servers? (For the sake of bimi)

2023-06-06 Thread Mark Alley via mailop
Update on this - it appears that Google will now be restricting BIMI display to specifically DKIM authenticated mail. Link below, see the update on the article. https://www.scmagazine.com/news/email-security/gmail-spoofing-google-priority-1-probe "This issue stems from a third-party security

Re: [mailop] When Will Outlook Rollout SRS for All of Their Email Servers? (For the sake of bimi)

2023-06-06 Thread Benny Pedersen via mailop
John Levine via mailop wrote on 2023-06-06 11:45: It appears that Al Iverson via mailop said: How long until Google, Yahoo, others stop accepting that forwarded mail from Microsoft, is another way to frame that. The problem is that you can't tell it's forwarded, since it comes from the same

Re: [mailop] When Will Outlook Rollout SRS for All of Their Email Servers? (For the sake of bimi)

2023-06-06 Thread John Levine via mailop
It appears that Al Iverson via mailop said:
> How long until Google, Yahoo, others stop accepting that forwarded
> mail from Microsoft, is another way to frame that.

The problem is that you can't tell it's forwarded, since it comes from the same servers that sent real mail for the forged domains.

Re: [mailop] When Will Outlook Rollout SRS for All of Their Email Servers? (For the sake of bimi)

2023-06-05 Thread Mark Alley via mailop
On 6/5/2023 7:41 PM, Benny Pedersen via mailop wrote: Mark Alley via mailop wrote on 2023-06-06 02:17: O365 customers can mitigate this by ensuring they sign DKIM and remove the O365 include where feasible (only possible if O365 is not a domain's last hop), or by signing DKIM and making the

Re: [mailop] When Will Outlook Rollout SRS for All of Their Email Servers? (For the sake of bimi)

2023-06-05 Thread Benny Pedersen via mailop
Mark Alley via mailop wrote on 2023-06-06 02:17: Last time it was reported to Microsoft, IIRC the individual got the response, "it's working as expected" as to the vulnerability that allows aligned SPF mail to be forwarded without SRS from any tenant. Realistically, DMARC and BIMI are working

Re: [mailop] When Will Outlook Rollout SRS for All of Their Email Servers? (For the sake of bimi)

2023-06-05 Thread Mark Alley via mailop
Last time it was reported to Microsoft, IIRC the individual got the response, "it's working as expected" as to the vulnerability that allows aligned SPF mail to be forwarded without SRS from any tenant. Realistically, DMARC and BIMI are working as expected in this scenario. Email was (re)sent

Re: [mailop] When Will Outlook Rollout SRS for All of Their Email Servers? (For the sake of bimi)

2023-06-05 Thread Al Iverson via mailop
How long until Google, Yahoo, others stop accepting that forwarded mail from Microsoft, is another way to frame that. Good to see it getting some attention. I'll be curious to see who addresses it and how. Cheers, Al Iverson On Mon, Jun 5, 2023 at 3:01 PM Alex Liu via mailop wrote: > > Looks

[mailop] When Will Outlook Rollout SRS for All of Their Email Servers? (For the sake of bimi)

2023-06-05 Thread Alex Liu via mailop
Looks like the bad guys are exploiting Outlook's forwarding feature to bypass BIMI. https://twitter.com/chrisplummer/status/1664075886545575941 We reported this issue in April: https://www.sysnet.ucsd.edu/~voelker/pubs/forwarding-eurosp23.pdf -- Regards, Enze "Alex" Liu PhD Student