Question about DMARC


Question about DMARC

Wesley Peng-8
Greetings,

When mail is relayed through a mailing list, why is it possible for the
DMARC policy to reject it?

For example, I sent mail from [hidden email] to [hidden email]

Since mail.ru has the strictest DMARC policy, the recipients may choose
to reject this mail, which is relayed by googlegroups; the reason is that
DKIM or SPF fails.

So does the mailing list make DKIM or SPF fail?

Thank you for your help.

Regards.

Re: Question about DMARC

Richard Damon
On 11/21/19 9:45 PM, Wesley Peng wrote:

> Greetings,
>
> When mail is relayed through a mailing list, why is it possible for the
> DMARC policy to reject it?
>
> For example, I sent mail from [hidden email] to [hidden email]
>
> Since mail.ru has the strictest DMARC policy, the recipients may
> choose to reject this mail, which is relayed by googlegroups; the
> reason is that DKIM or SPF fails.
>
> So does the mailing list make DKIM or SPF fail?
>
> Thank you for your help.
>
> Regards.
>
The issue is that, with the way many mailing lists work, if a person from a
domain with a strict DMARC policy sends a message to the mailing list and
it is altered in a way that makes it fail DKIM (and it will fail SPF),
then any attempted recipient from a domain that honors the DMARC policy
will send a reject DSN to the mailing list, which may cause those
recipients to get unsubscribed due to undeliverable mail.

While it would seem unfair to punish the recipient for something they didn't
do wrong, sending the reject DSN is the appropriate result. The real
error is arguably the sending of an email to a mailing list from a
domain that by its policies doesn't allow the use of that type of
mailing list.

The typical options for the mailing list are

1) Just not allow people from such domains to post to the list (the
reject option you mention)

2) Rewrite the from address from people from such a domain to be from
the domain of the list (often the list address). This is arguably
discouraged by the email RFCs, as the from address should indicate the
AUTHOR of the message, which is the original sender. It also can cause
problems with identifying who sent the message, and can corrupt people's
address books if their program records that address as being associated
with the sender. It can also make it harder to reply just to the sender.

3) Rewrite the message by wrapping it as an attachment, with the outer
message being from the list. This has the problem that many clients
won't handle the message in a useful manner.

--
Richard Damon


Re: Question about DMARC

Wesley Peng-8
Richard Damon wrote:

> The typical options for the mailing list are
>
> 1) Just not allow people from such domains to post to the list (the
> reject option you mention)
>
> 2) Rewrite the from address from people from such a domain to be from
> the domain of the list (often the list address). This is arguably
> discouraged by the email RFCs, as the from address should indicate the
> AUTHOR of the message, which is the original sender. It also can cause
> problems with identifying who sent the message, and can corrupt people's
> address books if their program records that address as being associated
> with the sender. It can also make it harder to reply just to the sender.
>
> 3) Rewrite the message by wrapping it as an attachment, with the outer
> message being from the list. This has the problem that many clients
> won't handle the message in a useful manner.

Thank you Richard.

The email I am using is on the domain mail.ru, which has the strictest
DMARC policy setting.

So a mailing list like postfix-users doesn't deliver my message to myself
on this domain. And Google Groups rewrites the sender address to its
own address.

I don't know why mail.ru has this setup, this seems unfriendly.

Thanks.

Re: Question about DMARC

Richard Damon
On 11/21/19 11:21 PM, Wesley Peng wrote:

> Richard Damon wrote:
>> The typical options for the mailing list are
>>
>> 1) Just not allow people from such domains to post to the list (the
>> reject option you mention)
>>
>> 2) Rewrite the from address from people from such a domain to be from
>> the domain of the list (often the list address). This is arguably
>> discouraged by the email RFCs, as the from address should indicate the
>> AUTHOR of the message, which is the original sender. It also can cause
>> problems with identifying who sent the message, and can corrupt peoples
>> address books if their program records that address as being associated
>> with the sender. It can also make it harder to reply just to the sender.
>>
>> 3) Rewrite the message by wrapping it as an attachment, with the outer
>> message being from the list. This has the problem that many clients
>> won't handle the message in a useful manner.
>
> Thank you Richard.
>
> The email I am using is with domain of mail.ru, which has the
> strictest DMARC policy setting.
>
> So mailing list like postfix-users doesn't deliver my message to
> myself on this domain. And google groups rewrite the sender address to
> their own address.
>
> I don't know why mail.ru has this setup, this seems unfriendly.
>
> Thanks.
>
That is a question to ask them. Basically the strict DMARC policy is
designed for transactional email, where spoofing is a real danger. The
side effect of it is that addresses on such a domain really shouldn't be
used on mailing lists, or any other 3rd party senders not specifically
set up for that by the domain owner. For the proper usages of this, it
really isn't much of a problem, as the sorts of institutions that deal
with this sort of transactional mail probably shouldn't be using that
same domain for the less formal usages that tend to go with a mailing list.

The problems arise when a domain that doesn't really need that level of
protection adopts it for some reason, especially if they don't inform
their users of the implications of that decision.

--
Richard Damon


Re: Question about DMARC

Wesley Peng-8
Richard Damon wrote:

> That is a question to ask them. Basically the strict DMARC policy is
> designed for transactional email, where spoofing is a real danger. The
> side effect of it is that addresses on such a domain really shouldn't be
> used on mailing lists, or any other 3rd party senders not specifically
> set up for that by the domain owner. For the proper usages of this, it
> really isn't much of a problem, as the sorts of institutions that deal
> with this sort of transactional mail, probably shouldn't be using that
> same domain for less formal usages that tends to go with a mailing list.
>
> The problems arise when a domain that doesn't really need that level of
> protection adopts it for some reason, especially if they don't inform
> their users of the implications of that decision.

Hello Richard,

If I am wrong, please forgive me.

Many ISPs/registrars provide email forwarding; I even had a pobox.com
account which I used for 10+ years with just the forwarding feature.

When mail from a domain like mail.ru is relayed by those providers, it sounds
easy to break SPF/DKIM, so the recipients may reject the message. This is not
good practice for the sender, even for mail.ru itself.

Am I right?

regards.

Re: Question about DMARC

Wesley Peng-4
In reply to this post by Richard Damon


Richard Damon wrote:
>   The
> side effect of it is that addresses on such a domain really shouldn't be
> used on mailing lists,

Thanks for pointing this out. I never knew it.
Now I have changed my mail to my Fastmail account, which I have owned for many
years. I just don't like its mobile app; it's just a web wrapper, not as
good as Gmail/mail.ru etc.
After checking, I think Fastmail will do well at receiving mailing list mail.

Thanks.

Re: Question about DMARC

황병희-2
In reply to this post by Wesley Peng-8
> Am I right?

Yes Wesley, you are right. So I don't like DMARC (with SPF).

Sincerely,

--
^고맙습니다 _地平天成_ 감사합니다_^))//

Re: Question about DMARC

Nick-5
In reply to this post by Wesley Peng-8
On 2019-11-22 04:21 GMT, Wesley Peng wrote:
> The email I am using is with domain of mail.ru, which has the
> strictest DMARC policy setting.
>
> So mailing list like postfix-users doesn't deliver my message to
> myself on this domain. And google groups rewrite the sender address
> to their own address.
>
> I don't know why mail.ru has this setup, this seems unfriendly.

All of your posts from mail.ru pass DMARC according to my instance of
OpenDMARC.  If mail.ru isn't returning your posts, it's probably
nothing to do with DMARC.  Perhaps you can ask them.  I also have
strict DMARC policy and no difficulty with this list.
--
Nick

Re: Question about DMARC

Dominic Raferd


On Fri, 22 Nov 2019 at 08:42, Nick <[hidden email]> wrote:
> On 2019-11-22 04:21 GMT, Wesley Peng wrote:
>> The email I am using is with domain of mail.ru, which has the
>> strictest DMARC policy setting.
>>
>> So mailing list like postfix-users doesn't deliver my message to
>> myself on this domain. And google groups rewrite the sender address
>> to their own address.
>>
>> I don't know why mail.ru has this setup, this seems unfriendly.
>
> All of your posts from mail.ru pass DMARC according to my instance of
> OpenDMARC.  If mail.ru isn't returning your posts, it's probably
> nothing to do with DMARC.  Perhaps you can ask them.  I also have
> strict DMARC policy and no difficulty with this list.

+1

Re: Question about DMARC

Wesley Peng-4
In reply to this post by Nick-5
Hi

The mail I sent from mail.ru to this list got dropped; I didn't get the message I sent.


On Fri, Nov 22, 2019, at 4:41 PM, Nick wrote:
> On 2019-11-22 04:21 GMT, Wesley Peng wrote:
>> The email I am using is with domain of mail.ru, which has the
>> strictest DMARC policy setting.
>>
>> So mailing list like postfix-users doesn't deliver my message to
>> myself on this domain. And google groups rewrite the sender address
>> to their own address.
>>
>> I don't know why mail.ru has this setup, this seems unfriendly.
>
> All of your posts from mail.ru pass DMARC according to my instance of
> OpenDMARC.  If mail.ru isn't returning your posts, it's probably
> nothing to do with DMARC.  Perhaps you can ask them.  I also have
> strict DMARC policy and no difficulty with this list.
> --
> Nick



Re: Question about DMARC

Wesley Peng-4
I meant I didn't get it in my mail.ru inbox. The other providers may or may not reject it. Thanks.

On Fri, Nov 22, 2019, at 5:52 PM, Wesley Peng wrote:
> Hi
>
> The mail I sent from mail.ru to this list got dropped; I didn't get the message I sent.
>
> On Fri, Nov 22, 2019, at 4:41 PM, Nick wrote:
>> On 2019-11-22 04:21 GMT, Wesley Peng wrote:
>>> The email I am using is with domain of mail.ru, which has the
>>> strictest DMARC policy setting.
>>>
>>> So mailing list like postfix-users doesn't deliver my message to
>>> myself on this domain. And google groups rewrite the sender address
>>> to their own address.
>>>
>>> I don't know why mail.ru has this setup, this seems unfriendly.
>>
>> All of your posts from mail.ru pass DMARC according to my instance of
>> OpenDMARC.  If mail.ru isn't returning your posts, it's probably
>> nothing to do with DMARC.  Perhaps you can ask them.  I also have
>> strict DMARC policy and no difficulty with this list.
>> --
>> Nick




Re: Question about DMARC

Dominic Raferd


On Fri, 22 Nov 2019 at 09:56, Wesley Peng <[hidden email]> wrote:
> I meant I didn't get it in my mail.ru inbox. The other providers may or may not reject it. Thanks.
>
> On Fri, Nov 22, 2019, at 5:52 PM, Wesley Peng wrote:
>> Hi
>>
>> The mail I sent from mail.ru to this list got dropped; I didn't get the message I sent.
>>
>> On Fri, Nov 22, 2019, at 4:41 PM, Nick wrote:
>>> On 2019-11-22 04:21 GMT, Wesley Peng wrote:
>>>> The email I am using is with domain of mail.ru, which has the
>>>> strictest DMARC policy setting.
>>>>
>>>> So mailing list like postfix-users doesn't deliver my message to
>>>> myself on this domain. And google groups rewrite the sender address
>>>> to their own address.
>>>>
>>>> I don't know why mail.ru has this setup, this seems unfriendly.
>>>
>>> All of your posts from mail.ru pass DMARC according to my instance of
>>> OpenDMARC.  If mail.ru isn't returning your posts, it's probably
>>> nothing to do with DMARC.  Perhaps you can ask them.  I also have
>>> strict DMARC policy and no difficulty with this list.

But I did, and I run opendmarc. So the issue is nothing to do with DMARC...

Re: Question about DMARC

Richard Damon
In reply to this post by Wesley Peng-8
On 11/21/19 11:47 PM, Wesley Peng wrote:

> Richard Damon wrote:
>> That is a question to ask them. Basically the strict DMARC policy is
>> designed for transactional email, where spoofing is a real danger. The
>> side effect of it is that addresses on such a domain really shouldn't be
>> used on mailing lists, or any other 3rd party senders not specifically
>> set up for that by the domain owner. For the proper usages of this, it
>> really isn't much of a problem, as the sorts of institutions that deal
>> with this sort of transactional mail, probably shouldn't be using that
>> same domain for less formal usages that tends to go with a mailing list.
>>
>> The problems arise when a domain that doesn't really need that level of
>> protection adopts it for some reason, especially if they don't inform
>> their users of the implications of that decision.
>
> Hello Richard,
>
> If I am wrong, please forgive me.
>
> Many ISP/Registrars provide email forwarding, I even had a pobox.com
> account which I used for 10+ years with just forwarding feature.
>
> When mail from a domain like mail.ru is relayed by those providers, it sounds
> easy to break SPF/DKIM, so the recipients may reject the message. This
> is not good practice for the sender, even for mail.ru itself.
>
> Am I right?
>
> regards.
>
Normal forwarding will break SPF, but not DKIM (one reason DMARC uses
both). A mail provider that uses strict settings but doesn't DKIM sign
the messages would be considered seriously broken in my experience. The
issue is that many mailing lists will break DKIM by slightly modifying the
message, like adding a signal word to the subject or a footer with
information like unsubscribing instructions (this can be a legal
requirement in some jurisdictions). Note, this list does NOT do this
sort of modification, so it doesn't cause that sort of problem.

--
Richard Damon


Re: Question about DMARC

Jaroslaw Rafa
In reply to this post by Wesley Peng-8
On 22.11.2019 at 10:45:42 Wesley Peng wrote:
>
> So does the mailing list make DKIM or SPF fail?
>
> Thank you for your help.

My opinion is that the actual problem is that people who invented SPF and/or
DMARC had wrong assumptions about how email works/should work.

They assumed email is a straight and simple one-to-one communication like
HTTP. If you send a mail from user1@xxx to user2@yyy, it goes straight from
sending server for domain xxx to receiving server for domain yyy. So the
receiving server can check if the email is coming from a "valid",
"authorized" server for domain xxx (despite the fact that there isn't - and
never was - such a thing as a "valid sending server" for any domain).

This concept puts mailing lists, email forwarding and similar things
completely out of scope. I would dare to say that these things simply did not
exist for inventors of SPF/DMARC. That means, they obviously knew these
things exist, but assumed they are completely unimportant and shouldn't (in
their approach) be used.

Big email providers started adopting SPF/DMARC etc. also without much
thinking about these seemingly "unimportant" use cases, and then suddenly it
turned out that we have quite a problem.

You may disagree of course, but that's just how I see it. There is a quite
old article about why SPF is wrong, but in my opinion this article hasn't
dated a bit: http://david.woodhou.se/why-not-spf.html
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: Question about DMARC

Wesley Peng-4
In reply to this post by Richard Damon
Would this list break SPF then? Thanks

On Fri, Nov 22, 2019, at 7:15 PM, Richard Damon wrote:
> On 11/21/19 11:47 PM, Wesley Peng wrote:
>> Richard Damon wrote:
>>> That is a question to ask them. Basically the strict DMARC policy is
>>> designed for transactional email, where spoofing is a real danger. The
>>> side effect of it is that addresses on such a domain really shouldn't be
>>> used on mailing lists, or any other 3rd party senders not specifically
>>> set up for that by the domain owner. For the proper usages of this, it
>>> really isn't much of a problem, as the sorts of institutions that deal
>>> with this sort of transactional mail, probably shouldn't be using that
>>> same domain for less formal usages that tends to go with a mailing list.
>>>
>>> The problems arise when a domain that doesn't really need that level of
>>> protection adopts it for some reason, especially if they don't inform
>>> their users of the implications of that decision.
>>
>> Hello Richard,
>>
>> If I am wrong, please forgive me.
>>
>> Many ISP/Registrars provide email forwarding, I even had a pobox.com
>> account which I used for 10+ years with just forwarding feature.
>>
>> When mail from a domain like mail.ru is relayed by those providers, it sounds
>> easy to break SPF/DKIM, so the recipients may reject the message. This
>> is not good practice for the sender, even for mail.ru itself.
>>
>> Am I right?
>>
>> regards.
>>
> Normal forwarding will break SPF, but not DKIM (one reason DMARC uses
> both). A mail provider that uses strict settings but doesn't DKIM sign
> the messages would be considered seriously broken in my experience. The
> issue is that many mailing lists will break DKIM by slightly modifying the
> message, like adding a signal word to the subject or a footer with
> information like unsubscribing instructions (this can be a legal
> requirement in some jurisdictions). Note, this list does NOT do this
> sort of modification, so it doesn't cause that sort of problem.
>
> --
> Richard Damon




Re: Question about DMARC

Scott Kitterman-4
No.  It's how DMARC uses SPF.

Scott K

On November 22, 2019 11:25:47 AM UTC, Wesley Peng <[hidden email]> wrote:

> Would this list break SPF then? Thanks
>
> On Fri, Nov 22, 2019, at 7:15 PM, Richard Damon wrote:
>> On 11/21/19 11:47 PM, Wesley Peng wrote:
>>> Richard Damon wrote:
>>>> That is a question to ask them. Basically the strict DMARC policy is
>>>> designed for transactional email, where spoofing is a real danger. The
>>>> side effect of it is that addresses on such a domain really shouldn't be
>>>> used on mailing lists, or any other 3rd party senders not specifically
>>>> set up for that by the domain owner. For the proper usages of this, it
>>>> really isn't much of a problem, as the sorts of institutions that deal
>>>> with this sort of transactional mail, probably shouldn't be using that
>>>> same domain for less formal usages that tends to go with a mailing list.
>>>>
>>>> The problems arise when a domain that doesn't really need that level of
>>>> protection adopts it for some reason, especially if they don't inform
>>>> their users of the implications of that decision.
>>>
>>> Hello Richard,
>>>
>>> If I am wrong, please forgive me.
>>>
>>> Many ISP/Registrars provide email forwarding, I even had a pobox.com
>>> account which I used for 10+ years with just forwarding feature.
>>>
>>> When mail from a domain like mail.ru is relayed by those providers, it sounds
>>> easy to break SPF/DKIM, so the recipients may reject the message. This
>>> is not good practice for the sender, even for mail.ru itself.
>>>
>>> Am I right?
>>>
>>> regards.
>>>
>> Normal forwarding will break SPF, but not DKIM (one reason DMARC uses
>> both). A mail provider that uses strict settings but doesn't DKIM sign
>> the messages would be considered seriously broken in my experience. The
>> issue is that many mailing lists will break DKIM by slightly modifying the
>> message, like adding a signal word to the subject or a footer with
>> information like unsubscribing instructions (this can be a legal
>> requirement in some jurisdictions). Note, this list does NOT do this
>> sort of modification, so it doesn't cause that sort of problem.
>>
>> --
>> Richard Damon

Re: Question about DMARC

Dominic Raferd
In reply to this post by Jaroslaw Rafa


On Fri, 22 Nov 2019 at 11:26, Jaroslaw Rafa <[hidden email]> wrote:
> On 22.11.2019 at 10:45:42 Wesley Peng wrote:
>>
>> So does the mailing list make DKIM or SPF fail?
>>
>> Thank you for your help.
>
> My opinion is that the actual problem is that people who invented SPF and/or
> DMARC had wrong assumptions about how email works/should work.
>
> They assumed email is a straight and simple one-to-one communication like
> HTTP. If you send a mail from user1@xxx to user2@yyy, it goes straight from
> sending server for domain xxx to receiving server for domain yyy. So the
> receiving server can check if the email is coming from a "valid",
> "authorized" server for domain xxx (despite the fact that there isn't - and
> never was - such a thing as a "valid sending server" for any domain).
>
> This concept puts mailing lists, email forwarding and similar things
> completely out of scope. I would dare to say that these things simply did not
> exist for inventors of SPF/DMARC. That means, they obviously knew these
> things exist, but assumed they are completely unimportant and shouldn't (in
> their approach) be used.
>
> Big email providers started adopting SPF/DMARC etc. also without much
> thinking about these seemingly "unimportant" use cases, and then suddenly it
> turned out that we have quite a problem.
>
> You may disagree of course, but that's just how I see it. There is a quite
> old article about why SPF is wrong, but in my opinion this article hasn't
> dated a bit: http://david.woodhou.se/why-not-spf.html

The limitations you describe affect SPF but not DMARC, because DMARC can rely *either* on SPF *or* on DKIM. There are limitations on DKIM through mailing lists which depend on the mailing list settings and on which headers the sender has chosen to sign. However, sensibly-designed mailing lists (like this one) can work with DKIM-signed emails where the signed headers are not specified too aggressively, and so should still pass DMARC testing (i.e. DKIM + DKIM-alignment both pass).
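Richard's point earlier in the thread that plain forwarding leaves DKIM intact while a tagging list breaks it, and Dominic's point above that the outcome depends on which headers the sender signed, can be shown with a small simulation. This is an added example, not code from the thread or from any DKIM implementation: it replaces the real RSA signature with an HMAC over a constructed key, uses relaxed-style canonicalization, and the addresses and message are constructed placeholders.

```python
"""Simplified DKIM-style signing, to show which relay modifications break a
signature. Added illustration, not DKIM proper: real DKIM uses an RSA or
Ed25519 key published in DNS; here HMAC-SHA256 over a constructed shared key
stands in for the signature so the example runs offline. Canonicalization
mimics DKIM 'relaxed' mode for headers and body."""
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # stand-in for the signing domain's private key

# Constructed sample message; addresses and text are placeholders.
ORIGINAL_HEADERS = [
    ("From", "alice@strict.example"),
    ("To", "postfix-users@list.example"),
    ("Subject", "Question about DMARC"),
    ("Date", "Fri, 22 Nov 2019 10:45:42 +0800"),
]
ORIGINAL_BODY = "When mail is relayed through a mailing list, why can DMARC reject it?\n"


def relaxed_header(name, value):
    # Relaxed header canonicalization: lower-case name, unfold, collapse whitespace.
    return name.lower() + ":" + re.sub(r"\s+", " ", value.replace("\r\n", "")).strip()


def relaxed_body(body):
    # Relaxed body canonicalization: collapse whitespace, strip trailing whitespace,
    # drop empty trailing lines.
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip() for ln in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"


def header_value(headers, name):
    # First occurrence wins; a signed header missing from the message hashes as empty.
    return next((v for n, v in headers if n.lower() == name.lower()), "")


def _header_hash_input(headers, signed_names, bh):
    canon = [relaxed_header(n, header_value(headers, n)) for n in signed_names]
    return ("\r\n".join(canon) + "\r\nbh=" + bh + ";h=" + ":".join(signed_names)).encode()


def sign(headers, body, signed_names):
    """Return a signature record: body hash plus a MAC over the listed headers."""
    bh = hashlib.sha256(relaxed_body(body).encode()).hexdigest()
    sig = hmac.new(SECRET, _header_hash_input(headers, signed_names, bh), hashlib.sha256).hexdigest()
    return {"bh": bh, "h": list(signed_names), "sig": sig}


def verify(headers, body, dkim):
    """Return 'pass', or which half of the signature no longer matches."""
    bh = hashlib.sha256(relaxed_body(body).encode()).hexdigest()
    if bh != dkim["bh"]:
        return "fail (body hash)"
    expected = hmac.new(SECRET, _header_hash_input(headers, dkim["h"], bh), hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(expected, dkim["sig"]) else "fail (header hash)"


# Relay behaviours discussed in the thread. Each returns the (headers, body) it would deliver.
def forwarder(headers, body):
    # Plain forwarding: trace headers are prepended, nothing that was signed is touched.
    return [("Received", "from fwd.example"), ("Sender", "fwd@fwd.example")] + headers, body

def subject_tag_list(headers, body):
    # A list that prefixes a tag to the Subject.
    return [(n, "[postfix-users] " + v if n == "Subject" else v) for n, v in headers], body

def footer_list(headers, body):
    # A list that appends an unsubscribe footer to the body.
    return headers, body + "\n-- \nTo unsubscribe, mail postfix-users-leave@list.example\n"

def passthrough_list(headers, body):
    # A list that only adds its own List-* headers, like the one this thread is on.
    return [("List-Id", "<postfix-users.list.example>")] + headers, body

RELAYS = {f.__name__: f for f in (forwarder, subject_tag_list, footer_list, passthrough_list)}


def run_scenarios(signed_names=("From", "To", "Subject", "Date")):
    """Sign the sample message once, then verify what each relay would deliver."""
    dkim = sign(ORIGINAL_HEADERS, ORIGINAL_BODY, signed_names)
    return {name: verify(*relay(ORIGINAL_HEADERS, ORIGINAL_BODY), dkim) for name, relay in RELAYS.items()}


if __name__ == "__main__":
    for h in (("From", "To", "Subject", "Date"), ("From", "Date")):
        print("signed headers", h, "->", run_scenarios(h))
```

With Subject in h= the tagging list fails verification while the forwarder and the pass-through list do not; leaving Subject out of h= lets the tagging list pass, but an appended footer fails the body hash regardless of which headers are signed.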

Re: Question about DMARC

Richard Damon
In reply to this post by Jaroslaw Rafa
On 11/22/19 6:25 AM, Jaroslaw Rafa wrote:

> On 22.11.2019 at 10:45:42 Wesley Peng wrote:
>> So mailing list makes DKIM or SPF failed?
>>
>> Thank you for your helps.
> My opinion is that the actual problem is that people who invented SPF and/or
> DMARC had wrong assumptions about how email works/should work.
>
> They assumed email is a straight and simple one-to-one communication like
> HTTP. If you send a mail from user1@xxx to user2@yyy, it goes straight from
> sending server for domain xxx to receiving server for domain yyy. So the
> receiving server can check if the email is coming from a "valid",
> "authorized" server for domain xxx (despite the fact that there isn't - and
> never was - such thing as "valid sending server" for any domain).
>
> This concept puts mailing lists, email forwarding and similar things
> completely out of scope. I would dare to say that these things simply did not
> exist for inventors of SPF/DMARC. That means, they obviously knew these
> things exist, but assumed they are completely unimportant and shouldn't (in
> their approach) be used.
>
> Big email providers started adopting SPF/DMARC etc. also without much
> thinking about these seemingly "unimportant" use cases, and then suddenly it
> turned out that we have quite a problem.
>
> You may disagree of course, but that's just how I see it. There is a quite
> old article about why SPF is wrong, but in my opinion this article didn't
> date a bit: http://david.woodhou.se/why-not-spf.html

Base SPF works through a traditional forwarder, because the base rules
for SPF allow the message to pass based on the domain of the Sender:
header, not just the From:. A proper forwarder will add a Sender: header
for itself, to indicate that while it was not the originator of the
message, it was the last one to send it. DMARC changes the rules for
SPF, and says that the message must align with the From: header, based
on the idea that most mail readers don't show you that sender does not
equal from.

SPF works just fine as designed, because it was designed as a HELPER for
receivers, not intending to be an all encompassing solution. If I, the
receiver of the message see that the message passed SPF, AND I trust the
domain that sent the message, then I can be fairly sure that the message
is legitimate. If there is a problem with the message, because I trust
the domain, I feel I can report the issue and it will be dealt with. SPF
is designed to help with 'white-listing'. SPF helps fight spam, as I can
white list the major mail agents that do a good job filtering spam, and
then have more bandwidth to look at those for sources I don't know.

DMARC adds nothing to that ability. Anyone can create a domain with a
strict DMARC policy and send spam from it. Just passing DMARC means
nothing in regards to the spamyness of a message. What DMARC is designed
to fight is forgeries. If you setup DMARC for your domain, then people
can trust that a message that says it is from you is from you (it still
could be spam though). The 'cost' of using DMARC is that you limit what
users of that domain can do, as they can't use external re-mailers that
don't follow very specific guidelines. This works for domains that deal
with transactional emails, where forgeries can be important, it doesn't
work for more casual usage.

I would actually say that an email provider using strict DMARC is
actually a sign of an email provider with a problem. I have heard that
the reason that Yahoo at least adopted it was that they had so many
security breaches that leaked out their users' address books, that a very
real problem was Yahoo members getting emails claiming to be from
friends that were actually attack vectors, and that they couldn't keep up
with other measures to try and block it. The adoption of DMARC for a
general email provider is basically an acknowledgement that they have
problems maintaining a safe and secure email system. IF they advertise
it as a feature, and explain what it means you can't do, then maybe it
isn't, but if they don't inform you that they are not suitable for many
mailing lists and the like, then likely THEY are the one with a problem.

--
Richard Damon


Re: Question about DMARC

Jaroslaw Rafa
In reply to this post by Dominic Raferd
On 22.11.2019 at 11:40:29 Dominic Raferd wrote:
>
> The limitations you describe affect SPF but not DMARC because DMARC can
> rely *either* on SPF *or* on DKIM.

But it probably depends on how the *recipient* configured DMARC checking and
the sender can't do anything about it - am I right?

Recently I was forced to set up both SPF *and* DKIM on outgoing mail (I
still don't verify SPF, DKIM or DMARC on incoming mail and don't plan to)
because someone set up a DMARC record at my parent domain, eu.org, and
Google started using this DMARC record to verify messages coming from my
domain rafa.eu.org (which it shouldn't do, because eu.org is a "public
suffix" - anybody can register their subdomain under eu.org - so my domain
"rafa.eu.org" is an "organizational domain" in terms of DMARC, i.e. the
receiver should not look for DMARC records above that domain). Because I
had neither SPF nor DKIM, my messages started to fail DMARC tests at
Gmail (which could probably be one of the reasons Gmail started to put my
messages into recipients' spam folders - I'm not sure, because I did many
different things trying to resolve the issue and get out of the spam folder, so
I'm not sure what actually helped). Configuring SPF alone didn't help -
Gmail still indicated DMARC as failed; I had to configure both SPF and DKIM
to satisfy it.

BTW, as I don't like SPF, I configured my SPF record with "?all" at the end,
which means "I have no opinion about other IP addresses sending mail for my
domain, do whatever you would otherwise do with them". I think this is the
proper way SPF should be used, if it must be used at all. The currently
omnipresent "-all" at the end of SPF records is in my opinion justified in only
one case: when it's the only item the SPF record specifies, i.e. the domain
declares it sends no mail at all. And it's the only case when receivers
should strictly respect SPF and outright reject all mail coming from such
domains. In all other cases, if the domain sends *any* mail, that mail can
be forwarded; so "-all" doesn't make sense.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
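Richard's description above of how DMARC changes the SPF rule (the SPF domain must align with From:, not with a Sender: header), together with Jaroslaw's points about the organizational domain under a public suffix and about "-all" versus "?all", can be worked through with a small evaluator. This is an added example, not code from the thread or from OpenDMARC; the public-suffix set, SPF records, domain names and IP addresses are all constructed, and the SPF part understands only ip4: and the all qualifiers.

```python
"""DMARC evaluation as discussed in the thread: SPF and DKIM each yield a
result plus the domain they authenticated, and DMARC passes only if at least
one of them passes AND that domain aligns with the RFC5322.From domain.
Added illustration with constructed data; the SPF evaluator handles only
ip4: mechanisms and the 'all' qualifiers (enough to contrast -all with ?all)."""
import ipaddress

# Constructed public-suffix set. 'eu.org' is included to model the case in the
# thread, where rafa.eu.org, not eu.org, is the organizational domain.
PUBLIC_SUFFIXES = {"com", "org", "example", "eu.org"}

# Constructed SPF records for the scenarios below.
SPF_RECORDS = {
    "strict.example": "v=spf1 ip4:198.51.100.0/24 -all",   # the usual '-all'
    "lenient.example": "v=spf1 ip4:198.51.100.0/24 ?all",  # Jaroslaw's '?all'
    "list.example": "v=spf1 ip4:192.0.2.25 -all",          # the mailing list host
}


def organizational_domain(domain):
    """Longest matching public suffix plus one label (DMARC's organizational domain)."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(auth_domain, from_domain, mode):
    """'s' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_spf(record, client_ip):
    """Minimal check_host(): pass/fail/softfail/neutral from ip4: and all terms."""
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term == "all":
            return qualifiers[qual]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return qualifiers[qual]
    return "neutral"  # RFC 7208: no mechanism matched and no 'all' present


def evaluate_dmarc(from_domain, policy, spf, dkim_results, aspf="r", adkim="r"):
    """spf = (MAIL FROM domain, result); dkim_results = [(d= domain, result), ...].
    Returns (dmarc result, disposition the receiver should apply)."""
    spf_ok = spf[1] == "pass" and aligned(spf[0], from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim) for d, r in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy  # the p= value names the disposition directly


def scenarios():
    """Delivery paths discussed in the thread, for a From: at strict.example (p=reject)."""
    frm, rec = "strict.example", SPF_RECORDS["strict.example"]
    out = {}
    # Direct delivery from the domain's own server: SPF passes and is aligned.
    out["direct"] = evaluate_dmarc(frm, "reject", (frm, evaluate_spf(rec, "198.51.100.10")), [(frm, "pass")])
    # Plain forwarder keeps MAIL FROM but sends from an unlisted IP: SPF fails,
    # the untouched DKIM signature still passes and aligns, so DMARC passes.
    fwd_spf = (frm, evaluate_spf(rec, "203.0.113.9"))
    out["forwarder"] = evaluate_dmarc(frm, "reject", fwd_spf, [(frm, "pass")])
    # Tagging list: its own bounce address passes SPF for list.example (base SPF
    # would accept that), but DMARC requires alignment with From:, and the tag broke DKIM.
    list_spf = ("list.example", evaluate_spf(SPF_RECORDS["list.example"], "192.0.2.25"))
    out["tagging_list"] = evaluate_dmarc(frm, "reject", list_spf, [(frm, "fail")])
    # Same list re-signing with its own key: DKIM passes for list.example, still not aligned.
    out["list_resigned"] = evaluate_dmarc(frm, "reject", list_spf, [(frm, "fail"), ("list.example", "pass")])
    # Subdomain signer (d=mail.strict.example): relaxed alignment accepts it, strict does not.
    out["subdomain_relaxed"] = evaluate_dmarc(frm, "reject", fwd_spf, [("mail.strict.example", "pass")])
    out["subdomain_strict"] = evaluate_dmarc(frm, "reject", fwd_spf, [("mail.strict.example", "pass")], adkim="s")
    # A '?all' publisher forwarded: SPF is neutral rather than fail, but DMARC still needs DKIM.
    len_spf = ("lenient.example", evaluate_spf(SPF_RECORDS["lenient.example"], "203.0.113.9"))
    out["lenient_forwarded"] = evaluate_dmarc("lenient.example", "none", len_spf, [("lenient.example", "pass")])
    out["lenient_forwarded_unsigned"] = evaluate_dmarc("lenient.example", "none", len_spf, [])
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} {result}")
    print("organizational domain of rafa.eu.org:", organizational_domain("rafa.eu.org"))
```

Note that "?all" only changes the SPF verdict from fail to neutral; under DMARC neither counts as a pass, so a forwarded message from such a domain still needs an aligned DKIM signature to avoid the published policy.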

Re: Question about DMARC

Jaroslaw Rafa
In reply to this post by Richard Damon
On 22.11.2019 at 07:24:03 Richard Damon wrote:
>
> Base SPF works through a traditional forwarder, because the base rules
> for SPF allow the message to pass based on the domain of the Sender:
> header, not just the From:. A proper forwarder will add a Sender: header
> for itself, to indicate that while it was not the originator of the
> message, it was the last one to send it.

AFAIK no mainstream MTA adds the "Sender:" header when forwarding mail,
either via a .forward file, via /etc/aliases, a virtual users table or any other
means. Postfix doesn't do it either. You would probably need to forward via
some specially crafted script to achieve this.

> SPF works just fine as designed, because it was designed as a HELPER for
> receivers, not intending to be an all encompassing solution. If I, the
> receiver of the message see that the message passed SPF, AND I trust the
> domain that sent the message, then I can be fairly sure that the message
> is legitimate.

So I guess SPF should be used in such a way that it gives the message a
"positive" score (i.e. non-spam - in most spam filtering software it's
actually a negative number :)) if SPF passes, and if it fails, it's simply
ignored and other criteria are used to determine if the message is spam or
non-spam?
Yes, I would agree with such use of SPF. But in reality it is much more often
used in exactly the opposite way, i.e. the message gets some spam score if SPF
fails, but if it passes, it's usually just zero.

> SPF is designed to help with 'white-listing'.

But it's now used mostly for blacklisting, i.e. if you fail the SPF check, you
are a suspected spammer. At least that's what Google and Microsoft do (and
probably a couple of other big email providers as well).

> the reason that Yahoo at least adopted it was that they had so many
> security breaches that leaked out their users address books, that a very
> real problem was yahoo members getting emails claiming to be from
> friends that were actually attack vectors, that they couldn't keep up
> with other measures to try and block it.

Yes, that is true. On a mail server which I administered a few years ago, we
had so many spam and phishing messages apparently coming from the Yahoo domain
that I had to take extreme measures and reject mail from that domain
altogether. However, in the rejection message I put a link to a web page
where one could whitelist him/herself by submitting their e-mail address via
the page. A legitimate sender would - hopefully - do it and thus be able to
re-send the message. The spammer usually won't, as they don't read rejection
messages, and even if they did, they wouldn't have time to deal with this
procedure.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."