
Mailing List Archive: exim: users

DMARC and Exim

 

 



ojhowe at gmail

Jan 31, 2012, 1:32 AM

Post #1 of 9
DMARC and Exim

Hi,

Does anyone have any experience of using DMARC?

See http://dmarc.org/overview.html

and

http://www.returnpath.net/blog/intheknow/2012/01/return-path-joins-with-gmail-aol-yahoo-and-microsoft-to-found-dmarc-org-to-help-safeguard-consumers-brands-and-isps-from-phishing/
and http://returnpath.net/commercialsender/domainassurance/dmarc/

It looks like it is some kind of DNS record that checks if a domain
has SPF and DKIM. If so, I guess a filter could be added to my inbound
SMTP servers so that messages are actioned according to the DMARC
policy (quarantine, reject etc) returned by the sender domain's DNS
record.

Thanks,

Oliver

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim-users at lists

Jan 31, 2012, 2:32 AM

Post #2 of 9
Re: DMARC and Exim

On 31/01/12 09:32, Oliver Howe wrote:

> Does anyone have any experience of using DMARC?

Nope.

> See http://dmarc.org/overview.html

Looks interesting.

> http://www.returnpath.net/blog/intheknow/2012/01/return-path-joins-with-gmail-aol-yahoo-and-microsoft-to-found-dmarc-org-to-help-safeguard-consumers-brands-and-isps-from-phishing/
> and http://returnpath.net/commercialsender/domainassurance/dmarc/
>
> It looks like it is some kind of DNS record that checks if a domain
> has SPF and DKIM. If so, I guess a filter could be added to my inbound
> SMTP servers so that messages are actioned according to the DMARC
> policy (quarantine, reject etc) returned by the sender domain's DNS
> record.

My SPF record already states that *all* email from my domain must come
from a certain server, and the ADSP record for my domain already states
that *all* email from my domain must have a valid DKIM signature:

mike@alf:~$ dig +short txt grepular.com
"v=spf1 include:spf.grepular.com -all"
mike@alf:~$ dig +short txt _adsp._domainkey.grepular.com
"dkim=all"
mike@alf:~$

--
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4


marc at perkel

Feb 3, 2012, 11:11 AM

Post #3 of 9
Re: DMARC and Exim

Just a quick question. SPF breaks email forwarding. Does DMARC get
around this limitation?

On 1/31/2012 1:32 AM, Oliver Howe wrote:
> Hi,
>
> Does anyone have any experience of using DMARC?
>
> See http://dmarc.org/overview.html
>
> and
>
> http://www.returnpath.net/blog/intheknow/2012/01/return-path-joins-with-gmail-aol-yahoo-and-microsoft-to-found-dmarc-org-to-help-safeguard-consumers-brands-and-isps-from-phishing/
> and http://returnpath.net/commercialsender/domainassurance/dmarc/
>
> It looks like it is some kind of DNS record that checks if a domain
> has SPF and DKIM. If so, I guess a filter could be added to my inbound
> SMTP servers so that messages are actioned according to the DMARC
> policy (quarantine, reject etc) returned by the sender domain's DNS
> record.
>
> Thanks,
>
> Oliver
>



exim-users at spodhuis

Feb 3, 2012, 7:30 PM

Post #4 of 9
Re: DMARC and Exim

On 2012-02-03 at 11:11 -0800, Marc Perkel wrote:
> Just a quick question. SPF breaks email forwarding. Does DMARC get
> around this limitation?

DMARC is based on DKIM, which is unrelated to SPF.

The problem with DKIM is mailing-lists; any verifier needs to account
for those and decide what to do about broken signatures in the event
that it looks as though a list has been in the way. The one DMARC
verifier I've seen responses from accounts for that.

DMARC is an alternative to ADSP. It allows for an organisation domain,
which can have a default policy for all sub-domains, with some
heuristics to find the organisational domain (much as web-browsers use
for cutting off cross-domain cookies, using the same list of delegating
domains). DMARC allows for non-enforcing notifications.

If you spend the time to read the website and specification you'll learn
how to construct the TXT record for DNS, and the name to publish it
under, to let you get reports back from mail providers about the mail
they see that purports to be from you.

I go into some of the unforeseen ramifications at:
http://bridge.grumpy-troll.org/2012/02/how-private-is-your-mailing-list.html

--
https://twitter.com/syscomet



dwmw2 at infradead

Feb 6, 2012, 7:58 AM

Post #5 of 9
Re: DMARC and Exim

On Fri, 2012-02-03 at 11:11 -0800, Marc Perkel wrote:
> Just a quick question. SPF breaks email forwarding. Does DMARC get
> around this limitation?

AFAICT it makes it worse, by applying SPF rules to the From: header
instead of just the reverse-path.

And there's no way to advertise a DMARC record that says "ignore any SPF
records and apply *only* DKIM".

DMARC just looks like another train-wreck to me.

--
dwmw2




msk at cloudmark

Feb 6, 2012, 2:25 PM

Post #6 of 9
Re: DMARC and Exim

> -----Original Message-----
> From: exim-users-bounces+msk=cloudmark.com [at] exim [mailto:exim-users-bounces+msk=cloudmark.com [at] exim] On Behalf Of David Woodhouse
> Sent: Monday, February 06, 2012 7:58 AM
> To: Marc Perkel
> Cc: exim-users [at] exim; Oliver Howe
> Subject: Re: [exim] DMARC and Exim
>
> And there's no way to advertise a DMARC record that says "ignore any
> SPF records and apply *only* DKIM".

...which would mean "I advertise an SPF policy, but I know it's broken, so you should ignore that and just use DKIM." I don't think I'd trust such a person's DMARC policy either.

> DMARC just looks like another train-wreck to me.

Yes, your negative view on the dmarc-discuss list has been thoroughly presented. There's no need to pollute this list with it. People here that are interested should go over there to talk about it as it's really off-topic here.

-MSK



msk at cloudmark

Feb 6, 2012, 2:27 PM

Post #7 of 9
Re: DMARC and Exim

> -----Original Message-----
> From: exim-users-bounces+msk=cloudmark.com [at] exim [mailto:exim-users-bounces+msk=cloudmark.com [at] exim] On Behalf Of Marc Perkel
> Sent: Friday, February 03, 2012 11:11 AM
> To: Oliver Howe
> Cc: exim-users [at] exim
> Subject: Re: [exim] DMARC and Exim
>
> Just a quick question. SPF breaks email forwarding. Does DMARC get
> around this limitation?

Yes, by also considering the DKIM result. See http://www.dmarc.org/draft-dmarc-base-00-01.html, or join the dmarc-discuss mailing list, for more information.

-MSK



msk at cloudmark

Feb 6, 2012, 2:27 PM

Post #8 of 9
Re: DMARC and Exim

> -----Original Message-----
> From: exim-users-bounces+msk=cloudmark.com [at] exim [mailto:exim-users-bounces+msk=cloudmark.com [at] exim] On Behalf Of Phil Pennock
> Sent: Friday, February 03, 2012 7:31 PM
> To: Marc Perkel
> Cc: exim-users [at] exim; Oliver Howe
> Subject: Re: [exim] DMARC and Exim
>
> On 2012-02-03 at 11:11 -0800, Marc Perkel wrote:
> > Just a quick question. SPF breaks email forwarding. Does DMARC get
> > around this limitation?
>
> DMARC is based on DKIM, which is unrelated to SPF.

It's actually based on both.

-MSK



dwmw2 at infradead

Feb 6, 2012, 2:41 PM

Post #9 of 9
Re: DMARC and Exim

On Mon, 2012-02-06 at 14:25 -0800, Murray S. Kucherawy wrote:
> > And there's no way to advertise a DMARC record that says "ignore any
> > SPF records and apply *only* DKIM".
>
> ...which would mean "I advertise an SPF policy, but I know it's
> broken, so you should ignore that and just use DKIM." I don't think
> I'd trust such a person's DMARC policy either.

An SPF policy could be correct for the reverse-path, but incorrect for
the From: header and thus incorrect for DMARC, could it not?

--
dwmw2
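
Added example, not written by any poster in this thread: a simplified DMARC evaluation showing the points argued in posts #4, #5, #7 and #9, namely that SPF and DKIM results only count when their domain aligns with the From: header domain, and that either one aligning is enough. The domains, the sample record and the small suffix set are constructed assumptions; tags such as sp= and pct= are ignored.

```python
# Added illustration, not code from any poster. Domains, record and suffix set are constructed.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}  # tiny stand-in for the Public Suffix List

def org_domain(domain):
    """Organisational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def lookup_names(from_domain):
    """DNS names to query for the policy: the From: domain, then its organisational domain."""
    names = ["_dmarc." + from_domain.lower()]
    fallback = "_dmarc." + org_domain(from_domain)
    if fallback not in names:
        names.append(fallback)
    return names

def parse_dmarc(txt):
    """Return the record's tag/value pairs, or None if it is not a DMARC record."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    return tags if tags.get("v") == "DMARC1" else None

def aligned(auth_domain, from_domain, mode):
    """Strict ("s") needs an exact match; relaxed ("r") compares organisational domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, from_domain, spf, dkim):
    """spf is (result, reverse-path domain); dkim is a list of (result, d= domain).
    Returns "pass", or the policy the domain owner asked receivers to apply."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-record"
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim)
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")

RECORD = "v=DMARC1; p=reject; rua=mailto:reports@example.com"  # constructed sample

# Forwarded mail: SPF fails at the forwarder, the aligned DKIM signature survives.
forwarded = evaluate(RECORD, "example.com", ("fail", "example.com"), [("pass", "example.com")])
# SPF passes for a third-party reverse-path that is not aligned with From:, no DKIM.
third_party = evaluate(RECORD, "example.com", ("pass", "bounce.mailer.net"), [])
# Mailing list: the list's own reverse-path passes SPF, a body change broke the DKIM signature.
via_list = evaluate(RECORD, "example.com", ("pass", "lists.example.org"), [("fail", "example.com")])
```

The second case is the one raised in post #9: the SPF record is correct for the reverse-path, yet the message gets the domain's reject policy because that reverse-path domain does not align with From:.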

