Microsoft O365 labels nanog potential fraud?
carl at five-ten-sg.com
Wed Mar 29 21:28:30 UTC 2017
On Wed, 2017-03-29 at 09:24 -0700, Alan Hodgson wrote:
> So for DMARC+SPF to pass not only must the message come from a source
> authorized by the envelope sender domain, but that domain must be the
> same domain (or parent domain or subdomain) of the header From:
> For DMARC+DKIM to pass, the DKIM signature must pass and the DKIM
> signing domain must be the same domain (or parent domain or subdomain)
> of the header From: address.
> Again, DMARC requires only one or the other mechanism to pass. So
> messages forwarded intact should be OK if they have an aligned DKIM
Brad Knowles wrote:
> ...and it's easy to set things up in a way that you wind up shooting
> yourself in the foot -- and possibly with a large thermonuclear
For an example of that (unless I am misunderstanding something), we
--> Hello marketo-email.box.com [18.104.22.168], pleased to meet you
<-- MAIL FROM:<$MUNGED at marketo-email.box.com>
<-- RCPT TO: ...
dkim pass header.d=mktdns.com
rfc2822 from header = $MUNGED at email.box.com
dig _dmarc.email.box.com txt +short
"v=DMARC1; p=reject; ..."
dig email.box.com txt +short
"v=spf1 ip4:22.214.171.124 -all"
So given the dmarc reject policy, it needs to pass either spf (which
fails 126.96.36.199 != 188.8.131.52), or dkim (which fails since it
is not signed by anything related to email.box.com).
Am I missing something, or is that just broken?
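The identifier-alignment rule quoted at the top of this message, as an added example that is not part of the original thread: it takes the SPF verdict for the envelope sender domain and the DKIM verdicts as inputs and reports whether either one is aligned with the header From: domain. Assumptions: `org_domain()` is a simplification that keeps the last two labels (real evaluators use the Public Suffix List), and because the published record's remaining tags are elided above, both relaxed and strict alignment are shown.

```python
# Added example: DMARC identifier alignment (RFC 7489), not code from the thread.

def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Strict mode needs an exact match; relaxed mode needs the same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf_result, mail_from_domain, dkim_sigs,
                 aspf_strict=False, adkim_strict=False):
    """
    spf_result       -- SPF verdict for the envelope sender (MAIL FROM) domain
    mail_from_domain -- domain of the envelope sender
    dkim_sigs        -- list of (verdict, d= domain) pairs, one per signature
    DMARC passes when at least one mechanism both passes and is aligned.
    """
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, aspf_strict)
    dkim_ok = any(verdict == "pass" and aligned(d, from_domain, adkim_strict)
                  for verdict, d in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

if __name__ == "__main__":
    # Domains taken from the message above; the SPF verdict is an input here,
    # so each possible outcome is evaluated rather than assumed.
    header_from = "email.box.com"
    envelope = "marketo-email.box.com"
    sigs = [("pass", "mktdns.com")]
    for spf in ("pass", "fail"):
        for strict in (False, True):
            r = dmarc_result(header_from, spf, envelope, sigs, aspf_strict=strict)
            print(f"spf={spf:4} aspf={'s' if strict else 'r'} -> {r}")
```

The DKIM signature from mktdns.com never contributes to a DMARC pass for this From: domain, whatever its own verdict, because the signing domain shares no organizational domain with it.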