Microsoft O365 labels nanog potential fraud?

Carl Byington carl at
Thu Mar 30 06:28:18 UTC 2017

Hash: SHA512

On Thu, 2017-03-30 at 15:21 +1100, Mark Andrews wrote:
> Well you should be checking the correct TXT record for SPF.

> dig txt +short
> "v=spf1 ip4: ip4: -all"

Hm, a closer reading of rfc7489 sheds some light on this:

Would dmarc-spf consider to be 'aligned' with the
from header domain? It is neither a child nor parent of

The _dmarc txt record for has no aspf: tag, so we should
be operating in spf/dkim relaxed alignment mode.

rfc7489, when discussing relaxed identifier alignment, says the
"Organizational Domain" of the identifiers must match. But there is no
explicit example of that. Instead, the examples talk about one of the
identifiers being a parent of the other identifier.

The envelope from and the 2822 header from have the same organizational domain. If we ignore
the examples in rfc7489, it looks like this is NOT broken.

I am probably not the only one that wrote code matching on the
parent/child relationship of the identifiers, rather than computing the
Organizational Domains and matching those.

As Mr. Hodgson pointed out, has very recently started sending
mail with multiple dkim signatures, and 2822
header from =

Now off to fix my code.

Version: GnuPG v2.0.14 (GNU/Linux)


More information about the NANOG mailing list