Microsoft O365 labels nanog potential fraud?

Carl Byington carl at five-ten-sg.com
Thu Mar 30 06:28:18 UTC 2017



On Thu, 2017-03-30 at 15:21 +1100, Mark Andrews wrote:
> Well you should be checking the correct TXT record for SPF.

> dig marketo-email.box.com txt +short
> "v=spf1 ip4:192.28.147.168 ip4:192.28.147.169 -all"

Hm, a closer reading of RFC 7489 sheds some light on this:

Would dmarc-spf consider marketo-email.box.com to be 'aligned' with the
from header email.box.com domain? It is neither a child nor parent of
email.box.com.

The _dmarc txt record for email.box.com has no aspf: tag, so we should
be operating in spf/dkim relaxed alignment mode.

RFC 7489, when discussing relaxed identifier alignment, says the
"Organizational Domain" of the identifiers must match. But there is no
explicit example of that. Instead, the examples talk about one of the
identifiers being a parent of the other identifier.

The envelope from marketo-email.box.com and the 2822 header from
email.box.com have the same box.com organizational domain. If we ignore
the examples in RFC 7489, it looks like this is NOT broken.

I am probably not the only one who wrote code matching on the
parent/child relationship of the identifiers, rather than computing the
Organizational Domains and matching those.

As Mr. Hodgson pointed out, box.com has very recently started sending
mail with multiple dkim signatures, header.d=email.box.com and 2822
header from = email.box.com.

Now off to fix my code.


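An added example, not code from this thread or from any DMARC implementation, contrasting the two checks the post describes: the parent/child test against RFC 7489 relaxed alignment computed from Organizational Domains. The public suffix set embedded below is a constructed stand-in for the real Public Suffix List, and the domains are the ones from the thread.

```python
# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A real verifier must load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(fqdn: str) -> str:
    """Organizational Domain per RFC 7489 section 3.2: the longest
    matching public suffix plus one additional label to its left."""
    labels = fqdn.lower().rstrip(".").split(".")
    # Scanning from the full name toward the TLD finds the longest suffix first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return ".".join(labels)  # the name is itself a public suffix
            return ".".join(labels[i - 1:])
    # Unknown suffix: conservative fallback to the last two labels.
    return ".".join(labels[-2:])


def parent_child_aligned(spf_domain: str, from_domain: str) -> bool:
    """The heuristic the post describes: identifiers align only if equal or
    one is a sub-domain of the other. Not what RFC 7489 relaxed mode says."""
    a = spf_domain.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def rfc7489_aligned(spf_domain: str, from_domain: str, mode: str = "r") -> bool:
    """RFC 7489 SPF alignment. mode 'r' (relaxed, the default when the _dmarc
    record has no aspf= tag) compares Organizational Domains; 's' (strict)
    requires an exact match of the two identifiers."""
    a = spf_domain.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


if __name__ == "__main__":
    envelope_from = "marketo-email.box.com"  # RFC5321.MailFrom domain from the thread
    header_from = "email.box.com"            # RFC5322.From domain from the thread
    print("parent/child heuristic:", parent_child_aligned(envelope_from, header_from))
    print("RFC 7489 relaxed:", rfc7489_aligned(envelope_from, header_from))
    print("RFC 7489 strict:", rfc7489_aligned(envelope_from, header_from, "s"))
```

The parent/child test rejects the thread's pair while relaxed alignment accepts it, which is exactly the mismatch the post found.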