Hi everyone,

I'm currently giving DMARC a try and I'm wondering how to use it within my setup.

The domains that are hosted on my exim4u based installation all use mail.foo.tld as their imap and smtp server. That is because I require my customers to use SSL/TLS connections and this way I only have to manage one central certificate.

All domains have their SPF records and hostname.foo.tld has a valid DKIM record. So far so good.

But: DMARC (as far as I understand the whole process) seems to check each _domain_'s DKIM, right? And the way exim4u works (again: as far as I understand it) it's the server's DKIM that is used to sign outgoing mail.

I signed up for dmarcian.com's DMARC reports - a service that collects and analyzes your DMARC reports - and it tells me that all domains (but foo.tld) lack DKIM signature.

I've set the DMARC policy to "none" for every domain so that shouldn't be a major problem for now. Still I'm wondering if there's a way to set up exim4u to sign mails using the domain's DKIM, not the server's.

Has anyone experience using DMARC? With or without exim4u? Am I missing something? Any tips or hints are highly appreciated.

thanks, Mika

Hi,

If you send an email from any of your domains but foo.tld to a gmail account and have a look at the message header received in the gmail account, does the header report DKIM success such as:

Authentication-Results: mx.google.com;
    dkim=pass (test mode) header.i=@anybutfoo.tld;
    spf=pass (google.com: domain of joe(a)anybutfoo.tld designates 92.132.12.72 as permitted sender)

Thomas

On Tue, 17 May 2016 10:21:57 +0200 Kreuder <mk(a)singular.de> wrote:
> Hi everyone,
>
> I'm currently giving DMARC a try and I'm wondering how to use it within my setup.
>
> The domains that are hosted on my exim4u based installation all use mail.foo.tld as their imap and smtp server. That is because I require my customers to use SSL/TLS connections and this way I only have to manage one central certificate.
>
> All domains have their SPF records and hostname.foo.tld has a valid DKIM record. So far so good.
>
> But: DMARC (as far as I understand the whole process) seems to check each _domain_'s DKIM, right? And the way exim4u works (again: as far as I understand it) it's the server's DKIM that is used to sign outgoing mail.
>
> I signed up for dmarcian.com's DMARC reports - a service that collects and analyzes your DMARC reports - and it tells me that all domains (but foo.tld) lack DKIM signature.
>
> I've set the DMARC policy to "none" for every domain so that shouldn't be a major problem for now. Still I'm wondering if there's a way to set up exim4u to sign mails using the domain's DKIM, not the server's.
>
> Has anyone experience using DMARC? With or without exim4u? Am I missing something? Any tips or hints are highly appreciated.
>
> thanks, Mika
_______________________________________________ users mailing list users(a)exim4u.org https://exim4u.org/mailman/listinfo/users

On 17.05.16 23:14 Thomas Carrie [via Exim4U General Discussion] wrote:
> Hi,
>
> If you send an email from any of your domains but foo.tld to a gmail account and have a look at the message header received in the gmail account, does the header report DKIM success such as:
>
> Authentication-Results: mx.google.com;
>     dkim=pass (test mode) header.i=@anybutfoo.tld;
>     spf=pass (google.com: domain of [hidden email] designates 92.132.12.72 as permitted sender)
>
> Thomas

Hi,

it says:

Authentication-Results: mx.google.com;
    dkim=pass (test mode) header.i=@hostname.foo.tld;
    spf=pass (google.com: domain of user(a)domain.tld designates 2a01:xxx:xxx:xxx::2 as permitted sender) smtp.mailfrom=user(a)domain.tld;
    dmarc=pass (p=NONE dis=NONE) header.from=domain.tld

It's more or less the result I expected. My (potential) problem is that DMARC seems to compare domain.tld's DKIM and therefore reports for all domains (but foo.tld): "No DMARC reports received yet which confirm DKIM signing."

I'm not 100% sure this is an exim4u question at all so I apologize if I'm barking up the wrong tree. Just tell me to bugger off and bother another list.

Just thought with exim(4u) sending the mails it might be a configuration thing. Not?

How do you guys handle DMARC? I can't imagine everyone is using one SSL certificate per domain.

thanks, Mika
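
An added example, not part of any post in this thread: it parses the Authentication-Results header from Mika's reply and checks DMARC identifier alignment in relaxed mode. DMARC passes when either SPF or DKIM passes with a domain aligned to header.from; here SPF is aligned with domain.tld while the DKIM signature belongs to hostname.foo.tld. The parser and the two-label `org_domain` shortcut are assumptions made for this sketch.

```python
import re

# Constructed input: the header from Mika's reply, as shown in the archive
# (addresses obfuscated with "(a)", IPv6 address masked).
SAMPLE = (
    "Authentication-Results: mx.google.com; "
    "dkim=pass (test mode) header.i=@hostname.foo.tld; "
    "spf=pass (google.com: domain of user(a)domain.tld designates "
    "2a01:xxx:xxx:xxx::2 as permitted sender) smtp.mailfrom=user(a)domain.tld; "
    "dmarc=pass (p=NONE dis=NONE) header.from=domain.tld"
)

def org_domain(name):
    """Assumption: last two labels. Real checks use the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def parse_authres(header):
    """Return {method: [{"result": ..., property: value, ...}, ...]}."""
    body = header.split(":", 1)[1].replace("(a)", "@")  # undo archive masking
    body = re.sub(r"\([^()]*\)", " ", body)             # drop (comments)
    methods = {}
    for clause in body.split(";")[1:]:                  # [0] is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        entry = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entry["result"] = result.lower()
        methods.setdefault(method.lower(), []).append(entry)
    return methods

def dmarc_alignment(header):
    """Relaxed identifier alignment of each passing method with header.from."""
    m = parse_authres(header)
    from_dom = org_domain(m["dmarc"][0]["header.from"])

    def aligned(method, props):
        # header.i's domain is d= or a subdomain of it, so its organizational
        # domain is the same one DMARC compares against.
        return any(
            r["result"] == "pass"
            and any(org_domain(r[p].rsplit("@", 1)[-1]) == from_dom
                    for p in props if p in r)
            for r in m.get(method, []))

    dkim = aligned("dkim", ("header.d", "header.i"))
    spf = aligned("spf", ("smtp.mailfrom",))
    return {"from": from_dom, "dkim_aligned": dkim, "spf_aligned": spf,
            "dmarc_pass": dkim or spf}

if __name__ == "__main__":
    print(dmarc_alignment(SAMPLE))
```

If the same message were signed with a key for domain.tld, `dkim_aligned` would become true as well.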

I am using one cert; mx records for all domains point to the one mail server. While I am interested in DMARC I am not currently utilizing it. I would be interested in what you find out.

-----Original Message-----
From: users [mailto:users-bounces(a)exim4u.org] On Behalf Of Kreuder
Sent: Wednesday, May 18, 2016 1:47 AM
To: users(a)exim4u.org
Subject: Re: [Exim4U] Exim4u and DMARC

On 05/18/2016 04:46 AM, Kreuder wrote:
> I'm not 100% sure this is an exim4u question at all so I apologize if I'm barking up the wrong tree. Just tell me to bugger off and bother another list.
>
> Just thought with exim(4u) sending the mails it might be a configuration thing. Not?
>
> How do you guys handle DMARC? I can't imagine everyone is using one SSL certificate per domain.

Hi Mika,

Using the Exim4U list for this DMARC discussion is totally appropriate so no worries about that. Sorry that you haven't yet found the solution to your problem though. Hopefully, you will soon figure this out and tell the rest of us how to do it.

On my servers I am currently using DKIM and SPF and I have used DomainKeys in the past. However, I have not yet tried to use DMARC which is supposed to be based on a combination of SPF and DKIM. So, I am not going to be any help here either.

You might consider posting your question to the dmarc-discuss list at lists.dmarc.org or the exim-users list at exim.org.

I will be interested to hear your eventual resolution.

Thanks, Gordon

participants (4)
- Gordon Dickens
- Helmut Fritz
- Kreuder
- Thomas Carrié