[dmarc-discuss] GMail rua report error?
Franck Martin
fmartin at linkedin.com
Wed Feb 1 14:43:28 PST 2012
Steve,
I think you need to analyze these reports and point to the bug. It is certainly possible there is a bug, but also this is the first time anyone can get a report on how their emails are seen (and I mean all their emails and more including fake ones) by a receiver. It brings a few surprises.
We are all still learning as we go.
From: Steve Henderson <steve.henderson at communicatorcorp.com>
Date: Wed, 1 Feb 2012 22:10:25 +0000
To: Monica Chew <mmc at googlers.com>
Cc: "dmarc-discuss at dmarc.org" <dmarc-discuss at dmarc.org>
Subject: Re: [dmarc-discuss] GMail rua report error?
Thanks Monica, I had thought of that, and others had suggested the same thing – as well as domain spoofing, but I am an ESP, sending millions of emails per day.
DKIM is passed for every single record, without exception, so I can’t see spoofing being the answer.
As an ESP we have stats and tracking averages which show that forward rates are normally sub-1%, but I am getting 20 times more failures reported than successes; this would be a forwarding rate 2000 times higher than average!!
I can’t see any valid scenario which could result in those figures.
Steve
From: Monica Chew [mailto:mmc at googlers.com]
Sent: 01 February 2012 18:13
To: Steve Henderson
Cc:
Subject: Re: [dmarc-discuss] GMail rua report error?
Hi Steve,
I work on Gmail spam. First, thanks for publishing a DMARC record! It's very exciting that records are being discovered as intended and producing reports, and better yet that people are trying to make sense of them :)
In the two examples you cite, the messages were forwarded. You can tell this because
<reason> <type>forwarded</type> <comment/> </reason>
appears in the XML. We report this because sometimes forwarding affects reporting, as in your case, or DMARC disposition. So, someone that your domain is sending to, is forwarding through hotmail to their gmail account. The complete enumeration of this field is on page 57 of http://www.dmarc.org/draft-dmarc-base-00-01.txt.
Hope that helps,
Monica
On Wed, Feb 1, 2012 at 9:01 AM, Steve Henderson <steve.henderson at communicatorcorp.com<mailto:steve.henderson at communicatorcorp.com>> wrote:
Hi there,
I have implemented DMARC domain authentication for one of my sending domains (communicatoremail.com) and have started to receive reports from Gmail.
I believe there is a reporting error because 95% of the records in the report are emails which do not originate from my IP ranges. I could accept a couple of spoofed domain attempts, but not 95% of the file.
How do I progress the investigation of this?
Many thanks,
Steve Henderson
My _DMARC record is at _dmarc.communicatoremail.com and is:
"v=DMARC1; p=none; rua=mailto:steve.henderson at communicatorcorp.com; ruf=mailto:steve.henderson at communicatorcorp.com; rf=afrf; pct=1;"
The following examples are from the rua (aggregate report).
Example 1 - Hotmail source IP (65.55.90.13) and sending domain in spf test, with my domain in DKIM test
<record>
  <row>
    <source_ip>65.55.90.13</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <reason> <type>forwarded</type> <comment/> </reason>
      <reason> <type>sampled_out</type> <comment/> </reason>
    </policy_evaluated>
  </row>
  <identities>
    <header_from>communicatoremail.com</header_from>
  </identities>
  <auth_results>
    <dkim>
      <domain>communicatoremail.com</domain>
      <result>pass</result>
      <human_result/>
    </dkim>
    <spf>
      <domain>live.co.uk</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>
Example 2 – everything tested against communicatoremail.com domain, but sending IP is wrong:
<record>
  <row>
    <source_ip>72.34.34.37</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <reason> <type>forwarded</type> <comment/> </reason>
      <reason> <type>sampled_out</type> <comment/> </reason>
    </policy_evaluated>
  </row>
  <identities>
    <header_from>communicatoremail.com</header_from>
  </identities>
  <auth_results>
    <dkim>
      <domain>communicatoremail.com</domain>
      <result>pass</result>
      <human_result/>
    </dkim>
    <spf>
      <domain>communicatoremail.com</domain>
      <result>hardfail</result>
    </spf>
  </auth_results>
</record>
Example 3 – everything passes, and originates from my IP ranges:
<record>
  <row>
    <source_ip>62.216.252.191</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <reason> <type>sampled_out</type> <comment/> </reason>
    </policy_evaluated>
  </row>
  <identities>
    <header_from>communicatoremail.com</header_from>
  </identities>
  <auth_results>
    <dkim>
      <domain>communicatoremail.com</domain>
      <result>pass</result>
      <human_result/>
    </dkim>
    <spf>
      <domain>communicatoremail.com</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>
Example Message Header
Delivered-To: steve.toonarmy at gmail.com
Received: by 10.227.159.79 with SMTP id i15cs184986wbx;
Wed, 1 Feb 2012 01:53:45 -0800 (PST)
Received: by 10.14.99.198 with SMTP id x46mr493293eef.92.1328090025122;
Wed, 01 Feb 2012 01:53:45 -0800 (PST)
Return-Path: <development at communicatoremail.com>
Received: from t00.communicatoremail.com (t00.communicatoremail.com. [62.216.253.220])
by mx.google.com with ESMTP id y9si14506251eeh.52.2012.02.01.01.53.44;
Wed, 01 Feb 2012 01:53:45 -0800 (PST)
Received-SPF: pass (google.com: domain of development at communicatoremail.com designates 62.216.253.220 as permitted sender) client-ip=62.216.253.220;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of development at communicatoremail.com designates 62.216.253.220 as permitted sender) smtp.mail=development at communicatoremail.com; dkim=pass (test mode) header.i=development at communicatoremail.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=communicatoremail.com;
h=List-Unsubscribe:MIME-Version:From:To:Date:Subject:Content-Type:Message-ID; i=development at communicatoremail.com;
bh=yOEBzJDoYdpMfCYpm4Aeii/QxQE=;
b=s9ES48VlMX7lWrzZ1Q4+HZz3gekQF+XdqQy6x7gOwKbrx68iPZexqzcdvde9BpseJWqcaiVUnBOT
BNxhjS5hkXwLhomwmLDIKMGw3LdDHkLY059crhouGIr6dZX0Ou7o23HRFVtW+Cj1/Yp5KdUGpxPP
X2kvB+goq6Nlb1Nb98Q=
________________________________
This email message has been delivered safely and archived online by Mimecast.
For more information please visit http://www.mimecast.com
________________________________
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss at dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
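
Added example (not part of the original thread, and not code from any of its participants): a triage pass over aggregate-report records that separates direct mail from forwarded mail whose DKIM signature survived, using the `forwarded` reason, the aligned DKIM/SPF results and the source IP. The CIDR in OWN_NETS is an assumption chosen to cover the two sender IPs shown above, the label names are made up for this sketch, and the XML is constructed from the three records in the thread.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: one CIDR covering the two sender IPs visible in the thread.
OWN_NETS = [ipaddress.ip_network("62.216.252.0/23")]

# Constructed input: the thread's three records, reduced to the fields used below.
_REC = ("<record><row><source_ip>{0}</source_ip><count>1</count><policy_evaluated>"
        "<disposition>none</disposition>{1}</policy_evaluated></row>"
        "<identities><header_from>communicatoremail.com</header_from></identities>"
        "<auth_results><dkim><domain>communicatoremail.com</domain>"
        "<result>pass</result></dkim><spf><domain>{2}</domain>"
        "<result>{3}</result></spf></auth_results></record>")
_FWD = "<reason><type>forwarded</type></reason>"
_SAMPLED = "<reason><type>sampled_out</type></reason>"
REPORT = "<feedback>" + "".join([
    _REC.format("65.55.90.13", _FWD + _SAMPLED, "live.co.uk", "pass"),
    _REC.format("72.34.34.37", _FWD + _SAMPLED, "communicatoremail.com", "hardfail"),
    _REC.format("62.216.252.191", _SAMPLED, "communicatoremail.com", "pass"),
]) + "</feedback>"

def aligned(auth_domain, from_domain):
    # Simplified relaxed alignment; real evaluators compare organizational domains (PSL).
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def classify(record):
    # Returns (source_ip, count, label) for one <record> element.
    from_dom = record.findtext("identities/header_from")
    reasons = {r.findtext("type") for r in record.iterfind("row/policy_evaluated/reason")}
    def ok(kind):  # True when an aligned "dkim" or "spf" result is "pass"
        return any(e.findtext("result") == "pass" and aligned(e.findtext("domain"), from_dom)
                   for e in record.iterfind("auth_results/" + kind))
    ip = record.findtext("row/source_ip")
    own = any(ipaddress.ip_address(ip) in net for net in OWN_NETS)
    if own and (ok("dkim") or ok("spf")):
        label = "direct"          # our infrastructure, DMARC passes
    elif ok("dkim") and "forwarded" in reasons:
        label = "forwarded"       # SPF saw the forwarder's IP; the DKIM signature survived
    else:
        label = "investigate"     # no aligned pass, or an unexplained source
    return ip, int(record.findtext("row/count")), label

def summarize(report_xml):
    rows = [classify(r) for r in ET.fromstring(report_xml).iterfind("record")]
    totals = Counter()
    for _, count, label in rows:
        totals[label] += count
    return rows, dict(totals)
```

Aggregate reports arrive from third parties, so a production parser should use a hardened XML library such as defusedxml rather than the standard-library parser used here.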