I’ll +1 to Jethro’s comments.  NCSC will give you free DMARC reporting.  We’ve 
done as Strathclyde and pushed services out into subdomains.  The top level 
domain is just us and specific suppliers used for official comms. It wasn’t too 
painful in the end but we spent a lot of time in report only mode working out 
who we’d be cutting off.

Cheers,
                Duncan

--
The University of St Andrews is a charity registered in Scotland : No SC013532
From: mailop <mailop-boun...@mailop.org> On Behalf Of Jethro Binks via mailop
Sent: 11 January 2023 14:25
To: mailop@mailop.org
Subject: Re: [mailop] Intentionally vague SPF records.

> +1 to Mark's comments... Without discovery you'll never know if you're over 
> the limits or not.

That's not the point though.  It might be fine today.  But at any time any one 
of those providers could change a record you are including from them, and take 
you over the limit, effectively a DoS on your email which is totally out of 
your hands.

Don't allow yourself to be placed in that situation.  Get some DMARC reporting 
set up, and start working through the data to get a better idea of the scale of 
the issue, and work on the senders to get them to change.  In our case, we tend 
to shuffle them into subdomains for the specific purpose.  But yeah it can be a 
lot of work over a long time, but that time won't get any shorter until you 
start it 🙂.

> (it's a UK University, where there's no obligation for colleges to use IT 
> services).

Your top-level Uni email domain is a central University IT resource not a 
college one, so you get to define the conditions by which it is used, over time 
(yes, easier said than done!).

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in Scotland, 
number SC015263.

________________________________
From: mailop <mailop-boun...@mailop.org> on behalf of Matt Vernhout via mailop <mailop@mailop.org>
Sent: 11 January 2023 13:55
To: mailop@mailop.org
Subject: Re: [mailop] Intentionally vague SPF records.

+1 to Mark's comments... Without discovery you'll never know if you're over the 
limits or not.

Set up a p=none policy, and see where the mail is coming from.

You may need to update systems, or change some domains to use subdomains, or a 
different MailFrom: etc... but if massive global corporations like Disney, HP, 
and Oracle can figure it out, you can too.

A lot of DMARC reporting services will likely offer some kind of SPF flattening 
as part of their services without extra cost.

~ MV


On Wed, Jan 11, 2023 at 8:29 AM Mark Alley via mailop <mailop@mailop.org> wrote:

What makes you think you'd go over the limit if you haven't done the discovery? 
You might be surprised that you may not exceed the lookup count, as with 
optimization/analysis and proper SPF design (even without flattening), the 
lookup count can be quite easily managed. This sounds like a prime candidate 
for your mail source discovery with DMARC 
reporting <https://dmarcvendors.com/>.

Using ?all (neutral) might be best for deliverability's sake while you build 
out this SPF record during discovery. This would have the same effect as your 
current scenario of having no SPF record, while still allowing for positive 
matches of your legitimate known mail-flow until you get to a point you move to 
~all.

- Mark Alley
On 1/11/2023 7:08 AM, Simon Burke via mailop wrote:
All,

This is an odd scenario, but sadly one I find myself in.

Work is a large organisation, and currently does not have an SPF record. The 
reason is that there are a large (and unknown) number of internal and external 
parties that send mail on our domain, as well as sub-domains.

So, even if we do determine who sends email on the domain, we would then have 
an issue with max lookups and record length.

I know we can use an SPF flattening service. However, that either has a cost, 
or, although we can develop something in house, there's a 'bought not built' 
ethos being pushed by management.

As an out-of-the-box idea, what would the potential impact be of having an SPF 
record stating just:

"V=spf1 a mx +all"

How bad an idea would this be, if we also had a DMARC record set to either 
quarantine or reject?

Regards,

Simon
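Added example, not code from any poster on this thread: a small Python analyser that puts numbers behind the two points argued above, Mark's advice that the RFC 7208 limit of 10 DNS-lookup terms can be managed once you know what your record actually expands to, and the meaning of the trailing qualifier in Simon's proposed "v=spf1 a mx +all". It walks a constructed in-memory zone (every domain name in ZONE is invented; no real DNS is queried), follows include and redirect recursively, reports the worst-case lookup total, and explains what "+all", "?all", "~all" and "-all" do to unauthorised senders.

```python
"""Static SPF record analysis: count DNS-lookup terms (following include and
redirect) against the RFC 7208 limit of 10, and classify the "all" qualifier.

The ZONE below is constructed for illustration; no real DNS is queried.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
# Mechanisms that each cost one DNS lookup; redirect= is counted when followed.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

QUALIFIER_MEANING = {
    "+": "pass: every host on the internet passes SPF for this domain",
    "?": "neutral: same outcome as publishing no SPF record at all",
    "~": "softfail: unauthorised senders are marked but usually delivered",
    "-": "fail: unauthorised senders are rejected",
}

# Constructed zone: domain -> SPF TXT record (hypothetical names only).
ZONE = {
    "example.ac.uk": "v=spf1 a mx include:_spf.saas.example include:mailer.example ~all",
    "_spf.saas.example": "v=spf1 include:a.saas.example include:b.saas.example ip4:198.51.100.0/24 -all",
    "a.saas.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "b.saas.example": "v=spf1 a mx ptr -all",
    "mailer.example": "v=spf1 exists:%{i}.spf.mailer.example redirect=_r.mailer.example",
    "_r.mailer.example": "v=spf1 mx -all",
}

# qualifier, mechanism/modifier name, optional argument after ':' '=' or '/'
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_-]*)(?:([:=/])(.*))?$", re.I)


def parse_terms(record: str) -> list[tuple[str, str, str | None]]:
    """Split an SPF record into (qualifier, name, argument) triples.
    The version tag and names are matched case-insensitively (ABNF literals are)."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    terms = []
    for tok in parts[1:]:
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"unparseable term: {tok!r}")
        qual, name, _sep, arg = m.groups()
        terms.append((qual or "+", name.lower(), arg))  # missing qualifier means "+"
    return terms


@dataclass
class SpfReport:
    domain: str
    lookups: int = 0
    all_qualifier: str | None = None
    errors: list[str] = field(default_factory=list)

    @property
    def exceeds_limit(self) -> bool:
        return self.lookups > LOOKUP_LIMIT

    @property
    def verdict(self) -> str:
        if self.errors:
            return "permerror: " + "; ".join(self.errors)
        if self.exceeds_limit:
            return f"permerror: {self.lookups} DNS lookups exceed the limit of {LOOKUP_LIMIT}"
        meaning = QUALIFIER_MEANING.get(self.all_qualifier, "no 'all' term: default result is neutral")
        return f"{self.lookups} lookups; {meaning}"


def analyse(domain: str, zone: dict[str, str], _seen: frozenset[str] = frozenset()) -> SpfReport:
    """Worst-case lookup count for `domain` (the path where nothing matches before 'all')."""
    report = SpfReport(domain)
    if domain in _seen:
        report.errors.append(f"include/redirect loop at {domain}")
        return report
    record = zone.get(domain)
    if record is None:
        report.errors.append(f"no SPF record for {domain}")
        return report
    seen = _seen | {domain}
    redirect_target = None
    for qual, name, arg in parse_terms(record):
        if name in LOOKUP_MECHANISMS:
            report.lookups += 1
        if name == "include" and arg:
            sub = analyse(arg, zone, seen)
            report.lookups += sub.lookups
            report.errors.extend(sub.errors)
        elif name == "redirect" and arg:
            redirect_target = arg
        elif name == "all":
            report.all_qualifier = qual
            break  # terms after "all" are never evaluated
    # redirect= is only followed (and only costs a lookup) when the record has no "all".
    if report.all_qualifier is None and redirect_target:
        sub = analyse(redirect_target, zone, seen)
        report.lookups += 1 + sub.lookups
        report.errors.extend(sub.errors)
        report.all_qualifier = sub.all_qualifier
    return report


if __name__ == "__main__":
    demo = dict(ZONE, **{"wide-open.example": "V=spf1 a mx +all"})
    for d in ("example.ac.uk", "mailer.example", "wide-open.example"):
        print(f"{d}: {analyse(d, demo).verdict}")
```

Running it shows example.ac.uk expanding to 12 lookups (a permerror at receivers, exactly the "provider changes their include and takes you over the limit" failure Jethro describes), while "V=spf1 a mx +all" costs only 2 lookups but authorises every host on the internet, so DMARC alignment on SPF becomes meaningless for that domain.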

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop