On Fri, 6 Oct 2023, Andrew C Aitchison via mailop wrote:

On Thu, 5 Oct 2023, Bernardo Reino via mailop wrote:

 On Thu, 5 Oct 2023, Slavko via mailop wrote:

 On 2 Oct at 18:34, Brandon Long via mailop wrote:
  I've raised a bug to take a look, this looks like a too broad dkim
  replay rule.

 I am not sure if that is the same, but in the last two days I see these
 bounces from github's DMARC rua address for my DMARC reports:

    ** Message blocked **

     Your message to dm...@github.com has been blocked. See technical
     details below for more information.

    The response was:

    Message bounced due to organizational settings.

 The latest one contains in message/delivery-status (if that helps):

     Reporting-MTA: dns; googlemail.com
     Received-From-MTA: dns; prvs=064225bada=dmarc_rp...@slavino.sk
     Arrival-Date: Wed, 04 Oct 2023 18:21:05 -0700 (PDT)
     X-Original-Message-ID: <84e154c2366c2...@primex.skk>

     Final-Recipient: rfc822; dm...@github.com
     Action: failed
     Status: 4.4.2
     Diagnostic-Code: smtp; Message bounced due to organizational
     settings.
     Last-Attempt-Date: Wed, 04 Oct 2023 18:21:06 -0700 (PDT)

 I have the same issue. Unfortunately there's a lot of servers which
 request DMARC reports, but then outright reject them (or use an invalid
 address).

 My list of no_dmarc_reporting_domains.txt (in RSPAMD) keeps growing,
 slowly.

I trust that you are applying RFC 7489 section 7.1 where appropriate.
If the domain for dmarc reports is not the same as the requesting domain,
you must check that the report domain is willing to accept these reports.

This is unrelated, but yes, I believe DMARC considers that when deciding when/whom to send the reports.

In this case,

$ dig +short TXT _dmarc.github.com
"v=DMARC1; p=reject; pct=100; rua=mailto:dm...@github.com";

so reports for "github.com" are sent to a @github.com address, so it's not an "external destination" in the sense of RFC7489 [*]

It just so happens that the MX for github.com is google, but that should not have any impact -- aside from the fact that google seems to apply "organizational settings" or policies that effectively prevent the report from being delivered, but whether this is google's fault or (in this case) github's is something that I, as a sender, cannot know.

[*] for an example of a big server not doing this (i.e. not publishing the proper records) see gmx.net, where e.g. gmx.net says that reports should go to dmarcrep...@gmx.net, but the corresponding _report._dmarc TXT record is nowhere to be found.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
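
The RFC 7489 section 7.1 external-destination check discussed in this thread, as an added example that is not part of any poster's message or of any project's code: a report generator decides per rua host whether a report may be sent. The domains, addresses and TXT records are constructed, the dictionary-backed lookup stands in for real DNS, and the two-label organizational domain is a simplifying assumption in place of a Public Suffix List.

```python
# Added example: the RFC 7489 section 7.1 external-destination check.
# Every domain and TXT record here is constructed sample data.

def org_domain(host):
    # Assumption: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def rua_hosts(dmarc_record):
    """Return the destination host of each mailto: URI in the rua tag."""
    tags = {}
    for part in dmarc_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    hosts = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:") and "@" in uri:
            addr = uri[len("mailto:"):].split("!", 1)[0]  # drop "!10m" size limit
            hosts.append(addr.rsplit("@", 1)[1].lower())
    return hosts

def is_dmarc_txt(txt):
    # Section 7.1 step 5: "v=DMARC1" must be the first tag of the record.
    return txt.split(";", 1)[0].replace(" ", "").lower() == "v=dmarc1"

def report_targets(policy_domain, dmarc_record, lookup_txt):
    """Map each rua host to (may_send, reason). lookup_txt(name) -> list of TXT strings."""
    verdicts = {}
    for host in rua_hosts(dmarc_record):
        if org_domain(host) == org_domain(policy_domain):
            verdicts[host] = (True, "same organizational domain, no check needed")
            continue
        qname = f"{policy_domain}._report._dmarc.{host}"
        if any(is_dmarc_txt(t) for t in lookup_txt(qname)):
            verdicts[host] = (True, f"authorized by TXT at {qname}")
        else:
            verdicts[host] = (False, f"no valid TXT at {qname}, do not send")
    return verdicts

# Constructed zone data: only reports.example.net has opted in for example.com.
SAMPLE_TXT = {"example.com._report._dmarc.reports.example.net": ["v=DMARC1"]}
SAMPLE_RECORD = ("v=DMARC1; p=reject; rua=mailto:agg@example.com,"
                 "mailto:agg@reports.example.net!10m,mailto:agg@example.org")

def sample_lookup(name):
    return SAMPLE_TXT.get(name.lower(), [])

if __name__ == "__main__":
    for host, verdict in report_targets("example.com", SAMPLE_RECORD, sample_lookup).items():
        print(host, verdict)
```

A host that fails this check is a candidate for a local suppression list like the one mentioned in the thread; a same-domain destination that still bounces, as in the github.com case, is not caught by it.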