[AusNOG] [DKIM Failure] Re: Anyone knowledgeable from Mimecast here who can contact me off list?
Christopher Scholfield
CScholfield at heartland.com.au
Tue Oct 19 13:50:09 EST 2021
This is exactly what happened. Out of our three includes, two of them have another include within themselves. The other one has six. Apparently this has pushed our include amount to 12.
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Ross Fawcett
Sent: Tuesday, 19 October 2021 1:44 PM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] [DKIM Failure] Re: Anyone knowledgeable from Mimecast here who can contact me off list?
We see it fairly often, as companies take on multiple cloud services which need to send on behalf of their email domain. They all expect you to include their SPF, and they may have a few of their own includes, multiply this a few times with different services and you easily hit the limit.
- Ross
From: AusNOG <ausnog-bounces at lists.ausnog.net> On Behalf Of Noel Butler
Sent: Tuesday, 19 October 2021 10:34 AM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] [DKIM Failure] Re: Anyone knowledgeable from Mimecast here who can contact me off list?
Ahhh, so it does indeed count through them all, that would explain the extra lookups, first time I've ever heard of someone being rejected because of it, but, until OP lets us know what the reject was for, we won't know.
On 19/10/2021 12:23, Two Fat Monkeys - Dirk Bermingham wrote:
Whilst we're living on the edge here....
To quote the RFC:
"SPF implementations MUST limit the number of mechanisms and modifiers
that do DNS lookups to at most 10 per SPF check, including any
lookups caused by the use of the "include" mechanism or the
"redirect" modifier. If this number is exceeded during a check, a
PermError MUST be returned. The "include", "a", "mx", "ptr", and
"exists" mechanisms as well as the "redirect" modifier do count
against this limit. The "all", "ip4", and "ip6" mechanisms do not
require DNS lookups and therefore do not count against this limit.
The "exp" modifier does not count against this limit because the DNS
lookup to fetch the explanation string occurs after the SPF record
has been evaluated."
Chris' SPF was even more borked earlier... Those includes need to be trimmed a bit further to comply...
DB
From: AusNOG <ausnog-bounces at lists.ausnog.net> On Behalf Of Noel Butler
Sent: Tuesday, 19 October 2021 1:11 PM
To: ausnog at lists.ausnog.net
Subject: [DKIM Failure] Re: [AusNOG] Anyone knowledgeable from Mimecast here who can contact me off list?
Andrew,
This is likely off topic for this list, but anyway, since I live on the edge...
By my count there are only 3 not 10 mechanism lookups (and show me an implementation that actually stops at 10), I'm not so sure they should be counting the includes' includes/a/aaaa's either, only the include itself, as includes are typically out of your control (it has been a very long time since I read that RFC so may be wrong)
Anyway, if that was the issue, it would have surfaced long before now surely.
If I was a betting man, I'd say DNS caching is the cause, if I was a betting man, I'd also be betting someone didn't drop a TTL when preparing for the change, so will have to wait till records refresh.
Of course all this is assumption because OP never posted the actual error message.
Cheers
On 19/10/2021 09:07, Andrew Oakeley wrote:
Hi,
If I was you, I would start by fixing your SPF.
This will show you the errors
https://mxtoolbox.com/SuperTool.aspx?action=spf%3aheartland.com.au&run=toolpage
Andrew
From: AusNOG <ausnog-bounces at lists.ausnog.net> On Behalf Of Christopher Scholfield
Sent: Tuesday, 19 October 2021 7:04 AM
To: 'AusNOG Mailing List' <ausnog at ausnog.net>
Subject: [AusNOG] Anyone knowledgeable from Mimecast here who can contact me off list?
Yesterday we changed mail filters, Mimecast is the only email provider that has been rejecting our emails due to SPF problems for the last 20 odd hours. Mimecast technical support has told me their customers who aren't getting our emails need to contact them so their tech support can explain how to bypass their mail filters for our mail server.
I'd rather work with someone at Mimecast to resolve the cause of the problem.
--
Regards,
Noel Butler
This Email, including attachments, may contain legally privileged information, therefore at all times remains confidential and subject to copyright protected under international law. You may not disseminate this message without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.
This message is intended for the addressee named and may contain confidential information.
If you are not the intended recipient, please destroy it and notify the sender. Views expressed
in this message are those of the individual sender, and are not necessarily the views of Heartland Motors.
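The lookup counting discussed in this thread, as an added example that is not part of any poster's message: it counts every term the quoted RFC text says costs a DNS lookup and follows `include`/`redirect` targets recursively. The zone is constructed, with hypothetical names shaped like the record described at the top of the thread (three includes, two with one nested include, one with six); the extra `mx` term is an assumption.

```python
# Added example: count SPF terms that trigger DNS lookups, following includes.
# ZONE is a constructed stand-in for DNS TXT answers; all names are hypothetical.
LOOKUP_LIMIT = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

ZONE = {
    "example.com": "v=spf1 mx include:filter.example include:crm.example include:bulk.example -all",
    "filter.example": "v=spf1 include:_net.filter.example ~all",
    "_net.filter.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "crm.example": "v=spf1 include:_net.crm.example ~all",
    "_net.crm.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "bulk.example": "v=spf1 " + " ".join(f"include:_n{i}.bulk.example" for i in range(1, 7)) + " ~all",
    **{f"_n{i}.bulk.example": "v=spf1 ip6:2001:db8::/32 ~all" for i in range(1, 7)},
}


def parse_term(term):
    """Split one SPF term into (name, target); target is None when absent."""
    term = term.lstrip("+-~?")              # the qualifier does not affect counting
    if term.startswith("redirect="):
        return "redirect", term.split("=", 1)[1]
    name, _, rest = term.partition(":")
    name = name.split("/", 1)[0]            # "a/24" and "mx/24" carry only a CIDR
    return name.lower(), (rest.split("/", 1)[0] or None)


def count_lookups(domain, zone=ZONE, path=()):
    """Return the number of DNS-querying terms reached from domain's record."""
    if domain in path or domain not in zone:    # include loop, or no record
        return 0
    total = 0
    for term in zone[domain].split()[1:]:       # skip the "v=spf1" version tag
        name, target = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1                          # the term itself costs one lookup
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, path + (domain,))  # plus its own
    return total


def check(domain, zone=ZONE):
    """Return (count, verdict); more than 10 lookups is a PermError."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LOOKUP_LIMIT else "ok")


if __name__ == "__main__":
    print(check("example.com"))
```

Each provider's record passes when checked alone; the limit is only exceeded once the records are combined under one domain.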