1. Your DMARC record is quite long, and goes over the 255 byte limit, which, depending on the implem

1. Your DMARC record is quite long, and goes over the 255 byte limit, which, depending on the implementation, MAY be able to break the parsing of the record.

;; ANSWER SECTION:
_dmarc.rydercragie.com. 300     IN      TXT     "v=DMARC1; p=reject; sp=reject; rua=mailto:ac916a4e488c43058046889432174d68@dmarc-reports.cloudflare.net,mailto:n8dvgnuk@ag.eu.dmarcadvisor.com,mailto:DMARC+RUA@RyderCragie.com; ruf=mailto:ac916a4e488c43058046889432174d68@dmarc-reports.cloudflare.net,mailt" "o:n8dvgnuk@fr.eu.dmarcadvisor.com,mailto:DMARC+RUF@RyderCragie.com; fo=0:1:d:s; pct=100; adkim=s; aspf=s"

;; ANSWER SECTION:
_dmarc.rydercragie.com. 300     IN      TXT     "v=DMARC1; p=reject; sp=reject; rua=mailto:ac916a4e488c43058046889432174d68@dmarc-reports.cloudflare.net,mailto:n8dvgnuk@ag.eu.dmarcadvisor.com,mailto:DMARC+RUA@RyderCragie.com; ruf=mailto:ac916a4e488c43058046889432174d68@dmarc-reports.cloudflare.net,mailt" "o:n8dvgnuk@fr.eu.dmarcadvisor.com,mailto:DMARC+RUF@RyderCragie.com; fo=0:1:d:s; pct=100; adkim=s; aspf=s"

;; ANSWER SECTION:
_dmarc.rydercragie.com. 300     IN      TXT     "v=DMARC1; p=reject; sp=reject; rua=mailto:ac916a4e488c43058046889432174d68@dmarc-reports.cloudflare.net,mailto:n8dvgnuk@ag.eu.dmarcadvisor.com,mailto:DMARC+RUA@RyderCragie.com; ruf=mailto:ac916a4e488c43058046889432174d68@dmarc-reports.cloudflare.net,mailt" "o:n8dvgnuk@fr.eu.dmarcadvisor.com,mailto:DMARC+RUF@RyderCragie.com; fo=0:1:d:s; pct=100; adkim=s; aspf=s"

;; ANSWER SECTION:
_dmarc.rydercragie.com. 300     IN      TXT     "v=DMARC1; p=reject; sp=reject; rua=mailto:ac916a4e488c43058046889432174d68@dmarc-reports.cloudflare.net,mailto:n8dvgnuk@ag.eu.dmarcadvisor.com,mailto:DMARC+RUA@RyderCragie.com; ruf=mailto:ac916a4e488c43058046889432174d68@dmarc-reports.cloudflare.net,mailt" "o:n8dvgnuk@fr.eu.dmarcadvisor.com,mailto:DMARC+RUF@RyderCragie.com; fo=0:1:d:s; pct=100; adkim=s; aspf=s"

For

without sense for details: It splits within the RUF tag, between Cloudflare and DMARC Advisor.

Such length (and splitting) have been known to cause trouble with some implementations.

2. Your DMARC record does not have

np=reject;

np=reject;

np=reject;

np=reject;, however, proper implementations should fall back to

p=

p=

p=

p= for both

sp=

sp=

sp=

sp= and

np=

np=

np=

np=, if they are omitted.
np? -> https://discord.com/channels/595317990191398933/812577823599755274/1214278578842107995

3. Your

mail

mail

mail

mail is a CNAME, although I highly doubt it, depending on the implementation, a potentially badly coded implementation could maybe be thinking that it should follow the CNAME for the DMARC record.

DarkDeviLOP•3/5/24, 7:30 PM

Re. first things first, they are also written in the order of how I would be looking at them.

DarkDeviLOP•3/5/24, 7:31 PM

I am also under the impression that Cloudflare doesn't parse RUF, so yeah, removing that could take a bit off the DMARC record, although, I don't think it will be enough.

DarkDeviLOP•3/5/24, 7:32 PM

Still splitting, now here:
.com; f" "o=0:1:d:s; pct=100; adkim=s; aspf=s".com; f" "o=0:1:d:s; pct=100; adkim=s; aspf=s"

DarkDeviLOP•3/5/24, 7:32 PM

Can you add forwarders within your Zoho?

DarkDeviLOP•3/5/24, 7:33 PM

If so, remove DMARC Advisor, and make Zoho forward from your DMARC+RUA and DMARC+RUF to DMARC Advisor.

DarkDeviLOP•3/5/24, 7:33 PM

(How Zoho works that way, whether it will both deliver to you AND forward, or only just forward, ... is a different story though)

Original message was deleted

DarkDeviLOP•3/5/24, 7:57 PM

According to the specs, 0 indicates the default, 1 should literally be the same as "d:s", so replacing it with 1 should literally be doing it all.

Original message was deleted

DarkDeviLOP•3/5/24, 7:57 PM

pct is indeed 100 if omitted, so that can be removed as well.

DarkDeviLOP•3/5/24, 7:59 PM

And re. sp/np: Some people likes to explicitly be specifying such things (e.g. having them all, even though things should fall back).

DarkDeviLOP•3/5/24, 7:59 PM

You can leave p=reject;p=reject;, but remove the others (sp/np), if you wish.

DarkDeviLOP•3/5/24, 8:00 PM

Thing is just, you don't know what kind of broken implementations you may see out there.

DDarkDeviL 1. Your DMARC record is quite long, and goes over the 255 byte limit, which, dep...

DarkDeviLOP•3/5/24, 8:03 PM

np? -> https://discord.com/channels/595317990191398933/812577823599755274/1214278578842107995

DarkDeviLOP•3/5/24, 8:04 PM

DNS code 3 (NXDOMAIN).

DarkDeviLOP•3/5/24, 8:05 PM

p=reject;p=reject; alone, if you don't care about being explicit.

DarkDeviLOP•3/5/24, 8:05 PM

Otherwise p=reject; sp=reject; np=reject;p=reject; sp=reject; np=reject;.

DarkDeviLOP•3/5/24, 8:06 PM

The

p=

p=

should be enough according to the specs.

DarkDeviLOP•3/5/24, 8:06 PM

Exactly.

DarkDeviLOP•3/5/24, 8:11 PM

adkim/aspf has nothing to do with the p/sp/np policies and their fallback.

DarkDeviLOP•3/5/24, 8:12 PM

All they control is whether the alignment to the original domain must be exact, or can be a sub-domain thereof.

DarkDeviLOP•3/5/24, 8:12 PM

The default is r, relaxed.

DarkDeviLOP•3/5/24, 8:12 PM

If you want them to remain strict, yes, then you need to keep them.

DarkDeviLOP•3/5/24, 8:14 PM

If you look at the <policy_published></policy_published> sections from the DMARC reports you receive, you will see what the other end claims to see your current DMARC record as.

DarkDeviLOP•3/5/24, 8:21 PM

That is one sent by Google, right?

DarkDeviLOP•3/5/24, 8:22 PM

Yep, there you see it.

DarkDeviLOP•3/5/24, 8:22 PM

Google lists "

np=

np=

", but not fo=fo=.

DarkDeviLOP•3/5/24, 8:22 PM

Microsoft lists "fo=fo=", but not

np=

np=

DarkDeviLOP•3/5/24, 8:23 PM

Point is here the implementations as mentioned above.

DarkDeviLOP•3/5/24, 8:23 PM

Two different implementations doesn't necessarily do the same.

DarkDeviLOP•3/5/24, 8:23 PM

DarkDeviLOP•3/5/24, 8:23 PM

DarkDeviLOP•3/5/24, 8:24 PM

Not necessarily.

DarkDeviLOP•3/5/24, 8:24 PM

Google said since the beginning they wouldn't do RUF reporting.

DarkDeviLOP•3/5/24, 8:24 PM

FO= is only relevant for RUF, so therefore it makes no sense for them to list it, as they do not care about it / act on it anyway.

DarkDeviLOP•3/5/24, 8:25 PM

Microsoft's implementation could eventually be so old that they (actualy: the implementation) don't even know about

np=

np=

yet.

DarkDeviLOP•3/5/24, 8:25 PM

But all this is just guessing.

DarkDeviLOP•3/5/24, 8:26 PM

If you would like to know for sure, you would need to reach out to one of their engineers and hope they're able to clarify...

DarkDeviLOP•3/5/24, 8:27 PM

Specifications is one story, but how things are actually being implemented, can be a completely different story...

DarkDeviLOP•3/5/24, 8:28 PM

Works fine if you're following them.

DarkDeviLOP•3/5/24, 8:29 PM

Same with CNAME DMARC.

DarkDeviLOP•3/5/24, 8:29 PM

_dmarc.example.org_dmarc.example.org CNAME _dmarc.example.com_dmarc.example.com
_dmarc.example.net_dmarc.example.net CNAME _dmarc.example.com_dmarc.example.com
_dmarc.example.eu_dmarc.example.eu CNAME _dmarc.example.com_dmarc.example.com

DarkDeviLOP•3/5/24, 8:29 PM

Now, just switch your DMARC on _dmarc.example.com_dmarc.example.com.

DarkDeviLOP•3/5/24, 8:30 PM

There are things that allow CNAME, and things that disallow CNAME.

DarkDeviLOP•3/5/24, 8:30 PM

Even for things that disallow CNAME as per the standards, they may still work because some implementations doesn't care to check it.

DarkDeviLOP•3/5/24, 8:35 PM

To mention another example:
example.comexample.com MX mail.example.netmail.example.net
mail.example.netmail.example.net CNAME inbound.mx.example.orginbound.mx.example.org
inbound.mx.example.orginbound.mx.example.org A 192.0.2.25192.0.2.25
inbound.mx.example.orginbound.mx.example.org AAAA 2001:db8:25:25:25:25:25:252001:db8:25:25:25:25:25:25

Having mail.example.netmail.example.net as a CNAME in that set up isn't allowed, because it is used as a MX record, ... but it will be quite implementation specific whether they actually work (or not).

DarkDeviLOP•3/5/24, 8:36 PM

In other words: Such MX -> CNAME may work flawlessly if you're sending from MS / Outlook, but not others, such as e.g. Google.

DarkDeviLOP•3/5/24, 8:36 PM

... because of two different implementations.

Original message was deleted

DarkDeviLOP•3/5/24, 8:37 PM

That 255 byte limit comes from DNS, not from Cloudflare.

DarkDeviLOP•3/5/24, 8:39 PM

These two should be the same:
abc.example.netabc.example.net TXT "alfabravocharlie""alfabravocharlie"
abc.example.netabc.example.net TXT "alfa" "bravo" "charlie""alfa" "bravo" "charlie"

DarkDeviLOP•3/5/24, 8:40 PM

The latter one if you're starting the third of 3 x 255, but whether your implementation (or the DNS implementation your application uses) are concentrating the strings properly, before your application is proceeding with it's use of it, is the problem.

DarkDeviLOP•3/5/24, 8:43 PM

You can't do anything about it.

1. Your DMARC record is quite long, and goes over the 255 byte limit, which, depending on the implem

Similar Threads

Similar Threads

Similar Threads