dmarc roulette

The zoo got a dmarc [my blog] email from google, as stated it should have, which reported both the ipv4 and ipv6 authentication results.

Great if you still have a clue what I am going on about, but I have no idea if it used ipv4 or v6 to transport it, which we have here in the zoo [my blog]. If inbound it's normally probably ipv4, and outbound from us it's ipv6 if you have it.

It passed its tests in the zoo, good news! When it got to google things got interesting, as it failed those.

At least dmarc [including spf and dkim] does work, but as to specifics, well, let's call it a success and leave it there.

Hmm well it got there at least.

internal exim fun and ipv6

Exim has been in the wars recently and got an update for a tls issue. In the zoo exim is tolerated internally and so was not an issue, as it relays email internally and then off to postfix.

I tried exim many years ago and did not like it.

However, ipv6 was then activated by the exim update, which caused internal relay issues (my blog), so I am stuck with ipv4 doing the internal emailing until I either change mta or figure out ipv6 relaying in both exim and postfix.

Exim was returned to ipv4 action with


Which suits the zoo fine. Ipv6 internally and no ipv4* seems a long way off.

*rfc1918 ranges.

dmarc false positives

Dmarc (my blog) is interesting, and while it does not lie, to use it as a metric to say email is delivered to an inbox is an incorrect way to represent the reports you may get.

The zoo has a mail server (not hosted by google); people with dmarc records send us email.

That email is validated for dkim, spf, dmarc, mx records, reverse dns and valid users, and then goes through the spam and virus filter.

So if your email passed some of the tests but not all, then your email was delivered, but not to a user.

Dmarc reports say so much, but if you take them as a guaranteed in-an-inbox metric you're sadly delusional.

Dmarc reports can also often be confusing.

5 2a00:1450:4864:20::345
2 2a00:1450:4864:20::347
1 2a00:1450:4864:20::348
5 2a00:1450:4864:20::445
1 2a00:1450:4864:20::446
1 2a00:1450:4864:20::447

They are google servers.

net6num: 2a00:1450::/29
netname: IE-GOOGLE-20091005
country: IE

The reports say that the above servers are failing the spf check on the zoo’s servers, which again is correct. However, assuming nothing bad is coming from those addresses and it is recording the ip as it goes, the misconfiguration is an issue for google, not the zoo.

The zoo’s dmarc is correct and dmarc is working correctly, but to claim dmarc is an email-delivered metric is a bonkers proposition. If you're a spammer or email campaign professional, the dmarc reports do not mean what you hope they mean.
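An added example, not code from this blog: a tally over a constructed aggregate report in the RFC 7489 XML layout, showing what a report can and cannot tell you. The source IPs, counts and netblock come from the lists above; the dkim results, disposition and header_from domain are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

GOOGLE_NET = ipaddress.ip_network("2a00:1450::/29")  # net6num from the whois above

def _record(ip, count, dkim):
    # Builds one constructed <record>; spf is always "fail" as in the post.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            "<spf>fail</spf></policy_evaluated></row>"
            "<identifiers><header_from>example.org</header_from></identifiers></record>")

# Constructed sample: IPs and counts from the list above, dkim values assumed.
SAMPLE_REPORT = "<feedback>" + "".join([
    _record("2a00:1450:4864:20::345", 5, "pass"),
    _record("2a00:1450:4864:20::347", 2, "pass"),
    _record("2a00:1450:4864:20::446", 1, "fail"),
]) + "</feedback>"

def summarise(report_xml):
    """Per source IP: message count, SPF failures, DMARC passes, netblock match."""
    summary = {}
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        spf = row.findtext("policy_evaluated/spf")
        dkim = row.findtext("policy_evaluated/dkim")
        entry = summary.setdefault(ip, {
            "count": 0, "spf_fail": 0, "dmarc_pass": 0,
            "in_google_net": ipaddress.ip_address(ip) in GOOGLE_NET})
        entry["count"] += count
        entry["spf_fail"] += count if spf != "pass" else 0
        # DMARC passes when either aligned mechanism passes.
        entry["dmarc_pass"] += count if "pass" in (spf, dkim) else 0
    return summary

def totals(summary):
    """Report-wide totals. No field in the report says what happened after the
    DMARC step (spam filter, virus filter, unknown user), so none is counted."""
    return {k: sum(e[k] for e in summary.values())
            for k in ("count", "spf_fail", "dmarc_pass")}

if __name__ == "__main__":
    result = summarise(SAMPLE_REPORT)
    for ip, entry in result.items():
        print(ip, entry)
    print(totals(result))
```

Every message in the sample fails spf and most still pass dmarc on dkim, and neither number says anything about an inbox.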


to all the clients & or crooks at hostwinds llc

Their ipv6 range is 2607:5500::/31 – ipv4 ranges worth blocking here (my blog). Yes, they have a reputation with the monkey house.

Reason for mallet-ing – (my blog) attempted relay of fake zoo email to the zoo via postfix, so some thought was put in here; they're not being idiots but targeting specifically.

I believe this is the first range of ipv6 addresses (a lot of them) I have had to null route for nefarious reasons.

Determining genuine and crook here is hard. Since they do not seem to subnet below /31, say to a [small] /64, the /31 seems safer, assuming we would start playing whack-a-mole if I blocked per ipv6 address.

It's kind of amazing, with the small user base of ipv6, that my first block is from a usual suspect. Perhaps being too trusting of the address space is a mistake, although spamhaus has an ipv6 list of subnets it distrusts, which I am aware of.
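An added example, not the zoo's own tooling: it groups rejected relay attempts by source prefix to show how many block entries each granularity needs (per address, per /64, or the whole /31). The log lines are constructed in Postfix's smtpd reject format, and every address, hostname and mailbox in them is made up; only the /31 comes from the post.

```python
import ipaddress
import re

BLOCK = ipaddress.ip_network("2607:5500::/31")  # range given in the post
REJECT = re.compile(
    r"reject: RCPT from \S*?\[([0-9A-Fa-f:.]+)\]: .*Relay access denied")

# Constructed sample: addresses and mailboxes are invented for the example.
_LINE = ("Mar  1 02:10:{:02d} mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from "
         "unknown[{}]: 554 5.7.1 <a@example.net>: Relay access denied; "
         "from=<keeper@zoo.example> to=<a@example.net> proto=ESMTP helo=<zoo.example>")
_SOURCES = ["2607:5500:3000:11::2", "2607:5500:3000:11::2", "2607:5500:3000:11::9",
            "2607:5500:2000:7f::1", "2607:5501:100:4::5", "2001:db8::25"]
SAMPLE_LOG = "\n".join(
    ["Mar  1 02:09:59 mx postfix/smtpd[811]: connect from unknown[2607:5500:3000:11::2]"]
    + [_LINE.format(i, ip) for i, ip in enumerate(_SOURCES)])

def relay_sources(log_text):
    """IPv6 source addresses of every 'Relay access denied' rejection."""
    sources = []
    for line in log_text.splitlines():
        match = REJECT.search(line)
        if match:
            addr = ipaddress.ip_address(match.group(1))
            if addr.version == 6:
                sources.append(addr)
    return sources

def prefixes(addrs, prefixlen):
    """Distinct networks of the given length that contain the addresses."""
    return {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs}

def block_entries(addrs, block=BLOCK):
    """Block-list entries needed at each granularity for sources inside block."""
    inside = [a for a in addrs if a in block]
    return {"per_address": len(set(inside)),
            "per_64": len(prefixes(inside, 64)),
            "per_block": 1 if inside else 0,
            "outside_block": len(addrs) - len(inside)}

if __name__ == "__main__":
    print(block_entries(relay_sources(SAMPLE_LOG)))
```

Note that the /31 also covers 2607:5501::, so one route catches sources that per-/64 entries would have to chase one by one.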

where are the ipv6 email relay testers and sasl [password] bots

Where are they? It seems only ipv4 people do them. Sure, it is early days and most people are using a big email provider, and maybe ipv6 if they have a more modern mobile phone.

It's rather nice, ipv6, if quiet compared to ipv4.

In fact nobody seems to use ipv6 (and yes, we do send and receive ipv6 mail) unless you're nerdy or one of a few specific internet behemoths.

ipv6 on postfix

Works, although it does feel a little incoherent setup-wise, with [] sometimes required and sometimes not. Having access to reverse dns means I can mail google in ipv6; your experience might be different (not here) from the zoo’s.

Don’t forget about spf records.

With ipv6 being very mostly silicon valley based (not amazon), I was surprised that some try to abuse ipv6 and the domain name system.

Domain unknown senders[2001:41c8:51:770:fcff:ff:fe00:435c]:<secrppl*3*>:

Although we do see them trying this from ipv4 too.

No damage was done and the ipv6 and ipv4 protocol matched the fake domain.

Ipv6 accounts for 25% of dns traffic, and there are not many ipv6 mx entries, so 1% of email traffic unless you email gmail all the time.

back to opendmarc reporting

Covered here and there (both my blog). With ipv6 I decided to have another go at reporting, with extra hosts available with ipv6.

I kept the importer running even if reports were not being sent, but with ipv6 and ipv4 mail servers dmarc reporting remains stubbornly ipv4 based.

Not all is well with dmarc reporting and auto responders, with spam getting sent to dmarc inboxes, and bar the big providers nobody seems to take dmarc reporting seriously.

Oh well.