
443 points miles | 9 comments
1. remram ◴[] No.40712477[source]
My problem with SPF (& co) is redirections.

I have email redirected from other domains into my (Gmail) inbox. For it to arrive, I use SRS, so the email is properly aligned and always makes it into my inbox. The problem is that some of that email is malicious. I have a choice of dropping those mails, and I never see a trace of it in my inbox, or forwarding them with SRS, and they look to Gmail like 100% perfectly good mails sent from my own domain (but still potentially malicious). It's annoying.

replies(2): >>40714672 #>>40716433 #
2. alt227 ◴[] No.40714672[source]
> It's annoying.

This seems very much like a problem you have created for yourself.

replies(1): >>40718990 #
3. joveian ◴[] No.40716433[source]
If you do SRS correctly it will not pass DMARC alignment for your domain but it will pass plain SPF which does not have the DMARC alignment check and is sometimes checked independently from DMARC. If the sender included valid DKIM it should pass DMARC for the sender's domain as long as you don't alter the signed parts of the message (unless possibly if they do something annoying like sign the absence of X-Forwarded-To). Google also wants you to use ARC, add X-Forwarded-{To, For} headers, avoid forwarding spam, and use a different IP address or domain for forwarding vs sending mail from your domain. Some email providers let you indicate that you trust particular ARC forwarders but I don't think Google uses it that way.

https://support.google.com/mail/answer/175365?hl=en

I don't know why Google want to force forwarders to do spam filtering.

replies(1): >>40719033 #
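Added example, not part of any comment in this thread: a small DMARC evaluator showing why an SRS-forwarded message passes plain SPF, is not SPF-aligned with the From domain, and passes DMARC only when the sender's DKIM signature survives. The domains `shop.example` and `fwd.example`, the sample SRS0 address, and the two-label `org_domain` shortcut (standing in for a Public Suffix List lookup) are assumptions made for illustration.

```python
from dataclasses import dataclass

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # DMARC relaxed alignment compares organizational domains; strict compares FQDNs.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def srs_original(envelope_from):
    """Recover the original sender from SRS0=hash=timestamp=domain=local@forwarder."""
    local = envelope_from.rpartition("@")[0]
    if not local.upper().startswith("SRS0"):
        return None
    parts = local[5:].split("=", 3)  # skip "SRS0" and its separator
    if len(parts) != 4:
        return None
    _hash, _timestamp, orig_domain, orig_local = parts
    return f"{orig_local}@{orig_domain}"

@dataclass
class Message:
    header_from: str          # address in the From: header
    envelope_from: str        # SMTP MAIL FROM seen by the final receiver
    spf_pass: bool            # SPF result for the envelope_from domain
    dkim_pass_domains: tuple  # d= domains of DKIM signatures that verified

def evaluate(msg):
    from_dom = msg.header_from.rpartition("@")[2]
    env_dom = msg.envelope_from.rpartition("@")[2]
    spf_aligned = msg.spf_pass and aligned(env_dom, from_dom)
    dkim_aligned = any(aligned(d, from_dom) for d in msg.dkim_pass_domains)
    return {
        "spf": "pass" if msg.spf_pass else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
        "srs_original": srs_original(msg.envelope_from),
    }

# Constructed sample messages (not real traffic).
SRS_ADDR = "SRS0=ab12=XY=shop.example=bounce@fwd.example"
FORWARDED_WITH_DKIM = Message("news@shop.example", SRS_ADDR, True, ("shop.example",))
FORWARDED_SPF_ONLY = Message("news@shop.example", SRS_ADDR, True, ())
DIRECT_SPF_ONLY = Message("news@shop.example", "bounce@shop.example", True, ())

if __name__ == "__main__":
    for m in (FORWARDED_WITH_DKIM, FORWARDED_SPF_ONLY, DIRECT_SPF_ONLY):
        print(evaluate(m))
```

The second sample is a sender that only has SPF configured: the same message passes DMARC when delivered directly and fails it after forwarding, even though plain SPF still passes.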
4. remram ◴[] No.40718990[source]
I know, how dare I use other domains than Gmail...?

Why post a comment at all, if you have no insight? It's useless and insulting.

replies(1): >>40720088 #
5. remram ◴[] No.40719033[source]
You're probably right about the terminology, sorry. My problem is that a lot of legitimate senders have failing (or soft-failing) sender setups, so I can't have my forwarder just drop all that (I'm not even sure my registrar-provided forwarder has that option).

Another option would be to have another inbox on the domain and have Gmail fetch with POP/IMAP, but many domain registrars don't have that service. Or is that what most people do?

replies(1): >>40726987 #
6. alt227 ◴[] No.40720088{3}[source]
Why post on a public forum if you don't want, or even get insulted by, other people's opinions?

It's nothing to do with using domains other than Gmail, it's that you said you are actively relaying all mail into your Gmail account and rewriting the sender as yourself, but then it's annoying that spam gets marked as valid mail from your domain. That's nobody's problem other than your own setup, and there are loads of other ways you could do it. But the way you chose to set it up is 'annoying'.

Sorry to insult you, but I feel that warrants letting you know you caused your own problem!

replies(1): >>40724215 #
7. remram ◴[] No.40724215{4}[source]
If your opinion is "you suck" it's called an insult.

You could have ignored my question, you could have explained why I'm doing it wrong, hell you could have posted a random setup guide from Google and downvoted me. Instead you post this attack with no content, justification, or insight. You are being an ass. You are allowed to be, but I'm allowed to call it out.

And if you think I set my email up in a sub-optimal way, just so that I could ask for advice on HN, with the goal of pissing you off... you are delusional.

replies(1): >>40759416 #
8. joveian ◴[] No.40726987{3}[source]
For receiving custom domain email long term I think the usual thing would be to have the chosen email provider manage all email for the domain (setting up MX records) and not forward long term. That would require a paid account with Google it looks like, but at the point you are paying for your domain that seems reasonable (I'm not sure how much they charge). The fetch options are usually either time limited or expensive from what I've seen. I wouldn't be surprised if registrars don't forward correctly according to Google's instructions, they just want the least expensive thing that lets them advertise email as a feature, but maybe worth complaining anyway if they don't.

For personal accounts I don't think you can convince Google to accept mail from incorrectly configured senders, you would need to use a different service if you must receive it. For business accounts they are less strict, although Google still randomly drops mail and I wouldn't personally use them for that reason and others (I think they have good suggestions for how mail should be set up, though). I'm not trying to sell you anything and haven't even tried them yet (and have some questions I haven't asked yet) but purelymail.com is one that seems promising to me in general and is inexpensive with no extra fee for custom domains (if you aren't attached to the way Google handles mail; I'm guessing the archive search and general interface will be more clunky). I'm guessing you can configure SpamAssassin to not strictly reject mail from incorrectly configured senders as long as they aren't on spam lists (they say they reject those immediately), but I'm not sure.

Thinking about it more I'm guessing Google requires forwarders to check spam due to not wanting customers to configure trusted ARC forwarders like Microsoft does and so not forwarding spam makes it easier to convince them the forwarder isn't a spammer trying to blame others for the spam (they might also compare forwarded spam with what they receive directly). If a forwarder uses ARC and can convince them they aren't spamming then Google should trust their SPF assessment if you just mean senders who only have SPF configured. But if you want to receive email from old timers who insist that email should have no way to detect spam there may be no way to do that with Google (or a number of other providers).

9. alt227 ◴[] No.40759416{5}[source]
Since you seem so well versed in the best way to not be insulting, maybe you should follow your own advice and stop insulting other people. Just a thought, but maybe if you tone down your responses and be a bit less insulting yourself then maybe karma might do you a favour.

Take a look back at the thread. This is what I posted:

> This seems very much like a problem you have created for yourself.

That's it. Nobody said you suck, nobody insulted anything. Just pointed out that a problem you said was annoying was caused by your own doing. If you think that is an attack, and warrants calling me delusional and an ass, then you need to look very hard at your own reactions to things. You resorted to name-calling and mudslinging just a bit too quickly.