    443 points miles | 13 comments
    velcrovan No.40710875
    I manage IT at a mid-size business. At least once a month, I get asked to release some incoming email from quarantine that got sent there because the sender's SPF record is wrong or outdated and doesn't include all the email services they actually use. (What this really tells me is how many small businesses are out there running with no in-house IT expertise or support of any kind.)

    I don't do whitelisting. Instead, I always reach out and offer to help the other party correct their SPF record.

    It happens often enough that I wrote a script in Racket that will generate the email for me and paste it into the clipboard [1]. The email tells them exactly what they need to change, and links to docs from their current email provider (so they don't have to trust me about edits to their DNS).

    [1]: https://gist.github.com/otherjoel/6b8bf02f6db6e0c47ba6bca72e...

    replies(13): >>40710906 #>>40711407 #>>40711533 #>>40712450 #>>40712783 #>>40713178 #>>40714393 #>>40714418 #>>40715408 #>>40715983 #>>40716281 #>>40716467 #>>40716996 #
    1. deng No.40714418
    > At least once a month, I get asked to release some incoming email from quarantine that got sent there because the sender's SPF record is wrong or outdated

    And at the same time, I regularly get Spam/Phishing with perfect SPF, DKIM, DMARC, etc. The domains and IPs they use might get blocked within a day, but of course, these people have no problem getting others.

    And although I have set up my MTA perfectly, my mail gets refused by MS/t-online/etc., because I don't have enough "sender reputation". In e-mail, we have an oligopoly of a few big mail providers, and in the end, they decide which mail gets delivered and which isn't, and to me it looks like they give a rat's ass about SPF and DKIM, and probably rightfully so, because most spammers are probably better at configuring MTAs than your average mail admin.

    replies(3): >>40714559 #>>40716304 #>>40716560 #
    2. taskforcegemini No.40714559
    T-Online uses a global whitelist, which is pretty stupid for e-mail. Sometimes it helps to contact them; other times they refuse to resolve it for arbitrary reasons (not because of actual spamming).
    replies(1): >>40714655 #
    3. Leonelf No.40714655
    T-Online told me I needed an imprint on the website that's reachable under my domain. Seems to be some misunderstanding of German law (German commercial websites need an imprint, legally, but T-Online also applies this requirement to private domains).
    replies(2): >>40715061 #>>40716329 #
    4. persnickety No.40715061{3}
    Last month they unblocked me even though the website is blank.
    5. daemin No.40716304
    On some level I can see it being a benefit to the big providers to only accept email from other big providers, as it would incentivise people to buy email services from them, because only email sent from the big providers would "work".
    6. zelphirkalt No.40716329{3}
    It is more complicated than that. There are more criteria for when you need an imprint:

    (1) any kind of journalistic content on your site

    (2) any kind of financial gain from showing ads or making ads

    (3) organizing any kind of group of people active on German territory

    (4) running a business website

    There might be more, but those are the ones I remember from reading the paragraphs a while ago.

    And these are, of course, vague, which means that even something like "my favorite restaurants in Berlin" could be considered an ad, or any kind of comment on politics might be considered a form of journalism.

    I dislike these rules, because they basically kill the German blogging scene. Not so many people want to run a blog and have every idiot on the Internet know their personal address. And few bloggers want to rent a digital office or actual office that will send mail to them (an indirection). The German law in this respect is terrible and working against a free Internet and against freedom of voicing your opinion. It works greatly in favor of tech giants, because people resort to putting their blogging on Facebook, Instagram and other disservices. It is very anti-decentralization.

    replies(1): >>40727189 #
    7. lqet No.40716560
    T-Online has a simple whitelist approach, and it is usually enough to just drop them an email. I did that back in 2014, asking for my private mail server to be added to that whitelist, and I received a positive answer within a few hours.
    replies(1): >>40716836 #
    8. deng No.40716836
    Maybe that was possible 10 years ago; they now require that you put up a web page for your domain with a valid German imprint (most importantly: your full contact information).
    replies(2): >>40716964 #>>40727171 #
    9. lqet No.40716964{3}
    To be fair, I had that in place 10 years ago (and if you already have a mailserver, it's trivial (as in: MUCH easier than to set up a mail server) to host a small imprinted HTML page).
    10. account42 No.40727171{3}
    > most importantly: your full contact information

    Note that unless T-Online has additional requirements here, this doesn't need to be your home address but only a valid mail address through which you can be reached.

    replies(1): >>40746805 #
    11. account42 No.40727189{4}
    > have every idiot on the Internet know their personal address

    It doesn't have to be your personal address though.

    I'm somewhat mixed about the details of the law, but requiring businesses to make it clear who you are dealing with makes sense to me.

    replies(1): >>40761189 #
    12. nier No.40746805{4}
    In Germany, you might be required by law to publish your address for everyone to see.

    Original German text of the law: https://www.gesetze-im-internet.de/ddg/__5.html

    Google translation to English: https://www-gesetze--im--internet-de.translate.goog/ddg/__5....

    13. zelphirkalt No.40761189{5}
    Of course, if you run a business. But then you might even have an actual physical office address for work-related stuff and not have a problem giving that to random strangers on the Internet. If you are a private person simply wanting to run a blog and talk about whatever you like, then it sucks. It does not have to be your home address you are sharing, but the other options will cost you money. And no, a postbox will not be sufficient, as decided in previous court cases. It must be a "ladungsfaehige" address. There are some businesses selling services to have a virtual office, with an actual address, which then send your mail further to your actual address and notify you via e-mail and all that. Whether those are really an acceptable option when it comes to the law is a bit unclear.