443 points | miles | 1 comments
velcrovan | No.40710875
I manage IT at a mid-size business. At least once a month, I get asked to release some incoming email from quarantine that got sent there because the sender's SPF record is wrong or outdated and doesn't include all the email services they actually use. (What this really tells me is how many small businesses are out there running with no in-house IT expertise or support of any kind.)

I don't do whitelisting. Instead, I always reach out and offer to help the other party correct their SPF record.

It happens often enough that I wrote a script in Racket that will generate the email for me and paste it into the clipboard [1]. The email tells them exactly what they need to change, and links to docs from their current email provider (so they don't have to trust me about edits to their DNS).

[1]: https://gist.github.com/otherjoel/6b8bf02f6db6e0c47ba6bca72e...

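The failure mode described above, as an added example (not velcrovan's Racket script, which is not on this page): a minimal SPF evaluator covering ip4/ip6/include/all, plus a helper that reports which of a sender's known mail services the record leaves unauthorised. DNS is replaced by a constructed in-memory TXT map, so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; a real checker would query DNS.
# example.com authorises one provider but not its newsletter service.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example ~all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.newsletter.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: limit on DNS-querying mechanisms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, txt=DNS_TXT, lookups=None):
    """Simplified RFC 7208 evaluation supporting ip4, ip6, include and all.
    Returns (result, number_of_dns_lookups_used)."""
    lookups = [0] if lookups is None else lookups  # shared across includes
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", lookups[0]
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual], lookups[0]
        if name in ("ip4", "ip6"):
            # Mixed IPv4/IPv6 comparisons simply do not match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual], lookups[0]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            sub, _ = check_spf(arg, sender_ip, txt, lookups)
            if sub == "pass":
                return QUALIFIERS[qual], lookups[0]
            if sub in ("permerror", "none"):  # missing included record
                return "permerror", lookups[0]
        # a, mx, ptr, exists and redirect are not handled in this example.
    return "neutral", lookups[0]


def missing_providers(domain, provider_ips, txt=DNS_TXT):
    """Return the providers (name -> a sending IP they use) that the
    domain's SPF record does not authorise; this is the list a recipient
    admin would send back to the sender."""
    return [p for p, ip in provider_ips.items() if check_spf(domain, ip, txt)[0] != "pass"]
```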
deng | No.40714418
> At least once a month, I get asked to release some incoming email from quarantine that got sent there because the sender's SPF record is wrong or outdated

And at the same time, I regularly get Spam/Phishing with perfect SPF, DKIM, DMARC, etc. The domains and IPs they use might get blocked within a day, but of course, these people have no problem getting others.

And although I have set up my MTA perfectly, my mail gets refused by MS/t-online/etc., because I don't have enough "sender reputation". In e-mail, we have an oligopoly of a few big mail providers, and in the end, they decide which mail gets delivered and which doesn't, and to me it looks like they give a rat's ass about SPF and DKIM, and probably rightfully so, because most spammers are probably better at configuring MTAs than your average mail admin.

lqet | No.40716560
T-Online has a simple whitelist approach, and it is usually enough to just drop them an email. I did that back in 2014, asking for my private mail server to be added to that whitelist, and I received a positive answer within a few hours.
deng | No.40716836
Maybe that was possible 10 years ago; they now require that you put up a web page for your domain with a valid German imprint (most importantly: your full contact information).
lqet | No.40716964
To be fair, I had that in place 10 years ago (and if you already have a mailserver, it's trivial (as in: MUCH easier than to set up a mail server) to host a small imprinted HTML page).