←back to thread

Spammers are better at SPF, DKIM, and DMARC than everyone else

(toad.social)
429 points pabs3 | 10 comments | 25 Mar 25 08:14 UTC | HN request time: 0.73s | source | bottom
1. riobard ◴[25 Mar 25 11:17 UTC] No.43469919[source]
The point of SPF/DKIM/DMARC is to bind emails to domains, so no more spoofing. It is naive to expect authentication alone can reduce spams.
replies(4): >>43469940 #>>43470124 #>>43470532 #>>43470789 #
2. jeroenhd ◴[25 Mar 25 11:22 UTC] No.43469940[source]
To be fair, SPF saves mail.ru and outlook.com users from five, maybe six spam emails per month coming from my domain, based on DMARC reports. If those numbers scale to include every domain on the internet, that's a huge amount of spam being filtered out very easily and very early.

You'd think spammers would've learned to avoid SPF domains at the very least but they haven't, so despite SPF/DMARC/DKIM failing to get anyone out the spam folder, the technology is still catching spam bots.

3. fukawi2 ◴[25 Mar 25 11:51 UTC] No.43470124[source]
Finally, a comment that understands the concepts instead of insolently ranting about how useless it is.
replies(1): >>43470743 #
4. danaris ◴[25 Mar 25 12:46 UTC] No.43470532[source]
While it may or may not reduce spam, it has definitely (based on my personal experience) reduced the amount of spoofed phishing emails and backscatter spam emails to nearly nothing.

In the early-to-mid '10s, before SPF/DKIM/DMARC became the law of the email land, one had to be much, much more careful with phishing emails, checking the wording, the logos, etc, because 9 out of 10 of them appeared to come from the actual domain the email purported to be from. In the past several years (I honestly don't know exactly when the change happened; I don't get a huge amount of phishing emails), it's shifted so that the first thing to check is the sender address. Usually that turns out to be some nonsense string @gmail.com or some long garbled domain.

5. zeeZ ◴[25 Mar 25 13:08 UTC] No.43470743[source]
It feels similar to people conflating green https check marks in browsers and trustworthiness.
replies(1): >>43473801 #
6. dizhn ◴[25 Mar 25 13:13 UTC] No.43470789[source]
All of these technologies are basically DOA because of how fickle they are and for lack of support across the board. Most policies are set to not to deny.

DMARC is nice though. It won't stop spam. It won't stop spoofing. But you will know that someone somewhere is spamming people using your domain name. How awesome. :)

replies(1): >>43471929 #
7. toast0 ◴[25 Mar 25 14:41 UTC] No.43471929[source]
I never found the DMARC reports actionable, so I quickly turned them off. What do you do with the information?

Of course, even with hard fail spf and dmarc, I still see some bounces from spam where some server accepted the mail to deliver it elsewhere and the next server denies it, so the first server sends me a bounce.

replies(1): >>43473794 #
8. riobard ◴[25 Mar 25 17:32 UTC] No.43473794{3}[source]
DMARC reports are for you to be sure that you configured SPF/DKIM correctly, not asking you to do something with the spoofing senders (which you can do absolutely nothing about).
replies(1): >>43474744 #
9. riobard ◴[25 Mar 25 17:32 UTC] No.43473801{3}[source]
exactly!
10. toast0 ◴[25 Mar 25 19:14 UTC] No.43474744{4}[source]
Yeah, so have reports when you start, but once you get things set up correctly, turn off the reports. If you break things later, you should find out quickly when mail is refused, and you can turn on reports again, if you need to.