←back to thread

Spammers are better at SPF, DKIM, and DMARC than everyone else

(toad.social)
429 points pabs3 | 4 comments | 3/25/2025, 8:14:00 AM | HN request time: 2.063s | source
Show context
riobard ◴[3/25/2025, 11:17:00 AM] No.43469919[source]

The point of SPF/DKIM/DMARC is to bind emails to domains, so no more spoofing. It is naive to expect authentication alone can reduce spams.

replies(4): >>43469940 #>>43470124 #>>43470532 #>>43470789 #
1. dizhn ◴[3/25/2025, 1:13:00 PM] No.43470789[source]

All of these technologies are basically DOA because of how fickle they are and for lack of support across the board. Most policies are set to not to deny.

DMARC is nice though. It won't stop spam. It won't stop spoofing. But you will know that someone somewhere is spamming people using your domain name. How awesome. :)

replies(1): >>43471929 #
2. toast0 ◴[3/25/2025, 2:41:00 PM] No.43471929[source]

I never found the DMARC reports actionable, so I quickly turned them off. What do you do with the information?

Of course, even with hard fail spf and dmarc, I still see some bounces from spam where some server accepted the mail to deliver it elsewhere and the next server denies it, so the first server sends me a bounce.

replies(1): >>43473794 #
3. riobard ◴[3/25/2025, 5:32:00 PM] No.43473794[source]

DMARC reports are for you to be sure that you configured SPF/DKIM correctly, not asking you to do something with the spoofing senders (which you can do absolutely nothing about).

replies(1): >>43474744 #
4. toast0 ◴[3/25/2025, 7:14:00 PM] No.43474744{3}[source]

Yeah, so have reports when you start, but once you get things set up correctly, turn off the reports. If you break things later, you should find out quickly when mail is refused, and you can turn on reports again, if you need to.