
429 points pabs3 | 5 comments
jeroenhd ◴[] No.43469827[source]
For me, as someone with their own mail server, these technologies mostly serve to inform me that Russian IP addresses are still trying to send email in the name of my domain for some stupid reason.

It makes sense that people whose business is sending email know how to set up email correctly. I'm mostly surprised at how many legitimate sysadmins struggle with getting the basics correct. Surely those dozens of DMARC emails you get that your sendgrid email has been refused because of a bad SPF signature should set in motion some kind of plan to ask if maybe marketing is using them legitimately?

Automated signatures are of limited value but I rarely see rejections based on SPF and DKIM that are a mistake. Things are probably worse for big organizations but as a small email server, technical rejections are usually the right call. The only exception is mailing lists, but the dozens of people who still use those can usually figure out how to add an exception for them.

replies(6): >>43470005 #>>43470195 #>>43470668 #>>43471472 #>>43473790 #>>43482338 #
JumpCrisscross ◴[] No.43470668[source]
> Russian IP addresses are still trying to send email in the name of my domain for some stupid reason

For what it's worth, I've started seeing cybersecurity insurers requiring riders and extra payments if you don't block Russian IPs.

replies(3): >>43471030 #>>43471308 #>>43477981 #
blacklion ◴[] No.43471308[source]
But there are big problems with mapping from IPs to countries. My IPv6 is detected as Russian, though it is a London-located tunnel exit point and I'm in the Netherlands.
replies(3): >>43471455 #>>43473650 #>>43474558 #
zelon88 ◴[] No.43471455[source]
Sounds like an issue with an outdated locally hosted IP2Location database.
replies(2): >>43471969 #>>43479796 #
1. blacklion ◴[] No.43471969[source]
Google thinks it is in Russia too. And Cloudflare thinks the same.
replies(2): >>43472261 #>>43472712 #
2. liveoneggs ◴[] No.43472261[source]
maybe you actually have a MITM proxy stealing all of your traffic and keystrokes
replies(1): >>43482083 #
3. carlhjerpe ◴[] No.43472712[source]
If it's Hurricane Electric's tunnel I've had similar issues, I think they use Russian blocks for their IPv6 tunnel since the abuse potential is so high and they don't want to deal with it so they just bundle all their shit with Russia and move on.
replies(1): >>43482065 #
4. blacklion ◴[] No.43482065[source]
Yep, it is an HE tunnel. Nice to know that I'm not alone.
5. blacklion ◴[] No.43482083[source]
MITM for HTTPS? I don't think so!