undefined | Better HN

0 pointsmgcunha8y ago0 comments

Neither DKIM nor SPF provide domain owners with a verifiable disposition policy and monitoring. You should deploy SPF, DKIM and DMARC together. At that point either SPF or DKIM may pass but if the passing SPF/DKIM domain(s) don't match the DMARC domain the message isn't authenticated. Unlike SPF, DMARC will load its policy using the From: header, and thus ensure alignment between envelope-From and From: header (for SPF), or DKIM domain and From: header.

0 comments

ahje8y ago

DMARC could solve this problem, but it would break a lot of things reliant on forwards. When Yahoo set their DMARC policy to reject, there was quite a stir about it: https://www.ietf.org/mail-archive/web/ietf/current/msg87153....

In this particular case, it seems the major issue is that spammers got access to 69.64.35.11, which is included in telus.com's SPF record. In the end, this will hurt deliverability for legitimate emails sent with telus.com in the return path, and I suspect telus.com's customer service will have some explaining to do for their customers.

massaman_yams8y ago

ARC is the new standard designed to fix the DMARC edge case with forwarding. It's relatively new, though, so adoption isn't nearly as widespread as SPF, DKIM, or DMARC.

sounds8y ago

ryan-c comments below that the 'exists:' config at Telus allows any IP to send mail.

Spammers seem to be abusing this hole.

thaumaturgy8y ago

You're right. I was thinking DMARC but wrote DKIM.

yread8y ago

it does say DMARC=fail fwiw

j / k navigate · click thread line to collapse