Everybody's aware that Google will start enforcing DMARC Feb 1st, right? (opens in new tab)

(easydns.com)

35 pointsStuntPope2y ago18 comments

18 comments

Maybe I'm just paranoid but if you configure your DMARC records to receive reports via email, doesn't that open the door for malicious actors to send bogus reports, if for no other reason than just for the lulz? I realize that the only sane way to deal with these reports is via an automated service (nobody in their right mind wants to manually parse through tons of XML reports on a regular basis) but how do I stop the incoming data from being poisoned?

pul2y ago

The RFC requires SMTP servers to first verify that the destination email indeed wants to receive those reports. They’re opt in through a DNS record.

https://datatracker.ietf.org/doc/html/rfc7489#section-7.1

StuntPopeOP2y ago

I've been monitoring this with an eye toward creating a honeypot for DMARC abuse but so far been seeing zero messages come in.

Either the spammers haven't figured it out yet, or they realize it's a waste of time since all the messages are either mechanically processed or ignored.

brightball2y ago

Yes it does.

donmcronald2y ago

I think the end goal here is to push stuff like BIMI so big tech can start charging another large annual fee to all businesses that want their email delivered.

frizlab2y ago

Yeah I inquired on how to setup BIMI for my company and was appalled by the price of this! We did not do it, it was too expensive.

brightball2y ago

BIMI is nothing more than a carrot to get the marketing department on board with DMARC and to give the people who sold EVSSL something else to convince companies to waste money on.

sbuk2y ago

For a change, I don't think the issue is big tech. The certificate issuers and authorities seem to see BIMI as a cash grab.

nerdjon2y ago

I am confused about what exactly this means if we just have a personal domain for my professional emails. Which are just a couple a day at a max (really depends on if I am looking for a new job or not).

Does this make having email accounts like this viable anymore? Am I at risk of my emails not getting where I expect them too, particularly important if I am looking for a new job?

I use Amazon WorkMail so will need to see if that has done what is necessary, but still worried what exactly this will mean.

Edit: Is there a tool to validate that things are setup how we need it to be?

brightball2y ago

Everything I have read to this point is that it will only affect you if you're sending > 5,000 message / day. Admittedly, there's no excuse for not having DMARC setup at that scale at this point as it's been a decade.

But as far as the policy, it doesn't have to be enforced. For most people, this just means that they'll need to a quick DNS entry to their domain for an unenforced policy.

Example...

TXT _dmarc.example.com "v=DMARC1; p=none;"

I did a 3 part DMARC writeup a while back if you're curious to learn more. It's not hard to setup. In fact, the smaller you are, the easier it is.

https://www.brightball.com/tag/dmarc-guide

sbuk2y ago

I'd add that DKIM is relitively simple to configue and, along with SPF, is a worthwhile endovour. It's considered as basic hygiene by spam filters.

StuntPopeOP2y ago

You'll still be able to to run personal email from your domain - I'd add SPF and a minimal DMARC and you'll be fine.

sbuk2y ago

> Edit: Is there a tool to validate that things are setup how we need it to be?

There are plenty, but mxtoolbox.com is your friend for most things email related.

taskforcegemini2y ago

The DMARC requirement only applies to senders who send at least 5000 e-mails per day to gmail-recipients.

I'm not a fan of DMARC. SPF and DKIM already do their job well enough. Then people add DMARC with "p=none" just to tick their "have DMARC" box. Even google suggests a policy of "none" is ok, but doesn't mention that this means SPF and DKIM will be ignored.

pul2y ago

SPF and DKIM are not enough to harden email. Email can still be spoofed through a loophole in both specs.

See https://www.nslookup.io/learning/dmarc-a-practical-guide/

taskforcegemini2y ago

which loophole? I didn't see it mentioned in the article.

and this quote is not correct:

> Note that an email doesn't need to pass both DKIM and SPF. Just one is enough to validate an email.

Unless it was said in regards to DMARC, it usually depends on the mailfilter of the receiver. If it was said in regards to DMARC then it's just another point why DMARC is bad.

johnea2y ago

That 5000 email/day limit should prevent most small business/personal servers from being affected...

brightball2y ago

Just that you must have a DMARC record in place. Doesn’t have to be enforced yet.

That is a logical next step down the road though and IMO long overdue.

j / k navigate · click thread line to collapse

18 comments

kmoser2y ago

pul2y ago

The RFC requires SMTP servers to first verify that the destination email indeed wants to receive those reports. They’re opt in through a DNS record.

https://datatracker.ietf.org/doc/html/rfc7489#section-7.1

StuntPopeOP2y ago

I've been monitoring this with an eye toward creating a honeypot for DMARC abuse but so far been seeing zero messages come in.

Either the spammers haven't figured it out yet, or they realize it's a waste of time since all the messages are either mechanically processed or ignored.

brightball2y ago

Yes it does.

donmcronald2y ago

I think the end goal here is to push stuff like BIMI so big tech can start charging another large annual fee to all businesses that want their email delivered.

frizlab2y ago

Yeah I inquired on how to setup BIMI for my company and was appalled by the price of this! We did not do it, it was too expensive.

brightball2y ago

BIMI is nothing more than a carrot to get the marketing department on board with DMARC and to give the people who sold EVSSL something else to convince companies to waste money on.

sbuk2y ago

For a change, I don't think the issue is big tech. The certificate issuers and authorities seem to see BIMI as a cash grab.

nerdjon2y ago

Does this make having email accounts like this viable anymore? Am I at risk of my emails not getting where I expect them too, particularly important if I am looking for a new job?

I use Amazon WorkMail so will need to see if that has done what is necessary, but still worried what exactly this will mean.

Edit: Is there a tool to validate that things are setup how we need it to be?

brightball2y ago

But as far as the policy, it doesn't have to be enforced. For most people, this just means that they'll need to a quick DNS entry to their domain for an unenforced policy.

Example...

TXT _dmarc.example.com "v=DMARC1; p=none;"

I did a 3 part DMARC writeup a while back if you're curious to learn more. It's not hard to setup. In fact, the smaller you are, the easier it is.

https://www.brightball.com/tag/dmarc-guide

sbuk2y ago

I'd add that DKIM is relitively simple to configue and, along with SPF, is a worthwhile endovour. It's considered as basic hygiene by spam filters.

StuntPopeOP2y ago

You'll still be able to to run personal email from your domain - I'd add SPF and a minimal DMARC and you'll be fine.

sbuk2y ago

> Edit: Is there a tool to validate that things are setup how we need it to be?

There are plenty, but mxtoolbox.com is your friend for most things email related.

taskforcegemini2y ago

The DMARC requirement only applies to senders who send at least 5000 e-mails per day to gmail-recipients.

pul2y ago

SPF and DKIM are not enough to harden email. Email can still be spoofed through a loophole in both specs.

See https://www.nslookup.io/learning/dmarc-a-practical-guide/

taskforcegemini2y ago

which loophole? I didn't see it mentioned in the article.

and this quote is not correct:

> Note that an email doesn't need to pass both DKIM and SPF. Just one is enough to validate an email.

Unless it was said in regards to DMARC, it usually depends on the mailfilter of the receiver. If it was said in regards to DMARC then it's just another point why DMARC is bad.

johnea2y ago

That 5000 email/day limit should prevent most small business/personal servers from being affected...

brightball2y ago

Just that you must have a DMARC record in place. Doesn’t have to be enforced yet.

That is a logical next step down the road though and IMO long overdue.

j / k navigate · click thread line to collapse