This Tweet was deleted by the Tweet author. Learn more
This is for protecting your domain from being used to send fake emails. It's relevant even if you don't use your domain to send emails, since if you don't do it, other people can use it as a fake source for emails. I don't see what it has to do with verification of received mail.
This isn't to configure how G Suite handles your received mail. It's generic configuration to tell how other servers handle mail that claims to be from your domain. The only part that's specific to G Suite is that Google needs to be considered a valid source for the emails.
It's not to control how received emails are validated. That's done internally by whatever software you're using to receive the mail. There's no reason it would need to be in a DNS record. The DNS record is for other people to check what's expected for emails from that domain.
This Tweet was deleted by the Tweet author. Learn more
I'd definitely say that it's backwards because it shouldn't even be possible to send mail claiming to be from a domain without a valid DKIM signature. Mail should just be dropped without it, regardless of whether the DMARC policy permits it. It shouldn't even be an option.
If you run a mail server, you can and should implement mandatory DKIM, and people with their own email servers can set it up properly or deal with email being dropped. I'm not saying mark it suspicious or put it in spam but rather drop 100% of unverified email. Google should too.
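Added example, not part of the thread: a simplified receiver-side check showing how the DMARC record a domain publishes in DNS decides what happens to mail claiming to be from it, with a hypothetical `require_dkim` switch modelling the drop-without-DKIM rule proposed in the last tweets. The function names, the two-label organizational-domain shortcut and the sample record are assumptions; the `pct` and `sp` tags are ignored.

```python
# Added illustration, not code from the thread. All names here are hypothetical.

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(domain):
    # Assumption: last two labels. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict mode ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def disposition(from_domain, dmarc_txt, dkim_pass_domains, spf_pass_domain=None,
                require_dkim=False):
    """Decide 'deliver', 'quarantine' or 'reject' for one received message.

    dkim_pass_domains: d= domains of DKIM signatures that verified.
    spf_pass_domain: envelope-sender domain if SPF passed, else None.
    require_dkim: receiver-local rule, drop anything without aligned DKIM.
    """
    tags = parse_dmarc(dmarc_txt) or {}
    dkim_ok = any(aligned(from_domain, d, tags.get("adkim", "r"))
                  for d in dkim_pass_domains)
    spf_ok = spf_pass_domain is not None and aligned(
        from_domain, spf_pass_domain, tags.get("aspf", "r"))
    if require_dkim:
        return "deliver" if dkim_ok else "reject"
    if dkim_ok or spf_ok:
        return "deliver"  # DMARC passes on either aligned mechanism
    policy = tags.get("p", "none").lower()  # no record behaves like p=none
    return policy if policy in ("quarantine", "reject") else "deliver"

if __name__ == "__main__":
    record = "v=DMARC1; p=reject; adkim=s"  # constructed sample for example.com
    print(disposition("example.com", record, []))               # unsigned spoof
    print(disposition("example.com", record, ["example.com"]))  # signed by owner
    print(disposition("example.com", None, []))                 # no record published
    print(disposition("example.com", None, [], require_dkim=True))
```

The third and fourth calls show the gap the thread is about: a domain that publishes no record gets unsigned mail delivered under standard DMARC handling, and only the receiver-local rule rejects it.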