It's not to control how received emails are validated. That's done internally by whatever software you're using to receive the mail. There's no reason it would need to be in a DNS record. The DNS record is for other people to check what's expected for emails from that domain.
This Tweet was deleted by the Tweet author.
I didn't know the details before I had to set it up properly for attestation.app in the past year. I'd previously always let other people deal with it and only had a general idea of what it did which is a bit different than having experience setting it up and testing it.
I'd definitely say that it's backwards because it shouldn't even be possible to send mail claiming to be from a domain without a valid DKIM signature. Mail should just be dropped without it, regardless of whether the DMARC policy permits it. It shouldn't even be an option.
If you run a mail server, you can and should implement mandatory DKIM, and people with their own email servers can set it up properly or deal with email being dropped. I'm not saying mark it suspicious or put it in spam but rather drop 100% of unverified email. Google should too.
I think this is actually *friendlier*, because your email doesn't go through at all so you'll quickly notice and fix it rather than it going to people's spam folder or being marked suspicious and they probably aren't ever going to let you know that there's anything wrong with it.
This Tweet was deleted by the Tweet author.
This Tweet was deleted by the Tweet author.
Yeah, they should definitely do that. It's also quite likely that a lot of emails from there haven't made it through stricter forms of spam filters. They do have SPF set up but not DKIM or DMARC and they should really have those. DMARC is needed to force SPF/DKIM enforcement.
Their SPF policy is also soft fail (~all) rather than hard fail (-all). Would definitely recommend using hard fail SPF, setting up DKIM, setting up DMARC and phasing in a 100% reject DMARC policy to enforce that mail is properly DKIM signed and from the SPF whitelisted sources.
Totally separate from whatever is causing the issue here, but definitely a good idea if they don't want people sending fake emails from arstechnica.com. Should do the same for any other domains including ones that never send email. It's annoying the default isn't reject 100%.
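The weak settings called out above (soft-fail SPF, no DMARC, a DMARC policy that is not `p=reject`) are easy to spot mechanically from a domain's TXT records. The checker below is an added example, not code from anyone in this thread; it runs offline over constructed sample records (the `.example` domains and their records are made up, not real lookups), and a real deployment would fetch the `TXT` records for the domain and `_dmarc.<domain>` with a DNS resolver. DKIM is deliberately not checked here: its public keys live under selector names that are not discoverable from the domain alone.

```python
"""Flag SPF and DMARC TXT records that leave a domain open to spoofed mail.

Added example; uses constructed records so it runs without DNS access.
"""
import re

# Constructed sample records for illustration only (not real domains or lookups).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",   # soft fail
        "dmarc": None,                                        # no DMARC record at all
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",   # hard fail
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example",
    },
    "monitoring.example": {
        "spf": "v=spf1 -all",                                 # domain never sends mail
        "dmarc": "v=DMARC1; p=none; pct=100",                 # monitor only, nothing enforced
    },
}


def parse_spf(record):
    """Return the qualifier of the SPF 'all' term: '-' hard fail, '~' soft fail,
    '?' neutral, '+' pass. None if the record is missing, malformed, or has no 'all'."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # an unqualified 'all' means pass
    return None


def parse_dmarc(record):
    """Return the DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'reject'};
    an empty dict if the record is absent or not a DMARC1 record."""
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess(spf_record, dmarc_record):
    """Return a list of findings describing why spoofed mail for this domain
    would not be rejected outright by receivers honouring SPF/DMARC."""
    findings = []

    qualifier = parse_spf(spf_record)
    if qualifier is None:
        findings.append("SPF: no record or no 'all' term (unlisted senders are not rejected)")
    elif qualifier != "-":
        findings.append(f"SPF: '{qualifier}all' is not a hard fail; use '-all'")

    dmarc = parse_dmarc(dmarc_record)
    if not dmarc:
        findings.append("DMARC: no record, so SPF/DKIM results are not enforced")
    else:
        policy = dmarc.get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC: p={policy or 'missing'}; phase in p=reject")
        pct = dmarc.get("pct", "100")
        if pct != "100":
            findings.append(f"DMARC: pct={pct}; only part of the mail is subject to the policy")
    return findings


def assess_all(records=SAMPLE_RECORDS):
    """Run assess() over a {domain: {'spf': ..., 'dmarc': ...}} mapping."""
    return {domain: assess(r["spf"], r["dmarc"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all().items():
        print(domain, "->", findings or ["OK"])
```

For a domain that sends no mail at all, the `monitoring.example` shape with `v=spf1 -all` plus `p=reject` is the end state to aim for; the checker reports the `p=none` record there precisely because monitoring mode enforces nothing.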
My expectation is that amazon.com email was actually 'legitimate' since they do have this stuff set up but by 'legitimate' I mean it could be a compromised account or an employee doing something sketchy (annoying marketing). Either that or a Gmail / G Suite bug...
