If you have domains that you're not using for email, please set up DNS records to prevent spammers from using them.
. TXT "v=spf1 -all"
. MX . 0
_dmarc. TXT "v=DMARC1; p=reject;"
Conversation
Is this just primary domains, or subdomains too? If I have SPF/MX established for mydomain.invalid do I also need such records for blog.mydomain.invalid or mail.mydomain.invalid too?
3
Many things for sub-domains should percolate up to parent domains with these records.
Emphasis on โshouldโ.
1
2
You need to add the NULL MX and SPF records alongside every A and AAAA record. DMARC applies to subdomains unless they provide their own policy. Just make sure not to have a permissive policy for subdomains via the sp parameter. SPF hardly does anything. It's DMARC that matters.
1
1
3
DMARC requires valid, aligned SPF / DKIM. The policy specifies what to do when it fails to pass. A p=reject policy will prevent spoofed emails from the domain to providers enforcing DMARC. SPF itself doesn't stop spoofing since it does not need to be aligned with the FROM header.
2
1
3
Also, hardly anyone enforces SPF even with a hard fail policy, but it's not particularly relevant since it doesn't have to be aligned. SPF will pass with a spoofed FROM header as long as MAIL FROM (relay) passes. DMARC is what makes SPF and DKIM actually function properly.
In order of importance: set up DMARC and then set up DNSSEC. Fill in the NULL MX records and SPF records for every A and AAAA record if you want to go the extra mile. It's much less important than the baseline. DMARC will still reject spoofed mail without having an SPF record.
2
1
2
And if you really want to make a difference for mail spoofing... pressure Google to at least set a p=quarantine for gmail.com instead of p=none. It's an embarrassment that they permit anyone to spoof emails from Gmail users. Even Yahoo does much better...
1
1
Show replies
I personally do enforce SPF policies that others publish.
If you use -all and send from an unauthorized IP, then the onus is on you to fix your email.
I bemoan people who do not uphold SPF as published by domain owners.
1
Here's the problem: SPF doesn't require alignment. SPF alone cannot prevent spoofing. As an example, a spoofed email can be sent with FROM set to anything@grapheneos.org that will pass SPF despite only mail.grapheneos.org being whitelisted in a hard fail SPF policy.
2
Show replies