Conversation

Ryan Castellucci ;

(){

& };

@ryancdotorg

Nov 20, 2020

If you have domains that you're not using for email, please set up DNS records to prevent spammers from using them. . TXT "v=spf1 -all" . MX . 0 _dmarc. TXT "v=DMARC1; p=reject;"

777

2,339

Replying to

and

Is this just primary domains, or subdomains too? If I have SPF/MX established for mydomain.invalid do I also need such records for blog.mydomain.invalid or mail.mydomain.invalid too?

Replying to

and

Many things for sub-domains should percolate up to parent domains with these records. Emphasis on “should”.

Replying to

You need to add the NULL MX and SPF records alongside every A and AAAA record. DMARC applies to subdomains unless they provide their own policy. Just make sure not to have a permissive policy for subdomains via the sp parameter. SPF hardly does anything. It's DMARC that matters.

Replying to

DMARC requires valid, aligned SPF / DKIM. The policy specifies what to do when it fails to pass. A p=reject policy will prevent spoofed emails from the domain to providers enforcing DMARC. SPF itself doesn't stop spoofing since it does not need to be aligned with the FROM header.

Replying to

Also, hardly anyone enforces SPF even with a hard fail policy, but it's not particularly relevant since it doesn't have to be aligned. SPF will pass with a spoofed FROM header as long as MAIL FROM (relay) passes. DMARC is what makes SPF and DKIM actually function properly.

Replying to

In order of importance: set up DMARC and then set up DNSSEC. Fill in the NULL MX records and SPF records for every A and AAAA record if you want to go the extra mile. It's much less important than the baseline. DMARC will still reject spoofed mail without having an SPF record.

Replying to

And if you really want to make a difference for mail spoofing... pressure Google to at least set a p=quarantine for gmail.com instead of p=none. It's an embarrassment that they permit anyone to spoof emails from Gmail users. Even Yahoo does much better...

12:11 AM · Nov 22, 2020Twitter Web App

Replying to

Ya…. I have a different perspective than many on this. I view what you are aptly describing as the tip of the ice berg that you can see. There is worse below the water line.