If you have domains that you're not using for email, please set up DNS records to prevent spammers from using them.
. TXT "v=spf1 -all"
. MX . 0
_dmarc. TXT "v=DMARC1; p=reject;"
Is this just primary domains, or subdomains too? If I have SPF/MX established for mydomain.invalid do I also need such records for blog.mydomain.invalid or mail.mydomain.invalid too?
Many things for sub-domains should percolate up to parent domains with these records.
Emphasis on "should".
You need to add the NULL MX and SPF records alongside every A and AAAA record. DMARC applies to subdomains unless they provide their own policy. Just make sure not to have a permissive policy for subdomains via the sp parameter. SPF hardly does anything. It's DMARC that matters.
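The checks described in the reply above (SPF and null MX alongside every A/AAAA record, `p=reject`, no permissive `sp`), written as an added example that is not part of the original thread. The zone data, the domain `parked.example` and the function names are constructed for illustration.

```python
# Constructed zone data for illustration: name -> list of (type, value).
ZONE = {
    "parked.example": [("A", "192.0.2.10"), ("TXT", "v=spf1 -all"), ("MX", "0 .")],
    "www.parked.example": [("A", "192.0.2.10")],  # missing SPF and null MX
    "_dmarc.parked.example": [("TXT", "v=DMARC1; p=reject; sp=none")],
}

def dmarc_tags(txt):
    """Split a DMARC record into a {tag: value} dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def audit_parked(zone, org_domain):
    """Return a list of findings for a domain that should send no mail."""
    findings = []
    for name, rrs in sorted(zone.items()):
        types = {t for t, _ in rrs}
        if not types & {"A", "AAAA"}:
            continue  # only names with address records need SPF / null MX
        txts = [v.lower().split() for t, v in rrs if t == "TXT"]
        if ["v=spf1", "-all"] not in txts:
            findings.append(f"{name}: no 'v=spf1 -all' TXT record")
        mx = [v.split() for t, v in rrs if t == "MX"]
        if mx != [["0", "."]]:
            findings.append(f"{name}: no null MX (preference 0, target '.')")
    dmarc = [dmarc_tags(v) for t, v in zone.get(f"_dmarc.{org_domain}", [])
             if t == "TXT" and v.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"{org_domain}: expected exactly one DMARC record")
    else:
        tags = dmarc[0]
        if tags.get("p") != "reject":
            findings.append(f"{org_domain}: DMARC p= is not reject")
        # sp= overrides p= for subdomains; absent means subdomains inherit p=.
        if tags.get("sp", tags.get("p")) != "reject":
            findings.append(f"{org_domain}: DMARC sp= is weaker than reject")
    return findings

if __name__ == "__main__":
    for line in audit_parked(ZONE, "parked.example"):
        print(line)
```
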
DMARC requires valid, aligned SPF / DKIM. The policy specifies what to do when it fails to pass. A p=reject policy will prevent spoofed emails from the domain to providers enforcing DMARC. SPF itself doesn't stop spoofing since it does not need to be aligned with the FROM header.
An email admin that I trust maintains that there is a way to do DMARC without DKIM.
It's some minutia of DKIM that I'm not aware of.
I have not yet dug into and verified his claims.
DMARC requires either valid, aligned SPF or valid, aligned DKIM. That's how DMARC works. DKIM provides a way to verify signed email but doesn't enforce it, so it doesn't prevent spoofing alone, since it's not mandatory. SPF hardly does anything without DMARC due to alignment.
Yes, I largely agree.
I've had SPF, DKIM, and DMARC configured on my domains for years.
The key word is "either", meaning that one (SPF) is sufficient for DMARC.
Should you have DKIM too? Yes.
Is DKIM technically required? I don't think so.
I'd have to go back and re-read minutia of multiple RFCs.
But I'd rather exert less effort and use DKIM. Like I have done.
This whole thread (as annoying as Twitter makes reading an entire threaded conversation) has been a wonderful education in the nuances of SPF, DKIM, and DMARC. I don't want to spam your replies on each of them, but did want to profusely thank you both for the learnin'!