If you have domains that you're not using for email, please set up DNS records to prevent spammers from using them.
. TXT "v=spf1 -all"
. MX . 0
_dmarc. TXT "v=DMARC1; p=reject;"
Conversation
Is this just primary domains, or subdomains too? If I have SPF/MX established for mydomain.invalid do I also need such records for blog.mydomain.invalid or mail.mydomain.invalid too?
3
Many things for sub-domains should percolate up to parent domains with these records.
Emphasis on โshouldโ.
1
2
You need to add the NULL MX and SPF records alongside every A and AAAA record. DMARC applies to subdomains unless they provide their own policy. Just make sure not to have a permissive policy for subdomains via the sp parameter. SPF hardly does anything. It's DMARC that matters.
1
1
3
DMARC requires valid, aligned SPF / DKIM. The policy specifies what to do when it fails to pass. A p=reject policy will prevent spoofed emails from the domain to providers enforcing DMARC. SPF itself doesn't stop spoofing since it does not need to be aligned with the FROM header.
2
1
3
Also, hardly anyone enforces SPF even with a hard fail policy, but it's not particularly relevant since it doesn't have to be aligned. SPF will pass with a spoofed FROM header as long as MAIL FROM (relay) passes. DMARC is what makes SPF and DKIM actually function properly.
2
1
2
I personally do enforce SPF policies that others publish.
If you use -all and send from an unauthorized IP, then the onus is on you to fix your email.
I bemoan people who do not uphold SPF as published by domain owners.
1
Here's the problem: SPF doesn't require alignment. SPF alone cannot prevent spoofing. As an example, a spoofed email can be sent with FROM set to anything@grapheneos.org that will pass SPF despite only mail.grapheneos.org being whitelisted in a hard fail SPF policy.
SPF can pass based on MAIL FROM being aligned and valid for the relay, i.e. the spoofed email was sent from a relay identifying itself as a specific domain where the SPF policy permits it. DKIM can also be unaligned. DMARC requires that either is valid AND aligned with FROM.
I agree.
But as you said, either SPF or DKIM.
One or the other is optional.