If you have domains that you're not using for email, please set up DNS records to prevent spammers from using them.
. TXT "v=spf1 -all"
. MX . 0
_dmarc. TXT "v=DMARC1; p=reject;"
Conversation
Is this just primary domains, or subdomains too? If I have SPF/MX established for mydomain.invalid do I also need such records for blog.mydomain.invalid or mail.mydomain.invalid too?
3
Many things for sub-domains should percolate up to parent domains with these records.
Emphasis on βshouldβ.
1
2
You need to add the NULL MX and SPF records alongside every A and AAAA record. DMARC applies to subdomains unless they provide their own policy. Just make sure not to have a permissive policy for subdomains via the sp parameter. SPF hardly does anything. It's DMARC that matters.
1
1
3
DMARC requires valid, aligned SPF / DKIM. The policy specifies what to do when it fails to pass. A p=reject policy will prevent spoofed emails from the domain to providers enforcing DMARC. SPF itself doesn't stop spoofing since it does not need to be aligned with the FROM header.
2
1
3
An email admin that I trust maintains that there is a way to do DMARC without DKIM.
Itβs some minutia of DKIM that Iβm not aware of.
I have not yet dug into and verified his claims.
1
DMARC requires either valid, aligned SPF or valid, aligned DKIM. That's how DMARC works. DKIM provides a way to verify signed email but doesn't enforce it, so it doesn't prevent spoofing alone, since it's not mandatory. SPF hardly does anything without DMARC due to alignment.
2
Yes, I largely agree.
Iβve had SPF, DKIM, and DMARC configured on my domains for years.
The key word is βeitherβ mei ONT that one (SPF) is sufficient for DMARC.
Should you have DKIM too? Yes.
Is DKIM technically required? I donβt think so.
1
Iβd have to go back and re-read minutia of multiple RFCs.
But Iβd rather exert less effort and use DKIM. Like I have done.
1
No one said DKIM is required. To prevent spoofing email from a domain to properly configured servers, only a DMARC p=reject policy is required. That requires that there is either valid, aligned DKIM or valid, aligned SPF. Lack of a DKIM / SPF setup will result in rejection.
1
If you want to extend the topic to actually sending email that passes DMARC, then sure, you can implement that with either SPF or DKIM instead of both. That's how DMARC works. However, if you only do SPF, you won't be able to send email via mailing lists / relays like with DKIM.
DKIM + DMARC is a lot more flexible because mails can be forwarded as usual, and it remains valid as long as there's no tampering with the email. A mailing list can still prepend List-Unsubscribe and other headers that aren't oversigned. DMARC with SPF only works directly.
2
1
Mailing lists canβt modify messages that I send and have them pass DKIM from my domain.
I sign the entire body and many headers, including subject, from, and too.
In fact I oversign them so that additional headers canβt be added.
Agreed.
I believe that mailing lists should NOT be sending email as me or my domain name.
My personal opinion is that they should be re-sending email as from their domain name.