as a reminder, all of my emails are signed using DKIM. if you ever receive an email lacking a DKIM signature or with a DKIM signature using a key not associated with my domain, you can be assured it's a forgery.
Conversation
Replying to
Is there a particular mailing list blocking you from using an enforcing DMARC policy?
Mailing list software is largely compatible with it nowadays, as long as it's properly configured. Either needs to be configured to avoid tampering with signed mails or mark it as sent by them.
2
2
Replying to
switching to an enforcing policy is on my to-do list, possibly this weekend, given the spam incidents that are happening.
1
i mostly cite FOFAFO (fear of fucking around and finding out) as the reason i haven't done it yet.
1
Replying to
Most smaller email servers don't set up OpenDMARC or equivalent to enforce it. It works really well with the major providers though.
It doesn't tend to silently break anything but email is pretty annoying since it can take a really long time to actually get the error message.
2
1
I always set up an enforcing policy for each domain as the first step. It's useful even if it doesn't send email, since you still don't want someone spoofing emails from there. Setting null MX ("0 .") also gives people instant errors that they can't send email to the domain.
1
2
Replying to
internet.nl/test-mail/ + havedane.net + sparkpost.com/email-tools/au is what I use to check that stuff is set up properly.
First 2 largely to check DNSSEC + DANE and the last one to check that DKIM/SPF are passing. Also checks that the PTR record for MX IP matches it.
1
2
In theory, internet.nl/test-mail/ now allows a domain to pass if it has enforcing DMARC policy, null MX and a disallow all SPF policy which it interprets as it being a non-mail domain. It only seems to actually work for subdomains at the moment though. I need to report that...
1
1
This should also work for bare domains. See for example: en.internet.nl/mail/example.n Let us know if you get different results. Thanks!
1
It appears to permit having no DKIM records for non-mail subdomains but not a non-mail bare domain.
Could set an empty placeholder like the example but it's not like DKIM records enforce something on their own. It would essentially just be gaming the test.
Thanks for feedback! Could you share the domain you tested?
1
1
1
Show replies