switching to an enforcing policy is on my to-do list, possibly this weekend, given the spam incidents that are happening.
i mostly cite FOFAFO (fear of fucking around and finding out) as the reason i haven't done it yet.
Most smaller email servers don't set up OpenDMARC or equivalent to enforce it. It works really well with the major providers though.
It doesn't tend to silently break anything but email is pretty annoying since it can take a really long time to actually get the error message.
I always set up an enforcing policy for each domain as the first step. It's useful even if it doesn't send email, since you still don't want someone spoofing emails from there. Setting null MX ("0 .") also gives people instant errors that they can't send email to the domain.
internet.nl/test-mail/ + havedane.net + sparkpost.com/email-tools/au is what I use to check that stuff is set up properly.
First 2 largely to check DNSSEC + DANE and the last one to check that DKIM/SPF are passing. Also checks that the PTR record for MX IP matches it.
In theory, internet.nl/test-mail/ now allows a domain to pass if it has enforcing DMARC policy, null MX and a disallow all SPF policy which it interprets as it being a non-mail domain. It only seems to actually work for subdomains at the moment though. I need to report that...
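The two replies above describe the record set that marks a domain as one that never sends or receives mail: an enforcing DMARC policy, a null MX of "0 ." and an SPF record that disallows every sender. The script below is an added example, not code from the thread or from internet.nl, that applies those three checks offline to records supplied as strings; the zone contents and domain names in it are constructed for illustration, and the pass criteria (exactly one DMARC record with p=quarantine or p=reject, the sole MX being "0 .", the sole SPF record being "v=spf1 -all") are this example's own reading of the thread rather than internet.nl's published rules.

```python
"""Added example (not from the thread): offline checks for a locked-down
non-mail domain. Records are supplied as plain strings, so no DNS lookups
happen; the zone contents below are constructed for illustration.
"""
from __future__ import annotations

# Constructed sample zones (hypothetical names, not real domains).
LOCKED_DOWN_ZONE = {
    "nomail.example": {"MX": ["0 ."], "TXT": ["v=spf1 -all"]},
    "_dmarc.nomail.example": {"TXT": ["v=DMARC1; p=reject; sp=reject"]},
}
WEAK_ZONE = {
    "weak.example": {"MX": ["10 mail.weak.example."], "TXT": ["v=spf1 ~all"]},
    "_dmarc.weak.example": {"TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"]},
}


def parse_dmarc(record: str) -> dict[str, str] | None:
    """Split a DMARC TXT record into tag -> value.

    Returns None when the record is not a valid DMARC record: RFC 7489
    requires the first tag to be v and its value to be exactly DMARC1.
    """
    parts = [p.strip() for p in record.split(";") if p.strip()]
    tags: dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not parts or parts[0].split("=", 1)[0].strip().lower() != "v":
        return None
    if tags.get("v") != "DMARC1":
        return None
    return tags


def dmarc_is_enforcing(txt_records: list[str]) -> bool:
    """True when exactly one DMARC record exists and its policy is
    quarantine or reject. Several DMARC records are a configuration error
    that receivers must ignore, so that case counts as not enforcing."""
    dmarc = [t for t in (parse_dmarc(r) for r in txt_records) if t is not None]
    if len(dmarc) != 1:
        return False
    return dmarc[0].get("p", "").lower() in ("quarantine", "reject")


def is_null_mx(mx_records: list[str]) -> bool:
    """True when the only MX record is the null MX "0 ." from RFC 7505."""
    return [" ".join(r.split()) for r in mx_records] == ["0 ."]


def spf_denies_all(txt_records: list[str]) -> bool:
    """True when the single SPF record is exactly "v=spf1 -all": no host is
    authorised to send and the hard-fail qualifier is used."""
    spf = [r.split() for r in txt_records]
    spf = [terms for terms in spf if terms and terms[0].lower() == "v=spf1"]
    if len(spf) != 1:  # zero records means no policy; two is a permerror
        return False
    return [term.lower() for term in spf[0][1:]] == ["-all"]


def non_mail_domain_findings(domain: str, zone: dict[str, dict[str, list[str]]]) -> list[str]:
    """Return the problems that stop `domain` from being a properly
    locked-down non-mail domain; an empty list means all three checks pass."""
    own = zone.get(domain, {})
    dmarc_txt = zone.get(f"_dmarc.{domain}", {}).get("TXT", [])
    findings: list[str] = []
    if not is_null_mx(own.get("MX", [])):
        findings.append("MX is not the null MX '0 .'")
    if not spf_denies_all(own.get("TXT", [])):
        findings.append("SPF record is not 'v=spf1 -all'")
    if not dmarc_is_enforcing(dmarc_txt):
        findings.append("DMARC policy is not enforcing (p=quarantine or p=reject)")
    return findings


if __name__ == "__main__":
    for name, zone in (("nomail.example", LOCKED_DOWN_ZONE), ("weak.example", WEAK_ZONE)):
        problems = non_mail_domain_findings(name, zone)
        print(name, "OK" if not problems else problems)
```

To run this against a live domain you would replace the dictionary lookups with real MX and TXT queries for the domain and its `_dmarc` label; the checks themselves are deliberately strict, so a record such as `v=spf1 ~all` or a DMARC record with `p=none` is reported as a finding rather than passed.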
This should also work for bare domains. See for example: en.internet.nl/mail/example.n Let us know if you get different results. Thanks!
It appears to permit having no DKIM records for non-mail subdomains but not a non-mail bare domain.
Could set an empty placeholder like the example but it's not like DKIM records enforce something on their own. It would essentially just be gaming the test.
Thanks for feedback! Could you share the domain you tested?