Wow, just checked my spam for my Grapl email and it's wild. I wonder if all of these companies offering their services realize that their emails are being automatically sent to spam.
Conversation
Replying to
For the GrapheneOS mail server, we enforce strict SPF (reject on hard or soft fail), DKIM (reject on errors such as DKIM signed but missing record) and DMARC along with only accepting mail via TLS. Eliminates nearly all spam. Fine with missing mail from broken servers.
2
4
Occasionally some marketing spam making it through and if it appears to be in an official capacity, I add their domain to a list of entirely rejected ones.
Also, enforcing some basic rules on header / HELO validity, etc.
Haven't needed PTR checks, graylisting, spam filtering.
Nearly all of it was killed by rejecting mail not sent via TLS and before doing that I checked and verified that there was not a single non-spam email sent without TLS for the initial couple years of having the domain.
Enforcing DKIM does reject some non-spam mail. Rest doesnt.
1
1
Typical issue with DKIM is that people use G Suite or something similar which DKIM signs their email and then the DKIM verifier gets an error looking up the DNS record because they didn't add it per the instructions.
I'm fine with rejecting it until they fix it though. *shrug*
1
1
Show replies
Replying to
I still have to figure out how to set a lot of this up for Grapl. We're all GSuite.
1
Replying to
postfix + dovecot + opendkim + opendmarc + python-postfix-policyd-spf
It's a whole bunch of configuration. Can optionally put nginx in front as a reverse proxy with the mail modules to provide denial of service resistance and better TLS configuration (optionally BoringSSL too).
1
Show replies