SPF/DKIM/DMARC is just plain hostile. I spent hours learning all that. And now it turns out that even if I "include:mail.community.recurse.com" in my SPF record, mail with SMTP FROM mail.community.recurse.com still gets rejected. WTF.
Conversation
Bringing security to existing ecosystems is delicate. All user pain must be:
1) aggressively minimized (by design, tooling or tradeoff)
2) justified by a security gain (more concrete the bigger the pain)
3) effectively communicated (if you do x, you get benefit y)
1
6
28
DMARC is failing one of these, even though I don't know for sure which.
And the consequence is that, being an user after all, I'm just disabling it. Alas.
4
7
More emergent damage of DMARC: since it forces the envelope MailFrom to be the same as the From header (for no good reason, since it's meant to protect the latter, and the former is invisible), my newsletter bounces are now going to my FastMail inbox instead of Mailgun ¯\_(ツ)_/¯
3
6
Previously.
Quote Tweet
Title: Actually, DMARC works fine with mailing lists
Body: It's reasonable to require that mailing list users enable stuff that's not regularly required, and you have to turn off all features that make it a mailing list.
— Every single DMARC article.
1
2
2
16
DMARC is undeployable, episode 2491: (Pro) sends newsletters with Sender/MailFrom m.ghost.org, but From filippo.io.
There is literally nothing I can do but disable DMARC, or pay $200/month for a Business account with a custom Sender.
4
10
It's incredibly painful if you involve other parties in it because they don't do things correctly. It's easy if you're sending all the mail yourself.
Mailing lists need to be designed for compatibility with it by having you send mail to it and forwarding it along untampered.
1
1
They can add non-oversigned headers like List-Unsubscribe or other list-related headers. If they mess with the body or the signed headers they break it. If they send the mail entirely themselves then they need a working way to support that on your domain like adding DKIM keys.
You can use DMARC without SPF. Can omit the SPF record entirely and simply use DKIM. Need to have an aligned DKIM signature so the mailing list needs to support referring to your domain and having you set up DKIM properly just like mail providers (G Suite, etc.) do properly.
1