SPF/DKIM/DMARC is just plain hostile. I spent hours learning all that. And now it turns out that even if I "include:mail.community.recurse.com" in my SPF record, mail with SMTP FROM mail.community.recurse.com still gets rejected. WTF.
Bringing security to existing ecosystems is delicate. All user pain must be:
1) aggressively minimized (by design, tooling or tradeoff)
2) justified by a security gain (more concrete the bigger the pain)
3) effectively communicated (if you do x, you get benefit y)
DMARC is failing one of these, even though I don't know for sure which.
And the consequence is that, being a user after all, I'm just disabling it. Alas.
More emergent damage of DMARC: since it forces the envelope MailFrom to be the same as the From header (for no good reason, since it's meant to protect the latter, and the former is invisible), my newsletter bounces are now going to my FastMail inbox instead of Mailgun ¯\_(ツ)_/¯
Previously.
Quote Tweet
Title: Actually, DMARC works fine with mailing lists
Body: It's reasonable to require that mailing list users enable stuff that's not regularly required, and you have to turn off all features that make it a mailing list.
— Every single DMARC article.
DMARC is undeployable, episode 2491: (Pro) sends newsletters with Sender/MailFrom m.ghost.org, but From filippo.io.
There is literally nothing I can do but disable DMARC, or pay $200/month for a Business account with a custom Sender.
DMARC is utter trash, and I say that as someone who's been running mail servers for two decades. These days, a large fraction of spam passes SPF, DKIM, and even DMARC. Origin domain reputation is really the only useful signal.
DMARC is for preventing spoofing FROM, not filtering spam. DKIM + DMARC can be used by themselves without SPF. DMARC requires that either SPF or DKIM passes aligned to the FROM header. It doesn't need both, so you can have p=reject DMARC with only DKIM and that's totally fine.
You're still going to get a ton of spoofed mail, just not with FROM headers for domains with DMARC p=reject or p=quarantine. Spam doesn't need to use spoofed mail and it's somewhat hard to understand why a spammer would even do that since it's much more likely to be filtered.
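The alignment rule stated in the reply above (either SPF or DKIM must pass, and the domain it authenticated must be aligned with the RFC5322.From domain) is what makes the earlier scenarios in the thread fail. What follows is an added example, not code posted by anyone in the thread: a minimal DMARC alignment evaluator in Python. The domains filippo.io, m.ghost.org and mail.community.recurse.com are taken from the thread; bounces.filippo.io is a hypothetical subdomain used only to show relaxed versus strict alignment; and the organizational-domain computation is simplified to the last two labels instead of consulting the Public Suffix List.

```python
"""Minimal DMARC alignment evaluator (added example, not from the thread).

Implements the RFC 7489 rule: a message passes DMARC when at least one
authenticated identifier (the SPF MAIL FROM domain, or the d= domain of a
verified DKIM signature) is aligned with the RFC5322.From domain. Neither
mechanism is required on its own; DKIM-only deployments pass.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResult:
    """One authenticated identifier as Authentication-Results would report it."""
    method: str   # "spf" or "dkim"
    result: str   # "pass", "fail", "none", ...
    domain: str   # SPF: the MAIL FROM (envelope) domain; DKIM: the d= tag


@dataclass(frozen=True)
class DmarcRecord:
    """The tags of a _dmarc TXT record that matter for this check."""
    p: str = "none"   # policy: none, quarantine or reject
    adkim: str = "r"  # DKIM alignment mode: r (relaxed) or s (strict)
    aspf: str = "r"   # SPF alignment mode


def org_domain(domain: str) -> str:
    """Organizational domain, simplified (assumption) to the last two labels.
    A real evaluator consults the Public Suffix List so that e.g. example.co.uk
    is not collapsed to co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment requires an exact match; relaxed alignment only
    requires the same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def evaluate_dmarc(from_domain, results, record):
    """Return (verdict, disposition, reason).

    verdict is "pass" when some SPF or DKIM result passed AND its domain is
    aligned with from_domain; otherwise "fail", and the disposition is the
    record's p= policy (what the receiver is asked to do with the message).
    """
    unaligned = []
    for r in results:
        if r.result != "pass":
            continue
        mode = record.aspf if r.method == "spf" else record.adkim
        if is_aligned(from_domain, r.domain, mode):
            return "pass", "none", f"{r.method} passed for {r.domain}, aligned with {from_domain}"
        unaligned.append(f"{r.method}={r.domain}")
    if unaligned:
        reason = "authenticated but not aligned with From: " + ", ".join(unaligned)
    else:
        reason = "no passing SPF or DKIM result"
    return "fail", record.p, reason


def thread_scenarios():
    """Constructed inputs modelled on the cases discussed in the thread."""
    reject = DmarcRecord(p="reject")
    spf = lambda d: AuthResult("spf", "pass", d)
    dkim = lambda d: AuthResult("dkim", "pass", d)
    return {
        # Newsletter platform: MAIL FROM and DKIM d= are m.ghost.org, From is filippo.io.
        "ghost_default": evaluate_dmarc("filippo.io", [spf("m.ghost.org"), dkim("m.ghost.org")], reject),
        # Same platform with a DKIM key for filippo.io: DKIM alone is enough to align.
        "ghost_custom_dkim": evaluate_dmarc("filippo.io", [spf("m.ghost.org"), dkim("filippo.io")], reject),
        # Mailing list: SPF passes for mail.community.recurse.com (it is in the
        # include:), but that domain is not aligned with the From header.
        "recurse_list": evaluate_dmarc("filippo.io", [spf("mail.community.recurse.com")],
                                       DmarcRecord(p="quarantine")),
        # DKIM-only deployment, no SPF record at all.
        "dkim_only": evaluate_dmarc("filippo.io", [AuthResult("spf", "none", ""), dkim("filippo.io")], reject),
        # Hypothetical bounce subdomain: aligned under relaxed aspf, not under strict.
        "relaxed_subdomain": evaluate_dmarc("filippo.io", [spf("bounces.filippo.io")], reject),
        "strict_subdomain": evaluate_dmarc("filippo.io", [spf("bounces.filippo.io")],
                                           DmarcRecord(p="reject", aspf="s")),
    }


if __name__ == "__main__":
    for name, (verdict, disposition, reason) in thread_scenarios().items():
        print(f"{name:18} {verdict:4} disposition={disposition:10} {reason}")
```

The point the evaluator makes concrete: a passing SPF result for an included third-party domain buys nothing under DMARC unless that domain shares the From header's organizational domain, whereas a DKIM signature with d= equal to (or, under relaxed alignment, a subdomain of) the From domain passes on its own, which is why "let me sign with your domain's key" is the only workable option a sending platform can offer short of changing the envelope sender.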
Being able to send emails as other people is a problem. It's not a problem that's being solved any time soon thanks to there being so much apathy and active resistance to fixing email but thankfully email can be largely replaced and phased out since it's not going to get fixed.