Autor: Rick Moen Fecha: A: dng Asunto: Re: [DNG] Admins can you fix/set the header overrides?
Quoting Miles Fidelman (mfidelman@???):
> Ahh... missed that. Didn't really notice anything until this huge
> string of emails. Sigh...
Eh, no worries. I half-realised that's what probably happened.
[publishing SPF & DMARC/DKIM records in DNS for a mailing list host:]
> True, but it sometimes helps. And it's easy enough if one has
> access to one's nameserver records, as anyone who runs a list
> manager usually does.
Just as a matter of personal perspective/opinion: I watched the
introduction of DKIM (né DomainKeys) by Yahoo and considered it so
botched that I wanted nothing to do with it. When Yahoo extended DKIM
to create DMARC, it seemed to me Yahoo had learned nothing from the
DomainKeys/DKIM experience and screwed up a second time.
By contrast, all of the complaints against SPF (the real ones, not the
bullshit non-sequitur complaints like 'SPF doesn't block spam' and
'spamhaus domains can and do publish SPF records) divide neatly into two
categories:
1. I object to /etc/aliases and ~/.forward breaking and refuse to use
SRS in their entries. (Dude, wrong decade.)
2. I want to be free to originate outgoing SMTP from arbitrary
not-previously-planned IP addresses and not have it be suspected of
forgery. (Dude #2, good luck with that. Also, still the wrong decade.)
Both factions kept advising me it's Bad and Wrong for me to publish an
SPF record saying 'Please reject as forged any mail purporting to be
from my domains that isn't from IP address 198.144.195.186', to which I
always responded 'Why the Gehenna is that _bad_? It's exactly what I want
to happen, because all mail genuinely from my domain comes from my IP.
If users, even those who have shell on my machine, are forging my domain
from other IPs, I _want_ that mail to fail as forged, because it's
actually forged, and users should not try to do that.'
Anyway, as far as I'm aware, nobody is distrusting mail legitimately
from my domains for lack of DMARC attestation. I keep asking people
suggesting DMARC what demonstrable benefit my domains would get that
they don't already get from a very clear and emphatic SPF policy, and
nobody's yet given me a compelling answer.
If things change and I _do_ see signs of penalising domains with
emphatic SPF policies but no DKIM/DMARC, then I'll reconsider.
(Above speaks, obviously, just for me and my domains. I'm not part of
the Dyne/Dng administration team, just a friendly Devuan sysadmin and
recently-Debian-leaning Operations guy.)