:: Re: [DNG] Is t worth the effort for…
Author: Rick Moen
Date: 2020-10-01 07:07 -000
To: dng
Subject: Re: [DNG] Is t worth the effort for SPF?, DMARC>, DKIM?, etc
Quoting terryc (terryc@???):

> On Sun, 27 Sep 2020 17:20:06 +0200
> Alessandro Vesely via Dng <dng@???> wrote:
>
>
> > You can also publish DKIM and SPF records so as to produce
> > DMARC-aligned authentication for any hosted domain. Users won't
> > notice any difference.
>
> Does anyone have any figures on how effective these methods are?
> It seems we get a new idea every few years and none make the slightest
                                                 ^^^^^^^^^^^^^^^^^^^^^^^
> difference in spam levels.
^^^^^^^^^^^^^^^^^^^^^^^^^

You have made a fundamental, basic error.

SPF and DMARC are _antiforgery_ extensions to DNS and SMTP. They permit
a domain owner to publish information in their authoritative DNS to
advise recipients of SMTP about what SMTP-originating IP addresses ought
to be considered _authorised_ SMTP senders for their domains, vs. which
others ought to be rejected as forgeries.

Nothing about SPF and DMARC says 'this will reduce spam'. They're about
making domain forgery (in received SMTP mail) be detectable and able to
be confidently rejected upon receipt.

DKIM is a (poorly designed, IMO) method for an individual SMTP-mail
originating system to cryptographically sign outbound SMTP mail,
permitting receiving systems to verify that the mail contents haven't
been tampered with en route.

Since I personally refuse to have anything to do with DKIM or DMARC
(both designed by the same team at Yahoo), I'll illustrate SPF's
value proposition to a domain owner. I'm the owner/operator of domain
linuxmafia.com (among others). Here is that domain's publicly
proclaimed SPF record:

:r! dig -t txt linuxmafia.com +short
"v=spf1 ip4:96.95.217.99 -all"

That record says, translated into English, "Please accept as from an
authorised SMTP source for domain linuxmafia.com _only_ mail originated
by IPv4 address 96.95.217.99. Please hardfail (reject) mail received
from any other IP address."

My putting that information in my DNS is a huge win for my domain's good
reputation as a clean SMTP source, in that it states extremely clearly
what mail _purporting_ to be from linuxmafia.com ought to be considered
by receiving MTAs (that honour my wishes) to be genuine. Of course, I
have zero ability to compel or persuade receiving SMTP systems to check
and honour my domain's SPF record, but many do, and every little bit
helps.

Occasionally, someone tries to convince me that SPF is A Bad Thing for
any of several uncompelling reasons, most often because they have been
accustomed to originating mail from _their_ domains from arbitrary IP
addresses on TCP port 25 (SMTP), and fear that widespread adoption of
SPF will somehow make it less likely that their carefree habit will
continue much longer. My response inevitably is that I really couldn't
care less whether they like SPF or not. It permits me to unambiguously
declare to the public that IP address 96.95.217.99 is the only valid
source of SMTP mail from my domain, thereby exposing as forgeries mail
from anywhere else (falsely) claiming to be from my domain, so it is
A Good Thing for my domain, and I don't give a tinker's damn whether my
interlocutor approves of it.

And none of this has anything particularly to do with 'reducing spam'.
That just isn't the point, and the only people debating that supposed
issue are folks who never bothered to look up what the thing _is_.
> The only result is that there is now an industry of religious extremism
> in "blacklisting" sites that don't follow their desired implementation.
To be blunt: You have not bothered to understand what you're writing
about. I would suggest you do so.
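As an added illustration (not part of Rick's message or any real SPF library), a minimal SPF check in Python that evaluates a record like the one quoted above against the IP address of a connecting SMTP client. It handles only ip4/ip6/all terms with their qualifiers; mechanisms that require DNS lookups are rejected rather than resolved, and the sample records and client addresses are constructed.

```python
"""Minimal SPF (RFC 7208) evaluator for records built from ip4/ip6/all
mechanisms, such as "v=spf1 ip4:96.95.217.99 -all" quoted in the message.
Mechanisms that need DNS lookups (a, mx, include, exists, ptr) and
modifiers (redirect=, exp=) are deliberately not handled here."""
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches ("+" is the default)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str):
    """Split a TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:                      # modifier such as redirect= / exp=
            raise NotImplementedError(f"modifier not supported: {term}")
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        # partition at the FIRST colon so "ip6:2001:db8::/32" keeps its argument
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech not in ("ip4", "ip6", "all"):
            raise NotImplementedError(f"unsupported or DNS-dependent term: {term}")
        if mech == "all" and arg:
            raise ValueError("'all' takes no argument")
        parsed.append((qual, mech, arg))
    return parsed


def check_host(record: str, client_ip: str) -> str:
    """Return the SPF result for a connecting SMTP client address.
    Terms are tested left to right and the first match decides; if no term
    matches (record without a trailing 'all'), the result is 'neutral'."""
    ip = ipaddress.ip_address(client_ip)
    for qual, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIERS[qual]
        if (ip.version == 6) != (mech == "ip6"):
            continue                         # address family does not match
        # an argument without a prefix length means a single host (/32 or /128)
        network = ipaddress.ip_network(arg, strict=False)
        if ip in network:
            return QUALIFIERS[qual]
    return "neutral"
```

With the record from the message, mail from 96.95.217.99 evaluates to "pass" and mail from any other address to "fail", which is exactly the hardfail policy the text describes.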