:: Re: [DNG] Is t worth the effort for…
Top Page
Delete this message
Reply to this message
Author: Peter Duffy
To: dng
Subject: Re: [DNG] Is t worth the effort for SPF?, DMARC>, DKIM?, etc
Thank you for that note on SPF - it clarified it for me in a way that
other documentation on this has failed to do up to now.

On Thu, 2020-10-01 at 00:07 -0700, Rick Moen wrote:
> Quoting terryc (terryc@???):
> > On Sun, 27 Sep 2020 17:20:06 +0200
> > Alessandro Vesely via Dng <dng@???> wrote:
> >
> >
> > > You can also publish DKIM and SPF records so as to produce
> > > DMARC-aligned authentication for any hosted domain. Users won't
> > > notice any difference.
> >
> > Does anyone have any figures on how effective these methods are?
> > It seems we get a new idea every few years and none make the slightest
>                                                  ^^^^^^^^^^^^^^^^^^^^^^^
> > difference in spam levels. 
>   ^^^^^^^^^^^^^^^^^^^^^^^^^

> You have made a fundamental, basic error.
> SPF and DMARC are _antiforgery_ extensions to DNS and SMTP. They permit
> a domain owner to publish information in their authoritative DNS to
> advise recipients of SMTP about what SMTP-originating IP addresses ought
> to be considered _authorised_ SMTP senders for their domains, vs. which
> others ought to be rejected as forgeries.
> Nothing about SPF and DMARC say 'this will reduce spam'. They're about
> making domain forgery (in received SMTP mail) be detectable and able to
> be confidently rejected upon receipt.
> DKIM is a (poorly designed, IMO) method for individual SMTP-mail
> originating system to cryptographically sign outbound SMTP mail,
> permitting receiving systems to verify that the mail contents hasn't
> been tampered with en-route.
> Since I personally refuse to have anything to do with DKIM or DMARC
> (both designed by the same team at Yahoo), I'll illustrate SPF's
> value proposition to a domain owner. I'm the owner/operator of domain
> linuxmafia.com (among others). Here is that domain's publicly
> proclaimed SPF record:
> :r! dig -t txt linuxmafia.com +short
> "v=spf1 ip4: -all"
> That record says, translated into English, "Please accept as from an
> authorised SMTP source for domain linuxmafia.com _only_ mail originated
> by IPv4 address Please hardfail (reject) mail received
> from any other IP address."
> My putting that information in my DNS is a huge win for my domain's good
> reputation as a clean SMTP source, in that it states extremely clearly
> what mail _purporting_ to be from linuxmafia.com ought to be considered
> by receiving MTAs (that honour my wishes) to be genuine. Of course, I
> have zero ability to compel or persuade receiving SMTP systems to check
> and honour my domain's SPF record, but many do, and every little bit
> helps.
> Occasionally, someone tries to convince me that SPF is A Bad Thing for
> any of several uncompelling reasons, most often because they have been
> accustomed to originating mail from _their_ domains from arbitrary IP
> addresses on TCP port 25 (SMTP), and fear that widespread adoption of
> SPF will somehow make it less likely that their carefree habit will
> continue much longer. My response inevitably is that I really couldn't
> care less whether they like SPF or not. It permits me to unambiguously
> declare to the public that IP address is the only valid
> source of SMTP mail from my domain, thereby exposing as forgeries mail
> from anywhere else (falsely) claiming to be from my domain, so it is
> A Good Thing for my domain, and I don't give a tinker's damn whether my
> interlocutor approves of it.
> And none of this has anything particularly to do with 'reducing spam'.
> That just isn't the point, and the only people debating that supposed
> issue are folks who never bothered to look up what the thing _is_.
> > The only result is that there is now an industry of religious extremism
> > in "blacklisting" sites that don't follow their desired implementation.
> To be blunt: You have not bothered to understand what you're writing
> about. I would suggest you do so.
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng