I think I can consider both suggestions, but I need to know whether what I
have in mind is a good solution.
As I already said, I set up SPF, DKIM and DMARC for salicetti.it (Google is
the standard email provider) and the current policy is (sp=reject; p=reject).
The PEC email provider (obviously not Google, but another one certified by
the government) told me that I can set up an SPF record for the sub-domain
pec.salicetti.it but no DKIM.
That said, I've been thinking of proceeding this way:
1. Keep (sp=reject; p=reject) for salicetti.it to keep sub-domains
closed and safe.
2. Publish an explicit SPF record for pec.salicetti.it as suggested by
the PEC email provider (v=spf1 include:pec.spf.kqi.it -all).
3. Publish an explicit DMARC record for pec.salicetti.it (v=DMARC1;
p=reject; pct=100; fo=1; rua=x...@zzz.yy; ruf=x...@zzz.yy;).
Is this a good solution? Any more suggestions?
*Denis Salicetti <http://linkedin.salicetti.it/>*
2018-02-15 16:47 GMT+01:00 Al Iverson via dmarc-discuss <
> On the flip side of that, you might want to consider implementing p=reject
> on the PEC sub-domain, since perhaps you don't want to deliver mail
> claiming to be PEC mail if authentication fails. Wouldn't the three primary
> reasons for DMARC failure be, DKIM signature mangling, email forwarding, or
> spoofing? Only one of those (email forwarding) is likely to be legit/safe
> Al Iverson
> On Thu, Feb 15, 2018 at 9:40 AM, Todd Weltz via dmarc-discuss <
> firstname.lastname@example.org> wrote:
>> Hi Denis,
>> For now, rather than leaving all sub-domains open, I would recommend
>> publishing an explicit record for pec.salicetti.it with a p=none and
>> setting salicetti.it back to sp=reject. This will put the reject policy
>> back in place for all other potential sub-domains, but the explicit record
>> for pec.salicetti.it will mean that it will not inherit the sub-domain
>> policy from salicetti.it
>> It sounds like deliverability is absolutely critical on these messages so
>> possibly you wouldn't move forward with a stronger DMARC policy on this
>> sub-domain. But potentially you could check with the Certified Email
>> Provider to see if they have options to authenticate the mail.
>> Todd Weltz
>> On Thu, Feb 15, 2018 at 9:02 AM, Denis Salicetti via dmarc-discuss <
>> email@example.com> wrote:
>>> I need a suggestion about a particular thing.
>>> In Italy, there is a "special" type of e-mail called PEC (certified
>>> e-mail). This is the equivalent of a traditional registered mail with
>>> return receipt. It is mandatory for all companies (legal stuff between them
>>> or government). Basically, you get an electronic receipt every time a
>>> message has been received by recipient's domain server (as a proof that you
>>> got the message). More info here: https://en.wikipedia.org/wiki/
>>> The address format must be em...@pec.domain.it
>>> I always used this configuration for salicetti.it (sp=reject; p=reject)
>>> with no problem, but now I have to decide what to do for
>>> pec.salicetti.it. For the moment I've changed it with (sp=none;
>>> That said, I would like to know how to correctly set up the DMARC policy
>>> for this subdomain (pros and cons). What do you suggest? Have any Italian
>>> members of this list done that so far?
>>> I'm looking forward to your kind reply.
>>> Best regards.
>>> Denis Salicetti
>>> dmarc-discuss mailing list
>>> NOTE: Participating in this list means you agree to the DMARC Note Well
>>> terms (http://www.dmarc.org/note_well.html)
>> Todd Weltz, Customer Success Engineer
>> twe...@agari.com l M: 416.471.8633 l www.agari.com
>> Changing Email Security For Good
> al iverson // wombatmail // miami
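The policy lookup this thread turns on, as an added example that is not part of any poster's message: an explicit DMARC record on pec.salicetti.it replaces the sp= inherited from salicetti.it, while every other sub-domain still falls back to it. The TXT data is constructed from the values quoted in the thread (rua/ruf left out), and taking the last two labels as the organizational domain is an assumption standing in for the Public Suffix List.

```python
# Added example: DMARC policy discovery per RFC 7489 section 6.6.3, run over
# constructed TXT data (not live DNS). rua/ruf tags are left out.
ORG = {"_dmarc.salicetti.it": "v=DMARC1; p=reject; sp=reject"}
PEC_NONE = dict(ORG, **{"_dmarc.pec.salicetti.it": "v=DMARC1; p=none"})
PEC_REJECT = dict(ORG, **{
    "_dmarc.pec.salicetti.it": "v=DMARC1; p=reject; pct=100; fo=1;"})


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not usable."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" and "p" in tags else None


def org_domain(domain):
    # Assumption: the last two labels. Receivers use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def effective_policy(from_domain, zone):
    """Return (policy, record name) a receiver applies to from_domain."""
    name = "_dmarc." + from_domain
    record = parse_dmarc(zone.get(name, ""))
    if record:  # a record on the exact domain wins, and its p= applies
        return record["p"].lower(), name
    name = "_dmarc." + org_domain(from_domain)
    record = parse_dmarc(zone.get(name, ""))
    if record:  # fallback: the organizational domain's sp=, else its p=
        return record.get("sp", record["p"]).lower(), name
    return None, None


if __name__ == "__main__":
    for label, zone in (("org only", ORG), ("pec p=none", PEC_NONE),
                        ("pec p=reject", PEC_REJECT)):
        for domain in ("pec.salicetti.it", "other.salicetti.it"):
            print(label, domain, effective_policy(domain, zone))
```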