On 24/08/2014 06:34, Doug Barton wrote:
> On 8/23/14 11:10 AM, Marco d'Itri wrote:
...
>> This is why DMARC best practices require to use both SPF and DKIM (which
>> has different failure modes, but at least they can usually be blamed on
>> bad software used by intermediaries) in the hope that at least one will
>> validate.
>
> I'm not sure I agree with you there, but I won't quibble.

Actually I think you should quibble. The issue isn't "bad" software used by intermediaries, it's that by design DMARC p=reject breaks a very common model used by intermediaries. Whether that is a bug or a feature in DMARC is out of scope for this thread, however.

Brian

>
>>> and DKIM isn't that much harder. In fact for
>>> one domain it's also dead simple (ProTip: Use OpenDKIM). I couldn't
>>> find a
>
>> The problem is managing it for tens of thousands of domains, when you
>> often do not manage their DNS zones as well.
>
> Yes, I get it. Advances in e-mail security are making your life (and
> perhaps even your business model) more difficult, and you don't like
> that. But complaining about it isn't going to help. The world is moving
> on, if you want to continue to stay successful you need to move with it.
> This has always been true, regardless of the times, the industry, etc.
> It's also always been true that change is hard, and harder for some than
> others. The fact that it's hard doesn't mean you can opt out of it.
>
> And not to toot my own horn, but I've been responsible for hosting
> solutions with hundreds of thousands of domains, so I feel your pain.
> Really, I do. But "It's hard!" doesn't mean you don't have to do it.
>
>> The support cost of teaching customers how to implement it is
>> significant enough that for now blocking IPv6 to gmail is much easier.
>
> And you can continue to limp along like that. Your network, your rules.
> But as time goes on IPv6 is going to be the rule, not the exception. In
> the shorter time frame (arguably much shorter, as in the next few years)
> domain-based reputation will not only be the norm, it will be a
> requirement. So if you're not already hard at work making that happen
> for your customers, you're way behind the curve, and losing ground every
> day.
>
> Another way to look at this would be to analyze how much time, effort,
> etc. you're putting into complaining about it, and put (at least) that
> same amount of effort into solving the problem on your end.
>
>> (Also, if you manage just a couple of domains on your own personal
>> server you will probably not have reputation issues with gmail, so this
>> is barely relevant.)
>
> Actually you're quite wrong about that. :) Even leaving aside my
> previous experience in the hosting world, when I pick up a new domain I
> do some casual testing with it to see who I can and can't send mail to
> without SPF, DKIM, etc. It's been a couple of years at least that you
> can't send mail with any degree of confidence to the big three without
> at least SPF, and over a year that you also need DKIM.
>
> Doug
