Re: Conditional milter_header_checks?

Wed, 14 Jul 2021 01:15:30 -0700 

On 14/07/2021 08:43, raf wrote:

On Wed, Jul 14, 2021 at 02:38:00PM +1000, raf <post...@raf.org> wrote:


On Tue, Jul 13, 2021 at 06:06:16PM -0400, post...@ptld.com wrote:

Viktor wrote:


That's because DMARC (which I don't use or recommed)

Why don't you recommend DMARC? What is wrong with it? Do you accept *ALL*
mail sent to you in your inbox spam or not? Other than SPF records and DMARC
what other tools exist to verify if mail came from the domain they purport
to?

Here's a (silly) thing that wrong with DMARC: :-)

I've sent two messages to this mailing list so far, and
I've received 52 DMARC forensic/failure report emails
as a result! :-)

I suppose that means that lots of list members have DMARC
checking set up.

But seriously, I'd also appreciate a critique of DMARC.
It seems like a reasonable attempt to solve some of the
flaws with SPF and DKIM. If it fails to do that, or it
has flaws of its own, I'd be interested in hearing
about it.

For what it's worth, anyone on these lists with SPF
might want to add these to their SPF record:

   ip4:168.100.1.3
   ip4:168.100.1.4
   ip4:168.100.1.7
   ip6:2604:8d00:0:1::3
   ip6:2604:8d00:0:1::4
   ip6:2604:8d00:0:1::7

It would be good if mailing lists published spf records
that members could include: in their spf records. But I
suppose most people wouldn't be able to benefit from
them.
We use DMARC for our main business domains (via opendmarc and opendkim) and I am a fan. The main problems with DMARC are that it has to be set up and tested carefully before setting p=reject, and that it is broken by many mailing lists (though not, I thought, this one). ARC, a development from DMARC, is meant to provide a way round the second problem - I have not tried it. 

This is a mailing list so naturally many subscribers don't like DMARC!
A commonly-held view is that DMARC is only worthwhile for transactional emails - for instance it is now used by most responsible financial institutions. But, even though we are not such, I hate the idea that anyone can easily send emails that perfectly fake our identity. DMARC addresses this - maybe DANE does too?

Reply via email to