Agree with Eric. Not many are using DMARC. I also have it on my Spamassassin config.
Remo > On Sep 28, 2019, at 10:28, Eric Broch <ebroch.w...@gmail.com > <mailto:ebroch.w...@gmail.com>> wrote: > > Hi Gary, > > If you have spf, and dkim set up the only other thing you might do is add a > dmarc record and make sure all servers sending email are included in you spf > record. I decided to allow spamassassin to check dkim as well and don't think > it would be wise to reject email in absence of such a record. > > Eric > > > On Fri, Sep 27, 2019 at 8:07 AM Gary Bowling <g...@gbco.us > <mailto:g...@gbco.us>> wrote: > > > The recent questions about setting up DKIM prompted me to review my setup and > see if I needed to tighten things up a bit. ALL of my config surrounding > these things is very old, so what are the best practices in 2019? > > > > On the receiving side of things, my server has spfbehavior set to 2 and I > believe the default is 3. I seem to recall many years ago having problems > rejecting email, that I didn't want rejected, with it set to 3. But that's > been so long ago, it's not worth considering. Do most of you have it set to > 3? And have you had any problems with that if you do? > > > > For DKIM receiving, I'm doing that in spamassassin/spamd. But it appears that > spamassassin just assigns a score if there is a DKIM_INVALID situation and > that score seems to be pretty low. Is this really the right way to > handle receiving messages where DKIM is concerned? I'm sure there is a way to > increase the DKIM_INVALID score, but not sure of the ramifications of that. > Do any of you change those settings? Or do DKIM checking somewhere else for > improvements? > > > > On the outbound side of things. > > For my DNS, I have SPF records that have been there for years, that affects > other domains receiving mail from my server. So not sure how much good it > does, but it's there. > > > > I do not have DKIM set up. Many years ago it seemed pretty useless from what > I read, so I didn't bother with it. From what I understand, if the receiving > end doesn't check for DKIM, then it does nothing. Or like in my servers case, > it just adds a tiny bit of score to spamassasin, so minimal help. But maybe > enough are doing something more robust now for it to be useful. Maybe I > should implement this now? > > > > What are everyone's thoughts on all this in 2019? Should I be doing stricter > checking of spf? Does DKIM actually provide a useful service? And are there > better ways to handle DKIM checking? > > > > All discussion and help is greatly appreciated! > > > > Thanks Gary > > -- > ____________________ > Gary Bowling > The Moderns on Spotify <https://distrokid.com/hyperfollow/themoderns/bbrs> > ____________________ > --------------------------------------------------------------------- To > unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com > <mailto:qmailtoaster-list-unsubscr...@qmailtoaster.com> For additional > commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com > <mailto:qmailtoaster-list-h...@qmailtoaster.com>