Hi Gary, If you have spf, and dkim set up the only other thing you might do is add a dmarc record and make sure all servers sending email are included in you spf record. I decided to allow spamassassin to check dkim as well and don't think it would be wise to reject email in absence of such a record.
Eric On Fri, Sep 27, 2019 at 8:07 AM Gary Bowling <g...@gbco.us> wrote: > > The recent questions about setting up DKIM prompted me to review my setup > and see if I needed to tighten things up a bit. ALL of my config > surrounding these things is very old, so what are the best practices in > 2019? > > > On the receiving side of things, my server has spfbehavior set to 2 and I > believe the default is 3. I seem to recall many years ago having problems > rejecting email, that I didn't want rejected, with it set to 3. But that's > been so long ago, it's not worth considering. Do most of you have it set to > 3? And have you had any problems with that if you do? > > > For DKIM receiving, I'm doing that in spamassassin/spamd. But it appears > that spamassassin just assigns a score if there is a DKIM_INVALID situation > and that score seems to be pretty low. Is this really the right way to > handle receiving messages where DKIM is concerned? I'm sure there is a way > to increase the DKIM_INVALID score, but not sure of the ramifications of > that. Do any of you change those settings? Or do DKIM checking somewhere > else for improvements? > > > On the outbound side of things. > > For my DNS, I have SPF records that have been there for years, that > affects other domains receiving mail from my server. So not sure how much > good it does, but it's there. > > > I do not have DKIM set up. Many years ago it seemed pretty useless from > what I read, so I didn't bother with it. From what I understand, if the > receiving end doesn't check for DKIM, then it does nothing. Or like in my > servers case, it just adds a tiny bit of score to spamassasin, so minimal > help. But maybe enough are doing something more robust now for it to be > useful. Maybe I should implement this now? > > > What are everyone's thoughts on all this in 2019? Should I be doing > stricter checking of spf? Does DKIM actually provide a useful service? And > are there better ways to handle DKIM checking? > > > All discussion and help is greatly appreciated! > > > Thanks Gary > -- > ____________________ > Gary Bowling > The Moderns on Spotify <https://distrokid.com/hyperfollow/themoderns/bbrs> > ____________________ > --------------------------------------------------------------------- To > unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For > additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com