Re: [DNG] Is t worth the effort for SPF?, DMARC>, DKIM?, etc
Relevant post and discussion on Ian Jackson's blog: https://diziet.dreamwidth.org/6947.html -- Ian ___ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Is t worth the effort for SPF?, DMARC>, DKIM?, etc
Rick Moen wrote:

> My response inevitably is that I really couldn't
> care less whether they like SPF or not.
...

May I respectfully pick you up on that one. Regardless of the arguments for and against which have been done to death for long enough, SPF did predictably break email in many ways - some of which I used to use, and some which my clients used to use. In a small way, by implementing SPF yourself, you've added to the support for something that broke existing LEGITIMATE mail activities. So your approach has a hint of "I don't do that, so I don't care about the people who do and now find it broken".

OK, in reality it doesn't make one jot of difference since the "big guys" had already taken the attitude that they don't g.a.s. about what they break for others, but still it's supporting something that takes away others' freedoms in a small way.

Hmm, didn't Devuan come into being partly due to someone pushing a policy of not caring what he breaks for other people? Sorry, that was a bit below the belt but I hope it illustrates the issue. Luckily the breakages with email have (mostly) been easier to deal with than those that caused Devuan to exist.

Simon
Re: [DNG] Is t worth the effort for SPF?, DMARC>, DKIM?, etc
Thank you for that note on SPF - it clarified it for me in a way that other documentation on this has failed to do up to now.

On Thu, 2020-10-01 at 00:07 -0700, Rick Moen wrote:
> Quoting terryc (ter...@woa.com.au):
>
> > On Sun, 27 Sep 2020 17:20:06 +0200
> > Alessandro Vesely via Dng wrote:
> >
> > > You can also publish DKIM and SPF records so as to produce
> > > DMARC-aligned authentication for any hosted domain. Users won't
> > > notice any difference.
> >
> > Does anyone have any figures on how effective these methods are?
> > It seems we get a new idea every few years and none make the slightest
> ^^^
> > difference in spam levels.
> ^
>
> You have made a fundamental, basic error.
>
> SPF and DMARC are _antiforgery_ extensions to DNS and SMTP. They permit
> a domain owner to publish information in their authoritative DNS to
> advise recipients of SMTP about what SMTP-originating IP addresses ought
> to be considered _authorised_ SMTP senders for their domains, vs. which
> others ought to be rejected as forgeries.
>
> Nothing about SPF and DMARC say 'this will reduce spam'. They're about
> making domain forgery (in received SMTP mail) be detectable and able to
> be confidently rejected upon receipt.
>
> DKIM is a (poorly designed, IMO) method for individual SMTP-mail
> originating system to cryptographically sign outbound SMTP mail,
> permitting receiving systems to verify that the mail contents hasn't
> been tampered with en-route.
>
> Since I personally refuse to have anything to do with DKIM or DMARC
> (both designed by the same team at Yahoo), I'll illustrate SPF's
> value proposition to a domain owner. I'm the owner/operator of domain
> linuxmafia.com (among others). Here is that domain's publicly
> proclaimed SPF record:
>
> :r! dig -t txt linuxmafia.com +short
> "v=spf1 ip4:96.95.217.99 -all"
>
> That record says, translated into English, "Please accept as from an
> authorised SMTP source for domain linuxmafia.com _only_ mail originated
> by IPv4 address 96.95.217.99. Please hardfail (reject) mail received
> from any other IP address."
>
> My putting that information in my DNS is a huge win for my domain's good
> reputation as a clean SMTP source, in that it states extremely clearly
> what mail _purporting_ to be from linuxmafia.com ought to be considered
> by receiving MTAs (that honour my wishes) to be genuine. Of course, I
> have zero ability to compel or persuade receiving SMTP systems to check
> and honour my domain's SPF record, but many do, and every little bit
> helps.
>
> Occasionally, someone tries to convince me that SPF is A Bad Thing for
> any of several uncompelling reasons, most often because they have been
> accustomed to originating mail from _their_ domains from arbitrary IP
> addresses on TCP port 25 (SMTP), and fear that widespread adoption of
> SPF will somehow make it less likely that their carefree habit will
> continue much longer. My response inevitably is that I really couldn't
> care less whether they like SPF or not. It permits me to unambiguously
> declare to the public that IP address 96.95.217.99 is the only valid
> source of SMTP mail from my domain, thereby exposing as forgeries mail
> from anywhere else (falsely) claiming to be from my domain, so it is
> A Good Thing for my domain, and I don't give a tinker's damn whether my
> interlocutor approves of it.
>
> And none of this has anything particularly to do with 'reducing spam'.
> That just isn't the point, and the only people debating that supposed
> issue are folks who never bothered to look up what the thing _is_.
>
> > The only result is that there is now an industry of religious extremism
> > in "blacklisting" sites that don't follow their desired implementation.
>
> To be blunt: You have not bothered to understand what you're writing
> about. I would suggest you do so.
Re: [DNG] Is t worth the effort for SPF?, DMARC>, DKIM?, etc
Quoting terryc (ter...@woa.com.au):

> On Sun, 27 Sep 2020 17:20:06 +0200
> Alessandro Vesely via Dng wrote:
>
> > You can also publish DKIM and SPF records so as to produce
> > DMARC-aligned authentication for any hosted domain. Users won't
> > notice any difference.
>
> Does anyone have any figures on how effective these methods are?
> It seems we get a new idea every few years and none make the slightest
^^^
> difference in spam levels.
^

You have made a fundamental, basic error.

SPF and DMARC are _antiforgery_ extensions to DNS and SMTP. They permit
a domain owner to publish information in their authoritative DNS to
advise recipients of SMTP about what SMTP-originating IP addresses ought
to be considered _authorised_ SMTP senders for their domains, vs. which
others ought to be rejected as forgeries.

Nothing about SPF and DMARC say 'this will reduce spam'. They're about
making domain forgery (in received SMTP mail) be detectable and able to
be confidently rejected upon receipt.

DKIM is a (poorly designed, IMO) method for individual SMTP-mail
originating system to cryptographically sign outbound SMTP mail,
permitting receiving systems to verify that the mail contents hasn't
been tampered with en-route.

Since I personally refuse to have anything to do with DKIM or DMARC
(both designed by the same team at Yahoo), I'll illustrate SPF's
value proposition to a domain owner. I'm the owner/operator of domain
linuxmafia.com (among others). Here is that domain's publicly
proclaimed SPF record:

:r! dig -t txt linuxmafia.com +short
"v=spf1 ip4:96.95.217.99 -all"

That record says, translated into English, "Please accept as from an
authorised SMTP source for domain linuxmafia.com _only_ mail originated
by IPv4 address 96.95.217.99. Please hardfail (reject) mail received
from any other IP address."

My putting that information in my DNS is a huge win for my domain's good
reputation as a clean SMTP source, in that it states extremely clearly
what mail _purporting_ to be from linuxmafia.com ought to be considered
by receiving MTAs (that honour my wishes) to be genuine. Of course, I
have zero ability to compel or persuade receiving SMTP systems to check
and honour my domain's SPF record, but many do, and every little bit
helps.

Occasionally, someone tries to convince me that SPF is A Bad Thing for
any of several uncompelling reasons, most often because they have been
accustomed to originating mail from _their_ domains from arbitrary IP
addresses on TCP port 25 (SMTP), and fear that widespread adoption of
SPF will somehow make it less likely that their carefree habit will
continue much longer. My response inevitably is that I really couldn't
care less whether they like SPF or not. It permits me to unambiguously
declare to the public that IP address 96.95.217.99 is the only valid
source of SMTP mail from my domain, thereby exposing as forgeries mail
from anywhere else (falsely) claiming to be from my domain, so it is
A Good Thing for my domain, and I don't give a tinker's damn whether my
interlocutor approves of it.

And none of this has anything particularly to do with 'reducing spam'.
That just isn't the point, and the only people debating that supposed
issue are folks who never bothered to look up what the thing _is_.

> The only result is that there is now an industry of religious extremism
> in "blacklisting" sites that don't follow their desired implementation.

To be blunt: You have not bothered to understand what you're writing
about. I would suggest you do so.
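Added example (not part of any message in this thread, and not any poster's code): a small evaluator for the ip4/ip6/all subset of SPF, run on the record quoted above. It shows the hardfail described in this message and the forwarding breakage raised elsewhere in the thread, where a relay that keeps the original envelope sender connects from an address the record does not list. The function names and the forwarder address are assumptions made for the illustration.

```python
import ipaddress

# Qualifier prefix -> SPF result; a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate an SPF record against the connecting SMTP client's IP.
    Subset of RFC 7208: only ip4, ip6 and all are evaluated. Terms that
    need DNS lookups (a, mx, include, ...) return "unsupported".
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:                 # first matching mechanism wins
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]   # matches every client
        if name not in ("ip4", "ip6"):
            return "unsupported"
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"             # malformed address or prefix
        if net.version != int(name[2]):
            return "permerror"             # e.g. an IPv6 literal under ip4:
        if ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched, no "all" term

# The record is the one quoted in the message above; the forwarder address
# is constructed (RFC 5737 documentation range), not taken from the thread.
RECORD = "v=spf1 ip4:96.95.217.99 -all"
ORIGIN = "96.95.217.99"
FORWARDER = "203.0.113.25"

def demo():
    return {
        "sent directly from the listed host": check_spf(RECORD, ORIGIN),
        "relayed unchanged by a forwarder": check_spf(RECORD, FORWARDER),
        "forwarded, ~all": check_spf(RECORD.replace("-all", "~all"), FORWARDER),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
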
Re: [DNG] Is t worth the effort for SPF?, DMARC>, DKIM?, etc
On 9/28/20 11:55 AM, terryc wrote:

> Does anyone have any figures on how effective these methods are?
> It seems we get a new idea every few years and none make the slightest
> difference in spam levels.

we use all these + custom SA scores for related rules and have seen great decline in spam levels. the only spam that comes through these days is from the "trusted" email mafia: gmail, yahoo, hotmail. got some custom SA rules for those too, but still it's hard to catch everything right..

just 2c.
Re: [DNG] Is t worth the effort for SPF?, DMARC>, DKIM?, etc
terryc wrote:

>> You can also publish DKIM and SPF records so as to produce
>> DMARC-aligned authentication for any hosted domain. Users won't
>> notice any difference.
>
> Does anyone have any figures on how effective these methods are?
> It seems we get a new idea every few years and none make the slightest
> difference in spam levels.

At blocking spam, no idea - but as you say, doesn't seem to have reduced spam much as there are still plenty of compromised systems that can send "legitimate" mail via their configured mail server.

But they are highly effective at breaking things that were once considered, and IMO still are, legitimate activities - such as forwarding mail from one mail account to another. But I suspect the big players consider that a good thing as it tends to make people more inclined to use their broken services.

> The only result is that there is now an industry of religious extremism
> in "blacklisting" sites that don't follow their desired implementation.

Agreed

>> Currently, the RFC allows anything in the HELO name.
>
> Brings back memories of my first linux mailer SMTP, where it came with
> two alternative sets of greetings. I always preferred the second option
> of;
> "Who are you going to pretend to be today" and the response
> "Thrilled beyond bladder control to meet you"
> and so on.

That's great :D
I just might borrow those.

Simon
[DNG] Is t worth the effort for SPF?, DMARC>, DKIM?, etc
On Sun, 27 Sep 2020 17:20:06 +0200
Alessandro Vesely via Dng wrote:

> You can also publish DKIM and SPF records so as to produce
> DMARC-aligned authentication for any hosted domain. Users won't
> notice any difference.

Does anyone have any figures on how effective these methods are?
It seems we get a new idea every few years and none make the slightest
difference in spam levels.

The only result is that there is now an industry of religious extremism
in "blacklisting" sites that don't follow their desired implementation.

> Currently, the RFC allows anything in the HELO name.

Brings back memories of my first linux mailer SMTP, where it came with
two alternative sets of greetings. I always preferred the second option
of;
"Who are you going to pretend to be today" and the response
"Thrilled beyond bladder control to meet you"
and so on.

>
> jm2c
> Ale