Great way of pushing the critical email services we all need to reduce spam. While I have always wanted SPF, DKIM and DMARC to be enough of an incentive for the businesses I work with, reputation is often not enough of a driver to prioritise the investment.<p>But fret not! For when you are dealing with companies which want to communicate with customers in a trusted way, there is a marketer's dream standard - Brand Indicators for Message Identification (BIMI) - now security isn't the only outcome, you get a pretty logo too! <a href="https://www.litmus.com/blog/what-is-bimi-and-why-should-email-marketers-care" rel="nofollow noreferrer">https://www.litmus.com/blog/what-is-bimi-and-why-should-emai...</a><p>I have used BIMI at multiple companies now which talk about Customer Experience to drive the proper (P=Reject) implementation of DMARC.
Related:<p><i>See how DMARC, SPF, and DKIM work interactively</i> - <a href="https://news.ycombinator.com/item?id=29869266">https://news.ycombinator.com/item?id=29869266</a> - Jan 2022 (108 comments)
Does anybody know an open-source or, at least, free way to process DMARC reports?<p>I have several e-mail domains with SPF, DKIM and DMARC enabled, and it works, but I have two annoying problems with DMARC:<p>(1) Some sites like to send DMARC reports which say "you sent us 3 messages, everything is OK, all checks passed, you are clear".<p>(2) Sometimes my domains are used to (try to) send spam via other servers and I get DMARC reports like "this <IP> tried to spam with your domain in HELO/FROM and we killed it, as checks failed".<p>Both reports are of no use to me: I don't want to know that my users send mail to @gmail.com and @mail.ru (first reports), and I can do nothing about the second case, as these <IP>s are not <IP>s of my server, so what should I do?<p>Some filter or dashboard would be very useful, as unpacking & checking XMLs by hand is very cumbersome.
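One way to do the filtering the comment above asks for, as an added example that is not code from the original thread or from any project mentioned there: parse an RFC 7489 aggregate report, drop the rows that authenticated, separate failures from IPs that are not yours (spoofing you cannot fix) from failures from your own ranges (which need action). The XML and the sender ranges are constructed sample values.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Constructed sample aggregate report in the RFC 7489 shape, trimmed to the
# elements the triage needs; real reports arrive as gzip/zip attachments.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.org</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>12</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.11</source_ip><count>1</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>"""

# Assumed: the address ranges your own MTAs send from.
MY_SENDERS = [ip_network("192.0.2.0/24")]

def triage(xml_text, my_senders=MY_SENDERS):
    """Return (noise_count, spoof_count, action_rows) for one aggregate report."""
    root = ET.fromstring(xml_text)
    noise = spoof = 0
    action = []
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = ip_address(row.findtext("source_ip"))
        count = int(row.findtext("count"))
        pe = row.find("policy_evaluated")
        # DMARC passed if either aligned check passed (the "everything OK" rows)
        passed = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        mine = any(ip in net for net in my_senders)
        if passed:
            noise += count          # case (1): your users mailing that receiver
        elif not mine:
            spoof += count          # case (2): someone else's IP abusing your domain
        else:
            # your own server failing authentication: this is the row to act on
            action.append((str(ip), count, pe.findtext("disposition")))
    return noise, spoof, action
```

A cron job that unpacks the attachments, runs triage() on each and only mails you the action rows (plus a weekly spoof total) removes most of the manual XML reading.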
Very cool.<p>> For DMARC to pass, DKIM and/or SPF checks need to pass and the domains must be in alignment.<p>AFAIK this is incorrect.<p>It is not "and/or" but rather "or" - only DKIM or SPF needs to pass. There is no method to require both.
I really appreciate the iterative way it goes through the process. It's been a few years but this would have been a godsend at a previous company when we were trying to move to self-hosted email sending with all the proper security measures.
I sent an email via Apple’s “Hide My Email” service [1].<p>> <i>Unhandled Promise Rejection:</i><p>> <i>TypeError: a.from.replace(/[<]/gi," is not a function. (In 'a.from.replace(/[<]/gi,"(")', 'a.from.replace(/[<]/gi,"' is undefined)</i><p>> <i>dist.min.js:3:32767</i><p>This error occurred after the interface began displaying the following information:<p>> <i>Here are the message headers and message body:</i><p>> <i>DKIM-Signature: d=icloud.com s=1a1hai</i><p>It’s been over a year since the website was featured on Hacker News (January 10, 2022), so I suspect that the JavaScript code may have become outdated and non-functional. It’s possible that it never supported Safari browsers in the first place, or perhaps it’s a combination of both issues. Nevertheless, I’ve learned a lot from the initial [2] and second [3] parts of the DMARC test, which gives me some insight into what might be happening in the subsequent steps.<p>[1] <a href="https://support.apple.com/en-us/HT210425" rel="nofollow noreferrer">https://support.apple.com/en-us/HT210425</a><p>[2] dig +noall +answer -t TXT <EMAIL_DOMAIN> | grep -i SPF<p>[3] dig +noall +answer -t A <HOSTNAME>
It is absolutely astonishing that we rely on layers and layers of shims/compatibilities/hacks to keep a technology that was well-meaning and ideal 30ish+ years ago running in the 21st century.<p>Same thing in the VOIP/telecom space.<p>Microsoft recently had issues with mail deliverability - most of our O365 tenants had a notice reminding us to check SPF, DKIM, DMARC (we're configured properly already) - some of our tenants were having issues mailing smaller mail providers (ISP-level) because the small provider is outright blocking IPs and IP ranges due to spam coming from the same IP address/mail server we're trying to send from.
Fun fact: sns.amazonaws.com still has no DMARC record. This is where AWS SNS messages originate from unless you use a custom domain, and it's where all CloudWatch alerts come from (no-reply@sns.amazonaws.com)
People, don't forget to properly set all these checks for DNS failover.<p>I saw companies get scammed because they used default settings in Exchange Online.<p>And an attacker just made the DNS "unavailable" for a brief moment and all phishing emails passed, because the MS server responded with DNS "temp error" and passed all emails as not spam.
(detailed: received-spf: TempError (protection.outlook.com: error in processing during
lookup of <phished domain>: DNS Timeout)
and DKIM is checked on the domain of the sender's SMTP server, in this case the attacker's server used for phishing
)<p>Then I had the great experience with MS IT/security support; people there can't even understand how email works, a very funny and sad experience. I hope outsourcing works for them.
DMARC is and has always been...fine, save for the fact that most phishing / exploits are sent using cousin domains. Is a DMARC policy necessary and a great security measure? Sure. Is it a domain identity security game changer?... no way.
Bunch of discussion from 2022:<p><a href="https://news.ycombinator.com/item?id=29869266">https://news.ycombinator.com/item?id=29869266</a>