top | item 16895119

(no title)

mgcunha | 7 years ago

Neither DKIM nor SPF provide domain owners with a verifiable disposition policy and monitoring. You should deploy SPF, DKIM and DMARC together. At that point either SPF or DKIM may pass but if the passing SPF/DKIM domain(s) don't match the DMARC domain the message isn't authenticated. Unlike SPF, DMARC will load its policy using the From: header, and thus ensure alignment between envelope-From and From: header (for SPF), or DKIM domain and From: header.

discuss

ahje|7 years ago

DMARC could solve this problem, but it would break a lot of things reliant on forwards. When Yahoo set their DMARC policy to reject, there was quite a stir about it: https://www.ietf.org/mail-archive/web/ietf/current/msg87153....

In this particular case, it seems the major issue is that spammers got access to 69.64.35.11, which is included in telus.com's SPF record. In the end, this will hurt deliverability for legitimate emails sent with telus.com in the return path, and I suspect telus.com's customer service will have some explaining to do for their customers.

massaman_yams|7 years ago

ARC is the new standard designed to fix the DMARC edge case with forwarding. It's relatively new, though, so adoption isn't nearly as widespread as SPF, DKIM, or DMARC.

sounds|7 years ago

ryan-c comments below that the 'exists:' config at Telus allows any IP to send mail.

Spammers seem to be abusing this hole.

thaumaturgy|7 years ago

You're right. I was thinking DMARC but wrote DKIM.

yread|7 years ago

it does say DMARC=fail fwiw