Hi guys, I think I can consider both suggestions, but I need to know whether what I think is a good solution.
As I already said, I set up SPF, DKIM and DMARC for salicetti.it (Google is the standard email provider) and the actual policy is (sp=reject; p=reject). The PEC email provider (obviously not Google, but another one certified by the government) told me that I can set up an SPF record for the sub-domain pec.salicetti.it but no DKIM.

That said, I've been thinking of proceeding this way:

1. keep (sp=reject; p=reject) for salicetti.it to keep sub-domains closed and safe.
2. publish an explicit SPF record for pec.salicetti.it as suggested by the PEC email provider (v=spf1 include:pec.spf.kqi.it -all).
3. publish an explicit DMARC record for pec.salicetti.it (v=DMARC1; p=reject; pct=100; fo=1; rua=x...@zzz.yy; ruf=x...@zzz.yy;).

Is this a good solution? More suggestions?

*Denis Salicetti <http://linkedin.salicetti.it/>*

2018-02-15 16:47 GMT+01:00 Al Iverson via dmarc-discuss <dmarc-discuss@dmarc.org>:

> On the flip side of that, you might want to consider implementing p=reject
> on the PEC sub-domain, since perhaps you don't want to deliver mail
> claiming to be PEC mail if authentication fails. Wouldn't the three primary
> reasons for DMARC failure be DKIM signature mangling, email forwarding, or
> spoofing? Only one of those (email forwarding) is likely to be legit/safe
> messages.
>
> Cheers,
> Al Iverson
>
> On Thu, Feb 15, 2018 at 9:40 AM, Todd Weltz via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:
>
>> Hi Denis,
>>
>> For now, rather than leaving all sub-domains open, I would recommend
>> publishing an explicit record for pec.salicetti.it with a p=none and
>> setting salicetti.it back to sp=reject. This will put the reject policy
>> back in place for all other potential sub-domains, but the explicit record
>> for pec.salicetti.it will mean that it will not inherit the sub-domain
>> policy from salicetti.it.
>>
>> It sounds like deliverability is absolutely critical on these messages so
>> possibly you wouldn't move forward with a stronger DMARC policy on this
>> sub-domain. But potentially you could check with the Certified Email
>> Provider to see if they have options to authenticate the mail.
>>
>> Regards,
>> Todd Weltz
>>
>> On Thu, Feb 15, 2018 at 9:02 AM, Denis Salicetti via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:
>>
>>> Hi,
>>> I need a suggestion about a particular thing.
>>>
>>> In Italy, there is a "special" type of e-mail called PEC (certified
>>> e-mail). This is the equivalent of a traditional registered mail with
>>> return receipt. It is mandatory for all companies (legal stuff between them
>>> or government). Basically, you get an electronic receipt every time a
>>> message has been received by the recipient's domain server (as a proof that
>>> you got the message). More info here:
>>> https://en.wikipedia.org/wiki/Certified_email
>>>
>>> The address format must be em...@pec.domain.it
>>>
>>> I always used this configuration for salicetti.it (sp=reject; p=reject)
>>> with no problem, but now I have to decide what to do for
>>> pec.salicetti.it. For the moment I've changed it to (sp=none;
>>> p=reject).
>>>
>>> That said, I would like to know how to correctly set up the DMARC policy
>>> for this subdomain (pros and cons). What do you suggest? Have any Italian
>>> members of this list done that so far?
>>>
>>> I'm looking forward to your kind reply.
>>>
>>> Best regards.
>>>
>>> Denis Salicetti
>>>
>>> _______________________________________________
>>> dmarc-discuss mailing list
>>> dmarc-discuss@dmarc.org
>>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>>
>>> NOTE: Participating in this list means you agree to the DMARC Note Well
>>> terms (http://www.dmarc.org/note_well.html)
>>
>> --
>> Todd Weltz, Customer Success Engineer
>> twe...@agari.com l M: 416.471.8633 l www.agari.com
>> Changing Email Security For Good
>
> --
> al iverson // wombatmail // miami
> http://www.aliverson.com
> http://www.spamresource.com
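Added example, not part of the original thread and not code from any of the posters: how a receiver resolves the DMARC policy for pec.salicetti.it and for other sub-domains under the setups discussed above, following the policy discovery of RFC 7489 section 6.6.3. The zone contents are constructed, DNS is replaced by a dict, and the two-label organizational-domain shortcut is an assumption that holds for salicetti.it.

```python
# DMARC policy discovery (RFC 7489, section 6.6.3) over a constructed
# in-memory "zone" instead of live DNS lookups.

def parse_tags(record):
    """Split 'v=DMARC1; p=reject; sp=none' into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels, which
    # holds for salicetti.it; real code needs the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def effective_policy(from_domain, zone):
    """Return (policy, name of the record that supplied it)."""
    from_domain = from_domain.lower().rstrip(".")
    for candidate in (from_domain, org_domain(from_domain)):
        name = "_dmarc." + candidate
        tags = parse_tags(zone.get(name, ""))
        if tags.get("v") != "DMARC1" or "p" not in tags:
            continue  # no usable record at this name, try the fallback
        # sp applies only when a sub-domain inherits the policy from the
        # organizational domain's record.
        if candidate != from_domain and "sp" in tags:
            return tags["sp"], name
        return tags["p"], name
    return None, None  # no record found: no DMARC policy applies

# Constructed zones for the setups discussed in the thread.
ORIGINAL = {"_dmarc.salicetti.it": "v=DMARC1; p=reject; sp=reject"}
RELAXED = {"_dmarc.salicetti.it": "v=DMARC1; p=reject; sp=none"}
PEC_NONE = {**ORIGINAL, "_dmarc.pec.salicetti.it": "v=DMARC1; p=none"}
PEC_REJECT = {**ORIGINAL,
              "_dmarc.pec.salicetti.it": "v=DMARC1; p=reject; pct=100; fo=1"}

if __name__ == "__main__":
    setups = (("original", ORIGINAL), ("relaxed", RELAXED),
              ("pec p=none", PEC_NONE), ("pec p=reject", PEC_REJECT))
    for label, zone in setups:
        for domain in ("salicetti.it", "pec.salicetti.it", "other.salicetti.it"):
            print(label, domain, effective_policy(domain, zone))
```

With sp=none on the parent, every sub-domain without its own record resolves to none, not just pec; with an explicit record at _dmarc.pec.salicetti.it, only pec takes its own policy and all other sub-domains stay at reject.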