> From: [email protected] [mailto:[email protected]] On
> Behalf Of Jim Hickstein
> 
> Don't stop with SPF, use
> DMARC as well.  It closes this loophole in SPF, and adds an enforcement
> mechanism to DKIM.

Never heard of DMARC before, but it sounds like a good idea.

The problem:

A lot of receiving domains don't honor things like "-all" because it's so easy 
and common for sender domain administrators to configure it wrong.
and
A lot of sending domains don't set "-all" and instead use "~all" or nothing at 
all.  Because they're afraid to make a mistake, they acknowledge a risk of some 
mail server or something sending valid email that they're not aware of and not 
accounting for in their SPF/DKIM settings... They're afraid to disrupt their 
domain's ability to send email.

DMARC is layered on top of SPF & DKIM...

"Senders get very poor feedback on their [SPF or DKIM] mail authentication 
deployments. Unless messages bounce back to the sender, there is no way to 
determine how many legitimate messages are being sent that can't be 
authenticated or even the scope of the fraudulent emails that are spoofing the 
sender's domain. This makes troubleshooting mail authentication issues very 
hard, particularly in complex mail environments."

DMARC provides both feedback to the sender domain, so you can actually 
*validate* the correctness of your SPF/DKIM deployment (and hence improve your 
confidence to set "-all") and also allows the sender domain greater ability to 
tell receiving domains how to handle mail that fails authenticity.


_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
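
Added example, not part of the original message or of any DMARC tool: the sender feedback described above arrives as aggregate XML reports, and this code tallies one per source IP to show which senders the SPF record does not yet cover before "-all" is published. The report contents, IP addresses and function names are constructed for illustration; the element names follow the aggregate report schema in RFC 7489, Appendix C.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not real data. Element names follow the aggregate
# report schema in RFC 7489, Appendix C.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>4</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def tally(report_xml):
    """Sum message counts per source IP and per (dkim, spf) result pair."""
    totals = {}
    # Reports arrive from third parties: in production parse them with a
    # hardened parser such as defusedxml rather than plain ElementTree.
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", default="0"))
        result = (row.findtext("policy_evaluated/dkim"),
                  row.findtext("policy_evaluated/spf"))
        per_ip = totals.setdefault(ip, {})
        per_ip[result] = per_ip.get(result, 0) + count
    return totals


def spf_gaps(report_xml):
    """IPs whose mail passed DKIM but failed SPF: review these senders
    before publishing "-all", since SPF does not cover them."""
    return sorted((ip, n) for ip, r in tally(report_xml).items()
                  for (dkim, spf), n in r.items()
                  if dkim == "pass" and spf != "pass")


def unauthenticated(report_xml):
    """IPs whose mail failed both checks: spoofing or an unknown sender."""
    return sorted((ip, n) for ip, r in tally(report_xml).items()
                  for (dkim, spf), n in r.items()
                  if dkim != "pass" and spf != "pass")


if __name__ == "__main__":
    print("SPF gaps:", spf_gaps(SAMPLE_REPORT))
    print("Unauthenticated:", unauthenticated(SAMPLE_REPORT))
```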
