Thank you for that note on SPF - it clarified it for me in a way that other documentation on this has failed to do up to now.
On Thu, 2020-10-01 at 00:07 -0700, Rick Moen wrote:
> Quoting terryc (ter...@woa.com.au):
>
> > On Sun, 27 Sep 2020 17:20:06 +0200
> > Alessandro Vesely via Dng <dng@lists.dyne.org> wrote:
> >
> >
> > > You can also publish DKIM and SPF records so as to produce
> > > DMARC-aligned authentication for any hosted domain. Users won't
> > > notice any difference.
> >
> > Does anyone have any figures on how effective these methods are?
> > It seems we get a new idea every few years and none make the slightest
>                                                   ^^^^^^^^^^^^^^^^^^^^^^^
> > difference in spam levels.
>   ^^^^^^^^^^^^^^^^^^^^^^^^^
>
> You have made a fundamental, basic error.
>
> SPF and DMARC are _antiforgery_ extensions to DNS and SMTP. They permit
> a domain owner to publish information in their authoritative DNS to
> advise recipients of SMTP about what SMTP-originating IP addresses ought
> to be considered _authorised_ SMTP senders for their domains, vs. which
> others ought to be rejected as forgeries.
>
> Nothing about SPF and DMARC says 'this will reduce spam'. They're about
> making domain forgery (in received SMTP mail) be detectable and able to
> be confidently rejected upon receipt.
>
> DKIM is a (poorly designed, IMO) method for individual SMTP-mail
> originating systems to cryptographically sign outbound SMTP mail,
> permitting receiving systems to verify that the mail contents hasn't
> been tampered with en-route.
>
> Since I personally refuse to have anything to do with DKIM or DMARC
> (both designed by the same team at Yahoo), I'll illustrate SPF's
> value proposition to a domain owner. I'm the owner/operator of domain
> linuxmafia.com (among others). Here is that domain's publicly
> proclaimed SPF record:
>
>   :r! dig -t txt linuxmafia.com +short
>   "v=spf1 ip4:96.95.217.99 -all"
>
> That record says, translated into English, "Please accept as from an
> authorised SMTP source for domain linuxmafia.com _only_ mail originated
> by IPv4 address 96.95.217.99. Please hardfail (reject) mail received
> from any other IP address."
>
> My putting that information in my DNS is a huge win for my domain's good
> reputation as a clean SMTP source, in that it states extremely clearly
> what mail _purporting_ to be from linuxmafia.com ought to be considered
> by receiving MTAs (that honour my wishes) to be genuine. Of course, I
> have zero ability to compel or persuade receiving SMTP systems to check
> and honour my domain's SPF record, but many do, and every little bit
> helps.
>
> Occasionally, someone tries to convince me that SPF is A Bad Thing for
> any of several uncompelling reasons, most often because they have been
> accustomed to originating mail from _their_ domains from arbitrary IP
> addresses on TCP port 25 (SMTP), and fear that widespread adoption of
> SPF will somehow make it less likely that their carefree habit will
> continue much longer. My response inevitably is that I really couldn't
> care less whether they like SPF or not. It permits me to unambiguously
> declare to the public that IP address 96.95.217.99 is the only valid
> source of SMTP mail from my domain, thereby exposing as forgeries mail
> from anywhere else (falsely) claiming to be from my domain, so it is
> A Good Thing for my domain, and I don't give a tinker's damn whether my
> interlocutor approves of it.
>
> And none of this has anything particularly to do with 'reducing spam'.
> That just isn't the point, and the only people debating that supposed
> issue are folks who never bothered to look up what the thing _is_.
>
> >
> > The only result is that there is now an industry of religious extremism
> > in "blacklisting" sites that don't follow their desired implementation.
>
> To be blunt: You have not bothered to understand what you're writing
> about. I would suggest you do so.
>
> _______________________________________________
> Dng mailing list
> Dng@lists.dyne.org
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng