Hello Mark,

> We got a ding on our DNSSEC score, because the PTR record isn't
> signed. Is this really as big an issue as the explanatory test makes
> out?

The tool looks for a perfect world, which there isn't. Un-signed rDNS is
not reaaaaally a bad thing (of course, a hypothetical attacker could
tamper with your rDNS to make fcrDNS fail to get your mails rejected...
but that is erm... "mildly unlikely".)

Still, if I'd not deduct points for those things, everyone would get a
10. ;-)

> We also got a ding on our MTA-STS record,
> but https://esmtp.email/tools/mta-sts/ said the only problem is a
> missing CRLF at the end of our txt file; easy enough to fix. This
> tool however just said that our system doesn't support MTA-STS.
> After I add the CRLF I'll rerun the test; if it still fails, I'll
> report back.

Actually... you did not get anything for your MTA-STS record, because
we're not testing that. You got that for your validation of and adherence
to MTA-STS policies when _sending_ mails. I.e.: You don't validate/follow
_our_ MTA-STS policy when sending emails.

Besides: The CRLF thing is actually a bit funny; the RFC iirc just says
'delimited by', so I am not too sure whether it really must be at the end
of the file; and then there is an erratum clarifying that you can also
delimit with LF instead of CRLF as mentioned in the RFC.

With best regards,
Tobias
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
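
An added example, not part of the original message and not the code of either tool mentioned in it: a sketch of what a sending MTA does with a fetched MTA-STS policy, parsing it so that CRLF or LF terminators and a missing final terminator are all accepted, then checking the MX host against it. The field names follow RFC 8461; the function names and the sample policies are assumptions constructed for illustration.

```python
import re

# Field terminator: CRLF per the RFC text, LF per the erratum the message mentions.
_TERM = re.compile(r"\r?\n")

# Constructed sample policies: same fields, different terminators, no final newline in the second.
SAMPLE_CRLF = "version: STSv1\r\nmode: enforce\r\nmx: mail.example.net\r\nmx: *.example.org\r\nmax_age: 86400\r\n"
SAMPLE_LF = "version: STSv1\nmode: enforce\nmx: mail.example.net\nmx: *.example.org\nmax_age: 86400"


def parse_policy(body: str) -> dict:
    """Parse an MTA-STS policy body; the final terminator is optional."""
    lines = _TERM.split(body)
    if lines and lines[-1] == "":
        lines.pop()  # body ended with a terminator, not with an empty field
    policy = {"mx": []}
    for line in lines:
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"malformed field: {line!r}")
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key not in policy:  # for other keys the first occurrence wins
            policy[key] = value
    age = policy.get("max_age", "")
    if policy.get("version") != "STSv1":
        raise ValueError("missing or unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid mode")
    if not (age.isascii() and age.isdigit()):
        raise ValueError("missing or invalid max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("mx is required unless mode is none")
    policy["max_age"] = int(age)
    return policy


def mx_allowed(policy: dict, mx_host: str) -> bool:
    """Sender-side check: is the MX we are about to deliver to covered by the policy?"""
    host = mx_host.rstrip(".").lower()
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            # A wildcard stands for exactly one leftmost label.
            if host.partition(".")[2] == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False
```

In `enforce` mode a sender that gets `False` from `mx_allowed` must not deliver to that host; in `testing` mode it delivers anyway and only reports the mismatch.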