On 7/11/23 4:20 PM, Jaroslaw Rafa via mailop wrote:
> For a start, I suggest implementing SPF, DKIM and DMARC only for
> outgoing mail, and in fact only to satisfy Google's requirement that
> these should be in place. Don't bother checking them on incoming
> mail. (It's actually how I do it.)
I am extremely surprised to see that recommendation, especially here on
the mailop mailing list.
That seems very much like "checklist compliance" and not actual security
that said checklist is evaluating.
My opinion is that your suggestion of only using SPF, DKIM, and DMARC on
outbound email and not checking on inbound email is very questionable.
That being said, your servers, your rules.
> RBLs and content filtering are enough to protect from spam. I see
> close to zero improvement if I checked SPF and/or DMARC. Of
> course YMMV.
I'm actually more worried about phishing than I am spam. Spam is an
annoyance but much less dangerous than phishing. Phishing can cost
people a LOT.
> Send, maybe yes. Having it delivered is the other way. Consider my
> case: FCrDNS, and not a "generic" one, SPF, DKIM and DMARC in place,
> domain used for a long time. Yet still Google puts messages from me
> into the Spam folder of the recipients and there seems to be nothing
> that can be done about it. They simply so strongly dislike my parent domain :(.
Maybe I'm lucky. But I think I've had remarkably good luck delivering
to Gmail recipients.
> But we are talking about BCP here, not about an RFC that defines a
> protocol. I think BCP can be a proper place for clarifying the
> roles.
>
> The problem is that the email oligarchs mentioned understand "reputation"
> as something completely non-transparent and internal to their mail
> systems, not anything related to the community consensus.
So.
Every single organization running email is free to run it however they
want to. Your server, your rules. My server, my rules. Oligarch's
server, Oligarch's rules.
Community consensus may be a client user base agreeing that something is
spam.
Nothing guarantees that people outside of the community have visibility
into the community consensus.
> And you can't know in advance what the "reputation" of a given
> domain is for a given email oligarch (see my problems with Google
> mentioned above, which are clearly related to reputation, or rather
> what Google understands as reputation).
You can't know for sure. But I suspect that you can have an idea.
Grant. . . .
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop