On 11.07.2023 at 18:47:03, Grant Taylor via mailop wrote:
> On 7/11/23 4:20 PM, Jaroslaw Rafa via mailop wrote:
> >For start, I suggest to implement SPF, DKIM and DMARC only for
> >outgoing mail, and in fact only to satisfy Google's requirement that
> >these should be in place. Don't bother checking them on incoming
> >mail. (It's actually how I do it).
>
> I am extremely surprised to see that recommendation, especially here
> on the mailop mailing list.
>
> That seems very much like "checklist compliance" and not actual
> security that said checklist is evaluating.

Exactly, because from my experience SPF, DKIM and DMARC bring very little (if anything at all) to security. I have written above - this is only to satisfy Google's requirements. Stupid requirements, IMHO, but as you said - their server, their rules, if I want to send mail to them I need to have (outgoing) SPF, DKIM and DMARC set up. That's the *only* reason why I had set them up at all.

> I'm actually more worried about phishing than I am spam. Spam is an
> annoyance but much less dangerous than phishing. Phishing can cost
> people a LOT.

I had (and still have) no problems whatsoever with phishing without having to check SPF, DKIM or DMARC. I simply don't need them. Phishing messages are already caught by antispam filters - I look from time to time into what my antispam filters have caught and I see a few phishing messages there. They are usually so obviously blatant that I wonder how anybody could fall victim to them - like those famous "I have recorded you masturbating to porn websites, send me money" emails.

In fact, I receive more phishing via text messages on my phone than I do on my email. The SMS phishing is actually far more dangerous, because on a phone you have very little possibility to check if a message is genuine (there are no headers to look into etc.), and usually shortened links are used in the message, so you don't know where the link points to. But if you use some reasoning, those phishing SMS messages also look unlikely to be authentic.

Email phishing is from my point of view a practically nonexistent thing. So why bother configuring tools that are theoretically meant to protect against it (but in my opinion are actually not helpful at all), if they wouldn't bring any benefit?

Of course YMMV, as I said. I have never experienced phishing as an actual problem.

--
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop