Domain: dmarc.org
Stories and comments across the archive that link to dmarc.org.
Comments · 4
-
Re:What is this?
In addition to SPF and DKIM, you should also publish DMARC records for your sending domain(s). This way, you can receive failure reports from the major providers that support DMARC.
(DMARC is a DNS TXT record just like SPF, but you list a 'mailto' URI to receive failure and aggregate reports of problem messages.)
-
Re:Consequences vs. control...
I don't really have a suggestion, other than a standardized process for detecting events like this and reporting them to the sending organization. But it's hard to notify a company to let them know that their website has been hacked; I imagine it must be horrendously hard to find whomever is in charge of their mail infrastructure to point out to him that he's doing SPF wrong.
DMARC (which I just learned about from another comment) seems to be the answer to this problem. It's another layer to install and configure, but it allows senders and receivers to communicate about mail authentication.
-
Yes, be a hardass about it.
Hells yes. I use postifx and reject connections that fail SPF with a 500 error. For example..
"550 5.7.1 : Sender address rejected: Please see http://www.openspf.org/Why?id=dassergey%40tadka.com&ip=103.22.182.230&receiver=mail.server.com%20:%20Reason:%20mechanism"
I have found that most senders just forward the bounce message to their administrator who (you would hope) have the skills to rectify the problem.
I also use DKIM http://www.dkim.org/ and DMARC http://www.dmarc.org/. They're worth checking out too.
-
Re:The Reality
And that's why they created DMARC. DMARC allows you to specify exactly how mail servers should treat your SPF and DKIM policies. Additionally, you'll get reports from the providers processing it what the origin IPs claiming to deliver email from you are and whether or not they were allowed.
There's also one little note that the entire linked "why not spf" article is based on too...the DMARC reports also include whether or not the mail was forwarded so that mail servers know how to handle it.
The three techniques combined have been extremely effective in phishing spoofing against our domain, which was very heavy until we implemented all three. We've also been tracking deliverability with no issues.