-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi,
On 14/10/19 9:42 pm, 황병희 wrote: > Andrew McGlashan <andrew.mcglas...@affinityvision.com.au> writes: >> I have DMARC with DKIM and SPF setup for my domain name. > > There was related discussion: it's very seriosus... > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754809 Okay, well, I have p=quarantine for my setup, not p=reject, but that doesn't seem to be enough. I get reports from all over the place; the SPF failures may well be due to the list emails not having an SPF policy and I'm not going to give credentials to Debian to sent emails as me from my server for the list as that would be a security risk that is too great. DMARC needs to work, not be broken at all; it is supposed to help with legitimate mail delivery, not hinder it. SPF should be checked properly as well and emails rejected when they don't comply with the domain name's specified "rules". So many domain names have multiple SPF records (which results in permerror as you can only have one SPF record). It's not as if SPF is new, it has been a thing for quite long enough to treat it's rules appropriately. It also annoys me when people use "~all" .... to me that simply means, "screw it, we don't really care or we don't have a clue how to make this work"; it should be "-all" only, unless you are in a testing phase and are not yet committed to using SPF properly. Of course using "~all" will help when servers don't otherwise play ball correctly, but it's still very wrong to me. It might be better if real mail servers could freely register themselves as proper mail servers, they get a signed assertion to use from some shared authority, everyone should register and then the spammers and fraudsters should be left out in the cold. It would be important that legitimate servers be able to fix problems easily without extorting funds from them to fix things. If you run a mail server, your reputation is at stake, and your rep should count for something; if you abuse your assertion, then you should be subject to losing it. Sure, there will be errors with setups as humans are involved; those should be found and fixed, then properly observed. There is another level of problems when emails are forwarded on to the rotten mass public mail services; ordinary forwarding brings all sorts of other problems (forward as attachment mitigates these problems, but it is less easy unless manually done from client email program). I can blacklist bad IP address of mail servers that are found to be doing the wrong thing (just like RBLs do), but I can't block out a whole bunch of providers that allow their users to send spam through them, such as Microsoft, Google, Yahoo and even Apple and that's before even thinking about sendgrid, mandrill and other mass mailing services -- we can't easily stop rubbish from those servers without blocking good users whom use those services. It would be so much better if the big guys would shut up shop or otherwise crack down on bad users and stop the problems that require SPF, DMARC and the like. Kind Regards AndrewM -----BEGIN PGP SIGNATURE----- iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCXaSAXQAKCRCoFmvLt+/i +8lOAQCqdnAqBakq35H+Sz9ufUY4wlnWOwwqYIDMdlQo+jZVtgD/TiosMfHf2DUv KDvegBieGl9Z3d2O2w0gVj2UFvd/8q4= =zBfJ -----END PGP SIGNATURE-----
