Scott Kitterman <post...@kitterman.com> writes:

> On Friday, April 12, 2019 10:46:50 AM micah anderson wrote:
>> The site https://hardenize.com provides relatively decent Email reports,
>> along with other reports. It checks a number of things including certs,
>> MTA-STS, TLS-RPT, DANE, SPF, DMARC, and then also TLS. These are all
>> good checks and recommendations, with the exception of the TLS one; I do
>> not see how it's possible to meet their standards and provide an email
>> server on the internet. However, I could be wrong, so I'm interested to
>> know if I am.
>
> If I followed their DMARC recommendation, that would translate into 90% of the
> mail I send getting spam foldered or rejected. At a glance, I'm not convinced
> this is any more than "let's make a list of all the things". For the parts I
> looked at, I don't think it's all well thought through.
Technically, their DMARC test does not give you a warning or a failure, it
just says "Feature is not implemented or disabled" and it colors it 'grey'
-- this is their way of saying that this is not something they are currently
recommending, one way or the other. They have this text:

  Although syntactically valid, your DMARC policy is effectively disabled. An
  effective policy must set the value of the 'p' directive to either
  'quarantine' or 'reject'. In addition, if the 'pct' directive is present, it
  must be set to a value other than zero. (The default is 100, which means to
  apply policy to all emails.)

I think they are being fair here, it is true my policy is effectively
disabled, and it is true that an effective policy has to do that. They don't
give me any penalty for having a policy of p=none. However, I do think that
it might be more 'clear' if they said something like "if you set p=reject,
you are likely to have 90% of the mail you send getting spam foldered or
rejected".

-- 
micah
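The "effectively disabled" rule quoted in micah's message (p must be quarantine or reject, and pct, if present, must be non-zero, defaulting to 100) is easy to check locally against a DMARC TXT record. The following is an added example written for this thread; it is not Hardenize's code and the records it evaluates are constructed, not fetched from DNS. It parses the record's tag/value pairs and classifies the policy as invalid, disabled, or effective under exactly that rule.

```python
"""Classify a DMARC record as invalid, effectively disabled, or effective,
using the rule quoted from the Hardenize report: p must be 'quarantine' or
'reject', and pct (default 100) must be non-zero.

Added example for this mailing-list thread, not Hardenize's own code.
"""

from typing import Dict, Tuple

# Constructed sample records for this example; nothing here is looked up in DNS.
SAMPLE_RECORDS = {
    "none-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "reject": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
    "quarantine-pct0": "v=DMARC1; p=quarantine; pct=0",
    "quarantine-pct50": "v=DMARC1; p=quarantine; pct=50",
    "missing-version": "p=reject",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag names and raw values.

    Tags are separated by ';' (RFC 7489 section 6.3); whitespace around tags
    and values is ignored. Raises ValueError on a tag with no '='.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def policy_status(record: str) -> Tuple[str, str]:
    """Return (status, reason), where status is one of:

    'invalid'   - not a syntactically valid DMARC record
    'disabled'  - valid, but effectively disabled under the quoted rule
    'effective' - p=quarantine or p=reject with a non-zero pct
    """
    try:
        tags = parse_dmarc(record)
    except ValueError as e:
        return "invalid", str(e)

    # RFC 7489 requires v=DMARC1 to be the first tag in the record.
    first = record.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        return "invalid", "record must start with v=DMARC1"

    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        return "invalid", f"missing or unknown p value {p!r}"

    # pct defaults to 100 (apply the policy to all failing mail).
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or not 0 <= int(pct_raw) <= 100:
        return "invalid", f"pct must be an integer 0-100, got {pct_raw!r}"
    pct = int(pct_raw)

    if p == "none":
        return "disabled", "p=none requests no action on failing mail"
    if pct == 0:
        return "disabled", "pct=0 applies the policy to no mail"
    return "effective", f"p={p} applied to {pct}% of failing mail"


if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        status, reason = policy_status(record)
        print(f"{label:18} {status:9} {reason}")
```

One caveat worth keeping in mind when reading the pct result: RFC 7489 tells receivers to apply the next less strict policy to the messages not selected by pct, so "p=reject; pct=0" is commonly used as a way to get quarantine-like handling; the check above deliberately reproduces the report's stricter reading rather than that RFC nuance.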