On 4/26/20 3:23 PM, Jaroslaw Rafa wrote: > Dnia 26.04.2020 o godz. 08:00:56 Richard Damon pisze: >> This is exactly what DMARC is intended to indicate. Configuring a domain >> with DMARC says that it is intended that message only be accepted if >> they come directly from the sender. It was designed for things like >> Banks to be able to send out messages that the recipients can trust came >> from them and not a scammer. > But email providers like Google are ignoring the fact that DMARC was > intended for such purposes, and consider it an universal anti-spam measure. > Google, as a recipient, clearly indicates in their sender guidelines > (targeted at senders who have trouble with deliverability of their messages > to Gmail users - among other cases, messages being placed in Spam folder) > that the sender has to have DMARC, DKIM and SPF configured. That's the first > thing they require from you if you have any deliverability problems with > them. However, having all this set up doesn't provide any guarantee that > your email won't be qualified as spam (so why require it at all?). > BTW, with regard to messages being marked spam, DMARC reports are pretty > useless because they don't give you any information about that. And that > would be actually the most interesting thing in those reports. They only > give me information whether the message passed or failed DMARC/DKIM/SPF > check, but this tells me nothing in terms of knowing if the recipient > actually got my message or not. > What's worse, Gmail does not honor Disposition-Notification-To: header, > which could be used to determine if the recipienta ctually read my message > or not. > So sending mail to someone at Gmail is actually sending it into the > unknown...
I have never had GMail ask me to setup DMARC, they will ask you to setup SPF or DKIM as a first step for delivery problems, as letting them confirm SENDER (not From) is the first step to them being able to do something about you. With SPF enabled, then they can verify that any message that claims you are the sender of the message, is actually coming from a machine under you control, so they can reject forged senders. Note, there is a MAJOR difference between SPF and DKIM as stand alone protocols, and on how they are used within DMARC. Plain SPF/DKIM are tied to the sender of the message, which should be a reference to the machine that actually sending the message (or the organizations that control it). For instance, all messages from this mailing list have a sender address that is in the postfix.org domain. If a machine receives a message, and then sends it along anew (like a mailing list) then it is supposed to reset the sender to itself (as that is where deliver errors should go) in the process. That means that messages from this list will be checked against the postfix.org SPF and DKIM rules, so it can validate that this transmission was initiated by something at postfix.org When DMARC comes into play, rather than using the sender, you check the From: header, which a re-sender is NOT supposed to change. This means that messages from this list are likely going to fail DMARC/SPF, unless the domain that originated the message specifically added the postfix.org outgoing email servers to its allowed host list. (and ARC when it is working might allow that domain to say that it trust postfix.org to verify and re-transmit its messages). IF the originating server has a properly configured DMARC/DKIM setup, then the message will be signed, and because the postfix.org mailing lists don't touch the parts of the message normally signed by DKIM, the relayed message will pass DMARC/DKIM and thus pass DMARC (since only one needs to pass). More commonly, many email list systems will do minor administrative changes to the message (adding a subject wart or a list footer) which will break DKIM and thus the fail DMARC/DKIM abd DMARC/SPF. GMail isn't really out of line in using broken DMARC as a spam indicator. Domains with DMARC enabled have indicated that they what people to be careful about their messages, and broken DMARC is a sign of problems. It could be argued that if the DMARC uses p=none then it shouldn't count against delivery, but by a reasonable interpretation of the RFC, delivery to the GMail spam folder does qualify as delivery, and there aren't any hard rules about spam detection. Yes, DMARC replies won't let you know if the user every actually saw the message, that isn't there purpose. There purpose is to help you know how bad your spoofing problem is, or to help you diagnose your own outgoing DMARC issues. As to Disposition-Notification-To: headers, the RFC for those clearly state that it is just a polite request to the receiving system, and they are well within bounds to ignore it. I personally always disable the automatic reply off those headers (and won't use a system that won't let me do so if I have any choice about it). -- Richard Damon
