On Wed, Jul 14, 2021 at 09:51:25AM +0200, Bastian Blank <bastian+postfix-users=postfix....@waldi.eu.org> wrote:
> On Wed, Jul 14, 2021 at 05:43:57PM +1000, raf wrote:
> > Here's a (silly) thing that's wrong with DMARC: :-)
> > I've sent two messages to this mailing list so far, and
> > I've received 52 DMARC forensic/failure report emails
> > as a result! :-)
>
> Your mails are not DKIM signed, so of course they will fail.

My DMARC policy deliberately only reports on SPF failures
for that very reason. If the absence of a DKIM signature
constitutes a DMARC+DKIM failure and hence a DMARC failure,
even though the "reporting policy" is to only report on SPF
failures, then that's a pity. My intention was to state
clearly that I only use SPF and not DKIM. Perhaps it's not
possible to do that.

When reading up on it all ages ago, I was led to believe
that that's how DMARC worked. Also, the fact that adding
SPF-only DMARC at work did fix a problem with a client's
third-party mail provider that was treating our emails as
spam before we added it, but started accepting them
afterwards. Their (admittedly dodgy) implementation seemed
to agree with my interpretation of what I'd read.

> > But seriously, I'd also appreciate a critique of DMARC.
> > It seems like a reasonable attempt to solve some of the
> > flaws with SPF and DKIM. If it fails to do that, or it
> > has flaws of its own, I'd be interested in hearing
> > about it.
>
> DMARC is documented in an informational RFC, so it never got a proper
> standard review and you can clearly see it in every corner. One of the
> largest problems is the use of SPF.

Clearly, I really need to read the RFC. :-)
Other explanations online don't seem to do a good
enough job of explaining it. Thanks.

> Bastian

cheers,
raf