On Mon, Aug 22, 2022 at 01:51:59PM -0400, Demi Marie Obenour wrote:
> The correct solution to prevent email forgery is DNSSEC + DKIM +
> DMARC with p=reject + some way to prevent DMARC from accepting based
> on SPF alone. In practice, lots of stuff is misconfigured. I don’t
> run a mail server, but if I did, I would be pretending that Google
> had p=quarantine, even though it has p=none. I would also be using
> DNS over TLS to 8.8.8.8 with pinned CA certificates to get Google’s
> DNS records, and refusing to send mail to Google unless a Google CA
> signed the server’s TLS cert.
You'd end up receiving 419 scam messages from Gmail, and "upgrading"
p=none to p=reject is IMNSHO vandalism.
--
Viktor.
