Understanding SPF, DKIM, and DMARC: A Simple Guide

At least once a month, I get asked to release some incoming email from quarantine that got sent there because the sender's SPF record is wrong or outdated

And at the same time, I regularly get Spam/Phishing with perfect SPF, DKIM, DMARC, etc. The domains and IPs they use might get blocked within a day, but of course, these people have no problem getting others.

And although I have set up my MTA perfectly, my mail gets refused by MS/t-online/etc., because I don't have enough "sender reputation". In e-mail, we have an oligopoly of a few big mail providers, and in the end, they decide which mail gets delivered and which isn't, and to me it looks like they give a rat's ass about SPF and DKIM, and probably rightfully so, because most spammers are probably better at configuring MTAs than your average mail admin.

What would you say the normal reception you receive from this email template is?

I like the idea, but I would think sending a technical email (with industry-specific acronyms that you don't spell out!) to a business that has no in-house IT would just be ignored in most cases.

Cool stuff! BTW, what's up with the license?

Does the script handle macros in SPF?

I've had a couple of other-company-IT-admins tell me that my MX is jacked because I use hosted SPF via proofpoint, and when they look up my SPF it looks like this:

"v=spf1 include:%{ir}.%{v}.%{d}.spf.has.pphosted.com ~all"

A surprising number of mail admins don't understand SPF macros.

How do I make use of the gist?

I do

    (load "spf-fail.rkt")

    (require spf-fail)

Awesome, mind if I send you an email solely to test if it gets through or if I get to be the recipient of your awesome script? ;-)

I work at an IT provider - we see this daily. Have to whitelist to keep the customer happy, usually the other end is a 1 or 2 person business with an old hosted Yahoo system or similar

I was on the receiving end of an automated version of this. However, when I looked into it, it seemed the problem (SPF record required more than 10 DNS lookups) was fairly common. I don't seem to have any other deliverability problems and my email and DNS is managed by some big hosting company so I assume it's not a real problem and didn't fix it.

That is really awesome. It can be easy to miss setting up SPF on every new tool.

Yeah, the only thing you need for simple SMTP services is:

- with DNS, the simplest as possible SPF record.

- Without DNS, (aka pure IPv[46] SMTP), your have implicit SPF: instead of querying the DNS and parsing the SPF record, you parse the mail header to check "reply-to/from/etc" fields (the appropriate fields) for the sending SMTP IPv[46] address, that to perform spam scoring.

If we care about keeping open protocols like HTTP and SMTP alive, we need to overhaul DNS.

Or at least create a simplified common abstraction layer.

It’s the most inherently user-hostile thing I’ve ever encountered - and I’m only just now starting to understand it, even though I’m almost 20 years into dealing with it.

Neat! I must try this.

My favourite are queries "why are you rejecting my email?"

Ehh... Because your dmarc policy told us to?

Came here to say this, plus add a little personal insight to the future of email.

I've run 5 or 6 different mail servers over the past 10 years. Originally before O365 I was an exchange admin, then postfix, iRed, mailcow, mail gun, you name it. Hosted on every cloud provider, even in our colo with part of a private /24 allocation with good reputation (built since 1997, gawdamn). Every sort of header combination, tls setup, and no blacklists. Always 100% alignment, including strict rejection policy (best results even over quarantine).

Does not matter, if you're sending from custom domain not handled through a big name, expect the spam box with Gmail. Yahoo and Outlook are fine, but Gmail is the bane.

I've spent maybe 100 hours of my own over this last year and know what I realized? Nobody cares about email anymore, except for automated account management stuff (login, PW reset). Businesses pay the $3 /mo / seat for fastmail and don't think twice.

But the current trend is toward social chat (discord or Whatsapp) and most the people who own an iPhone just use their apple ID email for everything.

Although I am a fervent supporter of open protocols and believe email (with pgp signing) is an awesome long form communication format... Face it, it's going the way of the fax machine.

I have had a Gmail account from the days when it was invitation only. The inbox contains spam and my test emails and nothing else!

I've run tiny smtp systems for 25 years or so. It can be done. I am based in the UK but at least one of my domains is a .net jobbie, so nominally American. That one still works fine and it is my (ltd) company domain, so all good. The MX records etc have moved around a bit but always very carefully.

It all starts around the IP address you are using. Is it "tainted"? is it in a tainted block? If it is then you need to either go elsewhere or clean it up and that takes a bit of time. By clean it up I mean apply for removal from the usual suspect's blocklists - Spamcop (lol), Spamhaus and all the rest that you can find.

Now setup PTR records. That has to be done by your ISP. If they can't do it for you, then find a new ISP. If you can't get PTR records to match A records then you may have to give up. One of the first checks an anti spam system will do is reverse look up an incoming IP address and compare it. Also that should match the HELO/EHLO announced by the SMTP MTA:

SMTP connection from IP address 12.13.14.15 HELO (my name is) smtp.example.co.uk

Receiver will check: smtp.example.co.uk == 12.13.14.15 AND 15.14.13.12.in-addr.arpa == smtp.example.co.uk.

Everyone gets their knickers in a twist about SPF, DKIM and DMARC but if you do not get the prior basics of IP -> A -> HELO -> PTR sorted out first then you will fail sooner or later. I also recommend that you ensure your MX records (receiving) match up too with your sending records. It means you can use mx is SPF, for example.

If you have multiple internet connections and IPs then be absolutely certain that your inbound and outbound IPs for SMTP match up.

Sorted all that? Cool, now proceed to SPF.

Most people fail at the PTR stage. If your ISP will not do PTR for you then you are probably screwed for self hosted SMTP. If you cannot change ISP to one that will, then you are really screwed. Sorry. In that case you will have to engage a service that will route SMTP on your behalf. It won't cost much but you won't own it and you will have to pay someone to do it. Soz.

Really depends on what you want to get out of your server. Most easy to use server software I know seems to be geared towards personal use and small organisations.

Mail-in-a-box still works, though last time I checked they were on quite an old Ubuntu LTS release. There are a few pre-packaged docker containers too (i.e. docker-mailserver) which seem to be popular. I myself use Mailcow, but that's pretty heavy for "just" a mail server.

There's also a mail server that I can't for the life of me remember the name of, which packaged a whole bunch of stuff into one single binary you can run rather than use the classic "every part of the email delivery chain is a separate process" approach. I think it was written in Go?

There's a bunch of options: https://github.com/awesome-selfhosted/awesome-selfhosted?tab...

I personally use docker-mailserver https://docker-mailserver.github.io/docker-mailserver/latest... because it's a pretty traditional stack (postfix+dovecot+sieve etc) just already containerized and configured, so there's a lot of info already out there on how it works

The number 0 requirement that you have to solve regardless of stack though is to get an IP with a good reputation. I've got Comcast Business to my apartment, which I think is probably the best way to get a good IP since it's relatively difficult for spammers to have used it in the past. Alternatively, relay everything through Mailgun/SES/whatever

Recommend Stalwart

https://github.com/stalwartlabs/mail-server

(No affiliation to the devs)

I’m partial to https://gitlab.com/simple-nixos-mailserver/nixos-mailserver

Does require some NixOS knowledge, but is nice for upgrades.

For a business? You don't. For hobby/fun? I still wouldn't. I tried years ago and you're just going to fight blacklisting constantly. If you're on a residential/consumer internet service, trying to set it up in your home lab, forget it.

It's annoying.

This seems very much like a problem you have created for yourself.

If you do SRS correctly it will not pass DMARC alignment for your domain but it will pass plain SPF which does not have the DMARC alignment check and is sometimes checked independently from DMARC. If the sender included valid DKIM it should pass DMARC for the sender's domain as long as you don't alter the signed parts of the message (unless possibly if they do something annoying like sign the absense of X-Forwarded-To). Google also wants you to use ARC, add X-Forwarded-{To, For} headers, avoid forwarding spam, and use a different IP address or domain for forwarding vs sending mail from your domain. Some email providers let you indicate that you trust particular ARC forwarders but I don't think Google uses it that way.

https://support.google.com/mail/answer/175365?hl=en

I don't know why Google want to force forwarders to do spam filtering.

Sendmail

You don't need public certificates for DKIM, it uses privately generated ones for as long as you want to keep them. (A security researcher recently found quite a few domains using weak DKIM keys generated by buggy Debian OpenSSL, more than fifteen years ago.)

uh, you are right, super cool!

sysadmins will love it

Fantastic!

Is it just me who finds this tool horrendous? Instead of just giving a report, it makes words fly on the page... Certainly it looks cool and perhaps appealing to some younger generation, but if it is tech analysis, you would expect clear and concise report, not some flying things with explanation like I am 4

Just tried it - you're right that is really good. Thanks.

I recently set up a mailchimp tenant for someone and was surprised that their email authentication wizard pretty much began and ended with DKIM. I'm way too used to b2b solutions that want the equivalent of a chmod+999 before it can run a hello world.

It's only really needed if you need to robo-forward stuff between domains. For example if you set up a domain but want to receive emails to your usual gmail.

I noticed that cloudflare's email forwarder uses an ARC record and it works a treat.

And you don't need to run your own server in order to escape the big players. I have been a happy Fastmail customer for many years now.

One of the reasons I decided to self-host emails for my domain names. There's no reason it should be hard to host your own email in 2024 even if you're just mildly technical.

An Ansible playbook that sets up Debian to host email, all the dependencies from the default Debian repositories.

https://github.com/programmer-ke/replatform/

dmarcian won't load in NL:

On February 20th 2024, the Hague Appellate court instructed dmarcian to block dmarcian.com visitors who originate from Dutch Internet Protocol addresses.

Apparently they had some trademark dispute with their local representative. The story on their website seems to be missing some key details to understand the whole picture.

Looking forward to this. First thing I ever ponied up on KS for.

I don't even run a mailserver, I'm just hoping it will take a bunch of the guides that have been floating about on the web, consolidate the sharp edges, and make sure its up to date.

I also hope it has some discussion on troubleshooting. Like dealing with blacklists and what not, folks always talk about that, but I've never see it documented what is actually done to resolve these problems (Like who do you send an email to, how do you even find out who to send an email to, etc.)

My startup is made to get user domains automatically onboarded to applications, DNS-related things such as SPF/DKIM/DMARC. It's a "Stripe-for-DNS" called cloudvalid.com.

Interesting. Not lot of startups out there talking about Domain Connect on their front page. Seems like a decent amount of overlap with my project TakingNames.io[0]. Feel free to reach out if you want to talk shop.

[0]: https://takingnames.io/blog/introducing-takingnames-io

The DMARC policy is none. Meaning if both SPF and DKIM fail then nothing should be done about the email. Now, many email security gateways and spam filters will just have rules automatically blocking anything that fails SPF regardless but you want to eventually get to `p=reject`.

Start with something like `p=quarantine; pct=25` to have 25% of reported DMARC policy failures be marked for quarantine, review the reports after a week and then ramp it up to 50%, 75%, 100% every few days. Then if your domain is not having a significant percentage marked for quarantine in your DMARC reports after a week or two, switch to `p=reject; pct=100%` and continue to monitor the reports to make sure everything is good.

DMARC is not bulletproof to people using your domain as spam though because even with a reject policy, if SPF fails but DKIM passes, DMARC will pass or vice versa. It helps curb abuse and takes 15 minutes of effort to set up once but still is not enough to kill spam.