1. 85
    1. 18

      The explanation of SPF is a little off in that it implies that the email’s From header is involved, whereas SPF checks look at the envelope-from/MAIL FROM address which is usually not shown to the receiving user, unlike the From.

      To be fair this is probably the hardest bit to get your head around, but leads into DMARC alignment (confirming that the address in the From header is legitimate) - one of the most important things that DMARC brings along.

    2. 14

      And this, folks, is why I no longer run my own email server and likely never will.

      1. 3

        DMARC records aren’t just for self‐hosted email. You’ll want to set them up if you use a personal domain, even if your email is hosted by a cloud provider like Google or Microsoft.

      2. 8

        … because you didn’t want to add a couple DNS records?

        1. 13

          If you pay an email provider to do the hard stuff, then yes, it’s just a matter of adding some DNS records. But, when running your own email server, you have to set up and maintain a DKIM and a DMARC suite yourself and make sure everything works together along with the SMTP server.

          1. 6

            Sure, you have to install opendkim and drop a line in your config, then generate the DNS records. Don’t need any software for DMARC, if you need reports they’re all human readable XML, but usually just set the DNS to enforce DKIM and done.

          2. 2

            To be fair I only use my domains as email slingshot if I can, nothing goes in, only out - which is good enough for 99% of my services. Different story for my work, because for real email you need a lot more these days. (push notifications for apple and android which are different systems and totally insecure, carddav, maybe caldav, webview, greylists, spamlist …). I can highly recommend this video from one CCC talk, though it’s probably only in german. But it comes with this nice overview.

        2. 11

          Because adding a couple of DNS records is a vast oversimplification and I just don’t want the deal with the actual complexity your comment is pretending doesn’t exist.

          1. 11

            I’m genuinely curious what else one could take as needed after reading this article? As I allowed in the sibling, yes, you also need to run opendkim I guess. The article very clearly talks about three kinds of DNS records and how to set them up. They say if you run an email service and care about DMARC reports you might want an aggregation tool, but admit right in the article that for self hosters you can just read the report (and probably don’t have to if you just have one mail server anyway)

            1. 5

              The article also says that they “had to do a lot of hard work and research to understand this problem”, so sure, it’s “just” a couple DNS records (and some config, and…), but the work involved to get there from nothing is clearly not non-existent. For comparison, I’m sure most programmers here have had the experience of spending all day understanding a problem just to end up committing 5 lines of code.

              1. 5

                Yes, sure, if you don’t know you need these or what the syntax is it will take time to learn. But now that this article exists, you could just read it and know more than everything you need. That’s why I’m curious why the reaction to the article giving the answer is to think the question is too hard.

    3. 5

      This is a good write-up and covers the most common case. As someone who has done their fair share of debugging email issues, I am convinced of one thing: almost no one understands DMARC.

    4. 3

      Very good writeup!

    5. 3

      Huh, I have SPF set up for my email domain but not DMARC, and (after some double-checking) no DKIM either. I’ve never had problems sending email, at least that I’ve noticed (ie, sending to family members or my work gmail and having the messages vanish entirely). Am I just lucky to have an IP that hasn’t been used for abuse in the past or something?

      1. 7

        Yes, it’s most likely about the reputation attached to your IP address, and the separate reputation attached to your domain name. If it’s used only for personal mail, the time when you’re most likely to have trouble is right at the start, when you first set it up, before you’re on anyone’s lists.

        You might think that SPF and DKIM would be strong signals for spam detection, but in fact it isn’t hard for spammers to set them up. Their main value is that they force spammers to only use domains controlled by the spammers, and not impersonate other people’s domains. There’s plenty of spam out there that has proper SPF and DKIM records. So the reputation lists are the more valuable signal.

    6. 1

      The DMARC thing doesn’t sound so terrible. You need the reports to end up somewhere, right? And XML isn’t great, but there are plenty of tools to work with it.