1. 61

  2. 5

    Good advice, although I think it can be done more simply. I would keep the SPF just as they suggest, like “v=spf1 -all”, but the DMARC I have set on all my non-mailing domains is “v=DMARC1; p=reject”. If you want to monitor if it’s being used as the sender domain by spammers, add a rua tag, i.e. “v=DMARC1; p=reject; rua=mailto:postmaster+dmarc@yourdomain.com”.

    All the other options they suggest are optional or defaults. Furthermore, this avoids abuse of DKIM by any receiver that checks DMARC.
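A small checker for the records this comment recommends, written as an added example rather than code from the commenter or from the gov.uk guidance. It parses an SPF and a DMARC TXT record string and reports whether a domain that sends no mail is actually locked down (exactly `v=spf1 -all`, `p=reject`, no weaker explicit `sp=`), and extracts any `rua` report addresses. The record strings and domain names in it are constructed; to use it against real DNS you would feed it the TXT records of `<domain>` and `_dmarc.<domain>` from your resolver of choice.

```python
"""Validate SPF/DMARC records for a domain that is not meant to send mail.

Added example (not from the thread or gov.uk). The records below are
constructed sample data, not live DNS answers.
"""


def parse_spf(record):
    """Return the SPF mechanism list, or None if this is not a v=spf1 record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict (None if invalid)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def check_non_sending_domain(spf_record, dmarc_record):
    """Return {'ok', 'findings', 'reports_to'} for a domain that sends no mail.

    'ok' is True only when SPF is exactly 'v=spf1 -all' and DMARC is p=reject
    (with no explicit weaker sp= for subdomains). 'reports_to' lists the
    rua URIs, which is where spoofing attempts would be reported.
    """
    findings = []
    reports_to = []

    mechs = parse_spf(spf_record) if spf_record else None
    if mechs is None:
        findings.append("SPF: no valid v=spf1 record")
    elif mechs != ["-all"]:
        findings.append("SPF: expected exactly 'v=spf1 -all', got '%s'" % " ".join(mechs))

    tags = parse_dmarc(dmarc_record) if dmarc_record else None
    if tags is None:
        findings.append("DMARC: no valid v=DMARC1 record at _dmarc.<domain>")
    else:
        policy = tags.get("p", "").lower()
        if policy != "reject":
            findings.append("DMARC: policy is '%s', expected p=reject" % (policy or "missing"))
        # sp defaults to p, so only an explicit weaker sp= is a problem.
        if "sp" in tags and tags["sp"].lower() != "reject":
            findings.append("DMARC: subdomain policy sp=%s weakens the reject policy" % tags["sp"])
        # rua is a comma-separated list of URIs, each optionally suffixed "!size".
        for uri in tags.get("rua", "").split(","):
            uri = uri.strip().split("!", 1)[0]
            if uri:
                reports_to.append(uri)

    return {"ok": not findings, "findings": findings, "reports_to": reports_to}


if __name__ == "__main__":
    # Constructed sample records for three hypothetical domains.
    samples = {
        "locked.example": ("v=spf1 -all",
                           "v=DMARC1; p=reject; rua=mailto:postmaster+dmarc@locked.example"),
        "weak.example": ("v=spf1 ~all", "v=DMARC1; p=none"),
        "missing.example": (None, None),
    }
    for domain, (spf, dmarc) in samples.items():
        result = check_non_sending_domain(spf, dmarc)
        print(domain, "OK" if result["ok"] else "NOT locked down")
        for finding in result["findings"]:
            print("  -", finding)
        if result["reports_to"]:
            print("  reports go to:", ", ".join(result["reports_to"]))
```

Running it shows `locked.example` passing with reports routed to `postmaster+dmarc@locked.example`, while the softfail SPF and `p=none` DMARC of `weak.example` each produce a finding, as does the complete absence of records.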

    1. 1

      rua=mailto:postmaster+dmarc@yourdomain.com

      This is quite a late reply, so please don’t mind my question, as I am quite curious about this part. If we don’t intend to receive email on this mydomain.com, how would we be able to monitor an email to postmaster+dmarc@yourdomain.com?

      1. 2

        If we don’t intend to receive email on this mydomain.com

        DMARC, SPF and DKIM are all services for the person you are sending mail to, i.e. your outbound flow. It doesn’t mean you won’t accept incoming mail. I always set up hostmaster@ and postmaster@ aliases on my mailserver for all domains that I’m running DNS for, including the ones with an SPF -all and DMARC reject policy.

        1. 1

          Thank you for the clarification.

          hostmaster@ and postmaster@ aliases on my mailserver

          By this, do you mean to set up email aliases in your postfix configuration? So that I don’t have to explicitly set up any mailbox for the forensic reporting, but instead just depend on postfix to send me the forensic reports.

          1. 2

            Exactly! See RFC 2142 for some recommended mailboxes.
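One way to wire this up in Postfix, as an added example and not the commenter's own configuration. It assumes a single mailbox `admin@mail.example.com` (a placeholder) should receive the RFC 2142 role addresses for a non-sending domain `nomail.example` (also a placeholder), and uses Postfix's real `recipient_delimiter`, `virtual_alias_domains` and `virtual_alias_maps` settings so that `postmaster+dmarc@nomail.example` resolves to the `postmaster@` alias without a dedicated mailbox.

```conf
# /etc/postfix/main.cf (added example; domain and mailbox names are placeholders)
# "+" subaddressing: postmaster+dmarc@... is looked up as postmaster@... if no
# exact match exists, so one alias covers every rua=mailto:postmaster+<tag> address.
recipient_delimiter = +
# Accept mail for the non-sending domain and rewrite its role addresses.
virtual_alias_domains = nomail.example
virtual_alias_maps = hash:/etc/postfix/virtual

# /etc/postfix/virtual (RFC 2142 role addresses for the non-sending domain)
postmaster@nomail.example   admin@mail.example.com
hostmaster@nomail.example   admin@mail.example.com
abuse@nomail.example        admin@mail.example.com
```

After editing the map, run `postmap /etc/postfix/virtual` and `postfix reload`; the DMARC aggregate reports sent to `rua=mailto:postmaster+dmarc@nomail.example` then land in the admin mailbox, and the domain still publishes `v=spf1 -all`, since accepting mail and sending mail are independent.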

            1. 2

              That is so awesome that this is possible. Thanks for the tip!

    2. 5

      Not sure why this is on the gov.uk website, but sharing it because it’s not something I’ve ever considered before (someone spoofing emails from a domain I don’t use for mails).

      1. 14

        This is probably something that Government Digital Services use as internal documentation, but GDS actually have a really good transparency policy (and open source!).

        GDS help a bunch of branches of government run their own *.service.gov.uk sites.

      2. 4

        I use ProtonMail and have basically all of these enabled and set for my domains.