ramsey,
@ramsey@phpc.social avatar

I just noted a hilarious thing about the DMARC system.

I set my DMARC settings to “reject” 100% of unauthenticated emails, and now, I’m receiving all the bounces from my email provider that are rejecting spam emails sent to me that are also purported to be from me!

So, I’m still receiving the spam that spammers intended to send to me (and also appear from me) but got rejected by the system, and the bounce is from an authenticated address.

This is so circular, it makes my head hurt.

shiflett,
@shiflett@mastodon.social avatar

@ramsey It probably goes against your nature to use a third-party service for this, but I recommend it. You still own and operate everything (your domain, your DNS records, etc.), but all the reports get sent to an email address provided by the service, so it can consolidate them for you. (I use Dmarcian, which is free for personal use.)

ramsey,
@ramsey@phpc.social avatar

@shiflett Thanks! I need to set that up. However, this isn’t referring to the report messages. This is a bounce saying the email was rejected by the receiver.

shiflett,
@shiflett@mastodon.social avatar

@ramsey Oh, I see. The spam emails are both from you and to you. I didn’t realize that was a common technique.

tjdraper,
@tjdraper@phpc.social avatar

@ramsey DMARC was a huge mistake and not very well thought through…

Email was a huge mistake and not very well thought through…

ramsey,
@ramsey@phpc.social avatar

@tjdraper I still prefer email over chat and forums.

tjdraper,
@tjdraper@phpc.social avatar

@ramsey Oh yeah me too. I was referring more to the mechanisms and naivety in which email was originally conceived, not the format.

ericmann,
@ericmann@tekton.network avatar

@ramsey the number of bogus emails from my personal domain I get back as bounces since I configured dmarc is insane...

ramsey,
@ramsey@phpc.social avatar

@ericmann These messages used to arrive in my junk folder, but since setting it to “reject,” the bounces arrive in my inbox because they’re properly signed. 🤣

ericmann,
@ericmann@tekton.network avatar

@ramsey same. I'm not a celebrity by any means but my name is out there enough I do everything I possibly can to prevent impersonation.

So far this month I've had ~100 of those bounces (almost all from Japan), someone trying to change my direct deposit at work, and using some weird reverse invoice to allege to PayPal I owed them $2500.

It's been a bizarre month.

ramsey,
@ramsey@phpc.social avatar

@ericmann I only changed from “none” to “reject” yesterday, for the first time, so we’ll see what happens this week.

I had a security researcher contact me to let me know that ramsey.dev was missing a DMARC record. I think they contacted me because I have a proper security.txt on my domain. This prompted me to update all my domains to “reject.” I’m not sure why I used “none” for all these years. (1/2)

ramsey,
@ramsey@phpc.social avatar

After thanking them, they asked if I provided compensation for bounties. I wanted to laugh at them, but I thanked them again and explained that I’m not a company with a bounty program. (They were addressing me as “team.”) I’m planning to write back and ask if they have a kofi or venmo where I can throw them $10 to buy a drink. (2/2)

jemjabella,
@jemjabella@mastodon.social avatar

@ramsey these things are sent out in bulk to scraped domain lists. Your generosity is lovely but you'd be encouraging less than ethical behaviour by donating 😬

ramsey,
@ramsey@phpc.social avatar

@jemjabella Oops 😬

ericmann,
@ericmann@tekton.network avatar

@ramsey adding a DMARC tracking tool made all the difference

ramsey,
@ramsey@phpc.social avatar

@ericmann I need to figure out how to set that up. All I get are these zipped up XML files, and I don’t know what to do with them.
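
Added example, not part of the thread and not any participant's code: a small Python reader for the zipped or gzipped XML aggregate reports mentioned above, tallying message counts per sending IP with the receiver's disposition and DKIM/SPF results. The sample report is constructed; `MAX_XML` and the function names are assumptions made for this sketch.

```python
import gzip, io, zipfile
import xml.etree.ElementTree as ET
from collections import Counter

MAX_XML = 10 * 1024 * 1024  # assumed cap: reports are untrusted, compressed input

# Constructed sample in the RFC 7489 aggregate-report layout; the domain and
# addresses are documentation placeholders, not data from the thread.
SAMPLE_XML = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim>
      <spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim>
      <spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def unpack(blob):
    """Return the XML from a .zip, .gz or plain attachment, size-capped."""
    if blob[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            data = z.open(z.namelist()[0]).read(MAX_XML + 1)
    elif blob[:2] == b"\x1f\x8b":
        data = gzip.GzipFile(fileobj=io.BytesIO(blob)).read(MAX_XML + 1)
    else:
        data = blob
    if len(data) > MAX_XML:
        raise ValueError("report exceeds size cap")
    return data

def summarize(blob):
    """Return (domain, Counter keyed by (source_ip, disposition, dkim, spf))."""
    root = ET.fromstring(unpack(blob))
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # some reporters add an XML namespace
    tally = Counter()
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        key = (row.findtext("source_ip"), ev.findtext("disposition"),
               ev.findtext("dkim"), ev.findtext("spf"))
        tally[key] += int(row.findtext("count", "0"))
    return root.findtext("policy_published/domain"), tally

def failing_sources(tally):
    """IPs whose mail passed neither DKIM nor SPF under DMARC evaluation."""
    return sorted({ip for ip, _, dkim, spf in tally if dkim != "pass" and spf != "pass"})
```

Sources that show up in `failing_sources` but are legitimately yours (a newsletter service, a forwarding host) are the ones to fix in SPF or DKIM before relying on “reject.”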
