📢 We now have the essential trio for authenticating and securing every mail sent from our servers: SPF, DKIM and DMARC.
Thanks to these three protocols, the deliverability of your mail is improved further, with ever less risk of being classified as spam 🥳
Thanks to @Octopuce for bringing this long-standing project to completion, which lets us offer a mail platform more reliable than ever! 😍
I know that back in the days of POP3 and unencrypted email you could write anything in From: and one would have to cross-check with the other headers to see if the message at least went through the domain in the address.
I believe nowadays big servers like gmail are stricter in the email they accept (to the point of rejecting valid emails, which is super annoying, I know), but is there a standard in check that foo@bar.com comes from bar.com?
@kinnison @hisham_hm #DKIM does help against spoofing headers such as "From:", and the mail body. It comes with the major caveat (amongst others) that once leaked, you have no way* to plausibly deny authorship of emails. IIRC this has happened with Hillary Clinton's mails on Wikileaks.
*you can regularly rotate your signing keys and publish the old keys, however there does not seem to be a standard way of doing this.
To what extent is DMARC, and in particular its aggregate and forensic report formats, compatible with the requirements of the GDPR? Katharina Küchler (lawyer, eco association) and I (e-mail expert, head of the eco e-mail competence group) looked into this question in the fully revised legal opinion of the #eco association.
If you use #ACM #Email forwarding actively, HEADS UP.
#Google is now enforcing #DKIM policy and as of midnight last night is bouncing email from ACM.ORG addresses that did not come through the ACM #SMTP Relay service.
You need to change your email configuration to use the ACM SMTP Relay service immediately.
Here is a link for how to configure your mail service (including GMAIL) for the Mailroute SMTP Relay.
Fun and games with email today… Yahoo and Google have stepped up their filtering game, requiring stricter DKIM/DMARC.
That broke my workplace email addresses.
Consequently, I wound up reviving my old yahoo.com.au email address… fun and games remembering the password to an account I haven't used regularly in the better part of 25 years.
Thankfully, I must've logged in more recently, and changed the password… and crucially, stored it in the password manager. So it's working again.
My home mail server: delivers to the old Yahoo account, no problems at all.
SPFv1 for both work's domains are correct, how the hell does a hobby server admin like me get something right that professionals like Microsoft get wrong?
To everyone who deals with e-mail and wants to do it officially right™: the @bsi has published Technical Guideline BSI TR-03182 "Email Authentication" https://bsi.bund.de/dok/tr-03182-en, which describes how #spf, #dkim and #dmarc must be deployed to be compliant with the TR and to pass an audit for BSI certification.
Why am I writing this? You are reading the toot of the proud author who spent 1.5 years working out the TR with the BSI.
I suspect that, with both Gmail and Yahoo recently tightening up on authenticated emails, some Zoho users may begin to notice their emails are being rejected and may no doubt blame Zoho for the problems!
1/3. The mail server must sign outgoing mail with DKIM. You generate a key pair called “foo” (e.g., with opendkim-genkey), configure your mail server to use it, and publish the public key in the DNS like:
foo._domainkey.example.com. IN TXT (
"v=DKIM1; k=rsa; "
"p=..."
)
@dalias
Cheers. In the context of your other reply this makes sense and makes @riastradh's post much clearer!
So effectively there is a school of thought that says for #dkim to be both effective and not a threat you would need to be able to
• generate a private key per email
• insert it into the header
• sign the entire message
• publish the dkim record during transit
• profit...
After this week's Spring Break, we return in my #SysAdmin class to dive into #SMTP.
We start with an overview of the ecosystem consisting of MUAs, MTAs, MDAs, Access Agents, and tcpdump a simple manual SMTP session over telnet. We then talk about STARTTLS, MTA-STS and #DANE, before diving into #spam defenses, including #SPF, #DKIM, and #DMARC, all with practical examples, tracking lookups and traffic on the sender and receiver.
Heh, request smuggling is no longer just for HTTP. Circumvent #SPF, #DMARC, #DKIM by smuggling #SMTP commands (and thus spoof mail), because some MTAs don't strictly require \r\n.\r\n :
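To make the end-of-data point concrete, here is an added example (my own code, not from the linked post or from any MTA) of a toy DATA-phase parser in two modes: a strict receiver that ends DATA only at the RFC 5321 <CRLF>.<CRLF> sequence, and a lenient one that also accepts bare-LF variants such as "\n.\n". The session bytes and addresses are constructed placeholders. On the same bytes, the strict parser yields one message whose body merely contains the text of a second envelope, while the lenient parser accepts two messages, the second with an attacker-chosen MAIL FROM that inherits the SPF/DMARC standing of the connection it arrived on.

```python
import re
from dataclasses import dataclass, field
from typing import List

# RFC 5321 section 4.1.1.4: the DATA phase ends only at <CRLF>.<CRLF>.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
# Some MTAs also end DATA on bare-LF variants such as "\n.\n" or "\n.\r\n" (the smuggling bug).
LENIENT_EOD = re.compile(rb"\r?\n\.\r?\n")


@dataclass
class Envelope:
    mail_from: str = ""
    rcpt_to: List[str] = field(default_factory=list)
    body: bytes = b""


def parse_session(stream: bytes, strict: bool = True) -> List[Envelope]:
    """Toy receiver-side parser: walk SMTP command lines and collect one Envelope per DATA.

    Only MAIL FROM, RCPT TO and DATA are handled; EHLO, QUIT and server replies are ignored,
    because the only thing under test is where the receiver believes DATA ended.
    """
    eod = STRICT_EOD if strict else LENIENT_EOD
    envelopes: List[Envelope] = []
    cur = Envelope()
    pos = 0
    while pos < len(stream):
        nl = stream.find(b"\r\n", pos)
        line, pos = (stream[pos:], len(stream)) if nl < 0 else (stream[pos:nl], nl + 2)
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            cur.mail_from = line[len(b"MAIL FROM:"):].strip().decode()
        elif upper.startswith(b"RCPT TO:"):
            cur.rcpt_to.append(line[len(b"RCPT TO:"):].strip().decode())
        elif upper == b"DATA":
            m = eod.search(stream, pos)
            if m is None:  # never terminated: treat the rest of the stream as the body
                cur.body, pos = stream[pos:], len(stream)
            else:
                cur.body, pos = stream[pos:m.start()], m.end()
            envelopes.append(cur)
            cur = Envelope()
    return envelopes


# Constructed session: a legitimate message whose body carries a bare "\n.\n" followed by a
# second, spoofed envelope. Hostnames and addresses are placeholders.
SMUGGLED = (
    b"MAIL FROM:<alice@legit.example>\r\n"
    b"RCPT TO:<bob@victim.example>\r\n"
    b"DATA\r\n"
    b"From: alice@legit.example\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"innocent body\n.\n"                    # bare LF around the dot: NOT a terminator per RFC 5321
    b"MAIL FROM:<ceo@victim.example>\r\n"     # smuggled second envelope starts here
    b"RCPT TO:<bob@victim.example>\r\n"
    b"DATA\r\n"
    b"From: ceo@victim.example\r\n"
    b"Subject: urgent wire\r\n"
    b"\r\n"
    b"send money\r\n.\r\n"                   # the only real <CRLF>.<CRLF>
)

if __name__ == "__main__":
    for mode in (True, False):
        msgs = parse_session(SMUGGLED, strict=mode)
        print(f"strict={mode}: {len(msgs)} message(s)",
              [m.mail_from for m in msgs])
```

The full attack also needs an outbound server that relays the bare-LF sequence unchanged instead of treating it as its own end of data or normalising it; the receiver-side fix is the strict mode above, ideally combined with rejecting bare LF inside DATA altogether.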
In the wake of Google’s announcement of new rules for bulk senders, Microsoft is urging Microsoft 365 email senders to implement SPF, DKIM and DMARC email authentication methods.
I've successfully set up Mox by Mechiel Lukkien as my new mail server. It handles SMTP, IMAP, SPF, DKIM, and DMARC. It has a built-in spam filter, a web interface, webmail, autoconfiguration and it can show a checklist whether your DNS is set up correctly or not. All in a single binary! Pretty cool stuff. I'm planning to test various other solutions and document it on my blog soon.
This week on "silva rerum": a description of configuring mail on home.pl so that a WordPress hosted there can send mail in a form that Gmail accepts.
Usage of RSA-SHA1 for #DKIM was deprecated in 2016. Still about 1 % of all DKIM signatures use that insecure algo-hash combination. Check your key material if it is older than 3 years. Replace it with RSA-SHA256 and while you are at it add (!) ED25519 (RFC 8463) as a second type of signature algorithm if your software supports that. ED25519 has a significantly shorter bitlength, puts less load on DNS and speeds up processing.
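An added example (my own code, not from either poster or any project) that turns the two DKIM posts above (the selector._domainkey TXT record in "1/3" and this deprecation notice) into a check you can run over your own mail. It parses the DKIM-Signature headers of a message and the TXT record of a selector, flags rsa-sha1 (RFC 8301: must not be used for signing or verifying), reports whether an ed25519-sha256 second signature (RFC 8463) is present, and sanity-checks the record's version, key type, key encoding and h= hash restriction. It does not verify signatures. The messages and records are constructed, and the bh=/b= values are placeholders, not real digests or signatures.

```python
import base64
import binascii
import email
from email import policy
from typing import Dict, List

DEPRECATED_ALGS = {"rsa-sha1"}                      # RFC 8301: MUST NOT be used for signing or verifying
SUPPORTED_ALGS = {"rsa-sha256", "ed25519-sha256"}   # RFC 6376 plus RFC 8463


def parse_tags(value: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2). Whitespace inside values,
    including header folding, is dropped, which is what base64 tags such as b=/p= need."""
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, val = part.split("=", 1)
        tags[name.strip()] = "".join(val.split())
    return tags


def audit_message(raw: bytes) -> dict:
    """Summarise every DKIM-Signature on a message; nothing is cryptographically verified."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sigs: List[dict] = []
    for hdr in msg.get_all("DKIM-Signature", []):
        t = parse_tags(str(hdr))
        alg = t.get("a", "").lower()
        if alg in DEPRECATED_ALGS:
            status = "deprecated"
        elif alg in SUPPORTED_ALGS:
            status = "ok"
        else:
            status = "unknown"
        sigs.append({"d": t.get("d", ""), "s": t.get("s", ""), "a": alg, "status": status})
    return {
        "signatures": sigs,
        "has_deprecated": any(s["status"] == "deprecated" for s in sigs),
        "has_ed25519": any(s["a"] == "ed25519-sha256" for s in sigs),
    }


def audit_dns_record(txt: str) -> dict:
    """Sanity-check a <selector>._domainkey TXT record (RFC 6376 section 3.6.1, RFC 8463)."""
    t = parse_tags(txt)
    findings: List[str] = []
    if t.get("v", "DKIM1") != "DKIM1":
        findings.append("v= must be DKIM1")
    key_type = t.get("k", "rsa").lower()            # k= defaults to rsa when absent
    if key_type not in ("rsa", "ed25519"):
        findings.append(f"unknown key type k={key_type}")
    try:
        raw_key = base64.b64decode(t.get("p", ""), validate=True)
    except binascii.Error:
        findings.append("p= is not valid base64")
        raw_key = b""
    if not raw_key:
        findings.append("empty p= (key revoked or missing; signatures will fail)")
    elif key_type == "ed25519" and len(raw_key) != 32:
        findings.append(f"ed25519 p= must be 32 raw bytes, got {len(raw_key)}")
    if "h" in t and "sha256" not in t["h"].lower().split(":"):
        findings.append(f"h={t['h']} excludes sha256; a sha1-only key is unusable")
    return {"k": key_type, "findings": findings}


# Constructed samples. bh=/b= are base64 of the word "placeholder"; the ed25519 key bytes are made up.
MSG_LEGACY = (
    b"DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.com; s=foo;\r\n"
    b" h=from:to:subject; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=\r\n"
    b"From: alice@example.com\r\nTo: bob@example.net\r\nSubject: hi\r\n\r\nhello\r\n"
)
MSG_DUAL = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=foo;\r\n"
    b" h=from:to:subject; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=\r\n"
    b"DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=example.com; s=foo-ed;\r\n"
    b" h=from:to:subject; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=\r\n"
    b"From: alice@example.com\r\nTo: bob@example.net\r\nSubject: hi\r\n\r\nhello\r\n"
)
RECORD_ED25519 = "v=DKIM1; k=ed25519; p=" + base64.b64encode(b"\x01" * 32).decode()
RECORD_SHA1_ONLY = "v=DKIM1; k=rsa; h=sha1; p=AAAA"

if __name__ == "__main__":
    for name, raw in (("legacy", MSG_LEGACY), ("dual", MSG_DUAL)):
        print(name, audit_message(raw))
    for rec in (RECORD_ED25519, RECORD_SHA1_ONLY):
        print(rec[:40], audit_dns_record(rec))
```

To audit real traffic, feed the raw bytes of received messages to audit_message and the TXT data returned by a resolver for selector._domainkey.domain to audit_dns_record; a "deprecated" status on your own outbound mail is the signal from the post above to regenerate the key as rsa-sha256 and add an ed25519 selector beside it.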
Hey @Vivaldi noticed that vivaldi.net is one of the all-greens on Hardenize.
I'd move my mails to vivaldi.net, but I have size worries, still use other providers, & own domain.
Do you have any plans to implement paid size plan, & features like automatic IMAP fetch, external sending SMTP, own domain management?
I am going to point out now that I've been running my own mailserver for 15+ years
And I can't send mail to people with Apple or Google accounts. Why? Well, I'm not a known corporate entity. They whitelist email to known large businesses, an unrecognized IP gets blocked directly.
So y'know, yeah. Globally recognized protocol, got all the SPF/DKIM/DMARC/etc, but when it comes down to it, once big business gets a majority of an open protocol? They will devour it
It's been a big #problem for years, though it's getting #worse. The #Gmail / Outlook-Hotmail-Office365 / Yahoo triumvirate have backroom deals so they don't have #deliverability issues to each other. But the small guys have trouble delivering to them - particularly Gmail.
I've run my own mail server for going on 25 years now. For the last 15 years it's had the same IP. Strict #SPF & #DMARC, correct #DKIM & #DNS. Zero #spam. And I still have deliverability problems.
Cory Doctorow @pluralistic@doctorow
28 Apr 2022
TFW your self-hosted email server of 20+ years stops working because Gmail no longer accepts email from it. #DKIM
A modest proposal: roundtable on defederation
I apologize if this has been asked before, but I'm wondering if it would be feasible to implement a new approach to defederation that offers the option of choosing between complete or partial defederation from another instance....