
Invalid recommendations


Posted Nov 29, 2024 18:56 UTC (Fri) by Curan (subscriber, #66186)
In reply to: Invalid recommendations by dskoll
Parent article: Book review: Run Your Own Mail Server

> Neither SPF nor DKIM are anti-spam measures.

You should really tell this to various government bodies. Because they list this as requirements to combat spam...

But I do understand your position; it is just not what is implemented in the world by big providers and required by government bodies.

> Back when I ran an email security company (so 2000-2018) we found that an SPF "pass" was a slight spam indicator, because spammers were more diligent about maintaining correct SPF records than non-spammers.

And just like that you told me that SPF is pointless.

> Google et al. demand SPF/DKIM/DMARC not to reduce spam, but to be able to hold senders accountable... if a piece of spam passes DKIM and SPF, we can generally know who (as in which domain or which MTA) was responsible for letting it out onto the Internet.

Oh come on, that is not helping anybody. Unless you try to tell me it is hard to get a domain. Which it is not, I must say. And if we assume getting a domain is easy: what does anybody gain by knowing "who" it was? The spammers will just change the domain.

Anyway, in my experience most spam comes from "legitimate" domains like `gmail.com` and such. Making the whole endeavour circular at least.



Invalid recommendations

Posted Nov 29, 2024 19:47 UTC (Fri) by mbunkus (subscriber, #87248)

> And just like that you told me that SPF is pointless.

You're wrong insofar as you're only thinking about fighting spam. But as Diane said, SPF & DKIM are supposed to establish authenticity. When I receive email from my customers (for whom my company has set up SPF, DKIM, DMARC in the past) I can rely on two things:

1. The email does indeed come from my customer & not from a malicious third party.
2. No malicious third party has modified the most important headers while in transit.

These particular technologies are not about fighting spam. They addressed different shortcomings of the SMTP protocol itself:

1. No way to verify that a sender (both in the sense of the program creating the mail & the server relaying the mail) is allowed to send mail for a certain domain. This is what SPF addresses.
2. No way to validate that email headers haven't been modified after having been sent by the sender. This is what DKIM addresses.[1]
3. DMARC as the third part finally tells the recipient that both SPF & DKIM are actually supposed to be used by all mail originating from a domain, and what the domain's owner wants the recipient to do if one or both of them are invalid or missing.

Again, this is _not about spam_.

[1] Before DKIM there had only been a way to protect email bodies from malicious modifications by sending cryptographically signed emails (GPG, S/MIME). Those didn't do anything for the headers, though.

Invalid recommendations

Posted Nov 30, 2024 5:33 UTC (Sat) by Curan (subscriber, #66186)

> When I receive email from my customers (for whom my company has set up SPF, DKIM, DMARC in the past) I can rely on two things

No, you can't, because this still assumes honest players. Really, I am running MTAs for very large organisations and my experience is: a lot of legitimate e-mails would be filtered if I enforce SPF/DKIM. On the other hand I have actual and obvious spam in troves, that meets SPF/DKIM requirements.

In my personal experience: the best way to verify a sender is OpenPGP. That being said: that is a negligible amount of traffic here.

But since you insist on the "not about spam" line: that is not how it is sold. And not how it is promoted. See e.g. https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail where it says in the first line:

> DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.

Or in https://en.wikipedia.org/wiki/Sender_Policy_Framework

> Sender Policy Framework (SPF) is an email authentication method which ensures the sending mail server is authorized to originate mail from the email sender's domain.[1][2] [...] Forgery of this address is known as email spoofing,[3] and is often used in phishing and email spam.

And I know Wikipedia is not the best source, but if you are honest, you will find the RFCs and other industry sources agree.

---

That being said: I do not think us discussing this issue over text in a comment section is going to help us, because this is a very poor communication channel. If you are at FOSDEM, let me know and we can meet up in person and discuss this better. Probably over a beer or two. ;-)

Invalid recommendations

Posted Nov 30, 2024 7:20 UTC (Sat) by Cyberax (✭ supporter ✭, #52523)

> On the other hand I have actual and obvious spam in troves, that meets SPF/DKIM requirements.

FWIW, spammers don't even bother with forging the 'from' field anymore because they assume that SPF/DKIM is everywhere.
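
An added example, not part of any comment above and not code from the article or the book: a simplified DMARC check after RFC 7489, in which a message passes when SPF or DKIM passes for a domain aligned with the From: domain. The domains, the policy record (assumed to be published by each From: domain) and the two-label `org_domain` shortcut are assumptions for illustration; real receivers use the Public Suffix List.

```python
from dataclasses import dataclass

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags, applying the relaxed defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    if mode == "s":  # strict: exact match; otherwise relaxed: same org domain
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    header_from: str  # domain of the From: header address
    spf_result: str   # receiver's SPF verdict for the envelope sender
    mail_from: str    # envelope sender (MAIL FROM) domain
    dkim_result: str  # receiver's DKIM verdict
    dkim_d: str       # d= domain of the DKIM signature

def dmarc_disposition(msg: Message, record: str) -> str:
    tags = parse_dmarc(record)
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from, tags["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_d, msg.header_from, tags["adkim"])
    return "pass" if spf_ok or dkim_ok else tags["p"]

POLICY = "v=DMARC1; p=reject; adkim=s; aspf=r"  # constructed record
SAMPLES = {  # constructed messages, not real traffic
    "customer": Message("customer.example", "pass", "bounce.customer.example", "pass", "customer.example"),
    "spoofed": Message("customer.example", "pass", "other.example", "pass", "other.example"),
    "forwarded": Message("customer.example", "fail", "customer.example", "none", ""),
    "bulk": Message("bulk.example", "pass", "bulk.example", "pass", "bulk.example"),
}

def evaluate_all() -> dict:
    return {name: dmarc_disposition(m, POLICY) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    print(evaluate_all())
```

The `bulk` sample passes because it is authenticated as its own domain, while the unsigned `forwarded` sample is rejected even though it is legitimate; both outcomes are the ones the comments above argue about.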

