As I’m guessing most of the people on HN do, I’ve got many domains that I’ve purchased after having had an idea that never had anything done with them.
I generally try to make sure they all redirect back to my site, but I’ve never even thought to do anything with incoming mail and certainly never with outgoing. As soon as I read the title it clicked, it’s obvious, but it’s never occurred to me...
Nope, you're totally correct. Anytime I give a DMARC talk this is actually the example that I use (all the domains that you buy and don't use). At the end, I close by telling people to go home and turn off email from those domains with the sample SPF and DMARC records that mirror these.
Do you happen to know of a tool that does a comprehensive check of your email configuration? I can find individual tools for SPF, DKIM, etc., but it’d be great if there were one that just have me a big green check mark or something.
DMARC reports actually do this for you. They'll provide a report about how every IP address claiming to send on behalf of your domain is doing.
dmarcian does a great job of helping you make sense of these by grouping all of the traffic by sending source and then letting you drill down for more details. There's also a cool "TMI Mode" on the SPF checker if you have an account that will use the traffic from your DMARC reports to show you which parts of the record it's associated with.
Each sending source (Google, Sendgrid, Mailgun, Mailchimp, etc) needs to be verified for DMARC alignment. Alignment is important because you can pass DKIM using a domain that's totally different than the one that the message claims to be from. DMARC alignment addresses that gap.
Edit: Below brightball pointed out they support inactive domains, so my complaint about not being able to add inactive domains wasn't accurate. I deleted it.
Head slapping moment for me too. Without a DMARC record I would never even know that it's happening.
I wonder if the systems that generate the DMARC reports could be set up to keep historical data for domains with DMARC shut off. When DMARC is turned on, domain owners would be able to see what has been going on without them knowing.
It might be a bit of a shock to some. I learned a lot from my first report.
I don't work for them and am actually a new customer, but getting your domain safe from a DMARC perspective SOUNDS easy until you realize you do want SOME people "spoofing your emails". Mailgun, SendGrid, Greenhouse, Shopify, Google Calendar, etc.
We live in a world where our companies outsource a lot of the logic and many send emails on our behalf so to discern between that and "spoofing" takes some config that DMARCian was super helpful with.
I would say it's also important to receive mail on RFC2142 [1] addresses as well. I usually set up abuse@, hostmaster@, postmaster@, and webmaster@ for idle domains.
That RFC by definition doesn't apply to domains that don't support email. Right in the abstract is this line:
> ...organizations which support email exchanges with the Internet are encouraged to support AT LEAST each mailbox name
These recommendations are all for domains that don't run mail servers. If you do have a mail server, then yeah it is best practice to have those present but these recommendations won't apply to you.
I've seen issues where people weren't able to communicate with customers because someone's running a mail server that rejects email based on the RFC-Clueless RBL or its predecessor, RFC-Ignorant[0].
I've never in history seen postmaster@domain every receive anything but spam, and I have seen it receive so much spam that I would never identify a legitimate email amongst the screens full of junk if one ever did arrive.
In this case you’re right. I really doubt someone is probing the RCPT TO response to decide if a server is legit or not!
Certainly there are protocols where you might be required to accept an option or configuration value you can’t implement and so simply discard it. Perhaps some QoS request for example. Or termcap info for cursor movement when all you do is act like you’re talking to a printing terminal.
The reality is that an absent DKIM TXT record does not really tell whether the server-in-question is a legacy mail server or a new domain without mail servers (and you cannot do this with WHOIS filtering because some ccTLDs does not store when the domain was first acquired, only when it was last renewed). At least if you are putting a blank key, it will signal to supported mail servers that it is a positive fail, and not a possible legacy mail system.
But DKIM has already existed since around 2004, but the first draft of DMARC was seven years after that. In other words, the empty DKIM is for backward compatibilty that signals to other servers which does not yet read DMARC but already does DKIM verification that this domain does not send emails.
If the message isn't signed, the receiver won't do a DKIM lookup. If the message is signed, whether the record is absent or empty doesn't matter, validation will fail.
Maybe the standard should be changed to distrust lack of SPF/DKIM by default?
Within a few years we've severely reworked how HTTPS certificates work (max validity period, signature algorithms, etc) and the world hasn't ended, so maybe mainstream e-mail providers should do the same with e-mail?
This would force everyone else into compliance, and unconfigured domains will no longer be a problem because the lack of SPF/DKIM would automatically fail any authentication across the board.
I would like more sending systems validating the policy before changing the default.
E.g., I don't think sendgrid/mailgun/gmail check that they are allowed by the SPF policy to send emails from a domain, when you add a sender address. Worse, some APIs don't require you to set up sender addresses ahead of time, you can just set it in the "send email" API call, which makes it easy to unknowingly send emails that are blocked by your own policy.
DMARC would allow you to find out, but I'm not sure how many people have configured reports, apart from those whose whole business is email.
> Maybe the standard should be changed to distrust lack of SPF/DKIM by default?
I don't know what standard might be relevant, but the lack of SPF will kill your inbound reputation for gmail. You'll be lucky to even get beyond MAIL.
This is quite clever. All of the things listed are problems we in the hosting industry usually have to fix for people when there are email delivery issues.
Breaking them intentionally will definitely cause mail delivery problems for anyone trying to spoof emails coming from those domains.
I've added a new "no email domain protection" ready-to-import DNS zone file that's in BIND format specially for Cloudflare users. You can download it from here and save time [1].
P.S. There are also files for other services too, feel free to checkout. Some CF employees are also among stargazers, feel free to star if you like it too :)
The real trick would be if intermediary MTA servers could make the assumption that any domain without SPF/DKIM/etc. has the same intent ("I'm not supposed to be used for sending email") as a domain that explicitly has these "no-email" records. We could eliminate a huge swathe of spam senders from the web in a single stroke. (Right now we already apply this heuristic, but the output is just a signal for spam classifiers at the receiver, rather than a "drop the mail on the floor" signal at intermediates, the way that e.g. DNSRBLs are.)
If we did make this "you don't intend to send email if you don't have the secure-origin records" assumption, how much would that break email as a system? What old email servers are sitting around sending unsigned mail, that we want to protect/preserve the functioning of (in the same way we keep Internet-realm HTTP transport around in browsers to preserve access to old HTTP-only Web1.0 servers?)
Your solution would work well if everyone (or nearly all people) agreed to migrate to it.
It may need to be in a few steps. The first step might be, for a 5 year period, mail clients display a warning saying the sending domain doesn't have the correct SPF records. Then after that, those mail clients dropped those emails.
Overall, the cleverness of the OP solution is that it uses to current system to make the next iterative step in solving the problem in a backwards compatible way.
If we could break backwards compatibility, I think we can solve a large number of issues with email wholesale.
It would be easier to add something like a `forbid` policy to DMARC IMO, since you'd want to set up DMARC to monitor spoof attempts anyway. A simple `p=forbid,sp=forbid` (not real options) in DMARC would be ideal.
forbid - all mail is forbidden regardless of DMARC alignment
There are many servers still not using DKIM, as it requires a server/software update. But SPF is super easy, requiring only DNS changes. Could probably do as you suggest looking at only SPF.
Good recommendation, I wish more domain owners followed them, but Unicode quotes in examples for DNS TXT record is bad:
TXT “v=spf1 -all”
should be
TXT "v=spf1 -all"
instead.
I see a lot of broken SPF records where instead if ASCII hyphen (-) some other symbol is used e. g. en-dash (–) or em-dash (—). Probably admins just copy-paste an examples from a web pages like this.
Quotes are from the bind zone file syntax (the same format used in most DNS servers). It is not very well documented in bind ARM, but can be found in RFC1035.
The UK advice on securing your email is really good.
However, I wish they went further to have none of this vague GCHQ cyber security nonsense but laws with teeth and a clued up police force so that the UK was a very attractive place to do business. If the UK was the best place to host your stuff because hackers got themselves prosecuted instead of let off then this would be a good thing.
This could also cut both ways so that if you didn't have things like DMARC for email then they would close you down.
I know this would not be for everyone but you could always host elsewhere. The internet could go the way of shipping where a 'Liberia' domain meant you didn't care whereas a '.co.uk' flag on the internet 'seas' meant you were afforded the protection of the 'Royal cyber force'.
Anyone know what the story is about Vodafone seemingly controlling the zone files for various gov.uk subdomains (mentioned at the end of the article)? I'm surprised a government agency doesn't have direct responsibility for something like that.
I assume its a holdover from the Government Secure Intranet that was designed in the 1990s by Cable and Wireless, one of the UK's main telecoms infrastructure companies at the time and which was only privatised in the 80s. C&W was taken over by Vodafone.
Why an explicit null MX record? Mainly because email servers may keep trying thinking it's a temporary issue rather than an explicit configuration the domain does not receive email.
This is good advise. As an aside, I run an ESP and we've seen a marked increase in the number of domains using a DMARC policy. Our users have to set up soms DNS records to add our service as an approved sender.
I generally try to make sure they all redirect back to my site, but I’ve never even thought to do anything with incoming mail and certainly never with outgoing. As soon as I read the title it clicked, it’s obvious, but it’s never occurred to me...