Request: Please sign this list's messages via DKIM or SPF

Binarus lists at binarus.de
Tue Apr 5 10:27:49 EDT 2016


On 05.04.2016 14:15, Alvin Starr via Info-cyrus wrote:
> 
> I kind of have to agree with Andreas to some extent on this.
> SPF/DKIM does not help on incoming spam filtering all that much just because so few people use it and the default action is to accept mail that has no SPF/DKIM tagging.

Our default action is to reject all messages which do not pass either the SPF or the DKIM test.

> 
> It is great however for controlling how other people abuse your email address.
> SPF can stop people from sending mail as you from systems that are not your own.

Not really, AFAIK. Even if you add the SPF record to your domain's DNS, a spammer of course can still use <your name here>@<your domain here> as envelope sender or From: header. It is the receiving part who checks if the connecting MTA (i.e. the "sending server") is allowed to send messages for <your domain here> (the check is done by querying the name server for <your domain here> for the SPF record and then checking if the sending (connecting) server is one of the servers the SPF record allows).

In other words, if no SPF checks are done by the *receiving* MTAs, fake messages will make their way through the net without problems.
 
> I would argue that anybody operating a mail server should use SPF/DKIM just to make sure they are not helping the spammers.

I strongly agree.
 
> Sadly putting these tools in place is not trivial and it will only be when postfix, sendmail, qmail and others include SPF/DKIM setups as part of the default install can things really start to change.

Actually, I have been surprised how ridiculously easily I could set up the *sending* part of SPF. Using SPF as a sender means adding one TXT record (whose syntax can't be simpler) to your DNS records; this could be done within minutes (no longer true if you want your MTA to forward messages from other domains; that's a special case). DKIM is slightly more complicated since it needs additional software which must be interfaced to the MTA. I used opendkim and liked it very much, though.

Checking SPF and DKIM (the *receiving* part) was much more complicated in our case, though. So I would recommend that everybody who wants to improve email security start with the sending part. If you don't forward messages for other domains, just start with adding the SPF record to your name server (and end that record with "-all" in every case, despite other examples which can be found on the net).

Regards,

Binarus

