Important reminder, if you own a domain name and don't use it for sending email.
-
DJM (freelance for hire)replied to Jerry Lerman last edited by
@Jerry If needed, here's a DMARC domain checker https://dmarcian.com/domain-checker/
-
@Jerry great advice. One question: does this config protect also subdomains?
-
@[email protected] There’s also a null MX record for the sake of completeness https://serverfault.com/questions/714052/why-is-rfc-7505-null-mx-necessary
-
@Jerry would adding those txt records cause any issue to a wildcard redirect I use for myself?
I have xxxxx.com and an auto redirect by my dns provider so that anything sent to [email protected] is forwarded to [email protected] so when I give out the address I can see if it's been shared.
I like the idea of protecting against unauthorized use but wouldn't want to lose my throwaway capability.
I find email servers to be akin to dark arts so am at a loss here tbh.
-
Amy (she/her/hers)replied to Jernej Simončič � last edited by
@[email protected] @[email protected] hmm, might have to try that out - planning on restructuring my homelab soon so that could be a good opportunity
atm my main problem is that my homelab, being on residential internet, is on SBL because of my ISP (screw you charter!!) and I've yet to find a reasonable SMTP relay. should I ever find a relay, I'd need to re-set-up DMARC around that -
@Jerry is
@even legal in DNS? (It is not in hostnames, but so is_, so…) -
-
@tychotithonus @Jerry
It will probably work OK with 10 - that's supposed to be a relative number, for when there's more than one MX record and a "main MX / backup MX" disposition is desired.As with line numbers in BASIC, the default is 10 to allow for numbers to be added above and below.
The important part is the null host (single dot).
But I wouldn't want to rely on every other mail server interpreting that correctly. -
@Jerry How in practice can I do this for my site if dynu.com does the dns, and not a dns server I control?
-
Trinity Blair 🥀🔞+ (age in bio or blocked)replied to Jerry Lerman last edited by
@Jerry if you do use your domain for email, is adding these still helpful or unnecessary?
-
Jerry Lermanreplied to Mx Amber Alex (she/it) last edited by
-
Jerry Lermanreplied to Trinity Blair 🥀🔞+ (age in bio or blocked) last edited by
@trinityblair
If you don't have the 3 records, much of your email that you send will go into spam folders because email clients will have reason to be suspicious of your emails since there's no protection, and eventually, you may see people spoofing your domain, if they aren't trying already.I have a few domains and I see attempts weekly to spoof my domains, both with domains I don't use for email, and those that I do. Fortunately, the spoofs fail.
My friend had a spoof attempt on his domain 4 weeks ago.
So, yep. You should have an SPF, DKIM and a DMARC record.
-
@adingbatponder
Can you open a support ticket for help? Or, maybe, they've already done it for you. You can check at https://www.dnsdomainlookup.com/ and pick dns summary from the dropdown.If you see the spf, dkim, and dmarc records, then you're all set.
-
@dec23k @tychotithonus
My DNS provider doesn't allow just a dot. Many don't. But saying nobody is allowed to send emails for me (SPF record) should cover it. -
-
@mirabilos In some records it is, and even required. It means the "root" or no sub domain name.
-
@amyipdev @jernej__s
What I learned is that every single home IP address from every single ISP provider is pre-blacklisted by spamhaus and several others I came across. It's not your ISP's fault. -
@b3lt3r I'm far from an expert, but if your redirect is at the server, and your server adds a ".forward" to the email, and does not alter anything, you should be fine because your SPF and DKIM should pass.
If your redirect is via an email client, or the server doesn't add a .forward, it may alter the email slightly, but in a way sufficient for DKIM to fail because the hash won't match any longer. But, I think in this case, if SPF passes, your email client would still accept it since the original DKIM passed before the forwarding.
It gets really complicated. Suggest you try it.
And this is based on my understanding, which, who knows?
-
@momo
Yep, people have mentioned it. I went back to try it and discovered my ISP does not allow a null MX record to be added. If it can be done, it's great, but an SPF that says nobody can send email should do the trick. If you could do, that's better.
