from Hacker News

Learn and Test DMARC

by timsneath on 10/1/23, 7:58 PM with 58 comments

  • by Rookie42 on 10/1/23, 11:59 PM

    Great way of pushing the critical email services we all need to reduce spam. While I have always wanted SPF, DKIM and DMARC to be enough of an incentive for the businesses I work with, reputation is often not enough of a driver to prioritise the investment.

    But fret not! For when you are dealing with companies which want to communicate with customers in a trusted way, there is a marketer's dream standard - Brand Indicators for Message Identification (BIMI) - now security isn't the only outcome, you get a pretty logo too! https://www.litmus.com/blog/what-is-bimi-and-why-should-emai...

    I have used BIMI at multiple companies now which talk about Customer Experience to drive the proper (P=Reject) implementation of DMARC.

  • by dang on 10/1/23, 8:59 PM

    Related:

    See how DMARC, SPF, and DKIM work interactively - https://news.ycombinator.com/item?id=29869266 - Jan 2022 (108 comments)

  • by blacklion on 10/2/23, 10:58 AM

    Does anybody know an open-source or, at least, free way to process DMARC reports?

    I have several e-mail domains with SPF, DKIM and DMARC enabled, and it works, but I have two annoying problems with DMARC:

    (1) Some sites like to send DMARC reports which say "you sent us 3 messages, everything is OK, all checks passed, you are clear".

    (2) Sometimes my domains are used to (try to) send spam via other servers and I get DMARC reports like "this <IP> tried to spam with your domain in HELO/FROM and we killed it, as checks failed".

    Both reports are of no use to me: I don't want to know that my users send mail to @gmail.com and @mail.ru (first reports), and I can do nothing about the second case, as these <IP>s are not <IP>s of my server, so what should I do?

    Some filter or dashboard would be very useful, as unpacking and checking XMLs by hand is very cumbersome.
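
The triage the comment above asks for, as an added example (my code, not anything from the linked site): parse a DMARC aggregate (RUA) report in the RFC 7489 Appendix C layout and bucket its rows into "everything passed" noise, failures from your own sending IPs (a misconfiguration to act on), and failures from unknown IPs (spoofing the receiver already handled). The report, IPs and domain below are constructed; `own_ips` is whatever you know your legitimate senders to be.

```python
import xml.etree.ElementTree as ET  # for reports from untrusted senders, prefer defusedxml
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
# Constructed sample aggregate report; domain, IPs and report_id are made up.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.org</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>"""
@dataclass
class Row:
    source_ip: str
    count: int
    disposition: str
    dkim: str   # aligned DKIM result as the receiver evaluated it for DMARC
    spf: str    # aligned SPF result as the receiver evaluated it for DMARC
def parse_report(xml_text: str) -> Tuple[str, List[Row]]:
    """Return (domain the report is about, one Row per <record>)."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain", default="")
    rows = []
    for rec in root.findall("record"):
        t = lambda path: rec.findtext(path, default="")
        rows.append(Row(t("row/source_ip"), int(t("row/count") or 0),
                        t("row/policy_evaluated/disposition"),
                        t("row/policy_evaluated/dkim"), t("row/policy_evaluated/spf")))
    return domain, rows

def triage(xml_text: str, own_ips: Set[str]) -> Dict[str, List[Row]]:
    """noise: DMARC passed (ignore). own_fail: one of our own senders failed (fix it).
    unknown_fail: a third-party IP failed (spoofing the receiver already dealt with)."""
    buckets: Dict[str, List[Row]] = {"noise": [], "own_fail": [], "unknown_fail": []}
    for row in parse_report(xml_text)[1]:
        if row.dkim == "pass" or row.spf == "pass":   # DMARC needs only one aligned pass
            buckets["noise"].append(row)
        elif row.source_ip in own_ips:
            buckets["own_fail"].append(row)
        else:
            buckets["unknown_fail"].append(row)
    return buckets
```

Feed each unzipped report to `triage` and only surface the `own_fail` bucket; the other two are exactly the reports the comment describes as not actionable.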

  • by pests on 10/1/23, 9:07 PM

    Very cool.

    > For DMARC to pass, DKIM and/or SPF checks need to pass and the domains must be in alignment.

    AFAIK this is incorrect.

    It is not "and/or" but rather "or" - only DKIM or SPF needs to pass. There is no method to require both.

  • by aeturnum on 10/2/23, 1:03 AM

    I really appreciate the iterative way it goes through the process. It's been a few years but this would have been a godsend at a previous company when we were trying to move to self-hosted email sending with all the proper security measures.

  • by guessmyname on 10/1/23, 9:13 PM

    I sent an email via Apple’s “Hide My Email” service [1].

    > Unhandled Promise Rejection:

    > TypeError: a.from.replace(/[<]/gi," is not a function. (In 'a.from.replace(/[<]/gi,"(")', 'a.from.replace(/[<]/gi,"' is undefined)

    > dist.min.js:3:32767

    This error occurred after the interface began displaying the following information:

    > Here are the message headers and message body:

    > DKIM-Signature: d=icloud.com s=1a1hai

    It’s been over a year since the website was featured on Hacker News (January 10, 2022), so I suspect that the JavaScript code may have become outdated and non-functional. It’s possible that it never supported Safari browsers in the first place, or perhaps it’s a combination of both issues. Nevertheless, I’ve learned a lot from the initial [2] and second [3] parts of the DMARC test, which gives me some insight into what might be happening in the subsequent steps.

    [1] https://support.apple.com/en-us/HT210425

    [2] dig +noall +answer -t TXT <EMAIL_DOMAIN> | grep -i SPF

    [3] dig +noall +answer -t A <HOSTNAME>

  • by scohesc on 10/2/23, 9:44 PM

    It is absolutely astonishing that we rely on layers and layers of shims/compatibilities/hacks to keep a technology that was well-meaning and ideal 30ish+ years ago running in the 21st century.

    Same thing in the VOIP/telecom space.

    Microsoft recently had issues with mail deliverability - most of our O365 tenants had a notice reminding us to check SPF, DKIM, DMARC (we're configured properly already) - some of our tenants were having issues mailing smaller mail providers (ISP-level) because the small provider is outright blocking IPs and IP ranges due to spam coming from the same IP address/mail server we're trying to send from.

  • by throwaway892238 on 10/2/23, 1:50 AM

    Fun fact: sns.amazonaws.com still has no DMARC record. This is where AWS SNS messages originate from unless you use a custom domain, and it's where all CloudWatch alerts come from (no-reply@sns.amazonaws.com)

  • by amelius on 10/1/23, 10:25 PM

    This is how email is supposed to work. In reality, there are whitelists ...

  • by RektBoy on 10/2/23, 9:15 AM

    People, don't forget to properly set all these checks for DNS failover.

    I saw companies get scammed because they used default settings in Exchange Online.

    And the attacker just made the DNS "unavailable" for a brief moment and all phishing emails passed, because the MS server responded with DNS "temp error" and passed all emails as not spam. (Details: received-spf: TempError (protection.outlook.com: error in processing during lookup of <phished domain>: DNS Timeout), and DKIM is checked on the domain of the sender's SMTP server, in this case the attacker's server used for phishing.)

    Then I had the great experience with MS IT/security support, people there can't even understand how email works, very funny and sad experience. I hope outsourcing works for them.
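
An added example (my code, not from the linked site or any mail provider) covering two points raised in this thread: pests' note that DMARC needs an aligned SPF pass *or* an aligned DKIM pass and cannot require both, and RektBoy's DNS-timeout case, where an SPF TempError must not be treated as a pass and a DKIM pass for the sending server's own domain does not align with the spoofed From domain. The organizational-domain logic is simplified to "last two labels" (an assumption; real implementations use the Public Suffix List), and the Received-SPF value and domains are constructed.

```python
import re
from typing import Optional

def spf_result_from_header(received_spf: str) -> str:
    """Extract the result keyword from a Received-SPF header value (RFC 7208 section 9.1);
    the value begins with the result, e.g. 'TempError (comment ...)'."""
    m = re.match(r"\s*([A-Za-z]+)", received_spf)
    return m.group(1).lower() if m else "none"

def org_domain(domain: str) -> str:
    # Assumption for this example: organizational domain = last two labels.
    # Real implementations consult the Public Suffix List (co.uk, etc.).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == header_from.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(header_from)

def dmarc_evaluate(header_from: str, spf_result: str, spf_domain: Optional[str],
                   dkim_result: str, dkim_domain: Optional[str],
                   aspf: str = "r", adkim: str = "r") -> str:
    """DMARC passes if there is an aligned SPF pass OR an aligned DKIM pass; there is
    no way to require both. Only the literal 'pass' counts: temperror, permerror,
    none, neutral, softfail and fail are all not-pass."""
    spf_ok = (spf_result.lower() == "pass" and spf_domain is not None
              and aligned(spf_domain, header_from, aspf))
    dkim_ok = (dkim_result.lower() == "pass" and dkim_domain is not None
               and aligned(dkim_domain, header_from, adkim))
    return "pass" if spf_ok or dkim_ok else "fail"

def dns_timeout_case() -> str:
    """Constructed scenario from the thread: SPF lookup for the From domain timed out
    (TempError) and DKIM passed, but only for the sending server's own, unaligned domain."""
    spf = spf_result_from_header(
        "TempError (protection.outlook.com: error in processing during lookup "
        "of example.org: DNS Timeout)")
    return dmarc_evaluate("example.org", spf, "example.org",
                          "pass", "mailer.thirdparty.example")
```

A receiver that maps TempError to "pass" here is exactly the misbehaviour the comment describes; a correct evaluator returns "fail" and applies the published policy.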

  • by graypegg on 10/1/23, 8:43 PM

    This is so cool! I would love to see this for other protocols actually, maybe SSL or something!

  • by emaildelivboy on 10/2/23, 4:57 AM

    DMARC is and has always been...fine, save for the fact that most phishing / exploits are sent using cousin domains. Is a DMARC policy necessary and a great security measure? Sure. Is it a domain identity security game changer?... no way.

  • by ChrisArchitect on 10/1/23, 9:23 PM

    Bunch of discussion from 2022:

    https://news.ycombinator.com/item?id=29869266

  • by normaldist on 10/1/23, 10:00 PM

    Appears to be operated by uriports.com, in case anyone wondered where their email was going..

  • by ingen0s on 10/1/23, 10:26 PM

    Dope af