#dmarc


#fediask

I operate my own mail server. I followed the great instructions in "Run your own mail server" by @mwl

Last night I had the idea that it would be nice to publish a public key for S/MIME in my #DNS like the stuff for #DKIM, #DMARC and #DANE. I would really like to automatically get #encrypted emails by other people.

Turns out, this idea isn't new, but #RFC8162 from 2017 is marked experimental.

Any news on this?

Please boost. I really would like new information about this.


@jeremiah_ @elb #NNCPNET, the new #NNCP-based email network, now has a bidirectional, opt-in, Internet #email bridge! salsa.debian.org/jgoerzen/dock

This gates Internet email to/from NNCP. The bridge is off by default. It is a full participant in #SPF, #DKIM, #DMARC, and #TLS in both directions.

Yes, now you can get Internet email straight to your #RaspberryPi ! (And even without this, your Pis can email each other!)


System Administration

Week 8, The Simple Mail Transfer Protocol, Part III

In this video, we look at ways to combat Spam. In the process, we learn about email headers, the Sender Policy Framework (#SPF), DomainKeys Identified Mail (#DKIM), and Domain-based Message Authentication, Reporting and Conformance (#DMARC). #SMTP doesn't seem quite so simple any more...

youtu.be/KwCmv3GHGfc


"The stats we collect for the #SpamAssassin project (mass-scan results from participating sites) have long shown that spammers are more consistent at making #SPF, #DKIM, and #DMARC correct than are legitimate senders. DMARC in particular has no discernible benefit for most senders, so it is a useless signal.

Rejecting mail based solely on authentication failures of those deeply flawed authentication methods does more harm than good."

jwz.org/blog/2025/03/dmarc-and

EDIT: h/t @grumpybozo


@grumpybozo : I definitely am not angry with you (I very much agree).

Unfortunately many admins treat security solutions like they're a religion.

Some time ago there was a hefty debate on a Dutch "mostly admins" site (tweakers.net, I'd have to look up the exact thread) about the "correct" sending and receiving MTA configurations. There was no agreement.

Microsoft even used to ignore SPF/DKIM/DMARC if the sender was in the "safe senders" list (which the user's address book defaults to). What could possibly go wrong (later MS corrected that).

The screenshot below is from part of security.nl/posting/766069/DMA (I wrote that Sept. 14, 2022).

Edited 23:36 UTC to add: {
arxiv.org/abs/2302.07287
Forward Pass: On the Security Implications of Email Forwarding Mechanism and Policy
Enze Liu, Gautam Akiwate, Mattijs Jonker, Ariana Mirian, Grant Ho, Geoffrey M. Voelker, Stefan Savage
}

#SPF #DKIM #DMARC

@deepthoughts10 wrote: "email authentication like DMARC/SPF does one thing: it prevents impersonation of a specific domain (assuming policies are configured for reject or quarantine.)"

It does not even do that on my iPhone.

P.S. SPF was invented to prevent Joe Jobs (en.wikipedia.org/wiki/Joe_job). Marketing idiots (including Bill Gates) said that it would kill spam. It killed forwarding instead.

@grumpybozo @jwz

#SPF #DKIM #DMARC

I just found out that Dovecot 2.4 is a crippled version of Dovecot 2.3: no more clustering support, the director function has been removed. If you want to do clustering now, you'll have to buy a Pro license.

https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html#removed-features

So, although I've used Dovecot for years, both private and for work, it seems like this is the end of the line for me.

At the same time I see what @Stalwart Labs can do. Yes, clustering, for one. And a whole lot more, including bayesian classification, analysis of DMARC reports and even a reputation database.

I'm really impressed by what it can do. Bit hesitant about the fact that it's still only version 0.11.5 though, smells alpha...

Looks like Stalwart is the future for me.

https://stalw.art/docs/cluster/overview

#Dovecot #Stalwart #E-mail #DMARC

dmarc-subject = %x52.65.70.6f.72.74 1*FWS %x44.6f.6d.61.69.6e.3a 1*FWS domain-name 1*FWS %x53.75.62.6d.69.74.74.65.72.3a 1*FWS domain-name 1*FWS %x52.65.70.6f.72.74.2d.49.44.3a msg-id

Yes, it allows newlines. Tough luck, @towo. No, Google, the D is a capital letter. No, Microsoft, don't fucking put a '[Preview]' in front.
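
Added example, not part of the post above: a strict Python check of an aggregate-report Subject against the quoted dmarc-subject rule, showing that folded lines pass while a lowercase "d" or a "[Preview]" prefix does not. The function name and sample subjects are constructed here, and domain-name and msg-id are matched in simplified form (assumptions noted in the comments).

```python
import re

def lit(hexes):
    """Decode an ABNF %x literal such as '52.65.70' into its exact ASCII text."""
    return bytes(int(h, 16) for h in hexes.split(".")).decode("ascii")

# ABNF %x literals are case-sensitive, so these must match byte for byte.
REPORT = lit("52.65.70.6f.72.74")                 # "Report"
DOMAIN = lit("44.6f.6d.61.69.6e.3a")              # "Domain:"
SUBMITTER = lit("53.75.62.6d.69.74.74.65.72.3a")  # "Submitter:"
REPORT_ID = lit("52.65.70.6f.72.74.2d.49.44.3a")  # "Report-ID:"

# 1*FWS without obs-FWS: runs of SP/HTAB, optionally broken by CRLF, where
# every CRLF is followed by at least one SP/HTAB. Written without nested
# ambiguous quantifiers so matching stays linear on hostile input.
FWS1 = r"(?:\r\n)?[ \t]+(?:\r\n[ \t]+)*"

# Assumption: simplified domain-name (letters, digits, hyphen; two or more labels).
DOMAIN_NAME = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
# Assumption: simplified msg-id, any angle-bracketed token without whitespace;
# RFC 5322 comments (CFWS) around it are not handled.
MSG_ID = r"<[^<>\s]+>"

SUBJECT_RE = re.compile(
    re.escape(REPORT) + FWS1
    + re.escape(DOMAIN) + FWS1 + f"(?P<domain>{DOMAIN_NAME})" + FWS1
    + re.escape(SUBMITTER) + FWS1 + f"(?P<submitter>{DOMAIN_NAME})" + FWS1
    + re.escape(REPORT_ID) + f"(?:{FWS1})?" + f"(?P<report_id>{MSG_ID})"
)

def parse_dmarc_subject(subject):
    """Return the three fields as a dict, or None if the raw Subject value
    (still folded, as received) does not match the rule exactly."""
    m = SUBJECT_RE.fullmatch(subject)
    return m.groupdict() if m else None

# Constructed sample subjects.
PLAIN = ("Report Domain: example.com Submitter: mail.receiver.example "
         "Report-ID: <2013.06.13.1@mail.receiver.example>")
FOLDED = ("Report Domain: example.com\r\n Submitter: mail.receiver.example"
          "\r\n Report-ID: <2013.06.13.1@mail.receiver.example>")
LOWER_D = PLAIN.replace("Domain:", "domain:")
PREFIXED = "[Preview] " + PLAIN
```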