faq:dmarc_spf_considered_harmful

Differences

This shows the differences between the selected revision and the current version of this page.

faq:dmarc_spf_considered_harmful [2017-12-19 12:46]
haa [Using -all SPF causes many people to not receive your emails]
faq:dmarc_spf_considered_harmful [2018-12-12 00:09] (current)
petri.koistinen DKIM is OK.
Rivi 1: Rivi 1:
 ====== DMARC and SPF considered harmful ====== ====== DMARC and SPF considered harmful ======
 +
 +This page is also visible at http://​www.spfconsideredharmful.org ​
  
 DMARC and SPF break many long-time common email usage patterns like forwarding and mailing lists. ​ DMARC and SPF break many long-time common email usage patterns like forwarding and mailing lists. ​
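Review bot: the added line under the title links the mirror as plain http://www.spfconsideredharmful.org and ends without a period. If the mirror is served over HTTPS, link that form, and close the sentence so it matches the paragraph that follows.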
Rivi 15: Rivi 17:
   * SPF might accidently block some SPAM, but that is not its purpose   * SPF might accidently block some SPAM, but that is not its purpose
   * SPF is trying to protect your service against spoofing attacks, i.e., someone claiming to be you and sending emails on your name.   * SPF is trying to protect your service against spoofing attacks, i.e., someone claiming to be you and sending emails on your name.
 +  * SPF does not protect you against [[https://​en.wikipedia.org/​wiki/​Internationalized_domain_name#​ASCII_spoofing_concerns|internationalized domain name]] look-alike domain phishing or spam
 +
 +===== Many internet users forward their emails =====
 +
 +Surprisingly many internet users forward their emails, for example
 +  * to read all their email from a single mailbox,
 +  * forward email from old address to current mailbox address,
 +  * temporarily forward emails to their mobile address while traveling, or 
 +  * use an email forwarding service as their permanent personal address (e.g. university alumni addresses such as alumni.mit.edu,​ professional organisations such as acm.org or ieee.org, iki.fi, and many others).
 +
 +Using the power of email like this is more common for experienced users, thought leaders and high value contacts and customers making it important that you consider the reliability of your email reaching the recipients.
 +
 +===== "​Fixes"​ that break things =====
 +
 +There have been many projects that claim to //fix email// which do not take into account the many and varying ways people use email in the real world. The flexibility of the non-centralized email infrastructure is a major reason why email has been and is so successful, and many of these proposed schemes only work for those users who are locked into a single email provider with no flexibility.
 +
 +Spammers quickly adapt their behaviour to work around any new limitations or filtering methods, so you may end up breaking lots of legitimate email for very little benefit in the end.
 +
 +Unfortunately the non-centralized email infrastructure does also leave room for spam and other problems. These are pretty well under control using modern filtering tools which use multiple matching criteria to evaluate messages.
  
 ===== Using DMARC with "​reject"​ will prevent many people from receiving your emails =====  ===== Using DMARC with "​reject"​ will prevent many people from receiving your emails ===== 
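Review bot: in the new "Many internet users forward their emails" section the four bullets after "for example" are not parallel (the first starts "to read", the others start "forward", "temporarily forward" and "use"), and the closing sentence claims without support that forwarding is "more common for experienced users, thought leaders and high value contacts". Suggest starting every bullet with a bare verb, adding a comma before "making", and either citing a source for that claim or softening it. The new bullet on internationalized domain name look-alikes could also say in a few words why SPF does not help there, since the linked article is the only explanation given.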
Rivi 30: Rivi 51:
 Especially if you use the strict ''​-all''​ setting, you will experience your own real emails not being delivered to many recipients, as the email arrives via the forwarding email server(s) instead of the original server and thus may not pass a SPF ''​-all''​ check at the final recipient mailbox. ​ Especially if you use the strict ''​-all''​ setting, you will experience your own real emails not being delivered to many recipients, as the email arrives via the forwarding email server(s) instead of the original server and thus may not pass a SPF ''​-all''​ check at the final recipient mailbox. ​
  
-Most people ​would probably be surprised how many internet users for example forward their emailseither ​to +The SPF people ​have a clunky proposed workaround (envelope address rewriting) ​for some of these issuesbut expecting //everyone else on the internet ​to change ​to accommodate me// will not happenso **you should ​use at most the ''​~all''​ setting with SPF for your own domain** (SPF ''​~all''​ means SoftFail, i.e. //accept but mark// instead of reject).
-  * permanently ​to read in a single mailboxor  +
-  ​temporarily to their mobile address while traveling, or  +
-  ​* use an email forwarding service as their permanent main address+
  
-The SPF people have a clunky workaround (envelope address rewriting) for some of these issues, but expecting //everyone else on the internet to change to accommodate me// will not happen, so **you should use at most the ''​~all''​ setting with SPF for your own domain** (SPF ''​~all''​ means SoftFail, i.e. //accept but mark// instead of reject). +==== For email administrators ​(receiving side) ====
- +
-==== For email adminisrators ​(receiving side) ====+
  
 If you run an email server, you should similarly not block incoming email only based on any single reason, including the "SPF -all" check, but use SPF as one of multiple scoring methods. Otherwise your users will lose real email sent by organisations who have mistakenly configured their SPF with ''​-all''​. If you run an email server, you should similarly not block incoming email only based on any single reason, including the "SPF -all" check, but use SPF as one of multiple scoring methods. Otherwise your users will lose real email sent by organisations who have mistakenly configured their SPF with ''​-all''​.
  
-There have been many projects that claim to //fix email// which do not take into account the many and varying ways people use email in the real world. The flexibility of the non-centralized email infrastructure is a major reason why email has been and is so successful, and many of these proposed schemes only work for those users who are locked into a single email provider with no flexibility.+==== For users receiving emails ====
  
-Spammers quickly adapt their behaviour to work around any new limitations or filtering methods, so you may end up breaking lots of legitimate ​email for very little benefit in the end. +If you can not receive emails you need because ​of too tight filtering at your email provider, one solution is to use a email provider who works better, e.g. gmail.com
- +
-Unfortunately the non-centralized ​email infrastructure does also leave room for spam and other problemsThese are pretty well under control using modern filtering tools which use multiple matching criteria to evaluate messages.+
  
 +If you are an iki.fi member, you can configure iki.fi to forward your email to multiple addresses, and add e.g. gmail.com backup email address, where you can look for messages dropped by the misbehaving email provider.
 ===== Automated emails and SPF ===== ===== Automated emails and SPF =====
  
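Review bot: the new "For users receiving emails" section has grammar slips, "can not" (should be "cannot"), "a email provider" (should be "an email provider") and "add e.g. gmail.com backup email address" (missing article), and the iki.fi paragraph is added directly above the "===== Automated emails and SPF =====" heading with no blank line between them. Recommending gmail.com as a provider "who works better" is stated without any basis in the text; consider describing the property wanted instead (scoring rather than rejecting on a single SPF result, as the receiving-side section advises) rather than naming one provider.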
Rivi 54: Rivi 69:
 ===== More information ===== ===== More information =====
  
-More information (in Finnish) at +More information (in Finnish) at IKI:
   * [[faq:spf]] including instructions for ISPs   * [[faq:spf]] including instructions for ISPs
   * [[faq:​grossdharmaalistaus]]   * [[faq:​grossdharmaalistaus]]
   * [[faq:​spamassassin]]   * [[faq:​spamassassin]]
 +
 +More information around the internet:
 +  * http://​david.woodhou.se/​why-not-spf.html (slightly old)
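Review bot: the new "More information around the internet" list adds a single link marked "(slightly old)" without saying which parts are out of date; a short note on what still applies would help readers judge it. The edit summary reads "DKIM is OK", but none of the visible hunks mention DKIM, so the summary does not describe the changes shown here.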
faq/dmarc_spf_considered_harmful.txt · Last modified: 2018-12-12 00:09 / petri.koistinen