[conspire] (forw) [BALUG-Admin] So, DMARC. A week ago.

Rick Moen rick at linuxmafia.com
Thu Feb 8 18:44:41 PST 2024


Quoting Akkana Peck (akkana at shallowsky.com):

> Also, for most non-techies these days, the idea of running a separate
> program for email (instead of just going to a page in their browser)
> probably sounds like a big complicated new thing they'd have to learn,
> thus to be avoided at all costs.

At minimum, there are a bunch of DNS requirements to meet (especially if
you value your outbound mail not getting rejected or spamtrapped) and 
a couple of RFC-mandated mailboxes that must accept inbound mail
(postmaster@ and abuse@), plus your mail server must accept mail from
the null sender (likewise an RFC mandate).

And then, there is the thorny problem of doing spam detection/rejection 
properly within the MTA itself, which is among other things a balancing
act, i.e., you want to make your MTA picky, but being _too_ picky is a
tactical mistake, because you want to be mean to spammers but kind to
people doing inevitable dumb things on both the mail-admin and sender
levels.

Steve suggests just shared-hosting your personally-owned domain at a
commercial provider (outsourced), which takes the MTA configuration
problem out of your hands (and you just have to hope the provider 
is _good_ at that, because for good or bad you have no control, there), 
but you still need to learn and manage all of the DNS requirements.

I know there are people who maintain (on the Web) "So, you want to run
your own mail server" tutorials/guides, and come across them directly.
Next time I do, I need to remember to link one or two good ones from the
Linuxmafia.com Knowledgebase.

> And I want to thank you for posting about it, because I didn't know
> there were new requirements, so it finally got me off my duff to add
> DMARC on my mail server. I had SPF already; adding DMARC was way
> easier than I expected. Your remark about DMARC requiring either SPF
> or DKIM, not both, was helpful, because most of the tutorials I found
> claimed both were required before adding the DMARC record.

A caution:  I _think_ that is the case, and several currently-maintained
sites I consulted on DMARC configuration claimed so.  If I wanted to
hear from the horse's mouth, I guess I'd have consulted whatever RFC
the Yahoo guys wrote that defines DMARC.

And then there's the other thing:  Understanding fully the way a
protocol's authors intended it to be implemented is obviously an
excellent idea, but then you also have to worry whether that's the way
other clowns are implementing it.

I'm not saying that's an issue, just that the problem matrix needs to
include that among the list of extra bonus headaches.

BTW, one of the pages I encountered about the current new requirements
claimed that Gmail is giving "preference" to mail from domains that
DKIM-sign all outbound mail.

> Our server hosts a couple of very small smartlist mailing lists, and
> it seems to be working well enough at least on a small scale. I don't
> administer these lists, my husband does, so I asked him. He says
> smartlist is fast and reliable, and much less hateful than mailman,
> but it doesn't have any documentation to speak of, so it takes a while
> to figure out how to do anything. But once you figure it out, you're
> set since "it hasn't changed in 20 years."

Good to know, thanks.

If I want to explore that, I might ask you for a tarball of your
production configuration.

-- 
Cheers,                          "Mastodon: owned by nobody and/or everybody!
Rick Moen                        Seize the memes of production!"  -- jwz 
rick at linuxmafia.com              https://www.jwz.org/blog/2023/11/mastoversary/
McQ! (4x80)   
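The "SPF or DKIM, not both" point discussed above is the rule in the DMARC spec, RFC 7489 (section 6.6.2): a message passes DMARC when at least one of an aligned SPF pass or an aligned DKIM pass exists, and the p= policy applies only when neither does. The following is an added example, not code from this thread or from any project the posters mention; it evaluates that verdict from the results an MTA already has. It assumes the _dmarc TXT record has already been fetched, approximates the organizational domain as the last two labels instead of consulting the Public Suffix List (so it is only right for simple TLDs), and ignores pct= sampling. The domain names and records in the scenarios are constructed.

```python
"""DMARC verdict evaluator (added example, not from the mailing-list post).

Encodes RFC 7489 section 6.6.2: a message passes DMARC if *either* an
aligned SPF pass or an aligned DKIM pass exists, so a domain that publishes
only SPF can still deploy a DMARC policy. Assumptions: the organizational
domain is approximated as the last two labels (a real implementation
consults the Public Suffix List), and pct= sampling is ignored.
"""
from dataclasses import dataclass, field

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record into a tag dict, applying RFC defaults."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed alignment is the default
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= must be one of none, quarantine, reject")
    if tags["adkim"] not in ("r", "s") or tags["aspf"] not in ("r", "s"):
        raise ValueError("adkim=/aspf= must be r or s")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r)
    only needs the same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    """What the receiving MTA learned before DMARC is evaluated."""
    spf_result: str                       # "pass", "fail", "none", ...
    spf_domain: str                       # MAIL FROM domain SPF was checked on
    dkim_pass_domains: list = field(default_factory=list)  # d= of valid sigs


def dmarc_verdict(from_domain: str, record_txt: str, auth: AuthResults) -> dict:
    """Return the DMARC result and the disposition the policy requests."""
    tags = parse_dmarc_record(record_txt)
    spf_aligned = (auth.spf_result == "pass"
                   and aligned(from_domain, auth.spf_domain, tags["aspf"]))
    dkim_aligned = any(aligned(from_domain, d, tags["adkim"])
                       for d in auth.dkim_pass_domains)
    if spf_aligned or dkim_aligned:          # one aligned pass is enough
        return {"result": "pass", "disposition": "none",
                "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    # Failure: sp= governs subdomains of the org domain when present.
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    disposition = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {"result": "fail", "disposition": disposition,
            "spf_aligned": False, "dkim_aligned": False}


if __name__ == "__main__":
    # Constructed scenarios; example.com / example.org are not real records.
    spf_only = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
    # 1. Domain publishes SPF but no DKIM: still a DMARC pass.
    print(dmarc_verdict("example.com", spf_only,
                        AuthResults("pass", "example.com")))
    # 2. Same message relayed by a mailing list that rewrote MAIL FROM and
    #    signed with its own key: neither identifier aligns, p= applies.
    print(dmarc_verdict("example.com", spf_only,
                        AuthResults("pass", "lists.example.org",
                                    ["lists.example.org"])))
    # 3. adkim=s refuses a subdomain d=, but relaxed SPF alignment rescues it.
    strict_dkim = "v=DMARC1; p=reject; adkim=s"
    print(dmarc_verdict("example.com", strict_dkim,
                        AuthResults("pass", "bounce.example.com",
                                    ["mail.example.com"])))
```

Scenario 2 is the mailing-list case that makes DMARC "p=reject" painful for list operators: the list's own SPF and DKIM are both valid, but neither is aligned with the author's From domain, so the author's policy is what the receiver applies.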
