Old 25 Dec 2016, 06:28 AM   #2
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
Don't Forward

Welcome to the EMD Forums!

Are you familiar with DKIM signing? This provides a signed encrypted signature on outgoing messages so the receiver can verify that certain portions of the message such as specified headers (From, To, Date, Subject, etc.) and all or a portion of the message body have not been altered. DKIM is probably more important than SPF these days, since SPF is broken by automatic message forwarding unless SRS (Sender Rewriting Scheme) is used. For DMARC purposes, SPF is always broken by forwarding.

DMARC is becoming a popular method for domains to specify how the receiver should treat a message which fails both SPF and DKIM authentication. You should consider your choice of email provider based both on how you send email which will be trusted by the receiver and spam/phishing detection when you receive email from others.
  • When receiving mail, forwarding to provider B might pass basic SPF if the forwarding service offers sender rewriting (SRS), but forwarding will always break SPF as applied by DMARC (due to alignment failure). So I would not use forwarding if you ever want to use DMARC to reduce spam and domain spoofing.
  • Does provider A provide DKIM signing when sending messages?
  • Does provider A provide SPF, DKIM, and DMARC authentication tests when receiving?
The use of DMARC reject policies is rapidly increasing at major domains. A p=reject policy for a domain means that email systems which follow DMARC recommendations will reject email which is received if it fails both properly aligned DKIM and SPF tests. Here is what major email domains currently publish in their DNS records as their DMARC policy (checked today at https://www.dmarcian.com/dmarc-inspector ):
  • aol.com: p=reject
  • gmail.com: p=none (changing to p=reject in early 2017)
  • hotmail.com: p=none (changing to p=reject in early 2017)
  • outlook.com: p=none (changing to p=reject in early 2017)
  • yahoo.com: p=reject
I use Fastmail.com (which has a subforum here at EMD Forums), and they provide optional full support (including DNS hosting) for user domains. You can see what they provide (and learn more about DKIM, SPF, and DMARC) here:
https://blog.fastmail.com/2016/12/24/spf-dkim-dmarc

In general, I think that option A is better, since forwarding is not needed. Forwarding makes it hard for the receiving email system to verify the reputation of the sender in various ways (including the SPF/DKIM/DMARC issues I mention above).

Bill

Last edited by n5bb : 25 Dec 2016 at 06:30 AM. Reason: Don't forward
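Added example (not part of the original post): a simplified model of the DMARC alignment check the post describes, showing why forwarding breaks aligned SPF even with SRS while an intact DKIM signature still carries the message. The function names, the scenarios and the two-label organizational-domain shortcut are assumptions made for illustration; real receivers derive the organizational domain from the Public Suffix List.

```python
# Added example: DMARC identifier alignment, simplified (relaxed mode only).
# Assumption: the organizational domain is the last two labels of a name;
# real receivers use the Public Suffix List instead.
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Hypothetical helper: reduce a domain to its last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


@dataclass
class Message:
    header_from: str    # domain in the visible From: header
    envelope_from: str  # domain in MAIL FROM, the identity SPF checks
    spf_pass: bool      # connecting IP is authorized for envelope_from
    dkim_pass: bool     # a DKIM signature verified
    dkim_d: str = ""    # d= domain of that signature


def dmarc_eval(msg: Message) -> dict:
    """DMARC passes if aligned SPF or aligned DKIM passes; fails if both fail."""
    want = org_domain(msg.header_from)
    spf_aligned = msg.spf_pass and org_domain(msg.envelope_from) == want
    dkim_aligned = (msg.dkim_pass and bool(msg.dkim_d)
                    and org_domain(msg.dkim_d) == want)
    verdict = "pass" if (spf_aligned or dkim_aligned) else "fail"
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": verdict}


# Constructed scenarios; every domain below is a placeholder.
SCENARIOS = {
    # Sender's own server delivers directly: both mechanisms align.
    "direct": Message("example.com", "example.com", True, True, "example.com"),
    # Forwarder keeps the envelope sender: its IP fails the sender's SPF.
    "forwarded, no SRS": Message("example.com", "example.com", False, True,
                                 "example.com"),
    # SRS rewrites the envelope sender: SPF passes, but for the wrong domain.
    "forwarded, SRS": Message("example.com", "forwarder.example.net", True,
                              True, "example.com"),
    # Same, but the signature is missing or did not survive: nothing aligns.
    "forwarded, SRS, DKIM broken": Message("example.com",
                                           "forwarder.example.net", True, False),
}

if __name__ == "__main__":
    for name, msg in SCENARIOS.items():
        print(f"{name:30} {dmarc_eval(msg)}")
```
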