Email changes and non-plusnet mail providers

MJN

Re: Email changes and non-plusnet mail providers


@iwrconsultancy wrote:

Never looked into DMARC that much, but is it any better than SPF or DKIM? Using two unreliable technologies and hoping one of the pair will not give a false rejection, doesn't sound like the way to do a workmanlike job.


DMARC complements SPF and DKIM, rather than replaces them, and indeed is the glue that binds them together to be so effective. There is no 'hoping' for anything; if *either* the SPF or DKIM check passes then the message is regarded as genuine as it is either being sent by a mail server explicitly listed as authorised to send the message or has been digitally signed by someone using a private key that is cryptographically paired with the public key. Remember these are anti-spoofing mechanisms, not anti-spam/malware.

 

DKIM is in any case a difficult system to implement unless you are a corporate site with your own mail service. It's also quite difficult to tell if it's been configured correctly, or not. If it hasn't you could be causing yourself problems. Which is probably why most sites don't implement it.

DKIM is relatively straightforward to implement - all it involves is getting the mail server to add a digital signature to outgoing mail and the publishing of some DNS records to enable these signatures to be verified. It is also very safe to deploy as not only does DMARC enable you to implement SPF and DKIM in testing mode (no actions to be taken whilst you're just experimenting and testing the waters) but it also includes full feedback reporting for all passes and rejections.
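
Added example, not part of the original post: a simplified sketch of the DMARC decision discussed in this thread, where a message passes if either SPF or DKIM passes and a policy of `p=none` acts as the testing mode. It also applies the identifier alignment requirement of RFC 7489 in approximated form; the function names, domains and records are constructed for illustration.

```python
# Simplified DMARC evaluation after RFC 7489. Ignores the pct and sp tags.
# The records below are constructed samples, not real DNS data.
TESTING = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING = "v=DMARC1; p=reject; adkim=s"

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match. Relaxed ('r') is approximated here as
    same domain or parent/child; a real verifier compares organizational
    domains using the Public Suffix List."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if a == f:
        return True
    return mode == "r" and (a.endswith("." + f) or f.endswith("." + a))

def evaluate(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) tuples produced by the
    SPF and DKIM checks. Returns (dmarc_result, disposition)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        # One aligned pass is enough, e.g. forwarded mail where only DKIM survives.
        return "pass", "deliver"
    # p=none is the monitoring mode: failures are reported but not acted on.
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]
    return "fail", action
```
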