(Cross posted from Spam Resource.) Every couple of days, somebody new pops up on the DMARC-Discuss mailing list to ask some question or share an observation. It’s great to see people interested and joining the conversation. Clearly, DMARC interest and adoption are growing. What’s really frustrating, though, is that for about a quarter of the new subscribers, their first mailing list...
I’ve been preaching “DKIM is great! DomainKeys is obsolete, get rid of it!” for several years now. I thought I’d take a look at my mailbox and see who was using authentication. I’ve divided this into “Ham” and “Spam”. Spam is, well, all the spam I’ve received over the past couple of years. Ham is the non-spam mail in my inbox, whether...
There have been a number of comments on my post about Hotmail moving to SPF authentication having to do with troubleshooting authentication failures. I have been helping clients troubleshoot these issues, and am able to take on new clients to solve authentication problems. Contact me for more information. Of course, many of these issues can be solved with access to the right tools. Steve’s...
Hotmail has recently stopped using Sender ID for email authentication and switched to authenticating with SPF. The protocol differences between SenderID and SPF were subtle and most senders who were getting a pass at Hotmail were already publishing SPF records. From an email in my inbox from September: Authentication-Results: hotmail.com; sender-id=pass (sender IP is 65.55.240.72) header...
After they were a a little embarrassed by their own DKIM keys being poorly managed a few months ago, Google seem to have been going through their inbound DKIM handling and tightening up on their validation so that badly signed mail that really shouldn’t be treated as DKIM signed, won’t be treated as signed by Gmail. This is a good thing, especially as things like DMARC start to be...
As an update to yesterday’s post, Gmail is contacting postmasters at domains signing with 512 bit keys to warn them of the upcoming changes. This message also clarifies “DKIM keys failing.” Messages signed with 512 bit keys or less will be treated as unsigned by Gmail in the next week or so. Hello, We noticed that your domain is sending email to Gmail users that is DKIM signed...
Today’s Wednesday question comes from Andrew B. and got pushed to Thursday so I could check a few more facts. Have @Gmail yet confirmed the @ReturnPath story that they’ll start failing weak DKIM sigs? RP cites no source: @hey4ndr3w The answer is that no one from Gmail has publicly confirmed that they’re failing to authenticate mail signed with weak DKIM keys. But conversations...
While we were at M3AAWG, Wired published an article talking about how simple it was to crack DKIM keys. I didn’t post about it at the time because it didn’t really seem like news. DKIM keys smaller than 1024 are vulnerable and not secure and the DKIM spec does not recommend using keys smaller than 1024. When I asked the DKIM-people-who-would-know they did tell me that the news was...
Email – and email filtering – makes a lot of use of DNS, and it’s fairly easy to miss something. Here are a few checklists to help: Data you need before you start: [table] Information,for example Return path / bounce address,bounces.myesp.com Mailserver hostname,mail4.myesp.com Mailserver external address,192.0.2.4 DKIM “d=”,greatbigmarketer.com DKIM selector,oct2012...
Facebook hosted a DMARC interoperability event earlier this week. In terms of protocol development, interoperability events are a sign that the protocol is ready for more widespread use.
DMARC is a layer built on email authentication (SPF and DKIM) that provides brands with the ability to control use of their domains in email.
RSS - Posts