Comment by qurren
4 hours ago
Aw hell. How many things do I have to set up just so that I can send e-mails from my own domain?
The effect of all this seems to be less "making e-mail secure" and more "making it so that only Google, Apple, and Microsoft can send e-mail successfully"
DKIM2 and DMARCbis are actually the opposite of this. They are long awaited fixes of brittle and often broken systems that are designed to now make providing secure email easier rather than harder.
They both have fairly clean migration paths and resolve a lot of the annoying edge cases that currently exist with authenticating and verifying email.
And sometimes if you do everything right, it still doesn’t work.
Recently I checked the IP against blacklists, waited a few months, did all of the other things, and then found out Microsoft bounces my entire VPS’s IP range. Appealing did not help.
They intermittently block Cloudflare email routing IPs too. All of these security measures and still it comes down to the IP address of your sender.
Is it an el cheapo VPS?
Is Cloudflare a cheapo VPS?
It is a cheap VPS, but it would still be nice if there was a way to know (not assume) beforehand.
> 550 5.7.1 Unfortunately, messages from [IP ADDRESS] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3150).
> Your IP(s) qualify for conditional mitigation.
Still blocked. The system is working as expected.
5 replies →
This sort of Regulatory Capture is quite old in the software field. People were already noticing it in the 90's.
Making a spec that contains a venn diagram of most of the features each of the signatories to the specification have implemented themselves ends up pulling the ladder up behind them. Each non-academic committee member discovers they're already more than 75% of the way to having completed the spec and any junior members or amateurs have years of work to do in order to catch up to Now. If any upstarts threaten to get within striking distance of an implementation you can always convene the committee again and discuss version 2 of the spec.
Mobile devices tamped this down just a little bit but mostly they lowered the slope of the line a hair and changed where the focus was a bit.
DMARC isn't for sending email successfully, it's for preventing other people from impersonating your domain. Without it, there's nothing stopping anybody from sending an email saying it is from you@qurren.com. SPF tried. DKIM tried. Both of them had gaps.
When you use them together and have a DMARC policy that requires one of them or the other for successful delivery, it's the best current solution.
Except I think I've had 1:1 personal e-mails from my domain go into a legitimate recipient's spam filter just because I didn't have DMARC set up and their mail server was flagging that "DMARC not set up == spammy domain"
Too many admins just had it set to “no valid DMARC? Spam” instead of the more proper “failed DMARC? spam”.
Which is subtly different.
That is perfectly reasonable. Set it up correctly.
1 reply →
> Aw hell. How many things do I have to set up just so that I can send e-mails from my own domain?
... said every spammer.
I'm sorry for your pain, and I'm in the same boat.
But it's important to understand that any sufficiently large, distributed-agent system (like federated email), will see the rise of parasites that will pump resources and diminish the value of the system.
What we're seeing here is an "immune" response to those parasites. We all pay for it.
I think this is an important lesson for anyone designing a distributed-agent system [1]. How do you design it so as to keep the bad actors out, or at least so their impact is negligeable?
[1] imma make my own email system! With blackjack, and hookers! oh wait...
>>parasites that will pump resources and diminish the value of the system.
Countries' legal systems really need to do something about them.
I don’t think they can. Spam, like speeding on highways and drug sales, is such an asymmetric enforcement area that I have very limited confidence that legal enforcement would make a significant dent in the volume. It’s far too technically easy to anonymously, repeatedly break anti-spam laws. This is an area where consortium enforcement (like the big inbox providers pushing solutions like DKIM2) is probably the most effective.
Don’t get me wrong, there are tons of areas where countries’ legal systems have no excuse for not enforcing the law more stringently (e.g. flagrant corruption in multiple regulatory bodies’ failure to enforce investment/wire fraud). But spam is part of the other category—technically difficult enough to crack down on that legal action is a waste of time. There are ways to change that, but they’re all either more centralization-prone, worse for privacy/liberty, or extremely expensive.
1 reply →
Eh, I read the article, and at most you only have to wait for your MTA to update to add the required headers and update your DNS records and you are golden. It still uses the same key you generated as far I'm aware.