[BlueOnyx:26724] Re: Google

[Michael Stauber]

Hi Ken,

> Am I missing something about DMARC?  We started down that road many years
> ago and decided it was a waste of effort.  We had to use a 3rd party service
> to parse the reports and my understanding was it would tell us who was
> spoofing our domain.  We were not going to police this, so what was the
> point?  We kept SPF and DKIM but dropped DMARC.
> 
> Maybe I didn't properly understand the value of DMARC?

Yeah, I personally think that DMARC is a waste of perfectly good 
electrons and I don't see any value in it.

My rant on this is still the same as it always has been:

Basically it just establishes a policy that tells a mailserver what to 
do if an inbound email fails the SPF and/or DKIM checks. You neither 
need a separate DMARC milter nor an extra set of DNS TXT records for 
that, as any decent MTA setup can be configured to do just that anyway.

For example: SpamAssassin adjusts the score of an email if SPF or DKIM 
are invalid. That's typically good enough and therefore we don't need 
DMARC for inbound email checks.

The value of the emailed DMARC reports is also garbage. It just creates 
extra noise for no good reason. Basically once you have set up SPF and 
OpenDKIM and run some tests to see if it works? Then you don't have to 
touch it anymore unless you make changes to your email sending 
infrastructure.

I don't need daily emailed ZIP files containing XMLs telling me that my 
infrastructure still works as good today as it did yesterday. And while 
we're at it: Why the heck do these reports HAVE to be bloody Zip-files 
with XMLs in them, when we try to teach everyone (and their 
grandmothers) not to blindly open attachments from unknown senders?

Yet the requirement for DMARC is another hurdle that "big players" throw 
our way to discourage running your own email services, while they 
themselves are the biggest safe havens for SPAM senders.

-- 
With best regards

Michael Stauber