Neat SPF/DKIM/DMARC DNS record testing and learning tool


Toby

Jun 13, 2024, 11:54:37 AM
to Minneapolis St. Paul WordPress User Group
Hi!  I just wanted to share this really neat DMARC testing & learning tool that helped me out today: https://www.learndmarc.com/

Enjoy,
Toby

John Visser

Jun 13, 2024, 2:58:14 PM
to mpls-stpau...@googlegroups.com
Whoa. That's cool. Thanks for sharing!

~john

John Visser  |  johnvisser.net
Tenacious, solution-driven WordPress development, optimization, and maintenance in Minnesota.




Jodi Stammer

Jun 13, 2024, 5:40:14 PM
to mpls-stpau...@googlegroups.com

Thanks, Toby – this is cool! It made me aware that I had forgotten to authenticate my DKIM even though I had added the record. Doh!

 

What do you set your DMARC policy to? Do you use a tool to read the reports? I’ve seen people insist you must do this, but even if I did and saw who’s attempting to spoof, what would I even do with that information? Call the Internet Po-Po?

While I’m here I’d also like to rant about how difficult GoDaddy makes it to get a DKIM record if clients were “unlucky” enough to purchase O365 email through them! Ugh.

 

Cheers,

Jodi


Nick Ciske

Jun 14, 2024, 1:13:11 PM
to mpls-stpau...@googlegroups.com
> What do you set your DMARC policy to?

It depends on your goal. If you just want to comply with the Google/Yahoo need for DMARC existing, then "None" will do the trick.

Quarantine tells the provider to flag it as spam.

Reject tells the provider to reject the message.

Generally you start with none, collect some data then move to the more strict levels over time. Then monitor logs on an ongoing basis to ensure new sources of email are not being flagged or rejected (e.g. new server/service).

https://powerdmarc.com/what-is-dmarc-policy/


> Do you use a tool to read the reports?

If your goal is to become actually compliant, this is required as you need to see what’s going on so you can increase the policy to enforcement. There are free tools and paid tools. Cloudflare has a free tool that is a few clicks to set up if your DNS is already there.


> I’ve seen people insist you must do this, but even if I did and saw who’s attempting to spoof, what would I even do with that information? Call the Internet Po-Po?

The goal of monitoring is to find legitimate emails that would be flagged or rejected if the policy was made more strict.

Once all legit mail is covered by your SPF and DKIM records, you adjust the policy and the email providers (who support DMARC) handle enforcement for you.

This isn’t a "stop the source" approach, it’s a "make it undeliverable/not profitable" approach.

DMARC is basically a reporting tool and enforcement indicator on top of SPF (who can send mail as you?) and DKIM (how can I know you sent the email?).

_________________________
Nick Ciske
CTO/CISO | LuminFire

Jodi Stammer

Jun 14, 2024, 2:30:01 PM
to mpls-stpau...@googlegroups.com

Thanks for taking the time to answer my questions, Nick. It’s finally getting through my thick skull — very well explained! I sort of understood parts of it, but this puts it all together in a way I can comprehend. You rock!
