
Thank you for this answer!

A few more questions:

1. Would there be any issues receiving emails with these policies set?

2. Quoting OP's edit:

> Edit: Also, if I have a domain that currently does not send email but may in the future, am I hurting my future self by setting any of these?



None. SPF, DKIM and DMARC only affect outgoing mail.

Incoming mail is handled entirely by your mail server which is pointed to by your MX record.

This is actually where a lot of the confusion comes from. When you buy a domain, it doesn't go anywhere until you point it to specific web servers by adding A or CNAME records in your DNS. Same thing with your incoming email, nobody knows where to send a message until you set up your MX records. You can set up a web server that will serve any domain you want, but until the DNS points to it there's not an easy way for people to find it.

Outgoing mail had no such check though. Any server could send a message claiming it was from your domain unless you took the time to specify where your mail is coming from.

And no, this won't hurt you at all. All it does is tell the receiving mail servers that for an email from the domain to be valid, it must pass a DMARC check. If you subsequently set up something like Google for your domain's email, you'd just update the record by following the instructions Google will give you. For example:

"v=spf1 include:_spf.google.com ~all"

This lets Google manage the set of IP addresses. Google will likely also give you instructions to set up DKIM by adding a couple of additional records. This will ensure anything sent by Google for your domain will pass both SPF and DKIM, allowing it to be properly validated and delivered.

You'll notice "~all" instead of "-all" as well. When you're actually sending email from the domain, it's best to use "~all" instead of "-all". The "-all" can sometimes be overzealously strict and by using "~all" instead it will be enforced but let you defer to the DMARC policy for the enforcement of failures (such as forwarding or listservs that DKIM would still survive but SPF wouldn't).
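To make the "-all" versus "~all" distinction concrete, here is an added example (not code from any commenter in this thread) of a minimal SPF evaluator plus a simplified DMARC decision. It runs against a constructed, in-memory TXT table rather than live DNS: the `parked.example` and `mail.example` names are hypothetical, and the `_spf.google.com` entry is a stand-in using the RFC 5737 documentation range 203.0.113.0/24, not Google's real address list. Only the `ip4`, `include` and `all` mechanisms are implemented, which is enough to show how a no-mail domain with "v=spf1 -all" rejects every sender, how a "~all" record softfails an unknown sender instead of hard-failing it, and how DMARC then lets a surviving DKIM pass rescue a forwarded message.

```python
import ipaddress

# Constructed DNS TXT data standing in for real lookups.
# _spf.google.com here is a stand-in with a documentation range, NOT Google's real ranges.
TXT_RECORDS = {
    "parked.example": "v=spf1 -all",                          # domain that never sends mail
    "mail.example": "v=spf1 include:_spf.google.com ~all",   # record from the comment above
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 -all",     # constructed stand-in
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, txt=TXT_RECORDS, depth=0):
    """Evaluate the SPF record of `domain` for a message sent from address `ip`.

    Supports only the mechanisms used in this thread: ip4, include and all.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                   # no SPF record published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"                 # mechanisms default to "+" (pass) when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True              # "all" always matches; its qualifier decides the verdict
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the included record evaluates to "pass";
            # a "fail" inside the include does not propagate outward.
            matched = check_spf(arg, ip, txt, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # record exhausted without a match


def dmarc_disposition(spf_result, dkim_result, policy):
    """Simplified DMARC: the message is accepted if either SPF or DKIM passes
    (identifier alignment is assumed here); otherwise apply the domain's p= policy.
    This is why "~all" plus DMARC tolerates forwarding, where SPF breaks but DKIM survives.
    """
    if spf_result == "pass" or dkim_result == "pass":
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    # 198.51.100.1 is another RFC 5737 documentation address, used as an "unknown" sender.
    print(check_spf("parked.example", "203.0.113.5"))          # fail
    print(check_spf("mail.example", "203.0.113.5"))            # pass (via include)
    print(check_spf("mail.example", "198.51.100.1"))           # softfail (~all)
    print(dmarc_disposition("softfail", "pass", "reject"))     # deliver: DKIM survived forwarding
    print(dmarc_disposition("softfail", "fail", "reject"))     # reject: policy applied
```

The `parked.example` case is the "domain that does not send email" from OP's question: every sender address evaluates to `fail`, and the domain's own inbound mail is untouched because nothing here consults MX records. Swapping the "~all" in `mail.example` for "-all" would turn the `softfail` result into a hard `fail` at the SPF stage, before DMARC gets to consider DKIM.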


> nobody knows where to send a message until you setup your MX records

Not quite. RFC 974 says: "It is possible that the list of MXs in the response to the query will be empty. This is a special case. If the list is empty, mailers should treat it as if it contained one RR, an MX RR with a preference value of 0, and a host name of REMOTE. (I.e., REMOTE is its only MX). In addition, the mailer should do no further processing on the list, but should attempt to deliver the message to REMOTE."
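The implicit-MX rule quoted above, as an added example that is not part of the original comment: a small target-selection routine over a constructed, in-memory DNS table (the `mail.example` and `parked.example` names and 203.0.113.0/24 addresses are hypothetical documentation values). It shows that a domain with only an A record is still a valid delivery target, which is the practical consequence for anyone who assumed "no MX record" meant "no inbound mail".

```python
# Constructed DNS data: (name, type) -> list of records. Not live DNS.
# MX records are (preference, host) pairs; lower preference is tried first.
DNS = {
    ("mail.example", "MX"): [(10, "mx1.mail.example"), (20, "mx2.mail.example"), (10, "mx0.mail.example")],
    ("mail.example", "A"): ["203.0.113.10"],
    ("mx0.mail.example", "A"): ["203.0.113.24"],
    ("mx1.mail.example", "A"): ["203.0.113.25"],
    ("mx2.mail.example", "A"): ["203.0.113.26"],
    ("parked.example", "A"): ["203.0.113.50"],   # A record, no MX: still receives mail per RFC 974
}


def delivery_targets(domain, dns=DNS):
    """Return the hosts a mailer should try for `domain`, in preference order.

    Follows the RFC 974 rule quoted in the thread: an empty MX list is treated
    as a single MX with preference 0 pointing at the domain itself.
    A name with neither MX nor address records yields no targets at all.
    """
    mx = list(dns.get((domain, "MX"), []))
    if not mx:
        if (domain, "A") not in dns:
            return []                   # nothing to deliver to
        mx = [(0, domain)]              # implicit MX: REMOTE is its only MX
    # Stable sort keeps equal preferences in record order; a real mailer is
    # expected to pick among equal-preference hosts in an arbitrary order.
    mx.sort(key=lambda rr: rr[0])
    return [host for _, host in mx]


if __name__ == "__main__":
    print(delivery_targets("mail.example"))     # ['mx1.mail.example', 'mx0.mail.example', 'mx2.mail.example']
    print(delivery_targets("parked.example"))   # ['parked.example']
    print(delivery_targets("unknown.example"))  # []
```

For a domain that should never receive mail, the takeaway from the RFC text is that simply omitting MX records is not enough, because the A record alone makes the host a delivery target.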



