desec-io/desec-stack

Sign Outgoing Email

nils-wisiol opened this issue · 8 comments

to help users tell which mail is spam and which isn't.

Do you mean DKIM, PGP, or S/MIME? If you want to prevent From address spoofing with DKIM, you should also enable DMARC.

Your emails are DKIM signed, but the Signing Domain Identifier is a4a.de. This domain seems unrelated to desec.io or talk.desec.io for automated checkers, so it isn't really helpful, as any spammer can sign fake mails with a Signing Domain Identifier under his control.
This also prevents you from enabling DMARC. There, the Signing Domain Identifier and the From Address Domain must be from the same Organizational Domain (derived from the PSL, when using relaxed mode), or even better, match exactly (strict mode).

Your DMARC record for desec.org is invalid, because it has the format of an SPF record:

_dmarc.desec.org.	900	IN	TXT	"v=spf1 mx -all"

That record isn't invalid, there is just no DMARC record. :)

I'll look into it, but it's not very high on my priority list right now.

We've started rolling out DMARC, currently with p=none. Will tighten up policy after observing for a bit.

For testing and debugging I recommend setting fo=1. It enables reporting if any test fails, not just if every test fails. For production it should be set back to less reporting.
See: https://www.rfc-editor.org/rfc/rfc7489.html#page-18

If subdomains are not used for sending mail, it is recommended to reject any mail from *.desec.io with sp=reject.
See: https://www.rfc-editor.org/rfc/rfc7489.html#page-20
Also publish an SPF record which denies any mail (v=spf1 -all) for *.desec.io.
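To make the two points above concrete (the DKIM signing-domain alignment problem with a4a.de versus desec.io, and what p=, sp=, adkim=/aspf= and fo= actually decide), here is a small DMARC evaluator. It is an added example and not code from deSEC or from anyone in this thread; the scenarios in it are constructed from the domains mentioned here. Two labelled simplifications: the Organizational Domain is approximated by the last two labels instead of the Public Suffix List that RFC 7489 requires (so it is wrong for suffixes such as co.uk), and only the fo=0 and fo=1 reporting options are modelled.

```python
"""Minimal DMARC policy evaluator (added example, not part of deSEC).

Assumptions, stated here as well as in the lead-in: the Organizational Domain
helper uses the last two labels instead of the Public Suffix List prescribed
by RFC 7489, and only fo=0 / fo=1 are modelled (not the d and s options).
"""


def parse_dmarc(txt):
    """Parse a _dmarc TXT record into its tags.

    Returns None when the string is not a DMARC record (for example the
    'v=spf1 mx -all' that was sitting at _dmarc.desec.org) or when the
    required p= tag is missing. Defaults follow RFC 7489 section 6.3.
    """
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag; anything else is simply not DMARC.
    if not parts or parts[0].lower().replace(" ", "") != "v=dmarc1":
        return None
    if "p" not in tags:
        return None
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p= when absent
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("fo", "0")         # report only when every mechanism fails
    return tags


def organizational_domain(domain):
    """Approximate Organizational Domain (assumption: last two labels, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same Organizational Domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return organizational_domain(f) == organizational_domain(a)


def policy_for(tags, record_domain, from_domain):
    """p= applies to the record's own domain, sp= to every subdomain below it."""
    if from_domain.lower().rstrip(".") == record_domain.lower().rstrip("."):
        return tags["p"]
    return tags["sp"]


def failure_report_wanted(tags, dkim_ok, spf_ok):
    """fo=0: report only when both mechanisms fail; fo=1: report when either fails."""
    options = tags["fo"].split(":")
    if "1" in options:
        return not (dkim_ok and spf_ok)
    return not (dkim_ok or spf_ok)


def evaluate(record_txt, record_domain, from_domain,
             dkim_domain=None, dkim_pass=False,
             spf_domain=None, spf_pass=False):
    """Return the DMARC disposition for one message.

    dkim_domain is the d= of a signature that verified, spf_domain the
    MAIL FROM domain that SPF authenticated. A mechanism only counts when it
    passed *and* its identifier aligns with the RFC5322.From domain.
    """
    tags = parse_dmarc(record_txt)
    if tags is None:
        return "no-dmarc-record"
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(from_domain, dkim_domain, tags["adkim"]))
    spf_ok = bool(spf_pass and spf_domain
                  and aligned(from_domain, spf_domain, tags["aspf"]))
    if dkim_ok or spf_ok:
        return "pass"
    return policy_for(tags, record_domain, from_domain)


if __name__ == "__main__":
    # Constructed scenarios mirroring this thread.
    print(evaluate("v=spf1 mx -all", "desec.org", "desec.org",
                   dkim_domain="a4a.de", dkim_pass=True))   # no-dmarc-record
    rec = "v=DMARC1; p=none; sp=reject; fo=1"
    # A valid a4a.de signature does not align with desec.io even in relaxed mode.
    print(evaluate(rec, "desec.io", "desec.io",
                   dkim_domain="a4a.de", dkim_pass=True))   # none
    print(evaluate(rec, "desec.io", "talk.desec.io",
                   dkim_domain="a4a.de", dkim_pass=True))   # reject
    print(evaluate(rec, "desec.io", "talk.desec.io",
                   dkim_domain="desec.io", dkim_pass=True)) # pass
```

The third scenario is the one to watch before setting sp=reject: a forum mail from talk.desec.io that is only signed with d=a4a.de would be rejected under that policy, while a signature with d=desec.io (or d=talk.desec.io) passes in relaxed mode and only the latter passes with adkim=s.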

Subdomains are used, e.g. by the forum software at talk.desec.io.