by sylware 891 days ago
Abusive, SPF is plenty enough unless you cannot map the domain with the right IPs due to DNS trickery (rotation, etc), then you would need an IP agnostic way to do some checks, hence the cryptographic DNS based signature.

That said, with no-DNS email addresses, SPF comes for free (alice@[x.x.x.x] bob@[ipv6:...]).

Namely, if SPF does pass, cryptographic DNS based signature mechanisms are excessive and must not be used to score.

3 comments

SPF only authenticates the envelope-from, whereas it's DKIM that takes care of the From: header. Without DKIM, one can easily do "EHLO randomspamdomainboughtyesterday.com" and "From: accounts@citibank.com". SPF is about the transport, DKIM is about the content.

And to round it out, DMARC tells the receiver what to do when the SPF or DKIM tests fail, namely "report", "quarantine", or "reject". Not sure why they're requiring it when it doesn't affect a spam verdict. Maybe it's so those who run a misconfigured server can't complain if their mail is being dropped silently, google and yahoo can just tell them to switch the policy to "report".
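As an added illustration of the point made in this comment (not code from any commenter), the following Python evaluator performs the DMARC identifier-alignment step that ties the envelope-from (SPF) and the DKIM signing domain back to the From: header, and maps the published policy to an action. Assumptions not taken from the thread: the SPF and DKIM verdicts are already computed by an upstream verifier, the organizational domain is approximated by the last two labels instead of the Public Suffix List, and the domain names and DMARC record below are constructed.

```python
"""Added example, not from the thread: minimal DMARC alignment check.

Assumptions: SPF and DKIM verdicts come from an upstream verifier; this code
only does the alignment step and applies the published policy. The
organizational-domain logic (last two labels) is a simplification of what a
real implementation does with the Public Suffix List.
"""
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Approximate the organizational domain (simplification, see docstring)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed) accepts any
    subdomain of the same organizational domain."""
    a = identifier_domain.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict with defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


@dataclass
class AuthResults:
    from_header_domain: str        # domain of the RFC 5322 From: header
    envelope_from_domain: str      # domain of the RFC 5321 MAIL FROM
    spf_result: str                # 'pass' / 'fail' / 'none' from SPF
    dkim_domain: Optional[str]     # d= of a valid DKIM signature, or None
    dkim_result: str               # 'pass' / 'fail' / 'none' from DKIM


def evaluate_dmarc(r: AuthResults, record: dict) -> tuple:
    """Return (dmarc_result, action). DMARC passes only if SPF or DKIM passes
    AND that passing identifier is aligned with the From: header domain."""
    spf_ok = r.spf_result == "pass" and aligned(
        r.envelope_from_domain, r.from_header_domain, record["aspf"])
    dkim_ok = (r.dkim_result == "pass" and r.dkim_domain is not None
               and aligned(r.dkim_domain, r.from_header_domain, record["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # p=none is monitor/report only; quarantine and reject are enforced.
    return "fail", record["p"]


# Constructed sample matching the comment: SPF passes for the sender's own
# domain, but the From: header names a different organization. No DKIM.
SPOOF = AuthResults(
    from_header_domain="bank.example",
    envelope_from_domain="randomspam.example",
    spf_result="pass",
    dkim_domain=None,
    dkim_result="none",
)
# Constructed sample of legitimate mail: bounces via a subdomain (relaxed SPF
# alignment) plus a DKIM signature from the organizational domain itself.
LEGIT = AuthResults(
    from_header_domain="bank.example",
    envelope_from_domain="bounce.bank.example",
    spf_result="pass",
    dkim_domain="bank.example",
    dkim_result="pass",
)
# Constructed DMARC record for bank.example.
BANK_POLICY = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=r")

if __name__ == "__main__":
    print(evaluate_dmarc(SPOOF, BANK_POLICY))   # ('fail', 'reject')
    print(evaluate_dmarc(LEGIT, BANK_POLICY))   # ('pass', 'none')
```

The spoofed message shows why a passing SPF result on its own says nothing about the From: header: SPF passed for the envelope domain, but that domain is not aligned with the header domain, so DMARC fails and the receiver applies the published `p=` action rather than a spam score.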

This is wrong:

DKIM would be used only if SPF does not "pass", if there. DNS SPF is inappropriate for those email providers implementing DNS trickery which cannot work with DNS SPF. For DNS SPF to "pass", not only the SMTP prolog and transactions must be evaluated, but also some header fields (from:, reply-to:).

For instance, if you are self-hosted and your SPF DNS entry does match the domain in the SMTP prolog/transactions and the header fields, your spam score will be significantly lower.

With no-DNS email servers, you don't have the SPF DNS indirection and can directly check the IPs (bob@[x.x.x.x] alice@[ipv6:...]) for spam scoring.

That said, the real worst are those sys admins blocking instead of enabling grey listing.

I'd ask you to show me the relevant section in RFC4408 that backs up your claims about header fields, but honestly I don't care to read any more incoherent rambling screeds on the topic. Cheers.
chatgpt?
IP addresses get reused, private keys don’t.

Aside from SPF being around first, DKIM makes far more sense.

https://github.com/CanIPhish/spf-bypass

I wish. If you are using SPF-only, you are consenting to being spoofed.