Skip to content

check SPF/DKIM/DMARC records on incoming mail

as part of the %improve mail services roadmap, I have realized that we should not only publish SPF/DKIM records (and sign outgoing mail), we should also check incoming mail. This is becoming critically important because Hetzner are becoming unhappy with us backscatter-spamming people through Mailman (see message [AbuseID:998963:1A]).

That was a Spamcop complaint about a user that was receiving backscatter bounce through Mailman. Specifically a message that was marked "too big" and "held for moderation". That specific instance would have been solved by an SPF check, because there are fairly strict ones on that specific victim's email server:

account.co.za.		9476	IN	TXT	"v=spf1 +a +mx +ip4:136.243.12.222 +ip4:5.9.29.165 +ip4:5.9.29.168 -all"

So it seems like part of roadmap should also include checking incoming email, if only to limit the spam we relay through (and then hurts our reputation).

First step would be to check SPF, but we should also probably check DMARC since it may influence SPF. DKIM would be second.

  • SPF checks
  • DMARC checks? if necessary for SPF, definitely needed for DKIM...
  • DKIM checks