Comment on How do email scammers spoof my email?
rufus@discuss.tchncs.de 9 months agoAnd you don’t even need SPF or AI to discard mails coming from the wrong mailserver. If you know the domain, you can do a lookup and see if the connecting mailserver is the one in the MX record. Check PTR records. At least throw away mail that’s coming from some random server and claims to cime from your own domain. You should know who is supposed to be a mailserver for your addresses.
Ocelot@lemmies.world 9 months ago
This isn’t really going to be accurate all the time. It is a totally reasonable configuration to use a mailserver not in the MX records. Lots of companies that send automated emails use a service like mailgun or sendgrid as a relay, which isn’t their MX server. It doesn’t come from their company’s mailserver. The only way to validate that is by adding mailgun/sendgrid as an include in the SPF record.
You’ll often miss things like “Your credit card expired” or “please change your password” or even “Here’s your monthly bill from the power company” emails.
rufus@discuss.tchncs.de 9 months ago
I’ve tried and lots of providers want the PTR. I think Gmail is espectally strict when it comes to antispam, doing the DNS lookups and checking IP ranges. I forgot what gets you into the spam folder and what gets your mail rejected completely. You’re right with the MX record though. I think I misremembered whatever I configured in Postfix. SPF is the way for that.
But I just follow suit with the big providers and am very strict with the incoming mail. I need to look it up, but i think i refuse them if the mailserver doesn’t have any dns records at all. And if it sends something silly in the HELO. With mailchimp or mailinglists, isn’t the way to do it to set mailchimp in the envelope-from and your company into the from header? and then I can check at least that mailchimp this is a proper mailserver? If you don’t set it up properly, you kinda deserve your mail getting lost.
But I think now I know where we don’t understand each other. I just check if it’s a proper mailserver with the first few checks. That gets rid of >>50% of my spam immediately. I don’t use that to verify the mailserver is allowed to send mail for that domain. That’s a job for SPF later. It just needs to have anything. And that’s enough to weed out most of the spam, especially from hacked boxes and crude IPs from the far east.
One exception. I have a specific list with servers allowed to send mail from my own domain. This prevents phishing and impersonating people internally. Nobody except me is supposed to configure mailing campaigns or mailing lists anyway. But now that we’re speaking of it, I think I should get rid of that extra config and use SPF for that. I configured that years ago, anyways.