[AlternC-dev] After DKIM, let's DMARC & SPF ?

Retour à l'archive de la liste
Le site d'AlternC
Google Custom Search

Gabriel Filion gabster at lelutin.ca
Ven 19 Juin 20:38:08 CEST 2015


On 17/06/15 02:43 PM, Benjamin Sonntag wrote:
> since AlternC 3.1, we are automatically publishing DNS records and sign with DKIM emails sent by the server, for domains where we host DNS and EMAIL locally.
> 
> Thanks to TXT records in advanced subdomains, we also can declare SPF records through the web interface, but one's need to do it, and to know what SPF is.

this sounds like a good idea but we should be careful with their default
implementation, since it could harm ppl who are expecting to send email
from subdomains not hosted by the alternc instance.

> - the default values for the variables would be "relax", saying that anything violating the SPF or DMARC rules would not be a problem.
> - of course, the admin account could choose more strict rules that would be applied on every installed domain.

for example, the default DMARC value could be:

_dmarc IN TXT "v=DMARC1; p=none"

and SPF could be:

@ IN TXT "v=spf1 include:_spf.%%DOMAIN_OF_ALTERNC_INSTANCE%% ~all"

the above SPF would then need a TXT record _spf on the domain that's
hosting the alternc instance.

the _spf TXT record could then be set by alternc to the list of all IPs
of MX and web servers that are managed by alternc.


However, if we do implement such measures, we really need to think about
the interface: it needs to be possible to easily change or disable those
records. for advanced users, being able to change them by just changing
the text is a must, but for less knowledgeable ppl, it would be
important to have a specialized interface that lets them choose possible
values to possible tags, and that suggests good "basic" values.


Wrt the current DKIM implementation, there's something quite lacking:
users are not able to retrieve/change, let alone be aware of the
existance of cryptographic key pairs that are used for the feature.

This means that ppl who aren't aware of what DKIM is, can get bitten in
the knees when/if they migrate their mail into or away from the alternc
hosting.

Also to those ppl with knowledge of what DKIM is and how it works, the
only way they can get their keys to migrate away is by asking sysadmins
of the alternc instance to send them the keys.
And users in the same category who are migrating their mail into the
alternc instance who previously had DKIM, they can't set the
cryptographic keys in order to keep signatures consistant.

I don't mean to block your suggestion since I think it is a good idea.
However, before wrapping DKIM into DMARC, we probably should look into
perfecting the current implementation.

-- 
Gabriel Filion

-------------- section suivante --------------
Une pièce jointe autre que texte a été nettoyée...
Nom: signature.asc
Type: application/pgp-signature
Taille: 801 octets
Desc: OpenPGP digital signature
URL: <http://lists.alternc.org/arch/dev/attachments/20150619/184cc99d/attachment.sig>


Plus d'informations sur la liste de diffusion Dev