Une toolbox intéressante et très utile par les temps qui courent autour des BIMI, DMARC, DKIM, TXT, etc.

Lien de la source ==> https://lnkd.in/emCnGryq

#cybersecurity #toolbox #infosec #blueteam #bimi #dkim #dmarc

I host my own #email on a cheap (<$10/mo) VPS.

Technically, I deployed postfix with the default configuration, published #SPF records and sign with #DKIM.

I am an email expert, but the only experty things I did were to not host on a provider like OVH that seems to specialize in hosting spammers, not to allow my users to send spam, nor to forward spam.

That's all. And my #deliverability is just fine, with no particular effort involved.

Um ja nicht zu viel #MSTeams und #Azure Kram zu machen, habe ich erst mal #DKIM auf dem Linux Mail Server konfiguriert. #DerGeneralist

When I set up #SPF years ago, I was happy that it blocked so much #spam. Then I moved to requiring matching reverse DNS records (which I still have mixed feelings about) and that blocked all that spam and more.

After several days of having #DKIM and #DMARC verifiers, I observed only one piece of spam being blocked by these (with SPF also failing), while all professional spammers have valid DKIM signatures.

Maybe I should write more #email so I experience my messages being blocked or not.

I like the #DWIM approach of UI design, but now I remember useful examples only in Emacs and Python.

I feel it's a confusing complexity in how #OpenDKIM handles its config and the entire logic of signing or verifying.

A #DKIM milter needs to verify mail that an MTA receives from elsewhere and sign mail that the MTA sends from its own system, and these are obviously different for Postfix. So OpenDKIM duplicates some MTA settings and has a nontrivial logic which mails to sign.

Reading about #DKIM, I think the main complexity in configuring it is key rotation and the automation it needs with various mail servers and DNS servers. (There is also dkim-rotate, maintaining a zone file and providing Exim configuration.)

I think as all my emails are GPG-signed, except for automated ones like Nextcloud share notifications, I have completely no need for plausible deniability which would be the only reason for key rotation.

So I might use a manual procedure for key rotation.

Today: ripping out my old #DKIM and #DMARC processors, OpenDKIM / OpenDMARC, in favor of #rspamd. I can even drop Postgrey and parts of Postscreen.

Oh it's a pain to set up (you kinda have to wrap your head around hey they do configuration includes to separate site config from package config), but the all-in-one approach *with a web interface* for easy viewing is... Yeah I'm migrating.

Plus it also supports ARC, and seems to be faster at scanning than SpamAssassin.

#Postfix is happy. #email