✨ Feature Suggestion | Warn against using custom domains for email providers that don't have SPF+DKIM+DMARC support for custom domains #1833

New Issue

2020-04-15T21:57:58Z

djoate commented

2020-04-15 21:57:58 +00:00

(Migrated from github.com)

Description

The minimum criteria for listing an email provider includes this requirement:

Valid SPF, DKIM and DMARC, with the policy p value set to either none, quarantine or reject.

We should warn against email providers offering custom domain support that do not provide clear documentation/steps on how to setup SPF, DKIM, and DMARC for custom domains and why they are needed. They are all used to prevent other people from sending emails as someone else. So, if a custom domain doesn't have all of those set up, it is easier to spoof emails from that domain.

For example,

ProtonMail has an entire page on it https://protonmail.com/support/knowledge-base/anti-spoofing/, and as we can see on the page, they include SPF, DKIM, and DMARC options in their setup flow for adding a custom domain
Tutanota provides instructions in their custom domains FAQ https://tutanota.com/howto/#custom-domain
Disroot only mentions setting up an SPF record at https://disroot.org/en/forms/domain-linking-form, without talking about DKIM or DMARC and without telling the user why it is important.

Furthermore, I think the email providers page should talk about the importance of SPF, DKIM, DMARC, along with DNSSEC, MTA-STS, etc.

## Description The minimum criteria for listing an email provider includes this requirement: > Valid SPF, DKIM and DMARC, with the policy `p` value set to either `none`, `quarantine` or `reject`. We should warn against email providers offering custom domain support that do not provide clear documentation/steps on how to setup SPF, DKIM, and DMARC for custom domains and why they are needed. They are all used to prevent other people from sending emails as someone else. So, if a custom domain doesn't have all of those set up, it is easier to spoof emails from that domain. For example, - ProtonMail has an entire page on it https://protonmail.com/support/knowledge-base/anti-spoofing/, and as we can see on the page, they include SPF, DKIM, and DMARC options in their setup flow for adding a custom domain - Tutanota provides instructions in their custom domains FAQ https://tutanota.com/howto/#custom-domain - Disroot only mentions setting up an SPF record at https://disroot.org/en/forms/domain-linking-form, without talking about DKIM or DMARC and without telling the user why it is important. Furthermore, I think the email providers page should talk about the importance of SPF, DKIM, DMARC, along with DNSSEC, MTA-STS, etc.

👍 2

dngray commented

2020-04-18 19:08:18 +00:00

(Migrated from github.com)

I did speak to some of the providers about their DMARC policies.

Some of them were setting them to none because of issues regarding mailing lists.

I think they were waiting on ARC to help with that.

I did speak to some of the providers about their DMARC policies. Some of them were setting them to none because of issues regarding mailing lists. I think they were waiting on [ARC](http://arc-spec.org/) to help with that.

This repo is archived. You cannot comment on issues.

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: privacyguides/privacytools.io#1833