DKIM, SPF, DMARC, oh my!
-
It seems like every year there's a new email signing/authentication mechanism I need to deploy to ensure my emails go through.
Anyways, now I have a DMARC record added so I get mailed daily with a bunch of XML reports so I can see who's sending what. Neat. Turns out I don't have DKIM or SPF enabled for our main Google Apps thinger, so I added that.
Unfortunately the Google Toolbox MX checker says my SPF records are not set up properly.
My current SPF record is this:
v=spf1 include:_spf.google.com include:sendgrid.net include:smtp.groovehq.com ~all
The explanation for the error:
SPF Permanent Error: Two or more type TXT spf records found.
From what I can find online, you cannot have duplicate SPF records (which I don't, they're three separate services). I don't see any typos, and I'm allowed to have multiple include: clauses in my SPF record. Is there something I'm missing here?
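Added example, not part of the original post and not the code of any validator mentioned in this thread: a sketch of SPF record selection as RFC 7208 section 4.5 describes it, where several include: mechanisms in one record are fine but more than one TXT record starting with v=spf1 yields permerror. The TXT record sets and the verification token are constructed for illustration; only the SPF string comes from the post.

```python
# Added example: SPF record selection per RFC 7208 section 4.5.
SPF_VERSION = "v=spf1"

# The record quoted in the post.
PAGE_RECORD = ("v=spf1 include:_spf.google.com include:sendgrid.net "
               "include:smtp.groovehq.com ~all")
# Constructed TXT answers: one zone with a single SPF record, one where the
# same record was published twice (the verification token is a placeholder).
SINGLE = ["google-site-verification=PLACEHOLDER", PAGE_RECORD]
DUPLICATED = ["google-site-verification=PLACEHOLDER", PAGE_RECORD, PAGE_RECORD]


def select_spf_records(txt_records):
    """Keep only TXT strings whose version section is exactly "v=spf1",
    terminated by a space or by the end of the record."""
    selected = []
    for txt in txt_records:
        lowered = txt.lower()
        if lowered == SPF_VERSION or lowered.startswith(SPF_VERSION + " "):
            selected.append(txt)
    return selected


def check_record_set(txt_records):
    """Return (result, detail) for the TXT record set of one domain."""
    spf = select_spf_records(txt_records)
    if not spf:
        return ("none", "no SPF record published")
    if len(spf) > 1:
        # Identical duplicates count too: the rule is about record count.
        return ("permerror", f"{len(spf)} SPF records found; publish exactly one")
    return ("ok", spf[0])


def include_targets(record):
    """List the domains named by include: mechanisms (qualifier allowed)."""
    targets = []
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")
        if mech.lower().startswith("include:"):
            targets.append(mech[len("include:"):])
    return targets


if __name__ == "__main__":
    for name, rrset in (("single", SINGLE), ("duplicated", DUPLICATED)):
        print(name, check_record_set(rrset))
    print(include_targets(PAGE_RECORD))
```

Each include: target publishes its own SPF record, which a validator fetches separately; this sketch does not follow them.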
-
I Googled "spf validator" and http://www.kitterman.com/spf/validate.html seems to agree with Google Toolbox. There's a link at the bottom of the page to download the source code, so that might help.
-
@julianlam Another sign that email must die and be replaced. Maybe send a WhatsApp message instead or whatever.
-
Ended up pasting it into another validator and it returned
Plus a test email seems to have been sent ok. We'll see...
-
@julianlam So dig -ttxt <domain> returns only one TXT record? I don't know, usually Google's services have been pretty solid but this one seems to have its head up its ass to start with. I tried with my domain and it moans about not being able to get NS and MX records, DKIM not being set up and other bullshit while mail-tester.com, dmarcian.com and pretty much every other service I've tried say the setup is fine. Edit: oh, for nodebb.org. Yeah, dig looks perfectly OK for SPF.
-
@julianlam that's a great strategy, try different validators until one of them says everything is fine
-
Thanks @laoc -- good to know. Hopefully I won't see any disruptions, as Google seems to suggest I will...
-
@ben_lubar said in DKIM, SPF, DMARC, oh my!:
I Googled "spf validator" and http://www.kitterman.com/spf/validate.html seems to agree with Google Toolbox. There's a link at the bottom of the page to download the source code, so that might help.
That Python code seems to be crap. I haven't followed much deeper down the rabbit hole than verifying that it indeed finds two identical TXT records and it seems to do the include: resolution by itself. The two things seem related—but it's bedtime now.
-
@sockpuppet7 said in DKIM, SPF, DMARC, oh my!:
@julianlam that's a great strategy, try different validators until one of them says everything is fine
Of course, how else will I find a scapegoat? I'm doing due diligence when leveraging this new technology in order to cover my ass
Anyone know if DMARC records are web scale?
-
@julianlam Seriously, e-mail is a WTF and forum software shouldn't be using it anymore. Let this thing die already.
(I know you can't, because customers, but that is my opinion anyway)
-
@sockpuppet7 BTW the emails this forum sends when people do PMs are amazing. It puts all the PM text in a GIANT blob of text in the middle of the email with zero spacing or carriage returns or anything.
-
@blakeyrat You can lay at least part of the blame there at the feet of the W3C. Some wise guy somewhere decided that HTML should ignore basic whitespace and force you to represent everything except for single spaces with special tags and entities instead, and now if any software fails to do the special conversions, that's what you get.
-
@masonwheeler Ok but the unreadable email I got was from NodeBB. They picked HTML as their presentation layer, they have to deal with it.
-
@blakeyrat said in DKIM, SPF, DMARC, oh my!:
@sockpuppet7 BTW the emails this forum sends when people do PMs are amazing. It puts all the PM text in a GIANT blob of text in the middle of the email with zero spacing or carriage returns or anything.
So in other words, doesn't html-ify it? What happens if you have Markdumb inside it? I'm assuming it doesn't render it at all and sends off the raw code...
-
@masonwheeler said in DKIM, SPF, DMARC, oh my!:
@blakeyrat You can lay at least part of the blame there at the feet of the W3C. Some wise guy somewhere decided that HTML should ignore basic whitespace and force you to represent everything except for single spaces with special tags and entities instead, and now if any software fails to do the special conversions, that's what you get.
To be fair, that was decided long before there even was a W3C.
-
@laoc Fair enough. Here, have a . It was still a stupid decision that's been causing trouble for a long time now.
-
@masonwheeler said in DKIM, SPF, DMARC, oh my!:
a stupid decision that's been causing trouble for a long time now.
Those tend to accumulate IME...
-
@blakeyrat said in DKIM, SPF, DMARC, oh my!:
@sockpuppet7 BTW the emails this forum sends when people do PMs are amazing. It puts all the PM text in a GIANT blob of text in the middle of the email with zero spacing or carriage returns or anything.
Have you tried reading the emails with a different client that doesn't parse HTML? I hear the plaintext emails NodeBB sends are quite nice when you read them with PINE.
That said I think you're referring to multiple messages bunched together? I'll look into it.
-
@julianlam Well I can't share them because they're full of private info but trust me, in gmail it's one big glommed up glommation of text with no linebreaks or padding or anything.
-
@julianlam said in DKIM, SPF, DMARC, oh my!:
I hear the plaintext emails NodeBB sends are quite nice when you read them with PINE.
Pine, schmine. /bin/mail should be good enough for anyone.
-
@blakeyrat said in DKIM, SPF, DMARC, oh my!:
They picked HTML as their presentation layer, they have to deal with it.
As opposed to ?...
-
@zecc XML or JSON, presumably.
(inb4 "bad ideas thread is ")
-
@zecc said in DKIM, SPF, DMARC, oh my!:
As opposed to ?...
Well I suppose for email you don't have a lot of choices. That doesn't change my point though.