PTR mechanisms in SPF records

If PTR mechanisms are detected, the current diagnostic output is: "Warning: PTR mechanisms SHOULD NOT be used and cannot be resolved using this diagnostic tool. More info at <this page!>." What does the PTR mechanism mean? When an email receiver gets a piece of email and the PTR mechanism is in the sender's SPF record, the receiver will look at the incoming IP address and do a "PTR" lookup. For example, if the sender is sending email from IP address…
9 October 2015
dmarcian Tools

Meaning of “WARNING: No A or AAAA records found”

If you publish an SPF record and use the "a" mechanism, but your domain doesn't actually have an A record in place, then you'll see this warning. Here's a sample SPF record that contains the "a" mechanism:
v=spf1 a ~all
The A DNS record is how you use the DNS to associate an IP address with your domain. The AAAA DNS record (also called "quad-A") is used to associate an IPv6 address with your…
8 October 2015
dmarcian Tools

Meaning of “No DMARC reports received yet which confirm DKIM signing”

Users sometimes ask: What does "No DMARC reports received yet which confirm DKIM signing" mean? dmarcian uses DMARC-XML data to detect the presence of DKIM signatures. There is no straightforward way to query the internet for the presence of DKIM signatures, and so dmarcian relies on the contents of DMARC-XML reports to provide information on DKIM signatures. Given the above, there are 4 reasons why you might see this message: DKIM hasn't been implemented with the domain's source(s) of email. DKIM…
7 October 2015

Brief history of email authentication

Email is huge (largest deployed application on the Internet?) and it takes a long time to change the fundamentals.
2003: First SPF draft
2004: First DomainKeys draft (predecessor to DKIM)
2006: First DKIM draft; PayPal begins work with Yahoo on authentication-based model
2007: BITS Email Security Working Group publishes paper recommending TLS + SPF + DKIM for email; DKIM RFC published; PayPal + Yahoo blocking based on DomainKeys+SPF goes live
2008: PayPal publishes "A Practical Approach To Managing Phishing"
2009:…
5 October 2015


A user once asked: I can't seem to find the answer to this question anywhere on the Internet (it may just be me not fully understanding the standards), so I thought I'd ask you. If I have DMARC set up in my DNS (which I do) and also ADSP (also do), which one takes precedence? I'm also assuming that I am in overkill mode and that DMARC is enough. Your input would be appreciated when you have a moment.…
4 October 2015

What is the difference between SPF ~all and -all?

SPF is all about publishing a list of servers that are authorized to send on behalf of a domain. After writing out a list of servers in the form of an SPF record, the right thing to do is to end the record with something that says "and everything else on the Internet is NOT authorized". This is done with the "all" mechanism, which matches everything. By adding a prefix of "~" or…
3 October 2015