I looks like that Microsoft, Yahoo and Google will now require the following for servers that send more than 5000 emails to their servers.
My Thoughts
Since we installed our iredmail We have had DKIM DMARC, and SPF active. It is the only way to not risk to end up in spamfolders. Its easy to implement and a one way thing. You can use 1 DKIM for multiple domains but our experience is that it is a bad way, the risk of being considered as spam is much bigger
Anyone not having all those setup already and are running a legit email server, deserve to remain in queue for eternity.
But who am I kidding.
Way too many firms buy the cheapest hosting they can find, just create some email acocunts and call it a day. Nothing secured or compliant.
Then, when their emails get bounced, come up with the old “but we only have this problem with your email server. Everyone else accepts our emails”
Great site to check if you are compliant!
Yep, it’s time to tighten up email setups—SPF, DKIM, and DMARC are a must now. Better to get compliant early before more rules kick in.
If virtualmin has all the email protections going it would give the platform an edge over the competitors.
We have all of them. DKIM, SPF and DMARC. Have had since we launched the email servers. Never had problems with mails ending in spam. But we use the iredmail server setup.
Not srs for forwarding emails and maybe the new ARC, DMARC reporting (developers are talking about some of these).
Totally, ARC and proper DMARC reporting are next-level steps—forwarding’s always been tricky, but it’s getting more attention now.
SRS is easy to implement and takes care of the forwarding issue.
Can you explain more about SRS and how it addresses the actual problem compared to ARC?
it rewrites the email’s sending envelope so the emails’ headers are re-written to match the forwarding server so DKIM, SPF all match when the email is delivered to the final destination.
There is, I believe, an additional header added to indicate the email has been forwarder, but this does not affect deliver.
SRS is a must irrespective of ARC.
I would also assume that reputation. Is based on the sending email server and sender information is rewritten by SRS to match the forwarding server then the ARC verification would now apply to the forwarding server and not the original sending server
DKIM? Are you sure about that? If so, could you explain how, or at least provide a link to the source or documentation?
SRS is helpful for email forwarding, but it has drawbacks.
Rewritten sender addresses can look odd (after rewriting, the sender address looks something like SRS0+randomstuff=original@forwarder.com), potentially confuse recipients, and cause reply issues if not handled properly [if the forwarding service doesn’t handle replies properly (e. g., rewriting it back), the reply might not reach the original sender].
Some older or misconfigured mail servers might not recognize or handle SRS correctly, causing delivery or reply issues.
Setting it up adds complexity.
SRS mostly helps with SPF, but if the original message fails DKIM or doesn’t align with DMARC policies, it can still get flagged.
According to Microsoft, SRS fixes forwarding but does not alter DKIM headers. DMARC policies need to be configured to allow forwarded emails on the remote server. This apparently is where ARC fits in.
If it looks like SRS0+randomstuff=original@forwarder.com at the recipient, SRS has not been setup correctly.
In my setup, this is totally transparent.
I send an email from yahoo to mydomain.
mydomain is set to forward to gmail
In my gmail I see:
|mailed-by:|mydomain.com|
|signed-by:|yahoo.com|
Sender email is the right one, without any SRS in it.
Microsoft, Yahoo, and Google now require that servers sending over 5,000 emails daily implement SPF or DKIM, have a DMARC policy set to at least “none,” and support FCrDNS (Forward-confirmed reverse DNS). While the 5,000-email threshold currently sets the bar, it likely won’t last long as spammers can easily adapt. To future-proof email deliverability, it’s wise to enable both SPF and DKIM, and implement a DMARC policy now. DNSSEC could be the next requirement as providers continue tightening security. Other email providers are expected to adopt similar standards soon.
I have never understood why this is a so big deal. We have 3 email servers running and from day 1 they were all set up with DKIM SPF and DMARC. Its a one time setup and then it can be forgotten. For me, it cant be a pro setup without it.
