Stricter Email protocols are being required such as DMARC for Microsoft, Yahoo and Google

It looks like Microsoft, Yahoo and Google will now require the following for servers that send more than 5000 emails to their servers.

  • SPF or DKIM
  • DMARC set to at least none
  • FCrDNS (I think this is a term to include both DNS and rDNS)

My Thoughts

  • The 5000 limit will not stand for long because spammers can count.
  • It seems DMARC will be required so you might as well have both SPF and DKIM enabled.
  • DNSSEC will be next for domains.
  • Other email providers will follow suit.

Since we installed our iredmail we have had DKIM, DMARC, and SPF active. It is the only way to not risk ending up in spam folders. It's easy to implement and a one way thing. You can use 1 DKIM for multiple domains but our experience is that it is a bad way, the risk of being considered as spam is much bigger.

Anyone not having all those set up already and running a legit email server deserves to remain in queue for eternity.
But who am I kidding.
Way too many firms buy the cheapest hosting they can find, just create some email accounts and call it a day. Nothing secured or compliant.
Then, when their emails get bounced, come up with the old “but we only have this problem with your email server. Everyone else accepts our emails”

1 Like

Learn and Test DMARC

Great site to check if you are compliant!

2 Likes

Yep, it’s time to tighten up email setups—SPF, DKIM, and DMARC are a must now. Better to get compliant early before more rules kick in.

1 Like

If virtualmin has all the email protections going it would give the platform an edge over the competitors.

We have all of them. DKIM, SPF and DMARC. Have had since we launched the email servers. Never had problems with mails ending in spam. But we use the iredmail server setup.

Not SRS for forwarding emails and maybe the new ARC, DMARC reporting (developers are talking about some of these).

Totally, ARC and proper DMARC reporting are next-level steps—forwarding’s always been tricky, but it’s getting more attention now.

SRS is easy to implement and takes care of the forwarding issue.

1 Like

Can you explain more about SRS and how it addresses the actual problem compared to ARC?

It rewrites the email’s sending envelope so the emails’ headers are re-written to match the forwarding server so DKIM, SPF all match when the email is delivered to the final destination.

There is, I believe, an additional header added to indicate the email has been forwarded, but this does not affect delivery.

SRS is a must irrespective of ARC.

I would also assume that reputation is based on the sending email server and sender information is rewritten by SRS to match the forwarding server then the ARC verification would now apply to the forwarding server and not the original sending server.

DKIM? Are you sure about that? If so, could you explain how, or at least provide a link to the source or documentation?

SRS is helpful for email forwarding, but it has drawbacks.

Rewritten sender addresses can look odd (after rewriting, the sender address looks something like SRS0+randomstuff=original@forwarder.com), potentially confuse recipients, and cause reply issues if not handled properly [if the forwarding service doesn’t handle replies properly (e.g., rewriting it back), the reply might not reach the original sender].

Some older or misconfigured mail servers might not recognize or handle SRS correctly, causing delivery or reply issues.

Setting it up adds complexity.

SRS mostly helps with SPF, but if the original message fails DKIM or doesn’t align with DMARC policies, it can still get flagged.

According to Microsoft, SRS fixes forwarding but does not alter DKIM headers. DMARC policies need to be configured to allow forwarded emails on the remote server. This apparently is where ARC fits in.

If it looks like SRS0+randomstuff=original@forwarder.com at the recipient, SRS has not been set up correctly.

In my setup, this is totally transparent.
I send an email from yahoo to mydomain.
mydomain is set to forward to gmail.
In my gmail I see:
mailed-by: mydomain.com
signed-by: yahoo.com

Sender email is the right one, without any SRS in it.
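
An added example, not code from anyone in this thread and not byte-compatible with any production SRS implementation: a simplified SRS0 rewrite showing that forwarding changes only the envelope sender, leaving the header From and the DKIM signing domain as they were, which matches the mailed-by / signed-by lines quoted above. The secret, the day numbers, the sample message and the exact-match alignment check are assumptions made for illustration.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-secret"  # assumption: the forwarder's private SRS key
FORWARDER = "mydomain.com"           # forwarding domain, as in the thread's example
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _stamp(day):
    """Two base32 characters encoding the day number modulo 1024."""
    return B32[(day % 1024) >> 5] + B32[day % 32]

def _tag(stamp, domain, local):
    """Short keyed hash binding the timestamp and original address together."""
    data = "=".join((stamp, domain, local)).lower().encode()
    mac = hmac.new(SECRET, data, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]

def srs_forward(envelope_from, day):
    """Rewrite the envelope sender so SPF and bounces point at the forwarder."""
    local, domain = envelope_from.rsplit("@", 1)
    stamp = _stamp(day)
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{FORWARDER}"

def srs_reverse(address, day, max_age=21):
    """Recover the original sender for a bounce; reject forged or stale input."""
    local_part, _, domain = address.rpartition("@")
    fields = local_part.split("=", 4)
    if domain.lower() != FORWARDER or len(fields) != 5 or fields[0].upper() != "SRS0":
        raise ValueError("not an SRS0 address for this forwarder")
    _, tag, stamp, orig_domain, orig_local = fields
    if not hmac.compare_digest(tag.encode(), _tag(stamp, orig_domain, orig_local).encode()):
        raise ValueError("hash mismatch: forged or altered address")
    issued = B32.index(stamp[0].upper()) * 32 + B32.index(stamp[1].upper())
    if (day - issued) % 1024 > max_age:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{orig_domain}"

def forward(msg, day):
    """SRS touches only the envelope sender; header From and DKIM d= pass through."""
    return {**msg, "envelope_from": srs_forward(msg["envelope_from"], day)}

def dmarc_alignment(msg):
    """Identifiers matching the header From domain (exact-match simplification)."""
    from_dom = msg["header_from"].rsplit("@", 1)[1]
    return {"spf": msg["envelope_from"].rsplit("@", 1)[1] == from_dom,
            "dkim": msg["dkim_d"] == from_dom}  # holds only if the signature still verifies

# Constructed sample message, modelled on the yahoo -> mydomain -> gmail case above.
ORIGINAL = {"envelope_from": "alice@yahoo.com", "header_from": "alice@yahoo.com",
            "dkim_d": "yahoo.com"}
FORWARDED = forward(ORIGINAL, day=20000)
```

After forwarding, `dmarc_alignment(FORWARDED)` reports SPF as no longer aligned with the header From, so DMARC for the forwarded copy rests on the original DKIM signature surviving the hop.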