> On 6 Apr 2021, at 14:48, [email protected] wrote:
>
> Hi Laura, Kai,
>
> On 6 Apr 2021, at 12:38, Laura--- via mailop <mailto:[email protected]> wrote:
>> On 6 Apr 2021, at 10:36, Florian.Kunkel--- via mailop
>> <mailto:[email protected]> wrote:
>>
>> Just so I understand what t-online.de is announcing.
>> t-online.de is looking for full alignment between the SPF domain (5321.from)
>> AND the d=domain (DKIM) with the header from (5322.from).
>
> ACK

This is where I get confused, because later in your reply you say you don’t care about the SPF domain.

>> Additionally, t-online.de will reject any message that fails either SPF or
>> DKIM authentication even if the other method passes.
>
> we don't follow DMARC, DKIM or SPF logic here, but this terminology and tech
> is known and understood by senders.

Not as well as any of us might hope or wish, unfortunately. I say that as someone who fields questions from senders on a daily basis that make it clear they don’t understand the terminology or the tech.

> The requirement is, that if we can not build reputation on IPs, we do so on
> the author's domain, visible to the recipient user.
> These must be fully aligned.

OK. This makes your requirement much clearer.

Is a subdomain alignment acceptable? Or does it have to be exact?

>> t-online.de is rejecting any message that does not align with both SPF and
>> DKIM.
>
> we don't care of DNS SPF RRs for authentication.

So you don’t care if the 5321.from and 5322.from align?

> * align mail from and header from to your DKIM d= (you don't do this for us,
> but for your customer/correspondent to recognize you!)
> * DKIM sign your message
> * have the necessary DNS RRs for your DKIM keys
> + use double opt in
> + stop addressing dead recipients
> + keep complaint rates low

Fair enough. Are you providing any end user visible indication that the mail was DKIM signed and aligned?

How are you treating messages double DKIM signed? A lot of providers sign with a d= that belongs to their customer - so that it aligns and will pass DMARC. But they also sign with their own d= as they are also taking responsibility for the mail.

A couple specific questions about double signed emails.

If one of the d= signatures aligns, is that sufficient?

Do you have a preference for the order in which things are signed?

The other ISPs seem to treat the first (that is the 2nd DKIM signature to be added, the top one in the headers) as the ‘aligning’ and ‘primary’ domain. The second signature (that is the first DKIM signature to be created and the 2nd one in the headers) to be the provider domain and less important for reputation. Does this match with your evaluation process?

>> t-online.de is rejecting any message that is not signed by DKIM.
>
> ... if you're not already known to us as a good netizen, yes.

Ah! OK. That’s fair enough. That wasn’t clear from the original posting. If there are established reputations then those established reputations will continue, but this is mostly about new domains / mailstreams.

So this is something we’ll need to be aware of for customers who are warming-up (or as I prefer to call it ‘conditioning’) when they move domains or IP addresses.

>> If I understand the above statements, you are going much stricter than the
>> DMARC spec
>> and asking for a level of authentication currently beyond anything anyone
>> else is doing.
>
> Let me form it the other way around:
> what do you need DKIM for, if not to be held accountable for what you send?

There are a lot of ways to sign DKIM that don’t align but aren’t, in any way, deceptive or avoiding accountability.

I’m just trying to understand what t-online.de is asking for so that I can explain it.

Part of this is I’m actually putting together a course on email authentication for later in the year. I need to make sure that I understand what you’re asking for so my recommendations are accurate.

Another part of this is I spend a LOT of time answering questions from email professionals about authentication and these are questions I anticipate they will ask at some point.

> And if you go for professional email services, what's the problem anyhow?

I am a professional providing deliverability services for folks, so I’m trying to make sure that the advice I give complies with your expectations so that my clients don’t suffer delivery problems at t-online.de because I didn’t understand what you’re asking for.

laura

--
Having an Email Crisis? We can help! 800 823-9674

Laura Atkins
Word to the Wise
[email protected]
(650) 437-0741

Email Delivery Blog: https://wordtothewise.com/blog
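As an added example (not part of the thread, and not t-online.de's evaluation logic): a sender-side check that lists each DKIM signature's d= in header order and says whether it matches the header From domain exactly, as a parent or subdomain, or not at all, alongside the envelope sender. The sample message, the `.example` domains and all function names are constructed; signatures are not verified, and the subdomain test is plain suffix matching rather than DMARC's organizational-domain lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a double-signed message, customer signature on top,
# provider (ESP) signature below it. The bh=/b= values are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=customer.example; s=s1;
 h=from:to:subject; bh=constructed; b=constructed
DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=k2;
 h=from:to:subject; bh=constructed; b=constructed
From: Shop <news@customer.example>
To: user@recipient.example
Subject: constructed sample

body
"""

def domain_of(address):
    """Lower-cased domain part of an address or 'Name <addr>' string."""
    return parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")

def dkim_domains(msg):
    """d= tag of every DKIM-Signature header, top of the header block first."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        unfolded = re.sub(r"\s+", "", value)  # drop folding whitespace
        tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
        if "d" in tags:
            found.append(tags["d"].lower().rstrip("."))
    return found

def match(domain, author):
    """'exact', 'subdomain' (either is a parent of the other) or 'none'."""
    if domain == author:
        return "exact"
    if domain.endswith("." + author) or author.endswith("." + domain):
        return "subdomain"  # assumption: suffix match, no public suffix list
    return "none"

def alignment_report(raw_message, envelope_from):
    """Compare 5321.from and every DKIM d= against the 5322.from domain."""
    msg = message_from_string(raw_message)
    author = domain_of(msg["From"])
    return {
        "header_from": author,
        "mail_from": match(domain_of(envelope_from), author),
        "dkim": [(d, match(d, author)) for d in dkim_domains(msg)],
    }

if __name__ == "__main__":
    print(alignment_report(SAMPLE, "bounce@bounces.customer.example"))
```
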
