As I work with email and anti-spam and a bunch of other stuff I don't really understand, I figured I'd play with the various tools out there to stop people sending stuff and claiming it's from me. This web site and my email are hosted on the Google, and they're really good about supporting all this stuff. All this clever stuff lives in DNS, so you can easily look up my records to see how it all works here.

SPF

The Sender Policy Framework is basically a list of addresses that I tell recipients to accept my domain's email from. The trouble with SPF is that a lot of people have to be able to send mail from other devices, so they use the ~all (accept mail from anywhere else too) option. I send everything through the Google mail servers, so I can use:

v=spf1 include:_spf.google.com -all

Instructions for setting it up on the Google are here.

DKIM

With DomainKeys Identified Mail, each message is signed by the sending machine, in this case the Google mail servers, so it happens independently of who sends the message, as long as it goes through the Google servers. And I've already told people that anything not coming from the Google servers should be ignored.

Instructions for setting it up on the Google are here.

DMARC

Domain-based Message Authentication, Reporting and Conformance is basically a combination of both of these, along with telling the recipient what to do with messages that fail. It also generates a daily report based on what it saw and what it did. I started off with "none", so I was just generating reports, but I could see that the messages that failed were coming from IPs like 190.20.8.106 (Montevideo, Mexico) and 209.50.98.67 (Greenville, South Carolina), so I stepped that up to "reject". You can specify the percentages to quarantine or reject, but I originally didn't see a problem with using 100%. Sadly "reject" caused problems with remailer lists.

The reports are generated in XML format and aren't really human readable (OK, they're short for me, but if I were sending more mail, it could be a problem). I forwarded the reports to DMARC Analyzer for a while; they provide some pretty graphics, but don't let you see the guts of the report. They started charging for it, and I didn't see it as worth paying for.

Instructions for setting it up on the Google are here.