Re: Use a non-web email client
Well, first off... Gmail's web client is actually pretty robust. Shows a lot more information without having to go into the weeds, so bravo for them. But only with respect to helping detect spam and fraudulent emails... otherwise, I don't touch the stuff except maybe once every six months to go clear out the mountain of spam in there and to keep my account active.
If only other MUAs (web or program) would show the 5321.Mail domain, it'd help a lot.
The real problem is mobile MUAs. There's just not enough screen real estate to provide a robust UI for sussing out bogus emails. Hell, mobile MUAs can't even get the UI to help users differentiate between Trash and Spam....
On to this article... now, not sure if this is new since it was published, but nodejs.org has a DMARC record... but it is just set for monitoring. Having monitoring is way better than no DMARC record, so.... I'm curious about the timeline now.
nodejs.org has a small SPF footprint - only has Google mail in their SPF record... but they have an -all at the end. Hopefully they know what they're doing. Typically domains with an -all at the end don't.
Looking at npmjs.com, they too have a DMARC record, and like nodejs.org, it's just monitoring... but looking at the number of third-party includes in npmjs.com's SPF record, looks like they have their work cut out for them before they can crank that up.
And yes, DKIM must be done too... But really, I wouldn't depend on DMARC if I didn't have both SPF and DKIM working perfectly for all emails. The reason is that either of these can break pretty easily with forwarding (hence why the -all in the SPF is dumb) or even going through a third-party spam filter... and the same with DKIM... it is very fragile.
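
Added example, not part of the comment above: a small Python check for the three things the comment reads off a domain's records, namely whether DMARC is monitoring-only (`p=none`), how many includes the SPF record carries, and which qualifier sits on `all`. The function names and the `example.*` records are constructed for illustration; only the top level of the SPF record is examined, nested includes are not resolved.

```python
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def dmarc_mode(record):
    """Classify a DMARC TXT record as 'monitoring', 'enforcing' or 'invalid'."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitoring"          # reports only, receivers take no action
    return "enforcing" if policy in ("quarantine", "reject") else "invalid"

def spf_summary(record):
    """Summarise the top level of an SPF record (nested includes are not resolved)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    includes, lookups, all_result = [], 0, None
    for term in terms[1:]:
        qualifier = "+"              # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.append(term.partition(":")[2])
        elif name == "all":
            all_result = QUALIFIERS[qualifier]
    return {"includes": includes, "lookups": lookups, "all": all_result}

# Constructed sample records (example.* names, not real published records).
DMARC_SAMPLE = "v=DMARC1; p=none; rua=mailto:reports@example.org"
SPF_SMALL = "v=spf1 include:_spf.mail.example.net -all"
SPF_LARGE = "v=spf1 include:a.example include:b.example include:c.example mx ~all"

if __name__ == "__main__":
    print(dmarc_mode(DMARC_SAMPLE))
    for spf in (SPF_SMALL, SPF_LARGE):
        print(spf_summary(spf))
```
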