Reply to post: Re: WTF? / "But if people encrypt their emails then how will GCHQ be able to read them"

National Cyber Security Centre boss: For the love of $DEITY, use 2FA on your emails, peeps

allan wallace

Re: WTF? / "But if people encrypt their emails then how will GCHQ be able to read them"

DKIM is NOT "encrypting emails" it is simply DIGITALLY SIGNING THEM using a public key.

SPF says (or can say) "these servers are allowed to send my emails, everything else cannot" ( -all )

DMARC says "if an email passes SPF and DKIM checks, it's genuine, otherwise do x, y, or z."

The issue with uptake of SPF, DKIM and DMARC is primarily that I.T. people who understand it seem to have difficulty explaining it to a layman, or implementing it...

e.g.

www.microsoft.com

not only does your www. lack an SPF record, but your DMARC policy at microsoft.com does not contain an "sp=" value, so it DOES NOT apply to ANY subdomains of www.microsoft.com

- so you (or a malicious third party) could send emails from any address ending @www.microsoft.com - because they cannot be validated as genuine...

If Microsoft added "sp=reject;" to their DMARC record it would fix this. (sp is subdomain policy!)

e.g.2

www.apple.com

is no better - in fact their DMARC record is worse: "p=none;"

(p is "policy" - i.e. the primary domain policy - and "none" is no policy at all)

e.g.3

www.ubuntu.com is worst.

Letting the side down guys.

With DKIM the emails remain in plain text and the sending server uses a private key to digitally sign the email in such a way that the receiving server can mathematically compare the digital signature against a public key that the sender's domain has published as a TXT record in that domain's public DNS records.

If the sending domain also has a strict(ish) SPF record and publishes a DMARC record then those emails can (in some cases) automatically be validated as genuine.

(DMARC is essentially a policy - published as another TXT record in the sending domain's DNS - that can* provide instructions to the receiving server on how to AUTOMATICALLY handle emails that pass or fail SPF, or DKIM or SPF & DKIM checks. The DMARC policy can also enable a (DMARC compliant) receiving server to report back email successes and failures - i.e. you can find out AUTOMATICALLY if people are spoofing your emails.)

Unlike SPF, DMARC can also apply to a subdomain of the domain at which the DMARC record is stored - as long as the "sp=" modifier is set.

SPF is another matter. If you have a www.something.com A record but DO NOT have an SPF record that matches the name of that subdomain, then there is NO SPF applying to that subdomain and people can spoof your emails.

This is the tip of the iceberg.
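An added example (not code from the comment above) that checks SPF and DMARC TXT records for the weaknesses the comment describes: a soft or missing SPF "all" qualifier, a DMARC "p=none" policy, and a DMARC record with no explicit "sp=" subdomain policy. The record strings are constructed here; a real check would fetch the TXT records for the domain and for _dmarc.<domain> from DNS.

```python
"""Check SPF and DMARC records for weak settings.
Constructed example; records below are not any real domain's records."""
import re

# Constructed sample records (example.net / example.com are reserved names).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Findings for an SPF record; the trailing 'all' mechanism decides
    what a receiver does with senders the record does not list."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    match = re.search(r"(?:^|\s)([+~?-]?)all\s*$", record, re.IGNORECASE)
    if match is None:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = match.group(1)
    if qualifier in ("", "+"):
        return ["'+all' authorises every host to send as this domain"]
    if qualifier in ("~", "?"):
        return [f"'{qualifier}all' does not reject; '-all' would reject unlisted senders"]
    return []  # '-all': unlisted senders fail SPF


def check_dmarc(record):
    """Findings for a DMARC record: weak p= and no explicit sp=.
    Per RFC 7489 a missing sp= means subdomains inherit the p= value."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: failing mail is not rejected")
    if "sp" not in tags:
        findings.append("no explicit sp=; subdomains inherit p (set sp=reject)")
    elif tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp']}: failing subdomain mail is not rejected")
    return findings
```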
