No DMARC in this day and age!?!?
That's just like theregister.co.uk
and let's not mention the issues with SPF...
Incidentally while the password reset emails are not signed with DKIM,
they are at least delivered with TLS...
26 posts • joined 8 Jun 2007
IANAL... but unless I'm mistaken...
a continuous 12 day period falls within a 14 day period,
with a period of 24 hours rest on day 1 and day 14...
thus the first 6 days of work fall within a 7 day period with 24 hours rest on the first day, and the last 6 days fall within a 7 day period with 24 hours rest on day 7....
Feel free to hide this post until you have resolved the issues with your DNS records.
On the subject of SPF:
tescobank.com doesn't have SPF,
tescobank.com DOES have DMARC (nothing about strictness of aspf or adkim...)
tescobank.com DOES NOT have PCI DSS compliant MX
- thought this was a requirement for a bank?...
theregister.co.uk DOES have SPF - but it's broken: "too many DNS lookups" and two a: mechanisms that point to FQDNs that don't have any A records....
theregister.co.uk DOES NOT have PCI DSS compliant MX
theregister.co.uk DOES NOT have DMARC
forums.theregister.co.uk DOES NOT have DMARC or SPF
openspf.org has a good guide about the 10 DNS lookup limit
- near the bit about reducing the risk of DoS attacks.
To fix TheRegister's SPF record, remove the following:
(you don't need this! - your mx are google and you include:_spf.google.com .......)
(no a record published in DNS)
(no a record published in DNS)
You could simply use "a" if you wanted to allow future domains without having to publish each individual one, but please remember:
EACH SUBDOMAIN REQUIRES ITS OWN SPF RECORD.
KEEP -all on the end, it's a good bit.
Have you considered DMARC, DKIM, DNSSEC and DANE?
Would you like a quote?....
- one of my favourites is "lobbest thou thy Holy Hand Grenade"
TheRegister's password reset page allows the enumeration of registered email addresses (different message given if email address is not registered....)
- you might want to take a closer look at this too, I think it was a DPA issue, and I'm pretty sure GDPR could say similar.
Re: "It's still legal to go through rubbish I think."
- it's not been legal for a very long time - have a quote:
"One precedent-setting example from 1877 was the case of a diseased buried pig. According to legal text Archbold's Pleading, Evidence, and Practice in Criminal Cases, even if someone discards something and does not intend to use it again, they can retain ownership of it."
DKIM is NOT "encrypting emails" it is simply DIGITALLY SIGNING THEM using a public key.
SPF says (can say) "these servers are allowed to send my emails, everything else cannot (-all)".
DMARC says "if an email passes SPF and DKIM checks, it's genuine, otherwise do x, y, or z".
The issue with uptake of SPF, DKIM and DMARC is primarily that I.T. people that understand it seem to have difficulty explaining it to a layman, or implementing it....
not only does your www. lack an SPF record but your DMARC policy at microsoft.com does not contain an "sp=" value, so DOES NOT apply to ANY subdomains of www.microsoft.com
- so you (or a malicious third party) could send emails from any address ending in @www.microsoft.com - because they cannot be validated as genuine....
If microsoft added "sp=reject;" to their DMARC record it would fix this. (sp is subdomain policy!)
is no better - in fact their DMARC record is worse. "p=none;"
(p is "policy", i.e. the primary domain policy; "none" is no policy at all)
www.ubuntu.com is worst.
Letting the side down guys.
With DKIM the emails remain in plain text and the sending server uses a private key to digitally sign the email in such a way that the receiving server can mathematically compare the digital signature against a public key that the sender's domain has published as a TXT record in that domain's public DNS records.
If the sending domain also has a strict(ish) SPF record and publishes a DMARC record then those emails can (in some cases) Automatically be validated as genuine.
(DMARC is essentially a policy - published as another TXT record in the sending domain's DNS - that can* provide instructions to the receiving server on how to AUTOMATICALLY handle emails that pass or fail SPF, or DKIM or SPF & DKIM checks. The DMARC policy can also enable a (DMARC compliant) receiving server to report back email successes and failures - i.e. you can find out AUTOMATICALLY if people are spoofing your emails.)
Unlike SPF, DMARC can also apply to a subdomain of the domain at which the DMARC record is stored - as long as the "sp=" modifier is set.
SPF is another matter. If you have a www.something.com A record but DO NOT have an SPF record that matches the name of that subdomain, then there is NO SPF applying to that subdomain and people can spoof your emails.
This is the tip of the iceberg.
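The two SPF defects called out in the earlier post (a record that blows the 10-DNS-lookup limit, and a: mechanisms pointing at names with no A record) plus the point above that a subdomain gets no SPF unless it publishes its own, as an added Python example that is not part of the original posts. It runs against a constructed in-memory DNS table with invented names; nothing in it is the real record of theregister.co.uk or any other domain in the thread.

```python
import re

# Constructed, offline stand-in for DNS: hostname -> record type -> values.
# Every name and record is invented for illustration; none are the real
# records of theregister.co.uk or any other domain mentioned in the thread.
FAKE_DNS = {
    "example.com": {
        "TXT": ["v=spf1 mx a a:mail.example.com a:old.example.com "
                "include:_spf.mailhost.example include:_spf.crm.example -all"],
        "MX": ["mx.mailhost.example"], "A": ["198.51.100.10"]},
    "mail.example.com": {"A": ["198.51.100.25"]},
    "old.example.com": {},                        # stale hostname: no A record
    "www.example.com": {"A": ["198.51.100.80"]},  # no TXT: no SPF of its own
    "_spf.mailhost.example": {"TXT": ["v=spf1 include:_nb1.mailhost.example "
                              "include:_nb2.mailhost.example include:_nb3.mailhost.example ~all"]},
    "_spf.crm.example": {"TXT": ["v=spf1 include:_nb1.crm.example include:_nb2.crm.example ~all"]},
}
for nb in ("_nb1.mailhost.example", "_nb2.mailhost.example", "_nb3.mailhost.example",
           "_nb1.crm.example", "_nb2.crm.example"):
    FAKE_DNS[nb] = {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]}  # ip4 costs no lookup

# Terms that cost a DNS query; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_record(name):
    """Return the v=spf1 TXT record published at exactly this name, or None."""
    txts = [t for t in FAKE_DNS.get(name, {}).get("TXT", []) if t.startswith("v=spf1 ")]
    return txts[0] if len(txts) == 1 else None

def lint_spf(domain, _depth=0):
    """Return (dns_lookups, problems) for the SPF record at domain, recursing
    into include/redirect targets the way a receiving server would."""
    record = spf_record(domain)
    if record is None:
        return 0, [f"{domain}: no SPF record (a subdomain never inherits its parent's)"]
    lookups, problems = 0, []
    for term in record.split()[1:]:
        mech, target = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term).groups()
        if mech in LOOKUP_TERMS:
            lookups += 1
        if mech in ("include", "redirect"):
            sub_lookups, sub_problems = lint_spf(target, _depth + 1)
            lookups, problems = lookups + sub_lookups, problems + sub_problems
        elif mech == "a" and not FAKE_DNS.get(target or domain, {}).get("A"):
            problems.append(f"{domain}: a:{target or domain} has no A record, so it can never match")
    if _depth == 0 and lookups > 10:
        problems.append(f"{domain}: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    if _depth == 0 and not record.endswith(" -all"):
        problems.append(f"{domain}: record does not end in -all")
    return lookups, problems
```

Running `lint_spf("example.com")` reports 11 lookups and the dead a:old.example.com target, while `lint_spf("www.example.com")` shows the subdomain has no SPF at all despite its parent having one.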
but increased carbon emissions (at least in the form of co2) could lead to global greening - where plant life can grow more efficiently as a result - so surely reducing carbon emissions would have the opposite effect?...
As an example, the carbonatite emissions of the Volcano of Ol Doinyo Lengai in Africa have an interesting effect:
"The carbonatite ash spread over the surrounding grasslands leads to a uniquely succulent, enriched pasture. This makes the area a vital stage on the annual wildebeest migration, where it becomes the nursery for the birth of several thousand calves."
(and whilst I don't always treat wikipedia without a pinch of salt, in this case there is the science to back it up)
This is such an inconsequential amount I can't see the Tories gaining any votes with this policy. Why can't they just talk about REAL policy, like putting an upper limit on local government wages, and limiting local government pensions to a reasonable amount.
Quote "Plutonium is actually pretty safe, you can even handle it safely for short periods of time as it only really throws out alpha particles"
Don't forget plutonium is actually VERY POISONOUS even if it's not, radioactively speaking, that dangerous.
and if you dropped it on your toe and didn't have safety boots on, it could really hurt....
Biting the hand that feeds IT © 1998–2021