Change to Mail Infrastructure - SPF and DKIM verification will now be enforced

[Boudhayan Gupta]

Hi all,

I'm going recount a personal experience here. I have my own domain
(BaloneyGeek.com) and I use Google Apps for Business for my E-Mail.

A couple of months ago I shifted DNS providers and took the
opportunity to properly set up E-Mail verification and signing. Using
Google's documentation, I enabled SPF, and then tested. Then I enabled
DKIM and tested.

So far, everything was fine.

Then I enabled DMARC and all hell broke loose. Even though Google's
configuration checker gave me a green tick on DMARC configuration, I
couldn't send mail to any non Google-handled e-mail ID, without it
being sent to spam. I know this because I tested with one Windows Live
Mail (or whatever they call it these days) account and one Yahoo
account. Both of them had a history of receiving e-mails from me.

I would also get an XML file delivered to my inbox from every single
e-mail server that handled my mail, with stats of how many mails they
handled, how many passed auth, how many failed and how many were sent
to spam. Apart from the annoyance of receiving tens of these mails per
day, I noted that every single provider (other than Google) was
failing auth on all my mails and sending them to spam.

I dug around multiple docs (including RFC 7489, Google's docs, etc)
and couldn't find any configuration errors I'd made.

In they end I had to roll back DMARC (which took two days to propagate
across all DNS caches, btw), while keeping SPF and DKIM enabled.
Everything has been fine since then.

So here's my two cents - SPF **should** always be enabled, that's the
bare minimum you can do. DKIM enforces SPF using signing, so if you
guys can implement that well, awesome. But be very careful when
dealing with DMARC. From what I saw when I tried to set it up, no
e-mail provider other than Google knows what to do with it.

-- Boudhayan