Hacker News new | past | comments | ask | show | jobs | submit login

What about only explicitly allowing domains that have DKIM enabled?

Having that form of validation should help since DKIM was made to specifically stop email spoofing; and anyone serious about implementing Portier would understand that need.

Outlook/Gmail etc aren't likely to be flagged by ESP's for the most part as those have reputation and rudimentary spoofing protection, at least more than a@a.com anyway.

Persons using custom domains are usually the admins of those domains, and Office 365/GApps/Registrars etc. provide simple ways to enable DKIM.

In response to your other (dead) comment, "SPF" records actually are TXT records.

In the past, there was an SPF RR type but that's been deprecated.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact