Tell HN: Make sure to configure DKIM/SPF with Fastmail
48 points by whichdan on March 27, 2022 | 24 comments
I've been using Fastmail since 2007, so I haven't touched the DNS of several of my domains in years. All of my email has been getting flagged as spam by GMail recently, and it's likely because I never added DKIM/SPF records to my older domains. I know there are a bunch of old Fastmail users here so figured I'd do a quick PSA.



Not unique to Fastmail. Any domain that sends email should have DKIM/SPF/DMARC. SPF is quickly becoming irrelevant, but it is an easy configuration item.

Recommend mxtoolbox for validating configurations https://mxtoolbox.com/

Specifically send a test email to ping@tools.mxtoolbox.com and it will advise you of your current settings.

Dmarcian has good resources on DMARC specifically, and can act as an RUA report reader as a paid service. https://dmarcian.com/alignment/


When you manage your domains through Fastmail it does it automatically. I certainly haven't had to configure it myself.

There is a neat website to check your email settings that was on the HN front page earlier this year:

https://www.learndmarc.com/


Amusing :) Although I have to admit that I am even less sure after using that site. There doesn't seem to be an indication that DKIM "FAIL" in red is a good or bad thing after it attempted to spoof a domain I own. I assume it's good?


A spoofed message should FAIL DMARC. It could PASS DKIM if the signature came from a domain that is owned by the attacker. But DMARC will fail when the DKIM domain and the HEADER.FROM domain do not align.

Please read my blog here: https://www.uriports.com/blog/introduction-to-spf-dkim-and-d...

It will explain how SPF, DKIM, and DMARC work together to prevent spam.
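The alignment rule described in the comment above, as an added example that is not part of the original thread: a message passes DMARC only if SPF or DKIM passes for a domain aligned with the header From domain. The function names, the small suffix set and the sample domains are constructed for illustration.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# Assumption: the organizational domain comes from a tiny constructed suffix
# set; real receivers use the full Public Suffix List.
SUFFIXES = {"com", "org", "net", "co.uk"}  # constructed, not exhaustive


def org_domain(domain):
    """Registrable domain: the matched public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback for suffixes not in the sample set


def parse_tags(record):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict of lower-cased tags."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}


def aligned(auth_domain, from_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) compares org domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(from_domain, record, spf=None, dkim=()):
    """spf: (result, MAIL FROM domain) or None; dkim: [(result, d= domain), ...].
    Returns (verdict, policy the From domain requests when the verdict is fail)."""
    tags = parse_tags(record)
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(spf[1], from_domain, tags.get("aspf", "r")))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim)
    if spf_ok or dkim_ok:
        return ("pass", None)
    return ("fail", tags.get("p", "none"))


RECORD = "v=DMARC1; p=reject; rua=mailto:reports@example.com"  # constructed
# Spoof: SPF and DKIM both pass, but only for the sender's own domain.
SPOOF = dmarc_evaluate("example.com", RECORD, spf=("pass", "attacker.example"),
                       dkim=[("pass", "attacker.example")])
# Legitimate: DKIM-signed by a subdomain of the From domain (relaxed alignment).
LEGIT = dmarc_evaluate("example.com", RECORD, spf=("fail", "bounce.provider.example"),
                       dkim=[("pass", "mail.example.com")])
print("spoof:", SPOOF, "legit:", LEGIT)
```

With `adkim=s` in the record, the subdomain signature in the second case would no longer align, since strict mode requires an exact domain match.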


Not sure, I can't say I'm super familiar with this. Which I guess is part of the reason I'm having it configured through Fastmail.

This is the original submission where the link came from if it helps:

https://news.ycombinator.com/item?id=29869266


In general, never have an MX configured in your authoritative DNS zonefile without proper SPF and DKIM. Deliverability to outbound SMTP destinations will be very poor.

Not fastmail specific.


A side issue here is that if you don't have an MX record configured (say, you figured a domain isn't used for mail), it doesn't mean "we don't accept mail". You'll be surprised at how much spam ends up being directed at your apex A record, because according to the RFC that's where it goes in the absence of an MX record. Use

    MX 0 .

for such domains.


This is true of any mail service and is not at all unique to Fastmail.


Also add DMARC to the list as well, and make sure to warm up the domain again once you're done.


What does "warm up" mean in this case? Send a few emails?

Also, what policy do you recommend for DMARC: none, quarantine, or reject?


This is what mailgun recommends for warming up email / email reputation. https://www.mailgun.com/blog/domain-warmup-reputation-stretc...

If you're just starting out, start with none. Quarantine or reject needs to be carefully monitored over time.


DMARC: Set it as p=none and read your reports from the RUA tags.

Once you are confident that all the legitimate mail is aligned, then go straight to p=reject. Many will recommend quarantine, but it's better to have an email bounce back immediately vs silently get lost in a spam folder. Outside of troubleshooting there isn't much use for P=Quarantine in DMARC or '~all' in SPF.


~all in SPF is a different beast, since -all breaks forwards. There's still an unreasonably large amount of people heavily reliant on forwards, so I'd not go as far as to recommend ~all to people who are not 100% certain of the consequences.


Agreed, and thank you for the PSA.

This hit me a week ago. After a friend let me know, configuring DKIM/SPF did the trick in minutes.


I added DKIM/SPF over a year ago, and they still sometimes get flagged. It doesn't help that one sad/spiteful person marked it as spam in his Yahoo account (at least I was notified that someone did, and because I'm not actually a spammer, I quickly figured out who it was).


I have a custom domain on shared hosting, and apparently the hoster does not support DKIM.

Is that really bad?

I sent a mail from it to a gmail account, and it was not flagged as spam.

Also, when I send a mail from my university address, it says the DKIM user identifier does not match the From header.


This happened to me, starting a few days ago. It appears to be fixed after adding the DKIM/SPF records.


I know nothing about DKIM/SPF. Is there a reason this only applies to older Fastmail users?


Originally, Fastmail only had you add MX records. The DKIM/SPF change was more recent (as in, sometime in the past 16 years :) due to changing standards around email deliverability.


I noticed this recent change too. Deliberate degradation of service via competitors (Fastmail is objectively not a spam relay and I'm sure the folks at GMail know that) is just more fodder for the coming anti-trust case.


DKIM has been around for close to 2 decades now and Fastmail has been rolling it out by default since 2009 [1]. This change only affects Fastmail users who manage their own DNS rather than letting Fastmail manage it and either set it up a very long time ago or chose not to implement all the recommended settings.

Gmail's changes are not deliberately affecting Fastmail at all.

[1] https://fastmail.blog/historical/all-outbound-email-now-bein...


I signed up for Fastmail only 9 years ago, and my email started being sent to spam just this week.


Exactly. I've been using Fastmail for eleven years, and the records I had set up had been deemed sufficient for that long. They still are, for everyone else. Google just decided all on their own, without even any announcement (which I'm pretty sure I would have seen here and elsewhere), to start being extra-picky about something they had previously been fine with. It comes across as an excuse, not a sincere attempt to improve anyone's security or UX.


thanks



