allanwallace.uk : Blog

20200814:

theregister.co.uk is now a .com

- but they still have a broken SPF record at the .co.uk
(different errors now from when I 1st (and 2nd) reported it to them in 2018...)

- and they now have a broken SPF record at the .com too.

They could confirm this with the author of RFC 7208's SPF Record Testing Tools at:
https://www.kitterman.com/spf/validate.html

- but I guess they must have been busy... Maybe one day they will fix it?

Please theregister.co.uk and theregister.com fix your SPF records.
Why not read the NCSC Guidance too?...
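
An added example, not code from this blog or from the testing tool linked above: an offline check for a few ways an SPF record can break under RFC 7208 (more than one record, a misspelt mechanism, terms placed after `all`, too many DNS-querying terms). The function name `lint_spf` and every sample record are constructed for illustration and say nothing about what is actually wrong with any real domain's record.

```python
import re

# Terms that each cost one DNS query during evaluation (RFC 7208 section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MECHANISMS = LOOKUP_MECHANISMS | {"all", "ip4", "ip6"}
NEEDS_ARGUMENT = {"include", "exists", "ip4", "ip6"}
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.\-]*)([:=/].*)?$")


def lint_spf(txt_records):
    """Return a list of problems in a domain's TXT record set. Makes no DNS queries."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records: permerror (RFC 7208 section 4.5)"]
    problems, lookups, seen_all = [], 0, False
    for term in spf[0].split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            problems.append(f"unparseable term: {term}")
            continue
        name, arg = m.group(2).lower(), m.group(3) or ""
        if arg.startswith("="):  # modifier; unknown ones are ignored by receivers
            lookups += name == "redirect"
            continue
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism: {term}")
            continue
        if name in NEEDS_ARGUMENT and not arg.startswith(":"):
            problems.append(f"missing argument: {term}")
        if seen_all:
            problems.append(f"never evaluated, follows 'all': {term}")
        seen_all = seen_all or name == "all"
        lookups += name in LOOKUP_MECHANISMS
    # Only this record's own terms are counted; included records add more.
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying terms, limit is 10")
    return problems


# Constructed records for illustration; none is copied from a real domain.
SAMPLES = {
    "ok": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "typo": ["v=spf1 ipv4:192.0.2.1 -all"],
    "late": ["v=spf1 -all mx"],
    "dup": ["v=spf1 mx -all", "v=spf1 a -all"],
    "many": ["v=spf1 " + " ".join(f"include:s{i}.example.net" for i in range(11)) + " -all"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, lint_spf(records))
```

A clean result here only means the record's own text is well formed; a full validator also resolves each `include` and `redirect` and counts their lookups.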



I'm not great at this blogging thing, I have other things on my mind - what can I say?
- This looks like a changelog.


Previously I wrote some text-heavy beginner's guides

A beginners guide to SPF
Sender Policy Framework

A beginners guide to DKIM
DomainKeys Identified Mail

A beginners guide to DMARC
Domain-based Message Authentication, Reporting & Conformance


and some information about potential email related issues...

Microsoft Office365 Mailservers with no dns / no rdns
DNS / rDNS are ways of proving that a mailserver exists AND that the mailserver is the mailserver it says it is...
It appears not all Office 365 mailservers comply with the RFCs in this case.


Office 365 mailhop SPF - a small problem
If you use Office 365 AND mailhop and are having problems sending emails this may be a solution.


Most Recently

20190623:

• Enforced encryption for email delivery to my mx.
I believe under GDPR it is required to protect PII data ("Secure by design" / "Secure by default")
(Articles 25(1) and 25(2) of GDPR)
- and PII data is typically inside of emails.
- therefore I feel it is necessary to ensure that email delivery is via TLS at a minimum
- and ideally TLSv1.2 at that.

Apple, Google and others are likely to deprecate support for TLSv1.1 in March 2020, I may as well be ready for that now.
As for the SMTP RFCs, well, ok my mx no longer comply in that area, and I feel that the RFCs should be updated so that they no longer require internet facing servers to accept unencrypted email delivery.
This is already impacting on email delivery to me, luckily this mostly seems to involve a reduction in SPAM.

• Started working on the forthcoming TLS hall of shame...
I get really bored with 3rd party mailserver administrators trying to tell me that TLSv1.0 as the highest encryption standard their mx support is acceptable...
- If I've raised this issue with you, and you ignore me, you are going to end up on this list after an appropriate period of time has lapsed.


20190622:

• Made some further minor improvements to my Tools
- primarily removing vulnerabilities I had unintentionally introduced
- confirmation it is wise to test for these things...

• Started considering disabling DANE for some domains I have enabled it on.
- more consideration required.


20190615:

• Made some minor improvements to my Tools
- but unfortunately they only have partial IPv6 support, which is still a work in progress.

• Fixed DANE (temporarily) for three of my subdomains and made some minor changes to look and feel of a few pages.
- if you don't know what it is, DANE uses DNSSEC to help prove DNS records are genuine.


Last Updated 2022/04/12 21:50 CET.


© 2020 Allan Wallace