
You can boil it down to this:

* SPF: Tell the world which servers are allowed to send email for your domain

* DKIM: Weak version of digitally signed email, add a header that only mailservers that have the private key you supply can generate. Tampering invalidates the signature (for example when an email gets relayed for a second time). The private key used counts for your whole domain.

* DMARC: Tells other mailservers what to do when the SPF and/or DKIM check fails, and also allows you to set an address where to send reports to. These reports contain counts of messages that failed the SPF and/or DKIM checks.



The thing missing is that DMARC ensures alignment with the From header as well which SPF and DKIM don’t do.

SPF is about the domain in the envelope address.

DKIM signatures can reference any DKIM selector on any domain.

But DMARC also checks that the domains used match the domain of the From header. DMARC passes when at least one of the two is aligned. It’s possible to require strict alignment (exact domain) or allow subdomains as well.


> DMARC: Tells other mailservers what to do when the SPF and/or DKIM check fails

It's only "and" in this statement. You can't use DMARC to tell mailservers what to do when only one of them fails, as DMARC passes if at least one passes. The report will say which ones pass or not though.
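The alignment rules described above (SPF is checked against the envelope domain, DKIM against the d= domain of the signature, and DMARC passes when at least one of them is aligned with the From header) as an added Python example; this is not code from the thread, and the org_domain helper approximates the organizational domain with the last two labels rather than the Public Suffix List that real implementations use. The domains in the sample cases are constructed.

```python
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Real DMARC evaluators use the Public Suffix List (assumption: simplified here)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) requires an exact match,
    'r' (relaxed) accepts any subdomain of the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResult:
    spf_pass: bool
    spf_domain: str   # domain of the envelope MAIL FROM that SPF was evaluated on
    dkim_pass: bool
    dkim_domain: str  # d= tag of the signature that verified (any domain, per the thread)


def dmarc_pass(res: AuthResult, from_domain: str, aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes if SPF passed AND its domain aligns with the From header,
    OR DKIM passed AND its d= domain aligns; one aligned pass is enough."""
    spf_ok = res.spf_pass and aligned(res.spf_domain, from_domain, aspf)
    dkim_ok = res.dkim_pass and aligned(res.dkim_domain, from_domain, adkim)
    return spf_ok or dkim_ok


# Constructed cases illustrating the points made in the thread.
CASES = {
    # Sender's own server, no DKIM: SPF alone is aligned, so DMARC passes.
    "direct": dmarc_pass(AuthResult(True, "example.org", False, ""), "example.org"),
    # Spammer with valid SPF and DKIM for example.net but From: example.org: no alignment.
    "spoofed_from": dmarc_pass(AuthResult(True, "example.net", True, "example.net"), "example.org"),
    # Forwarded mail: the forwarder's envelope breaks SPF, the surviving DKIM signature still aligns.
    "forwarded": dmarc_pass(AuthResult(False, "forwarder.example", True, "example.org"), "example.org"),
    # Bounce subdomain: aligned under relaxed mode, not under strict.
    "subdomain_relaxed": dmarc_pass(AuthResult(True, "bounce.example.org", False, ""), "example.org"),
    "subdomain_strict": dmarc_pass(AuthResult(True, "bounce.example.org", False, ""), "example.org", aspf="s"),
}
```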


...and everything you mention doesn't help shit for mitigation of spam because all spamming domains have SPF entries meanwhile, too. Which, by definition of its concept, can also be a lie that no receiving server cares about.

SPF, DKIM, DMARC are even more useless than the dbl protocol of spamhaus.

Also: this DMARC action is used for tracking whether or not an email was received, without the client of the receiving address needing to do any action.

So yep, it's also a privacy invasion.


>...and everything you mention doesn't help shit for mitigation of spam because all spamming domains have SPF entries meanwhile, too.

It does help stop false attribution of spam mail, though; spammer@example.net can't pretend to be sending mail from example.org.

It does lose its effectiveness when huge mail domains (e.g. GMail) can pump out so much spam, though, or when domains share email hosts (and therefore different tenants will be sending from the same IP addresses - another reason why IPv4 exhaustion is bad, isolation would work better with IPv6).


> Also: this DMARC action is used for tracking whether or not an email was received, without the client of the receiving address needing to do any action.
>
> So yep, it's also a privacy invasion.

Isn't it just the receiving mail SERVER acknowledging receiving the message? That says nothing about mailbox access or reading. I would not consider it a privacy invasion.

Most modern communication apps have a similar process of separating "sent", "received" and "displayed to user" which is super useful. Apart from the last part I would not consider them a privacy violation and you can usually turn that off. Similarly, if I download my mail to a local client, the server never knows if or when I read it and definitely not the sender.

But maybe I am missing your point, could you elaborate if that is the case?



