Emails bounce back from Gmail.

@trevm999 Thank you, someone gets it. You need BOTH. The distinction is subtle, but critical.

@YeOldeStonecat There is a difference between publishing an authorized list of equipment, and digitally signing stuff so we know it came from an authorized device. It's possible to fail one or the other, and when that happens the mail should be rejected.

And the rest is exactly what I typed in, which is substantially different than what you mentioned before. But yes you're correct you need all 3 to be baseline configured these days.

Then this ARC thing showed up...

Now... if we could just figure out why Microsoft made SPF copy paste brain dead, but buried DKIM and ARC where no one would find it unless they knew to look AND make DKIM require so much TIME to implement. Push button, get records, wait 24 hours is just terrible.
The difference is subtle enough for me...to me they're both similar in function, different in approach. I still call DKIM "spf version 2". They all work together. I won't rely on one, or the other....I choose the team of all 3. And back to my original point...any IT person managing business email should have those in place. If they're not yet in place....stop eating, stop sleeping, stop going to the bathroom...and get them all done.

Re: "DKIM...so much time to implement". Uhm...jeeze, they vastly improved how you do it....it used to take a few minutes to set up. When is the last time you had to set one up? About a year..."ish"...maybe 2 ago...they really made it so easy a caveman can do it. It is indeed copy/paste now. No it is not over in the DNS records setup....yes it would be cool to have it there all in one spot. BUT...I can literally get it done in under 30 seconds once I'm logged into a tenant and logged into the domain's cPanel. Just type in DKIM in the 365 admin portal search bar...the correct page under security.microsoft.com comes up...which if you want to go there manually is under email & collab, policies & rules, threat policies, email auth settings. But save yourself 20 seconds of clicking and just type "DKIM" in the search.

Select the domain, slide button to enable...and it now presents a window to you that you can copy and paste into the DNS manglement of the domain. You're 99.9% done, the rest is just...waiting approx 30 minutes for "things to cook" in the background..and BOOM it's done. They did make it darned easy. Where's that red staples button?
 
to me they're both similar in function, different in approach.

Same here.

Yes, I am aware of the differences already mentioned, but the overarching umbrella they're under is the same. All of these have as their broad intended purpose "presenting credentials of authenticity" from the sending end to the receiving end. It's the exact hows that differ.

Just set 'em all up. How they do what they do is not the relevant part for most of us, what they do more broadly is.
 
"not even related to the same thing?" Who ****** in your cheerios? Are you seriously going to stand on a podium and try to say that?

@Sky-Knight doesn't seem to get that throwing insults around, in a group of technical professionals, when someone is giving a "bird's eye view" of a thing, rather than the nuts and bolts details, doesn't strengthen an argument. Nor does it encourage the people so targeted from accepting what's said, even when it's 100% accurate.

The old saw, "You catch more flies with honey than with vinegar," applies. Alienating your intended audience by being a prick is counterproductive.
@YeOldeStonecat @britechguy

You can say DKIM is SPFv2 but you'd be wrong.

One is an inventory.
The other is an authentication engine.

It's like trying to compare a username to an authentication token.

The former can be used to create or access the latter, but it doesn't have to. And yes, that technical gap is substantial enough to define them both as very different things. Understanding them as the same is dangerous.

The overly simplistic and correct view is that you need both in this case. If DKIM was SPF v2.0 we'd only need to concern ourselves with setting up DKIM. Without SPF, DKIM alone simply proves a system that has a key attached to it signed the mail. Now, this SHOULD indicate authorization better than SPF does. BUT without the public list provided by SPF there's no way for anyone to notice DKIM's key is compromised. That's why you need both. Together they form a solid authentication framework. Individually they both have holes.

And @britechguy You can not like how I communicate all you want, but this is absurd. StoneCat was lamenting ignorance of vendors that set up only SPF while conflating a related technology that's utterly different. One can and should make the case that deploying both is essential, but understanding both as the same thing, or even actively working in the same ways, is not.

Ignorance is ignorance, I'm going to call it out. If that's a personal insult to you then so be it.

@YeOldeStonecat It takes 24 hours for the DKIM error to clear after the DNS records are corrected out here. My process is the same as yours, you're waiting 30min, that's not enough. I've had one take TWO WEEKS!
Because you may interpret things differently is not my problem or concern. And equally I suppose...how I do, is not yours.
Regardless, I linked a link to an email security service that also 'splained it in English.

To me.....saying it's "v2"... well, it builds ON TOP of v1. That's how I look at it, not that it matters, done with this, my cheerios taste fine this week and my wife didn't kick me out of bed so I'll keep on a happy mood.
 
It takes 24 hours for the DKIM error to clear after the DNS records are corrected out here. My process is the same as yours, you're waiting 30min, that's not enough. I've had one take TWO WEEKS!

Where is the hold up on the ones that take so long? Is it the propagation of the DNS or the tenant not recognizing that those new DNS records exist? I do a few of these every month and I've not had one delay that I can remember. Admittedly, I see a lot of Cloudflare clients (super fast changes) so maybe I'm just lucky... Almost without fail, as soon as I see that the DNS propagation has completed, I go back to the tenant and flip the switch.
 
Where is the hold up on the ones that take so long? Is it the propagation of the DNS or the tenant not recognizing that those new DNS records exist? I do a few of these every month and I've not had one delay that I can remember. Admittedly, I see a lot of Cloudflare clients (super fast changes) so maybe I'm just lucky... Almost without fail, as soon as I see that the DNS propagation has completed, I go back to the tenant and flip the switch.

It depends... the one that took two weeks was a combination of DNS propagation delays, along with a crappy UI. But even if I have Cloudflare DNS in the mix, which changes near instantly I'm still waiting at least 12 hours before the switch in the M365 admin panel reports success.

Worse... if I push that button too soon, I swear it starts the timer all over again and I get to wait ANOTHER block of time. So I just set the DNS and come back tomorrow, that's always worked.
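As an added example (not from any post in this thread), here is a Python script that makes the "inventory vs. key" distinction argued above concrete and doubles as the check to run before flipping the M365 DKIM switch: it evaluates a sending IP against an SPF record and reports whether each DKIM selector (selector1/selector2, the names M365 uses) resolves through its CNAME to a published key. All DNS answers, the domain, the tenant name and the key material are constructed stand-ins; replace the stub table with a real resolver to use it.

```python
import ipaddress
# Constructed stub of DNS answers (not real records); a live check would call a resolver.
STUB_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("selector1._domainkey.example.com", "CNAME"):
        ["selector1-example-com._domainkey.example-tenant.onmicrosoft.com"],
    ("selector1-example-com._domainkey.example-tenant.onmicrosoft.com", "TXT"):
        ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...PLACEHOLDER"],
    # selector2 is deliberately absent: that DNS change has not propagated yet.
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return STUB_DNS.get((name.lower(), rtype), [])

def spf_result(domain, ip, depth=0):
    """SPF is an inventory: match the sending IP against ip4/ip6/include/all terms."""
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if len(records) != 1 or depth > 10:   # RFC 7208: one record; bound the include recursion
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:    # a/mx/exists terms are not modelled here
        qual = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "include" and spf_result(arg, ip, depth + 1) == "pass":
            return QUALIFIERS[qual]
        if name == "all":
            return QUALIFIERS[qual]
    return "neutral"

def dkim_selectors_ready(domain, selectors=("selector1", "selector2")):
    """DKIM is a key: a selector is usable only once its record resolves to a v=DKIM1 key."""
    status = {}
    for sel in selectors:
        name = f"{sel}._domainkey.{domain}"
        for _ in range(5):                 # follow the CNAME chain that M365 publishes
            cname = lookup(name, "CNAME")
            if not cname:
                break
            name = cname[0]
        txt = [r for r in lookup(name, "TXT") if r.startswith("v=DKIM1")]
        tags = dict(t.strip().split("=", 1) for t in txt[0].split(";") if "=" in t) if txt else {}
        status[sel] = bool(tags.get("p"))  # an empty p= tag means the key was revoked
    return status

if __name__ == "__main__":
    print(spf_result("example.com", "198.51.100.7"), dkim_selectors_ready("example.com"))
```

Until the DKIM check reports both selectors as ready, the tenant-side "enable" button has nothing to verify against, which is the situation the waiting game above describes.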