[dmarc-discuss] Suggested DMARC policy for PEC (Italian certified e-mail)

Denis Salicetti denis at salicetti.it
Thu Feb 22 12:27:08 PST 2018


Hi guys,
I think I can consider both suggestions, but I need to know whether what I
have in mind is a good solution.

As I already said, I set up SPF, DKIM and DMARC for salicetti.it (Google is
the standard email provider) and the current policy is (sp=reject; p=reject).

The PEC email provider (obviously not Google but another one certified by
the government) told me that I can set up an SPF record for the sub-domain
pec.salicetti.it but no DKIM.

That said, I've been thinking of proceeding this way:

   1. keep (sp=reject; p=reject) for salicetti.it to keep sub-domains
   closed and safe.
   2. publish an explicit SPF record for pec.salicetti.it as suggested by
   the PEC email provider (v=spf1 include:pec.spf.kqi.it -all).
   3. publish an explicit DMARC record for pec.salicetti.it (v=DMARC1;
   p=reject; pct=100; fo=1; rua=xxx at zzz.yy; ruf=xxx at zzz.yy;).

Is this a good solution? More suggestions?

*Denis Salicetti <http://linkedin.salicetti.it/>*

2018-02-15 16:47 GMT+01:00 Al Iverson via dmarc-discuss <
dmarc-discuss at dmarc.org>:

> On the flip side of that, you might want to consider implementing p=reject
> on the PEC sub-domain, since perhaps you don't want to deliver mail
> claiming to be PEC mail if authentication fails. Wouldn't the three primary
> reasons for DMARC failure be DKIM signature mangling, email forwarding, or
> spoofing? Only one of those (email forwarding) is likely to be legit/safe
> messages.
>
> Cheers,
> Al Iverson
>
> On Thu, Feb 15, 2018 at 9:40 AM, Todd Weltz via dmarc-discuss <
> dmarc-discuss at dmarc.org> wrote:
>
>> Hi Denis,
>>
>> For now, rather than leaving all sub-domains open, I would recommend
>> publishing an explicit record for pec.salicetti.it with a p=none and
>> setting salicetti.it back to sp=reject.  This will put the reject policy
>> back in place for all other potential sub-domains, but the explicit record
>> for pec.salicetti.it will mean that it will not inherit the sub-domain
>> policy from salicetti.it
>>
>> It sounds like deliverability is absolutely critical on these messages so
>> possibly you wouldn't move forward with a stronger DMARC policy on this
>> sub-domain.  But potentially you could check with the Certified Email
>> Provider to see if they have options to authenticate the mail.
>>
>> Regards,
>> Todd Weltz
>>
>> On Thu, Feb 15, 2018 at 9:02 AM, Denis Salicetti via dmarc-discuss <
>> dmarc-discuss at dmarc.org> wrote:
>>
>>> Hi,
>>> I need a suggestion about a particular thing.
>>>
>>> In Italy, there is a "special" type of e-mail called PEC (certified
>>> e-mail). This is the equivalent of a traditional registered mail with
>>> return receipt. It is mandatory for all companies (legal stuff between them
>>> or government). Basically, you get an electronic receipt every time a
>>> message has been received by recipient's domain server (as a proof that you
>>> got the message). More info here:
>>> https://en.wikipedia.org/wiki/Certified_email
>>>
>>> The address format must be email at pec.domain.it
>>>
>>> I always used this configuration for salicetti.it (sp=reject; p=reject)
>>> with no problem, but now I have to decide what to do for
>>> pec.salicetti.it. For the moment I've changed it to (sp=none;
>>> p=reject).
>>>
>>> That said, I would like to know how to correctly set up the DMARC policy
>>> for this subdomain (pros and cons). What do you suggest? Have any Italian
>>> members of this list done that so far?
>>>
>>> I'm looking forward to your kind reply.
>>>
>>> Best regards.
>>>
>>> Denis Salicetti
>>>
>>> _______________________________________________
>>> dmarc-discuss mailing list
>>> dmarc-discuss at dmarc.org
>>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>>
>>> NOTE: Participating in this list means you agree to the DMARC Note Well
>>> terms (http://www.dmarc.org/note_well.html)
>>>
>>
>>
>>
>> --
>> Todd Weltz, Customer Success Engineer
>> tweltz at agari.com | M: 416.471.8633 | www.agari.com
>> Changing Email Security For Good
>>
>
>
>
> --
> al iverson // wombatmail // miami
> http://www.aliverson.com
> http://www.spamresource.com
>
>
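An added example (not part of the thread and not any poster's code): how a receiver selects the DMARC policy for pec.salicetti.it under the three configurations discussed above, and what an SPF-only sender gets under each. The zone contents are constructed from the values quoted in the messages; the organizational domain is passed in rather than derived from a public suffix list, and `pct` is ignored.

```python
# Added example: simplified DMARC policy discovery (RFC 7489), SPF-only sender.
# Zone contents below are constructed from the values quoted in the thread.
ZONE_INTERIM = {"_dmarc.salicetti.it": "v=DMARC1; p=reject; sp=none"}
ZONE_P_NONE = {"_dmarc.salicetti.it": "v=DMARC1; p=reject; sp=reject",
               "_dmarc.pec.salicetti.it": "v=DMARC1; p=none"}
ZONE_P_REJECT = {"_dmarc.salicetti.it": "v=DMARC1; p=reject; sp=reject",
                 "_dmarc.pec.salicetti.it": "v=DMARC1; p=reject; pct=100; fo=1"}

def parse_tags(record):
    """Parse 'v=DMARC1; p=reject; sp=none' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def effective_policy(from_domain, org_domain, zone):
    """Return (policy, record name). zone maps '_dmarc.<domain>' -> TXT value."""
    own = zone.get("_dmarc." + from_domain)
    if own:  # an explicit record on the From domain wins; sp= is not inherited
        return parse_tags(own).get("p", "none"), "_dmarc." + from_domain
    org = zone.get("_dmarc." + org_domain)
    if org is None:
        return None, None
    tags = parse_tags(org)
    if from_domain != org_domain:  # sub-domain: use sp=, falling back to p=
        return tags.get("sp", tags.get("p", "none")), "_dmarc." + org_domain
    return tags.get("p", "none"), "_dmarc." + org_domain

def aligned(domain, org_domain):
    """Relaxed alignment: the domain shares the organizational domain."""
    return domain == org_domain or domain.endswith("." + org_domain)

def disposition(from_domain, org_domain, zone, spf_result, mail_from_domain):
    """No DKIM signature: DMARC passes only if SPF passes AND is aligned."""
    policy, _ = effective_policy(from_domain, org_domain, zone)
    dmarc_pass = spf_result == "pass" and aligned(mail_from_domain, org_domain)
    return "deliver" if dmarc_pass or policy in (None, "none") else policy

if __name__ == "__main__":
    for name, zone in [("interim", ZONE_INTERIM), ("p=none", ZONE_P_NONE),
                       ("p=reject", ZONE_P_REJECT)]:
        print(name, effective_policy("pec.salicetti.it", "salicetti.it", zone),
              disposition("pec.salicetti.it", "salicetti.it", zone,
                          "fail", "pec.salicetti.it"))
```

With no DKIM signature, SPF is the only path to a DMARC pass, so under the explicit `p=reject` record a message whose SPF check fails after forwarding, or whose envelope sender is outside salicetti.it, is rejected.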