Notices by Taylor R Campbell (riastradh@mastodon.sdf.org)

@steve @ryanc Probably has this UTF-8 decoder instead of a vectorized one so it doesn't interfere with the AVX unit which is busy doing LLM computations to analyze your culinary choices with food2vec for targeted advertising.

It's gotta do a lot of computation to generate heat, but as an induction stove it also has to be responsive to the controls so it had better make responsible use of the different computational units in its CPU (cooking processing unit).

@dalias Caveat: Gotta remember to make the signature the cover X-DKIM-Private-Key header field! Otherwise the leaker could just strip it off.

(Also, I suspect that if a lot of senders started doing this, Google might not find the idea as amusing as you and I do!)

2/3. The domain of the envelope sender you use must have SPF policy in the DNS that doesn't exclude your mail server's IP address, like:

example.com. IN TXT "v=spf1 ?all"

If your mail server is at, say, 198.51.100.42, you might improve odds of delivery by including it explicitly:

example.com. IN TXT "v=spf1 ip4:198.51.100.42 ?all"

(This one isn't new—you probably already had to do this a long time ago.)

3/3. The domain of your ”From: ...@example.com” header fields must have a DMARC policy in the DNS, like:

_dmarc.example.com. IN TXT "v=DMARC1; p=none"

And as a reward for all your hard work to implement this rigmarole, this will do absolutely nothing to reduce anyone's spam!

At best, you can tighten the SPF and DMARC policies to restrict phishing attempts made using your domain, but there are foot-guns…

Bonus: DKIM creates a leak incentive because the mail server cryptographically attests to every message you write, in signatures that anyone in the world can verify—even on private messages not meant for public consumption.

So you might want to rotate your DKIM keys and publish the old ones periodically:

https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/

How can you use this to shoot yourself in the foot and make your mail undeliverable to Goohoo! users?

- skip DKIM signature
- exclude your IP from SPF policy
- send mail where “From” doesn't match sender or DKIM domain—e.g., write to a mailing list that forwards your message—and set “p=quarantine” or “p=reject” in DMARC

You can also inundate yourself with extra mail from your recipients by adding “rua=mailto:postmaster@example.com”, because who doesn't thirst for more mail?

Do you run a mail server, or own a domain example.com that you send mail from?

PSA about the Coming DKIMpocalypse on Thursday when Google and Yahoo tighten mail rules:

https://support.google.com/a/answer/81126?hl=en
https://senders.yahooinc.com/best-practices/

1/3. The mail server must sign outgoing mail with DKIM. You generate a key pair called “foo” (e.g., with opendkim-genkey), configure your mail server to use it, and publish the public key in the DNS like:

foo._domainkey.example.com. IN TXT (
"v=DKIM1; k=rsa; "
"p=..."
)