Fix #1228 - Separate DNS docs and add notes on MX, FCrDNS/SPF/DKIM/DMARC #1298
Conversation
example.com. TXT "v=spf1 a -all" ; The "a" mechanism is needed for the mail test (see rfc7208, section-2.3). | ||
_domainkey.example.com. TXT "v=DKIM1; p=" ; empty DKIM to score 100% for this non-sending subdomain that does have SPF "a" mechanism which is needed for mail test. | ||
_dmarc.example.com. TXT "v=DMARC1; p=reject; sp=reject;" |
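Review bot: the DKIM line is published at the bare `_domainkey.example.com.` label, which is not the name a verifier queries (it looks up `<selector>._domainkey.example.com.` for the `s=` in the signature), so as written the record only satisfies an existence probe and the inline comment should say so plainly; if the intent is for any selector lookup to resolve, publish it at `*._domainkey.example.com.` instead. The inline comments on the SPF and DKIM lines are also longer than the records themselves; a short pointer to a paragraph above the block would keep the zone snippet readable.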
sp=reject can be removed (since p=reject is already present); is it a best practice to be explicit?
@baknu?
Yes, it is not needed. However, I believe it is good to be explicit for subdomains here, also because someone who sets up their own instance might choose to have a more relaxed general DMARC policy ("quarantine"), e.g. when they start sending 'helpdesk mail' from the instance domain.
documentation/Docker-DNS.md
Outdated
For a domain that does not otherwise send email, use: | ||
example.com. TXT "v=spf1 a -all" ; The "a" mechanism is needed for the mail test (see rfc7208, section-2.3). | ||
_domainkey.example.com. TXT "v=DKIM1; p=" ; empty DKIM to score 100% for this non-sending subdomain that does have SPF "a" mechanism which is needed for mail test. |
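Review bot: the lead sentence "For a domain that does not otherwise send email, use:" contradicts the record under it, which authorises the host's own A address with `v=spf1 a -all` (the inline comment itself says the `a` mechanism is needed for the mail test). A reader with a truly non-sending domain will copy `a -all` when `v=spf1 -all` is the record they want. Rephrase the lead to say that the instance host must be allowed to send for the mail test to work, and note that `-all` alone is the right SPF record for a domain that never sends.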
Maybe better to use *._domainkey? (See https://www.cloudflare.com/learning/dns/dns-records/protect-domains-without-email/.)
Yes, although not necessary, we could do so. I will also change this in our own DNS (https://github.com/internetstandards/internet.nl-DNS-zone-file/issues/85).
Note that it is more or less a vanity record to score 100% for the instance domain in the mail test itself. (Note that the instance domain does need the "a" in the SPF record for the mail test to work. Therefore, the Internet.nl mail test does not see the instance domain as a non-sending domain and requires a DKIM record.)
Furthermore, note that M3AAWG previously promoted *._domainkey for parked domains. However, they have since changed their advice to not publishing a DKIM record at all for parked domains. The latter is in line with our own advice (https://internet.nl/mail/example.nl/1176003/#control-panel-9). For the M3AAWG docs see:
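The two points argued in this thread (that `sp=` falls back to `p=` for subdomains, so being explicit only matters once the general policy is relaxed, and that a DKIM verifier queries `<selector>._domainkey.<domain>`, which a wildcard satisfies but a record at the bare `_domainkey` label does not) are easier to see by running a verifier's lookups over a small zone. The following is an added example, not code from the PR or from the internet.nl project; the zone contents are constructed, the organizational domain is passed in rather than derived from the public suffix list, and the SPF evaluator only implements the `a` and `all` mechanisms used in the PR's record.

```python
"""Added example (not part of the PR or the internet.nl code base): an offline
resolver over a constructed zone, showing what SPF, DKIM and DMARC verifiers
see for the records discussed in the review.

Assumed simplifications:
- wildcard matching replaces one leading label with "*." (not full RFC 1034 rules);
- SPF: only the "a" and "all" mechanisms, IPv4, no include/redirect/ip4;
- DMARC: the organizational domain is an explicit argument (RFC 7489 s3.2 uses
  the public suffix list to derive it).
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone. example.com mirrors the PR snippet with the wildcard DKIM
# label proposed in review; example.org has a relaxed p= with a stricter sp=;
# example.net has p= only, so sp= falls back to p=.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com.", "A"): ["192.0.2.10"],
    ("example.com.", "TXT"): ["v=spf1 a -all"],
    ("*._domainkey.example.com.", "TXT"): ["v=DKIM1; p="],
    ("_dmarc.example.com.", "TXT"): ["v=DMARC1; p=reject; sp=reject;"],
    ("_dmarc.example.org.", "TXT"): ["v=DMARC1; p=quarantine; sp=reject"],
    ("_dmarc.example.net.", "TXT"): ["v=DMARC1; p=quarantine"],
}

# The PR's original DKIM line, published at the bare _domainkey label.
ZONE_BARE_DKIM: Dict[Tuple[str, str], List[str]] = {
    ("_domainkey.example.com.", "TXT"): ["v=DKIM1; p="],
}


def lookup(zone: Dict[Tuple[str, str], List[str]], name: str, rtype: str) -> Optional[List[str]]:
    """Exact owner name first, then a one-label wildcard (sel._domainkey.x -> *._domainkey.x)."""
    if (name, rtype) in zone:
        return zone[(name, rtype)]
    parts = name.split(".", 1)
    if len(parts) == 2:
        return zone.get(("*." + parts[1], rtype))
    return None


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' payload (DKIM and DMARC tag-list syntax) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_result(zone, domain: str, sender_ip: str) -> str:
    """Evaluate the domain's v=spf1 record for sender_ip (only 'a' and 'all' supported)."""
    records = [t for t in (lookup(zone, domain, "TXT") or []) if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"  # RFC 7208 s4.5: exactly one record
    for term in records[0].split()[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        if mech.lower() == "a":
            matched = sender_ip in (lookup(zone, domain, "A") or [])
        elif mech.lower() == "all":
            matched = True
        else:
            return "permerror"  # mechanism not implemented in this example
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"  # no mechanism matched and no redirect


def dkim_key(zone, domain: str, selector: str) -> Optional[Tuple[bool, str]]:
    """What a verifier sees for d=domain s=selector: (key_revoked, record), or None if absent.
    RFC 6376 s3.6.1: an empty p= means the key has been revoked."""
    txt = lookup(zone, f"{selector}._domainkey.{domain}", "TXT")
    if not txt:
        return None
    return (parse_tags(txt[0]).get("p", "") == "", txt[0])


def dmarc_policy(zone, domain: str, org_domain: str) -> Optional[str]:
    """Effective DMARC policy for an RFC5322.From domain (RFC 7489 s6.6.3):
    _dmarc.<domain> if published, else the organizational domain's record,
    where sp= governs subdomains and defaults to p= when absent."""
    own = lookup(zone, f"_dmarc.{domain}", "TXT")
    if own:
        return parse_tags(own[0]).get("p")
    org = lookup(zone, f"_dmarc.{org_domain}", "TXT")
    if not org:
        return None
    tags = parse_tags(org[0])
    return tags.get("sp") or tags.get("p")


if __name__ == "__main__":
    print("SPF from the host:   ", spf_result(ZONE, "example.com.", "192.0.2.10"))
    print("SPF from elsewhere:  ", spf_result(ZONE, "example.com.", "198.51.100.1"))
    print("DKIM via wildcard:   ", dkim_key(ZONE, "example.com.", "anyselector"))
    print("DKIM via bare label: ", dkim_key(ZONE_BARE_DKIM, "example.com.", "anyselector"))
    for dom, org in [("mail.example.com.", "example.com."), ("example.org.", "example.org."),
                     ("mail.example.org.", "example.org."), ("mail.example.net.", "example.net.")]:
        print(f"DMARC for {dom:<20}", dmarc_policy(ZONE, dom, org))
```

Running it shows the instance host passing SPF while any other source fails on `-all`, a wildcard DKIM record answering every selector with a revoked (empty) key where the bare `_domainkey` label answers none, and `sp=reject` only changing the outcome for `example.org`, where `p=` has been relaxed to quarantine.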
Maybe also add TLSA + CNAMEs?
This now also includes dropping the IPv6 subdomains from the certbot request on batch, consistent with this new documentation. The always-present subdomains are now www/nl/en, with more in the single test instance.
Yes, we could do so. We could add the TLSA/DANE values for Let's Encrypt (that we also have in our own DNS zone), but someone could of course choose to use a certificate from a different certificate provider. Furthermore, we could also add CAA.
I do not think our documentation should include specific TLSA values, but only suggest it, like this PR does for CAA now. Otherwise we're just duplicating and it risks getting outdated.
Signed-off-by: Sasha Romijn <[email protected]>
@bwbroersma @baknu I think the current version of Docker-DNS.md is good - can you check? If it is, then I will update certbot.sh in this PR, and we can update our own zone to match this doc.
Some suggestions, mainly for clarity
Signed-off-by: baknu <[email protected]>
Replaced "internal" and "external" with other more verbose wordings.
Signed-off-by: baknu <[email protected]>