From an email list on 2022-04-02, some bits and pieces that should be in place to make mail flow:
- Forward-confirmed reverse DNS: IP -> PTR lookup -> look up that hostname, and it must match the IP again
- SPF
- DKIM - one possible implementation: OpenDKIM - opendkim is an excellent tool, which helped find the real problem with a simple "Diagnostics yes" in the config file.
- DMARC
- ARC (for mailinglists)
- SRS (when forwarding, rewrite the envelope sender (MAIL FROM), re-sign with DKIM, and then ARC-sign that)
- Decent TLS
- MTA-STS
- DANE
Use a site like internet.nl for testing mail server configuration and capabilities
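To make the checklist above concrete, here is an added example (not code from the original thread) that runs the DNS-side checks offline against a constructed in-memory zone: forward-confirmed reverse DNS, the SPF record and its `all` qualifier, the DMARC `p=` policy that the mailing-list discussion further down turns on, the `_mta-sts` TXT record, and a TLSA record for DANE. All names, addresses and the TLSA payload are constructed sample data; a real checker would swap `lookup()` for live DNS queries (and DANE additionally requires the zone to be DNSSEC-signed, which this stub cannot see).

```python
"""Offline checker for the mail-flow checklist above.

Added example, not code from the original thread. All DNS data is a
constructed in-memory zone (SAMPLE_DNS) so the script runs without network
access; a real checker would replace lookup() with live DNS queries.
"""
import ipaddress
import re

# Constructed sample records keyed by (owner name, rrtype). The TLSA payload
# is a placeholder, not a real certificate hash.
SAMPLE_DNS = {
    ("203.0.113.25", "PTR"): ["mx1.example.net."],
    ("mx1.example.net", "A"): ["203.0.113.25"],
    ("example.net", "TXT"): ["v=spf1 mx ip4:203.0.113.0/24 -all"],
    ("_dmarc.example.net", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.net"],
    ("_mta-sts.example.net", "TXT"): ["v=STSv1; id=20220402T000000"],
    ("_25._tcp.mx1.example.net", "TLSA"): ["3 1 1 PLACEHOLDER-CERT-HASH"],
    # A host whose PTR does not forward-confirm: the A record points elsewhere.
    ("203.0.113.26", "PTR"): ["mx-bogus.example.org."],
    ("mx-bogus.example.org", "A"): ["198.51.100.7"],
}


def lookup(name, rrtype, dns=SAMPLE_DNS):
    """Return the RRset for name/rrtype, normalising case and trailing dots."""
    return dns.get((name.rstrip(".").lower(), rrtype), [])


def fcrdns(ip, dns=SAMPLE_DNS):
    """Forward-confirmed reverse DNS: IP -> PTR -> A/AAAA must contain the IP again.
    Returns the confirmed hostname, or None if no PTR target maps back."""
    fwd_type = "A" if ipaddress.ip_address(ip).version == 4 else "AAAA"
    for host in lookup(ip, "PTR", dns):
        if ip in lookup(host, fwd_type, dns):
            return host.rstrip(".")
    return None


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and MTA-STS records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(domain, dns=SAMPLE_DNS):
    """Exactly one v=spf1 record is usable; RFC 7208 treats more than one as permerror."""
    records = [r for r in lookup(domain, "TXT", dns) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return {"present": False, "all": None}
    match = re.search(r"(?:^|\s)([+\-~?]?)all\s*$", records[0])
    qualifier = (match.group(1) or "+") if match else None  # no "all" mechanism -> None
    return {"present": True, "all": qualifier}


def check_dmarc(domain, dns=SAMPLE_DNS):
    """Report the published DMARC policy (p=none/quarantine/reject) and report address."""
    records = [r for r in lookup("_dmarc." + domain, "TXT", dns) if r.startswith("v=DMARC1")]
    if not records:
        return {"present": False, "policy": None, "rua": None}
    tags = parse_tags(records[0])
    return {"present": True, "policy": tags.get("p"), "rua": tags.get("rua")}


def check_mta_sts(domain, dns=SAMPLE_DNS):
    """The _mta-sts TXT record only announces a policy id; the policy file itself is served over HTTPS."""
    records = [r for r in lookup("_mta-sts." + domain, "TXT", dns) if r.startswith("v=STSv1")]
    return {"present": bool(records), "id": parse_tags(records[0]).get("id") if records else None}


def check_dane(mx_host, dns=SAMPLE_DNS):
    """DANE for SMTP (RFC 7672) needs a TLSA record with usage DANE-TA(2) or DANE-EE(3)."""
    for record in lookup("_25._tcp." + mx_host, "TLSA", dns):
        if record.split()[0] in ("2", "3"):
            return True
    return False


def audit(domain, mx_ip, dns=SAMPLE_DNS):
    """Run the checklist for one sending domain and the IP its MX sends from."""
    host = fcrdns(mx_ip, dns)
    return {
        "fcrdns": host,
        "spf": check_spf(domain, dns),
        "dmarc": check_dmarc(domain, dns),
        "mta_sts": check_mta_sts(domain, dns),
        "dane": check_dane(host, dns) if host else False,
    }


if __name__ == "__main__":
    for key, value in audit("example.net", "203.0.113.25").items():
        print(f"{key:8} {value}")
```

Running `audit("example.net", "203.0.113.25")` against the constructed zone reports a confirmed PTR, an SPF record ending in `-all`, DMARC `p=none`, an MTA-STS id and a usable TLSA record; `fcrdns("203.0.113.26")` returns `None` because the PTR target's A record points somewhere else, which is exactly the mismatch receivers treat as a red flag.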
Follow-up comment: Google at least adds ARC headers in Gmail, and did the editing of RFC 8617. ARC – Authenticated Received Chain
Follow-up comment: Bimi Group is snake oil, or well, a scam is more like it: if you can pay and they like you, you get a logo, anybody else is out... marketing companies of the world (and the ones earning money for bits à la domains and worse, EV SSL certs... rejoice)
Follow-up link: mailing lists are the ugly stepchild
Settings for a mailing list:
We have SPF, DKIM signing, and a DMARC policy that sets p=none.
We're not setting p=reject, considering the number of mailing lists our users are on that are outdated or based on EOL software (including this one which depends on python 2.7, and including our own which have the same problem). It's impossible to know, from the outside, how mailing lists are configured. Mailman3 is...special. That's a rant for another time.
We get about an email a week from someone emailing security-officer@ trying to get a bug bounty telling us we should set p=reject. There's an ecosystem for this stuff.
Note: Yup. Gmail has made it quite clear that they will not accept v6 mail that isn't SPF or DKIM authenticated. DKIM is more work but works more reliably.
ARC: It's certainly not a magic ticket into an inbox but it is slowly helping undo DMARC mailing list damage. It's not important unless you forward mail like a mailing list does.
What ARC does:
ARC addresses the problem that mailing lists do a lousy job of spam filtering. A list that usually sends lovely clean mail sometimes doesn't, since a typical list forwards anything with a subscriber's address on the From line, including spam from cleverish spammers who take pairs of from/to addresses from stolen mailboxes.
ARC lets the recipient system look back and do what we might call retroactive filtering, using info about messages as they arrived at the previous forwarder. While it would be nice if lists did a better job of spam filtering, they don't, and ARC is a reasonable remedy for that.
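The "look back" the comment above describes is what a receiver does with the ARC header sets: walk the chain back to instance 1 and read the SPF/DKIM results the list recorded when the message first arrived. The following is an added example, not code from the thread or from any ARC implementation. Both messages are constructed (hostnames, addresses, and all `b=`/`bh=` values are placeholders). It checks the chain's structure as RFC 8617 lays it out (one ARC-Seal, ARC-Message-Signature and ARC-Authentication-Results per hop, instances numbered 1..n, `cv=none` on the first seal and `cv=pass` on later ones) and then reads the oldest hop's results; it deliberately does not verify the seal signatures, since that would require fetching each sealer's public key from DNS, so a "pass" here means the chain is intact structurally and the recorded results are readable, nothing more.

```python
"""Reading an ARC chain the way a receiving system would, to recover the
authentication results recorded before a mailing list altered the message.

Added example, not code from the original thread. The messages below are
constructed; b=/bh= values are placeholders. Seal signatures are NOT verified
(that needs each sealer's public key from DNS); only chain structure is checked.
"""
import email
import re

# Constructed: mail from example.com went through a list at lists.example.org
# (hop 1, which saw SPF and DKIM pass), then a forwarder fwd.example.net (hop 2,
# which saw DKIM broken by the list's subject tag but validated the chain).
SAMPLE_FORWARDED = """\
ARC-Seal: i=2; a=rsa-sha256; t=1648900000; cv=pass; d=fwd.example.net; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=fwd.example.net; s=arc; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; fwd.example.net; spf=pass smtp.mailfrom=bounces@lists.example.org; dkim=fail header.d=example.com; arc=pass
ARC-Seal: i=1; a=rsa-sha256; t=1648899000; cv=none; d=lists.example.org; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.org; s=arc; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; lists.example.org; spf=pass smtp.mailfrom=alice@example.com; dkim=pass header.d=example.com
From: Alice <alice@example.com>
To: list@lists.example.org
Subject: [list] hello

body
"""

# Constructed: the same hop-2 set, but the i=1 set was stripped in transit, so
# there is no way back to the list's original observation.
SAMPLE_BROKEN = """\
ARC-Seal: i=2; a=rsa-sha256; t=1648900000; cv=pass; d=fwd.example.net; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=fwd.example.net; s=arc; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; fwd.example.net; spf=pass smtp.mailfrom=bounces@lists.example.org; dkim=fail header.d=example.com; arc=pass
From: Alice <alice@example.com>
To: list@lists.example.org
Subject: [list] hello

body
"""


def parse_tags(value):
    """Parse the 'tag=value; tag=value' syntax of ARC-Seal / ARC-Message-Signature."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def parse_aar(value):
    """ARC-Authentication-Results: 'i=N; authserv-id; method=result ...; ...'."""
    parts = [p.strip() for p in value.split(";")]
    instance = int(parts[0].split("=", 1)[1])
    results = {"authserv": parts[1]}
    for part in parts[2:]:
        m = re.match(r"(\w+)=(\w+)", part)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return instance, results


def validate_chain(raw_message):
    """Return {'chain': 'none'|'pass'|'fail', 'hops': [...]} with the oldest hop first."""
    msg = email.message_from_string(raw_message)
    seals = {int(parse_tags(v)["i"]): parse_tags(v) for v in msg.get_all("ARC-Seal", [])}
    sigs = {int(parse_tags(v)["i"]) for v in msg.get_all("ARC-Message-Signature", [])}
    aars = dict(parse_aar(v) for v in msg.get_all("ARC-Authentication-Results", []))
    if not seals:
        return {"chain": "none", "hops": []}
    expected = set(range(1, len(seals) + 1))
    # Every hop needs all three headers, numbered 1..n (RFC 8617 caps n at 50).
    if not (set(seals) == sigs == set(aars) == expected) or len(seals) > 50:
        return {"chain": "fail", "hops": []}
    for i in expected:
        if seals[i].get("cv") != ("none" if i == 1 else "pass"):
            return {"chain": "fail", "hops": []}
    return {"chain": "pass", "hops": [{"i": i, **aars[i]} for i in sorted(expected)]}


def original_sender_authenticated(result):
    """Retroactive filtering: use the oldest hop's SPF/DKIM verdict, but only if the chain is intact."""
    if result["chain"] != "pass":
        return False
    first = result["hops"][0]
    return first.get("dkim") == "pass" or first.get("spf") == "pass"


if __name__ == "__main__":
    for name, raw in (("forwarded", SAMPLE_FORWARDED), ("broken", SAMPLE_BROKEN)):
        result = validate_chain(raw)
        print(name, result["chain"], original_sender_authenticated(result), result["hops"])
```

On the forwarded message the final receiver sees `dkim=fail` at hop 2 (the list broke the signature) but `dkim=pass` at hop 1, and with the chain intact it can decide the message was authenticated when the list got it; on the broken message the missing first set makes the chain fail, and the receiver falls back to whatever it can verify directly.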
Additional protection settings:
I run my own mail server and have no trouble at all delivering mail to Gmail over IPv6.
I do have SPF, DKIM, DNSSEC and DANE on my mail servers. My DMARC policy is p=none.
If it matters, the MTA is a heavily hacked version of qmail.
Someone mentioned nullmailer as a small mail program that allows you (or your system) to send mails through an existing email account (using an SMTP server).
In response to "Clearly, someone used the reputation of ImprovMX.com to deliver emails by forging them before delivery.": DKIM replay attacks preventative measures
2022/04/24 added - DMARC Domain Checker
2022/06/12 added - Email Audit - Check the DNA of your email against important best practices.