privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal
3.12k stars 384 forks

✨ Feature Suggestion | Warn against using custom domains for email providers that don't have SPF+DKIM+DMARC support for custom domains #1833

Open djoate opened 4 years ago

djoate commented 4 years ago

Description

The minimum criteria for listing an email provider include this requirement:

Valid SPF, DKIM and DMARC, with the policy p value set to either none, quarantine or reject.

We should warn against email providers offering custom domain support that do not provide clear documentation/steps on how to set up SPF, DKIM, and DMARC for custom domains and why they are needed. They are all used to prevent other people from sending emails as someone else. So, if a custom domain doesn't have all of those set up, it is easier to spoof emails from that domain.

For example,

Furthermore, I think the email providers page should talk about the importance of SPF, DKIM, DMARC, along with DNSSEC, MTA-STS, etc.

dngray commented 4 years ago

I did speak to some of the providers about their DMARC policies.

Some of them were setting them to none because of issues regarding mailing lists.

I think they were waiting on ARC to help with that.
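
The check behind the listing criterion quoted in this issue, as an added example that is not part of the thread or the project's own code: it audits the TXT records of a custom domain for SPF, DKIM and DMARC and validates the DMARC `p` value. The domains, the selector `sel1` and the TXT strings are constructed; a real audit would fetch these records over DNS.

```python
# Added example. Domains, selector and TXT strings below are constructed.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(domain, selector, txt):
    """txt maps a DNS name to its TXT strings; returns a list of findings."""
    findings = []
    # SPF lives at the domain itself; more than one v=spf1 record is an error.
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append("FAIL SPF: expected 1 record, found %d" % len(spf))
    elif {"all", "+all"} & set(spf[0].lower().split()):
        findings.append("FAIL SPF: +all authorizes every sender")
    # DKIM key lives at <selector>._domainkey.<domain>; an empty p= means revoked.
    keys = [parse_tags(r) for r in txt.get("%s._domainkey.%s" % (selector, domain), [])]
    if not any(k.get("p") for k in keys):
        findings.append("FAIL DKIM: no usable public key for selector " + selector)
    # DMARC lives at _dmarc.<domain>; p= must be one of the three defined policies.
    dmarc = [parse_tags(r) for r in txt.get("_dmarc." + domain, [])
             if r.replace(" ", "").startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append("FAIL DMARC: expected 1 record, found %d" % len(dmarc))
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy not in VALID_POLICIES:
            findings.append("FAIL DMARC: invalid or missing p=%r" % policy)
        elif policy == "none":
            findings.append("NOTE DMARC: p=none requests no action on failing mail")
    return findings

SAMPLE_TXT = {  # constructed records for two hypothetical custom domains
    "good.example": ["v=spf1 include:_spf.provider.example -all"],
    "sel1._domainkey.good.example": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPLACEHOLDERKEY"],
    "_dmarc.good.example": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@good.example"],
    "bare.example": ["google-site-verification=constructed"],
    "_dmarc.bare.example": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for name in ("good.example", "bare.example"):
        print(name, audit(name, "sel1", SAMPLE_TXT))
```
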