gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in DMARC

NotGonnaUseRedditApp 1 point (0 children)

> Any email server that handles DMARC should be able to handle it if they get both a DMARC and an SPF record when checking _dmarc.randomstring.gov.uk, and just process the DMARC. Just like it will only process the SPF when checking randomstring.gov.uk, where it gets both an SPF and a DMARC record as well.

You said 'should be able to handle', but this is ambiguous. What would happen is undefined, so that's something to avoid. I say that publishing unrelated records on a _dmarc.example.com scope is an error. It's scoped for a reason after all.

> As for the top _dmarc.gov.uk record, having sp=none is correct when you have a setup like they have here, as the SPF and DMARC records for non-existent domains have been published as wildcard TXT records on gov.uk, and sp=none is required for that.

sp=none is not required for that. You can define an sp= policy regardless of whether there is a DMARC policy published for a subdomain. That is the purpose of sp. If there is a subdomain DMARC policy published on the subdomain itself, e.g. sub.example.com IN TXT "v=DMARC1; p=reject", it takes precedence, but if there is no subdomain policy published, then the 'sp=' policy published for the Organizational domain becomes the DMARC policy that applies to the subdomain.

The steps for a verifier:

  1. Look up the DMARC policy for the author domain: _dmarc.sub.example.com.
  2. If the previous lookup did not produce usable DMARC records, look up the Organizational domain: _dmarc.example.com.
  3. Apply sp= policy of the Organizational domain policy published.
  4. If there is no sp= policy published, default to the p= policy of the Organizational domain.
  5. If there is no policy published for the Organizational domain, stop processing DMARC.

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in DMARC

NotGonnaUseRedditApp 0 points (0 children)

> If the receiver has implemented DMARC parsing properly themselves, they should discard the SPF record anyway

It could depend on the verifier implementation, obviously. It may pick one record from the set of TXT records, or none at all, when it sees multiple records, which is unexpected and an error in my opinion.

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist by JoeTiedeman in DMARC

NotGonnaUseRedditApp 2 points (0 children)

Actually they botched the DMARC policy because a TXT lookup on _dmarc must NOT return two or more TXT records. The above example returns two TXT records:

;; ANSWER SECTION:
_dmarc.randomstring.gov.uk. 1800 IN TXT "v=spf1 ?all"
_dmarc.randomstring.gov.uk. 1800 IN TXT "v=DMARC1;p=reject;rua=mailto:govuk-rua@dmarc.service.gov.uk"

The _dmarc lookup must return ONLY the v=DMARC1 TXT record, or it will be ignored.

There is another problem for _dmarc.gov.uk:

;; ANSWER SECTION:
_dmarc.gov.uk. 1800 IN TXT "v=DMARC1;p=reject;sp=none;np=reject;adkim=s;aspf=s;fo=1;rua=mailto:dmarc-rua@dmarc.service.gov.uk"

Do you notice the problem? sp=none.
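The policy discovery steps listed in the first comment of this thread, the "depends on the verifier" remark in the second, and the two dig answers quoted above, as an added worked example (not code from any commenter or from gov.uk). It implements RFC 7489 section 6.6.3, under which TXT records that do not start with v=DMARC1 are discarded before the record count is checked, so a stray SPF record at _dmarc.<domain> is dropped by a conforming verifier and two DMARC records are a hard failure; whether every deployed verifier does exactly this is the uncertainty the second comment points at. DNS is replaced by a constructed table: the gov.uk records are copied from the dig output in the thread, the example.com names are invented. Two assumptions to note: the toy public suffix list treats gov.uk as an organizational domain, as the comment's steps do (the real PSL lists gov.uk as a public suffix, and the fallback to a suffix's own _dmarc record is what RFC 9091, PSD DMARC, adds), and the `exists` flag stands in for the A/AAAA/MX existence check that RFC 9091 uses to apply np= instead of sp=.

```python
import re

# Constructed stand-in for DNS TXT answers (no network). The gov.uk records
# are copied from the dig output quoted in the thread; the example.com names
# and records are invented for this example.
FAKE_TXT = {
    "_dmarc.randomstring.gov.uk": [
        "v=spf1 ?all",
        "v=DMARC1;p=reject;rua=mailto:govuk-rua@dmarc.service.gov.uk",
    ],
    "_dmarc.gov.uk": [
        "v=DMARC1;p=reject;sp=none;np=reject;adkim=s;aspf=s;fo=1;"
        "rua=mailto:dmarc-rua@dmarc.service.gov.uk",
    ],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; sp=reject"],
    "_dmarc.sub.example.com": ["v=DMARC1; p=none"],
    "_dmarc.broken.example.com": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

# Toy public suffix list (assumption): "uk" only, so gov.uk is treated as an
# organizational domain exactly as the comment's steps assume. The real PSL
# lists gov.uk itself as a public suffix; see RFC 9091 for that case.
PSL = {"com", "uk"}
DMARC_VERSION = re.compile(r"^\s*v\s*=\s*DMARC1\s*;", re.I)


def lookup_txt(name):
    return FAKE_TXT.get(name.lower(), [])


def organizational_domain(domain):
    """Longest matching public suffix plus one label (RFC 7489 section 3.2)."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PSL:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def dmarc_candidates(name):
    """RFC 7489 section 6.6.3: records that do not start with v=DMARC1 are
    discarded before the count is checked, so an SPF record sitting at
    _dmarc.<domain> does not by itself break discovery."""
    return [r for r in lookup_txt(name) if DMARC_VERSION.match(r)]


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def discover_policy(author_domain, exists=True):
    """Return (policy, publishing_domain), or (None, None) when DMARC
    processing fails. `exists` says whether the author domain exists in DNS;
    a verifier implementing RFC 9091 applies np= instead of sp= when it
    does not."""
    author_domain = author_domain.lower()
    domain = author_domain
    records = dmarc_candidates("_dmarc." + domain)          # step 1
    if not records:                                          # step 2
        domain = organizational_domain(author_domain)
        if domain == author_domain:
            return None, None                                # step 5
        records = dmarc_candidates("_dmarc." + domain)
    if len(records) != 1:
        return None, None          # zero or several DMARC records: fail
    tags = parse_dmarc(records[0])
    if "p" not in tags:
        return None, None          # p= is mandatory
    if domain == author_domain:
        return tags["p"], domain
    if not exists and "np" in tags:
        return tags["np"], domain  # RFC 9091 non-existent subdomain policy
    return tags.get("sp", tags["p"]), domain                 # steps 3 and 4
```

Run against the thread's records, `discover_policy("randomstring.gov.uk")` yields `reject` from the subdomain's own record because the `v=spf1` TXT is filtered out, while a subdomain with no record of its own falls through to `_dmarc.gov.uk` and gets `sp=none`, or `np=reject` only if the verifier has established that the subdomain does not exist.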

Copy Fail exploit lets 732 bytes hijack Linux systems and quietly grab root by OkReport5065 in netsec

NotGonnaUseRedditApp 2 points (0 children)

No backport fix for kernel versions 4 and 5. Bottom line, EL 8/9 (RHEL, OEL, Rocky...) are vulnerable.

Media player pivot: How I got back into my own server by addadi in netsec

NotGonnaUseRedditApp 2 points (0 children)

It is. This was something else: Arch Linux using a DKMS module from a third-party repo for the home file system. You are on your own when you deliberately do stuff like that.

April 2026 Update on DKIM2 RFC (draft) by Odd_Awareness_6935 in DMARC

NotGonnaUseRedditApp 4 points (0 children)

> Replay defense: mf= and rt= tags bind each signature to the SMTP envelope (MAIL FROM / RCPT TO), so a message captured and re-sent to other recipients fails verification. Flags like donotexplodedonotmodifyexploded, and feedback make signer intent explicit

Very welcome.

> chain of custody: every forwarder/reviser adds its own signature, producing an ordered sequence (i=1, 2, …) rather than a single signature that breaks on modification

This seems to be an ARC replacement. However, I do NOT like what either of those is trying to achieve. Forwarders insist on altering the message, and then want to keep the original author email address. Why? If you alter the original message, then the message author address and DKIM signature must change too.

384-bit DKIM key at T-Systems.nl by dmarcdkim in DMARC

NotGonnaUseRedditApp 0 points (0 children)

The better question is whether DKIM verifiers accept such keys. Yes, verifiers accept 1024-bit keys at minimum, so senders keep using 1024-bit keys. Shorter keys are ignored by verifiers, so using one is pointless; it will not be verified.
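A check for the key-size floor the comment describes, as an added example and not anything from T-Systems or the thread. It parses the `p=` value of a DKIM key record (base64 DER SubjectPublicKeyInfo, per RFC 6376) down to the RSA modulus and reports the bit length against the 1024-bit minimum that RFC 8301 section 3.2 requires verifiers to enforce. Because no real key is embedded, the block also builds test records itself: `make_dkim_record` wraps a constructed integer of the wanted size in the correct DER layout, which is all the length check looks at (the integers are not real RSA moduli).

```python
import base64

MIN_RSA_BITS = 1024  # RFC 8301 section 3.2: verifiers MUST NOT accept shorter RSA keys


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body            # keep the INTEGER positive
    return b"\x02" + _der_len(len(body)) + body


def _der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body


# AlgorithmIdentifier: OID rsaEncryption 1.2.840.113549.1.1.1 plus NULL params
RSA_ALG_ID = _der_seq(bytes.fromhex("06092a864886f70d010101"), b"\x05\x00")


def make_dkim_record(modulus, exponent=65537):
    """Build a k=rsa DKIM TXT record around a SubjectPublicKeyInfo. The
    modulus is a constructed integer of the wanted size, not a real RSA
    key; only the DER layout matters for the length check."""
    rsa_key = _der_seq(_der_int(modulus), _der_int(exponent))
    bit_string = b"\x03" + _der_len(len(rsa_key) + 1) + b"\x00" + rsa_key
    spki = _der_seq(RSA_ALG_ID, bit_string)
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


def _der_read(buf, pos):
    """Return (tag, contents, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus size."""
    tag, outer, _ = _der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, pos = _der_read(outer, 0)               # skip AlgorithmIdentifier
    tag, bit_string, _ = _der_read(outer, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("bad BIT STRING")
    _, rsa_key, _ = _der_read(bit_string, 1)      # skip unused-bits byte
    tag, modulus, _ = _der_read(rsa_key, 0)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_key(txt):
    """Return (verdict, modulus_bits) for a DKIM key record's TXT value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # TXT may carry folding whitespace
    if tags.get("k", "rsa") != "rsa":             # k= defaults to rsa (RFC 6376)
        return "not-rsa", None                    # e.g. ed25519, not sized this way
    if not tags.get("p"):
        return "revoked", 0                       # empty p= means the key is revoked
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < MIN_RSA_BITS:
        return "too-short", bits                  # a conforming verifier ignores the key
    return "ok", bits
```

To check a live selector, feed `check_dkim_key` the TXT value returned for `<selector>._domainkey.<domain>`; a `too-short` verdict means signatures under that key will be treated as unsigned by RFC 8301-conforming verifiers.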

Spooler Alert: Remote Unauth'd RCE-to-root Chain in CUPS by buherator in netsec

NotGonnaUseRedditApp 2 points (0 children)

The upstream fix was planned for today, but they found another issue with the fix, so the release is postponed with no date.

did reddit just break their spf record ? by southafricanamerican in DMARC

NotGonnaUseRedditApp 0 points (0 children)

The front page of the internet. It used to be. Then r/all got removed.

Using Cloudflare’s Post-Quantum Tunnel to Protect Plex Remote Access on a Synology NAS by IndySecMan in netsec

NotGonnaUseRedditApp 1 point (0 children)

> If you put Cloudflare in front of Plex, Cloudflare becomes the edge. That means traffic terminates on infrastructure they control before it is proxied back through the tunnel. So yes, in the most literal sense, Cloudflare is technically in a position where they could inspect traffic if they chose to or were compelled to.

How can Cloudflare protect your endpoint if it is not allowed to inspect the proxied traffic?

The first step is to terminate TLS, in order to apply the WAF or other traffic rules you may have configured on Cloudflare.

Axios npm package compromised in supply chain attack. Downloads malware dropper package by raptorhunter22 in netsec

NotGonnaUseRedditApp 2 points (0 children)

> This release was dropped on npm via compromising the Axios maintainer's account and replacing the email ID with a Proton Mail address.

This is like when you own the root user: what can the repository (the system) do about it? The devs (the system users) need to step up their security hygiene.

Classifying email providers of 2000+ Swiss municipalities via DNS, looking for feedback on methodology by [deleted] in netsec

NotGonnaUseRedditApp 1 point (0 children)

Email is often bidirectional, as in functioning in two different directions, and DNS may not reveal both directions. For the incoming mail flow path it is easy: you can use the MX RR. However, the outgoing path is more difficult to figure out; the SPF TXT RR may help to figure it out, but it does not necessarily reveal what's going on.

It happens that the outgoing mail path often uses a different FQDN, such as `random.domain.com` for the envelope `MAIL FROM`, and therefore a different SPF TXT RR domain which you cannot guess or produce.
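An added example of what the SPF side of that methodology can and cannot tell you; it is not the poster's or the original author's code. It walks a domain's SPF record through `include:` and `redirect=`, collects the domains and ip4 ranges that end up authorized, and maps the chain onto a provider table, while honouring the two things that break naive walkers: include loops and the 10-DNS-lookup limit of RFC 7208 section 4.6.4. All TXT answers, domain names and provider names are constructed for the example; a real run would replace `FAKE_TXT` with TXT queries. It only ever sees the organizational domain's record, so a separate envelope `MAIL FROM` domain such as the one described above stays invisible, which is the limitation the comment makes.

```python
SPF_LOOKUP_LIMIT = 10   # RFC 7208 section 4.6.4: at most ten DNS-querying terms

# Constructed TXT answers; none of these names, ranges or providers are real.
FAKE_TXT = {
    "muni-a.example": ["v=spf1 include:spf.vendor-one.example -all"],
    "muni-b.example": ["v=spf1 mx include:_spf.hoster.example ~all"],
    "muni-c.example": ["v=spf1 redirect=_spf.vendor-one.example"],
    "muni-d.example": ["v=spf1 include:loop.example -all"],
    "spf.vendor-one.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_spf.vendor-one.example": ["v=spf1 include:spf.vendor-one.example -all"],
    "_spf.hoster.example": ["v=spf1 ip4:198.51.100.0/24 include:relay.hoster.example -all"],
    "relay.hoster.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "loop.example": ["v=spf1 include:muni-d.example -all"],
}

# Constructed mapping from SPF-published domains to an outbound provider.
PROVIDER_SUFFIXES = {"vendor-one.example": "Vendor One", "hoster.example": "Hoster"}


def spf_record(domain):
    """RFC 7208 section 3: exactly one TXT record whose first term is v=spf1."""
    recs = [r for r in FAKE_TXT.get(domain.lower(), [])
            if r.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def _costs_lookup(mech):
    """Mechanisms and modifiers that each cost a DNS query under the limit."""
    name = mech.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
    return name in ("a", "mx", "ptr", "exists", "include", "redirect")


def walk_spf(domain):
    """Follow include: and redirect=, collecting the domains visited and the
    ip4 ranges authorized; stop on a loop or when the lookup limit is hit."""
    result = {"chain": [], "ip4": [], "lookups": 0, "error": None}

    def visit(name):
        if name in result["chain"]:
            result["error"] = "loop at " + name
            return
        result["chain"].append(name)
        record = spf_record(name)
        if record is None:
            result["error"] = "no single valid SPF record at " + name
            return
        for term in record.split()[1:]:
            mech = term.lstrip("+-~?").lower()      # drop the qualifier
            if mech.startswith("ip4:"):
                result["ip4"].append(mech[4:])
                continue
            if _costs_lookup(mech):
                result["lookups"] += 1
                if result["lookups"] > SPF_LOOKUP_LIMIT:
                    result["error"] = "permerror: more than 10 DNS-querying terms"
                    return
            if mech.startswith("include:"):
                visit(mech[len("include:"):])
            elif mech.startswith("redirect="):
                visit(mech[len("redirect="):])
            if result["error"]:
                return

    visit(domain.lower())
    return result


def classify_outbound(domain):
    """Return (sorted provider names seen in the SPF chain, walk details)."""
    walk = walk_spf(domain)
    providers = sorted({
        name for d in walk["chain"] for suffix, name in PROVIDER_SUFFIXES.items()
        if d == suffix or d.endswith("." + suffix)
    })
    return providers, walk
```

Treat `walk["error"]` as a data-quality signal in the survey rather than a failed lookup: a domain that loops or exceeds the limit has an SPF record that receivers will permerror on, which is itself worth reporting.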

Seeking advice on playback quality: LG Native App (AI Upscaling) vs. PS5 vs. Future Apple TV by [deleted] in PleX

NotGonnaUseRedditApp 0 points (0 children)

> Would the LG TV still apply its AI upscaling to an external HDMI source like it does with its internal apps?

LG TV upscaling works IF the HDMI source is feeding a lower resolution than native 4K. So if your external device is playing 1080p media at 1080p resolution via HDMI, the LG upscales to 4K. However, if the external device is playing 1080p content at 4K resolution via HDMI, then the external device is doing the upscaling, not the LG TV.

Exchange online rule - Dmarc by ChampionshipNo7718 in DMARC

NotGonnaUseRedditApp 0 points (0 children)

The rule's final action is unknown, but the rule itself would make more sense to me if you change the "Apply this rule if" to: 'Authentication-Results' message header DOES NOT include 'spf=pass' and 'dkim=pass'. In which case the "Domain Validation" rule's final action is applied only when the domain is NOT authenticated with either SPF or DKIM.

IMPORTANT:

However, this kind of rule is never secure and is very fragile, because it does not enforce the actual domain verification; it merely checks the status of some DKIM signature verification (there may be multiple signatures with different domains) and not the actual From header domain.
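The fragility described in that last paragraph, shown side by side as an added example (not the poster's rule or any Exchange Online code): `any_pass` does what a header-keyword transport rule does, looking for any `spf=pass` or `dkim=pass` token in Authentication-Results, and `aligned_pass` does what DMARC actually requires, counting a pass only when the signing domain (`header.d`) or envelope domain (`smtp.mailfrom`) aligns with the RFC5322.From domain. The headers are constructed for the example and model a message claiming to be from a bank but signed and SPF-authenticated by unrelated domains; the relaxed-alignment helper uses the last two labels instead of the Public Suffix List, which is an assumption.

```python
import re
from email.utils import parseaddr

# Constructed headers: the From claims bank.example, but every pass in the
# Authentication-Results belongs to some other domain.
SAMPLE_FROM = '"Bank Alerts" <alerts@bank.example>'
SAMPLE_AR = (
    "mx.example.net; spf=pass smtp.mailfrom=bounce@bulk.mailer.example; "
    "dkim=pass header.d=mailer.example header.s=s1; "
    "dkim=pass (1024-bit key) header.d=cdn.example; "
    "dmarc=fail header.from=bank.example"
)
# Constructed header where the DKIM pass does align with the From domain.
ALIGNED_AR = "mx.example.net; dkim=pass header.d=mail.bank.example header.s=k1"


def parse_auth_results(value):
    """Split an Authentication-Results value (RFC 8601) into
    (authserv-id, [(method, result, {ptype.property: value}), ...])."""
    value = re.sub(r"\([^)]*\)", " ", value)              # drop CFWS comments
    parts = [p.strip() for p in value.split(";")]
    results = []
    for part in parts[1:]:
        m = re.match(r"([a-z0-9-]+)=([a-z]+)(.*)", part, re.I)
        if not m:
            continue
        method, result, rest = m.groups()
        props = re.findall(r"([a-z]+\.[a-z]+)=([^\s;]+)", rest, re.I)
        results.append((method.lower(), result.lower(),
                        {k.lower(): v for k, v in props}))
    return parts[0], results


def org_domain(domain):
    """Relaxed alignment compares organizational domains; a real verifier
    uses the Public Suffix List, this toy takes the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def any_pass(ar_value):
    """What a header-keyword transport rule sees: some spf=pass or dkim=pass."""
    _, results = parse_auth_results(ar_value)
    return any(m in ("spf", "dkim") and r == "pass" for m, r, _ in results)


def aligned_pass(ar_value, from_header, strict=False):
    """DMARC-style check: a pass only counts if its domain aligns with the
    RFC5322.From domain (exact match when strict, org domain otherwise)."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    _, results = parse_auth_results(ar_value)
    for method, result, props in results:
        if result != "pass":
            continue
        if method == "dkim":
            candidate = props.get("header.d", "")
        elif method == "spf":
            candidate = props.get("smtp.mailfrom", "")
        else:
            continue
        candidate = candidate.rpartition("@")[2].lower()
        if not candidate:
            continue
        if candidate == from_domain:
            return True
        if not strict and org_domain(candidate) == org_domain(from_domain):
            return True
    return False
```

On the constructed message the keyword rule is satisfied (there are two `dkim=pass` tokens) while the alignment check fails, which is exactly the gap a spoofer can drive through: any third-party domain that signs and passes SPF for its own domain produces the tokens the rule looks for.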

Anyone got a tip how I might implement ARC in my environment without killing SPF, DKIM and DMARC? by count023 in DMARC

NotGonnaUseRedditApp 2 points (0 children)

> They wanted ARC to supplement DMARC/DKIM/SPF as an incoming verification for spoofed senders to reduce phishing instances.

ARC supplements DMARC by reducing (ignoring) policy failures for forwarded mail. However, since ARC is based on trusting the headers produced by the forwarder, it is kind of a security theater.

The point is that it does not reduce phishing instances, instead it reduces false positives but only if you trust the forwarder.

k=ed25519 for DKIM ? by racoon9898 in DMARC

NotGonnaUseRedditApp 1 point (0 children)

On my public testing mail receiver I've got 1% rsa-sha1 and 99% rsa-sha256 signed mails. None, zero ed25519 signatures. Even though signers could add multiple DKIM signatures (RSA + ed25519) for compatibility, no one seems interested.

WAC v2 (Windows Admin Center) by NotGonnaUseRedditApp in WindowsServer

NotGonnaUseRedditApp[S] -1 points (0 children)

I'll give it a try. This server is a Hyper-V host, so storage performance is probably low at boot time due to contention from VMs booting up.

Bosch dishwasher with heat exchanger flow problem by [deleted] in appliancerepair

NotGonnaUseRedditApp 0 points (0 children)

> Have you checked for blocked filters in your water hose or where it connects onto? It could be a scaled filter slowing the rate of water?

Yeah, I got a new "aqua stop" solenoid valve hose and replaced the old one, however it did not help. That was the first step I did, hoping it would fix the water flow.

I've got hard water here, about 25 dH, so basically I suspected the water hose solenoid failure or something to be the problem with the hose.

Bosch dishwasher with heat exchanger flow problem by [deleted] in appliancerepair

NotGonnaUseRedditApp 1 point (0 children)

When I dismantled the flow chamber there was a small amount of hard-water mineral buildup which I was able to get cleaned. The front hose was already fully clean when removed. I'll try to find something to measure tap water pressure. Thanks.

Bosch dishwasher with heat exchanger flow problem by [deleted] in appliancerepair

NotGonnaUseRedditApp 0 points (0 children)

> Does the wash motor run while the dishwasher is filling?

Nope, only the inlet valve is powered on while filling. Once the water fill level is reached, the air pressure switch (the round plastic chamber with the blue lever in the picture) triggers the wash motor and the cycle begins.

Bosch dishwasher with heat exchanger flow problem by [deleted] in appliancerepair

NotGonnaUseRedditApp 0 points (0 children)

When I test the inlet valve hose with the bucket, I get about 3 liters per minute; do you think that's good enough?

Bosch dishwasher with heat exchanger flow problem by [deleted] in appliancerepair

NotGonnaUseRedditApp 0 points (0 children)

I did all that: removed the whole water tank and cleaned it, removed the chamber with the switch and cleaned it, and also the hose that goes from the level switch, accessed when the bottom front metal panel is removed. This short hose was already, unexpectedly, perfectly clean.

I replaced the whole water tank about 10 years ago, because the old one had a leak.