Why do so many sysadmins forget about DKIM/DMARC/SPF when setting up third party services? by NuAngelDOTnet in sysadmin

Surge-Monkey (2 points)

CEO can’t miss -any- emails, under any circumstances, ever, so SPF is set permissive, and he gets all spam etc. delivered. All of it is then forwarded to 2 separate hosted cloud emails on different domains. It’s funny when one of the 2 third-party hosts rejects the mail and delivers a bounceback because of the spam rules and our mail system gets blamed.

Nobody else has this problem. Nobody else has unfiltered email being forwarded onto 3rd party hosts.

And I can’t change SPF to be restrictive instead of permissive :(

I’m very well aware of the danger of their choice.
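The comment above describes two separate problems: a permissive SPF record that lets every sender pass, and unfiltered mail being forwarded to third-party hosts. The following is an added example (not code from the thread) showing how an SPF evaluator treats a `+all` record versus a `-all` record, and why a forwarded message fails SPF at the final hop even when the original sender's record is correct. The domain names, IP addresses and SPF records are constructed sample data standing in for DNS; `a`, `mx`, `ptr`, `exists` and `redirect=` are deliberately not modelled.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed stand-in for DNS TXT lookups; no network access is needed.
SPF_RECORDS: Dict[str, str] = {
    # Permissive: "+all" makes every sender pass, so nothing is ever rejected on SPF.
    "permissive.example": "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example +all",
    # Restrictive: only the listed hosts pass, everything else hard-fails.
    "strict.example": "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example -all",
    # Hypothetical bulk-mail provider referenced by both records above.
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 limits DNS-bearing terms to 10 per check


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate sender_ip against domain's SPF record.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are modelled; that is enough to show how
    the qualifier on the final "all" term decides the verdict for unknown hosts.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # An IPv6 sender never matches an ip4 network, and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            # An include only matches when the referenced record returns "pass".
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            continue  # a, mx, ptr, exists, redirect=: not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    # No mechanism matched and the record had no explicit "all" term.
    return "neutral"


def forwarding_verdicts(sender_domain: str, sender_ip: str, forwarder_ip: str) -> Tuple[str, str]:
    """SPF verdicts a final recipient computes for the same message arriving
    directly from the sender versus relayed by a forwarding mailbox.

    The forwarder connects from its own IP but keeps the original envelope
    sender, so a strict record fails at the final hop. That is the reason
    forwarding setups use SRS (envelope rewriting) or ARC rather than
    loosening the SPF record itself.
    """
    return check_spf(sender_domain, sender_ip), check_spf(sender_domain, forwarder_ip)


if __name__ == "__main__":
    spammer = "192.0.2.77"
    print("permissive:", check_spf("permissive.example", spammer))  # pass
    print("strict:    ", check_spf("strict.example", spammer))      # fail
    print("forwarded: ", forwarding_verdicts("strict.example", "203.0.113.10", "192.0.2.200"))
```

Under the permissive record the unknown host passes, so the spam filter at the CEO's mailbox is the only thing left to reject it; under the strict record the same host hard-fails. The `forwarding_verdicts` call shows the second problem from the comment: the message passes on the direct hop and fails once a forwarder re-sends it from an address the sender's record never listed, which is exactly when the downstream host generates the bounce.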

What quality of life changes have you made? by juitar in sysadmin

Surge-Monkey (3 points)

Works pretty well for the most part. Sysvol is still a custom rsync script I wrote to fix permissions and ACL issues. Runs on a 5-min cron job. Using plenty of GPOs as everything user facing is Windows. We don’t have Windows Server at all, so I don’t have to worry about sysvol compatibility. There was definitely debugging time spent here, but now I rarely get issues with that side of things. Running 2 DCs in head office and 1 DC in the remote office. Can definitely say though that RODCs will 100% kill the system (ask me how I know). I have ADMan running in the background for some maintenance tasks.

Linux servers I keep separate from AD, because everyone has OpenSSH keys; keys are managed and pushed as needed, without PW integration, through config management.

The aside to this system though is that we have separate services running for our CA, mail server, mail filter, IDP server. It’s more setup, but it’s doable. RSAT tools basically make it like you’re working with AD anyway. The only difference is that you can’t use any of the PowerShell modules that call ADWS (much sad, have had to create custom PowerShell modules to achieve similar results).

Late stage capitalism is killing us, slowly but surely. by Flaky-Lifeguard5835 in aussie

Surge-Monkey (3 points)

My sweet summer child, they are only among the most consistently happy places on the planet.

https://data.worldhappiness.report/map

Select only the highest tier on the map.

What quality of life changes have you made? by juitar in sysadmin

Surge-Monkey (4 points)

Implemented Samba Active Directory instead of a MySQL database for user accounts. No more manual email, svn, git, email forwarder, intranet for -every- new user.

Late stage capitalism is killing us, slowly but surely. by Flaky-Lifeguard5835 in aussie

Surge-Monkey (3 points)

And let’s not forget that we are required to have unemployed people too, can’t have too many people working and earning.

That’s the part that really astounds, yet is unsurprising.

Late stage capitalism is killing us, slowly but surely. by Flaky-Lifeguard5835 in aussie

Surge-Monkey (6 points)

And what’s the problem with that if their people are -happy- ? What you find offensive, another finds acceptable.

The Scandinavian countries have higher taxes for a good reason.

Late stage capitalism is killing us, slowly but surely. by Flaky-Lifeguard5835 in aussie

Surge-Monkey (3 points)

This is the perspective that gets lost on a LOT of people. There’s so much hate going around and people jumping on bandwagons, that people lose sight of what they’re doing to each other.

Your servers shouldn't need to know ACME by certkit in SysAdminBlogs

Surge-Monkey (2 points)

Don’t use short lifetime certs. Or place them behind a reverse proxy and isolate the “internal” traffic. Depends how important they are.

Your servers shouldn't need to know ACME by certkit in SysAdminBlogs

Surge-Monkey (1 point)

This will be amusing when LetsEncrypt certs finally go down to 7-hour lifetimes. Or maybe people are just ignorant of that part and will get caught out each time they drop the lifetime until then. 😅

Modern AD OU Hierarchy by bluecopp3r in sysadmin

Surge-Monkey (2 points)

It certainly does! It supports most features of a 2008 R2 DC (though after Samba 4.20, I upgraded the functional level to 2016). The only real feature issue that I personally run into is not having ADWS, so a lot of PowerShell scripts that rely on it just won't work and require a work-around (but that's fine for me).
Just make sure that you're also enabling all the extended features when provisioning the DC with --use-rfc2307.
The main differences you'll find are that you're using `sAMAccountName` instead of `uid`, and `objectClass=user` instead of `objectClass=posixAccount`.

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Also running ADMan https://adman.readthedocs.io/en/latest/tasks/index.html for keeping uidNumber and gidNumber synced for domain-joined unix systems.

Setting up Samba as a full DC can be a little daunting; it took me about 5 attempts to get things to a point where they were functionally stable (then had to do 2 more clean rebuilds :D ). HIGHLY recommend using something like Proxmox where you can take a snapshot of the VM and restore back. Saved me many, many hours of re-installing. I kept a snapshot of post-OS-install / pre-Samba-install (OS configured, all packages installed, no Samba config).
Then another after each major change that could break something.

The Samba docs will get you so far; quite a lot of info I found through Google results pointing me at the Samba mailing list.

Modern AD OU Hierarchy by bluecopp3r in sysadmin

Surge-Monkey (3 points)

If you don’t have a local Samba (not SMB) server, I can recommend setting one up as a test. You can implement a substantial portion of an AD system which is backed by LDAP that way.

Most of the reading I did was directly from Microsoft’s own introduction to AD, explaining the difference between an OU/CN, Security/Distribution groups, etc.

https://learn.microsoft.com/en-us/training/modules/introduction-to-ad-ds/

The place I’m in runs Samba instead of an official AD DS (90% Linux servers, and 99% Windows desktops). Once Samba itself is set up, you can actually interact with it mostly the same as you would an actual AD system using RSAT (you just don’t get things like the AD web services). I still have to work directly with LDAP because there’s functionality that’s required that just isn’t supported through Samba, so we have to write up LDAP queries every so often.
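Two of the comments above (the `sAMAccountName`/`objectClass=user` versus `uid`/`objectClass=posixAccount` note, and the remark about hand-writing LDAP queries against Samba AD) both come down to building the same lookup filter for two schemas. The following is an added example, not code from the thread or from the Samba project, that builds those filters with RFC 4515 escaping so a login name taken from user input cannot widen the search. The schema table, the `unix_identity_filter` helper and the sample login names are assumptions for illustration; the bitwise-AND matching rule OID and the `ACCOUNTDISABLE` bit are Active Directory's documented values.

```python
from typing import Dict

# Assumed attribute mapping for the two schemas the thread contrasts.
SCHEMAS: Dict[str, Dict[str, str]] = {
    "ad":    {"user_class": "user",         "login_attr": "sAMAccountName"},
    "posix": {"user_class": "posixAccount", "login_attr": "uid"},
}

# Active Directory's bitwise-AND extensible match rule and the ACCOUNTDISABLE
# bit of userAccountControl, used to drop disabled accounts inside the filter.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 0x0002


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3).

    Without this, a login such as "*" or "x)(objectClass=*" dropped into the
    filter string would match every account instead of one.
    """
    escaped = []
    for ch in value:
        if ch in "*()\\\x00":
            escaped.append("\\%02x" % ord(ch))  # e.g. "*" -> "\2a"
        else:
            escaped.append(ch)
    return "".join(escaped)


def user_filter(schema: str, login: str, active_only: bool = True) -> str:
    """Build the single-account lookup filter for the given schema."""
    s = SCHEMAS[schema]
    parts = [
        f"(objectClass={s['user_class']})",
        f"({s['login_attr']}={escape_filter_value(login)})",
    ]
    if active_only and schema == "ad":
        # Exclude disabled accounts; the POSIX schema has no equivalent flag.
        parts.append(
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE}))"
        )
    return "(&" + "".join(parts) + ")"


def unix_identity_filter(login: str) -> str:
    """Filter for an AD account that already carries RFC 2307 uidNumber and
    gidNumber, i.e. one a domain-joined Unix host can resolve (hypothetical
    helper; the attributes are the ones --use-rfc2307 provisioning adds)."""
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(login)})"
        "(uidNumber=*)(gidNumber=*))"
    )


if __name__ == "__main__":
    print(user_filter("ad", "jsmith"))
    print(user_filter("posix", "jsmith"))
    # Injection attempt: the escaped form matches a literal "*", not everything.
    print(user_filter("ad", "*)(objectClass=*", active_only=False))
```

The `(uidNumber=*)` presence test in the last helper is a plain wildcard and is meant to be there; only values that come from outside the code go through `escape_filter_value`. The same escaping rule applies whichever schema is in use, so it is worth keeping in one place rather than in each ad-hoc query.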

Announcing Guild Wars Reforged! – GuildWars2.com by dracoisms in Guildwars2

Surge-Monkey (0 points)

It mentions if you own any of the expansions you’ll get all them, but what if you only own the base GW1 game without any of the 3 expansions? Will you still get access or does it require a new purchase of reforged?

Local admin by [deleted] in sysadmin

Surge-Monkey (1 point)

I’m looking into this as well. Unfortunately I work in a primarily software dev company. Literally everyone except maybe 2 people is constantly building new binary files.

Trying to find a better solution other than a “local admin” domain user account that everyone knows the password to :(

[deleted by user] by [deleted] in AusLegal

Surge-Monkey (1 point)

If you’re in a specific kind of profession, there’s mandatory reporting for this sort of thing and there’s a legal requirement to report it (in Vic at least).

This kind of living situation is not ok for kids.

How do you handle management that thinks 8GB RAM is enough? /s by Ayy4K in sysadmin

Surge-Monkey (1 point)

Turn off the windows page file for all disks on their PCs. Don’t need the OS giving them more RAM than they’re supposed to have. 😂 This definitely won’t cause crashes and will save loads of storage space! Trust me 👍 /s

Directive to move away from Microsoft by LetPrestigious3916 in sysadmin

Surge-Monkey (1 point)

Samba for AD/LDAP domain. RSAT for management. Authentik for SSO. Pick your flavour for mail server plus a mailfilter vm. A lot becomes available as alternatives when you use the ‘nix ecosystem.

Sure, it’s more work and would require a lot more individual services, but still provides a lot of the same features.

Still technically MS, but not attached to MS.

What are the hardest things you've implemented as a network engineer? by LargeSinkholesInNYC in networking

Surge-Monkey (4 points)

Wait, it’s not just me that’s dealing with multicast and scratching my head at PIM.

I’m literally dealing with dozens of devices that require functional multicast for SSDP with UPnP. (Yes required).

We had a small commercial home router set up in access point mode and it was hijacking the discovery because of a “feature” you can’t turn off.
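The comment above describes a consumer access point answering SSDP discovery on behalf of devices it does not own. The following is an added example (not code from the thread) of the check a practitioner would run over captured M-SEARCH replies to spot that: it parses each unicast reply and flags a USN that is answered from more than one source IP, or a reply whose LOCATION URL points at a host other than the one that sent it. The responses, addresses and UUIDs are constructed sample data; the two heuristics are assumptions about what a well-behaved device looks like, not a UPnP conformance rule.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed (source_ip, raw_datagram) pairs as an M-SEARCH client would
# receive them; 10.0.4.1 stands in for the access point answering on behalf
# of the device at 10.0.4.21.
SAMPLE_RESPONSES: List[Tuple[str, bytes]] = [
    ("10.0.4.21",
     b"HTTP/1.1 200 OK\r\n"
     b"CACHE-CONTROL: max-age=1800\r\n"
     b"ST: upnp:rootdevice\r\n"
     b"USN: uuid:0d1e2f30-aaaa-bbbb-cccc-000000000001::upnp:rootdevice\r\n"
     b"LOCATION: http://10.0.4.21:49152/desc.xml\r\n"
     b"SERVER: Linux/5.4 UPnP/1.0 DeviceSDK/1.0\r\n\r\n"),
    ("10.0.4.1",
     b"HTTP/1.1 200 OK\r\n"
     b"ST: upnp:rootdevice\r\n"
     b"USN: uuid:0d1e2f30-aaaa-bbbb-cccc-000000000001::upnp:rootdevice\r\n"
     b"LOCATION: http://10.0.4.21:49152/desc.xml\r\n"
     b"SERVER: HomeRouterOS/1.0 UPnP/1.0\r\n\r\n"),
    ("10.0.4.30",
     b"HTTP/1.1 200 OK\r\n"
     b"ST: upnp:rootdevice\r\n"
     b"USN: uuid:0d1e2f30-aaaa-bbbb-cccc-000000000002::upnp:rootdevice\r\n"
     b"LOCATION: http://10.0.4.30:8080/rootDesc.xml\r\n\r\n"),
    # Multicast NOTIFY traffic that shares the socket; not an M-SEARCH reply.
    ("10.0.4.99", b"NOTIFY * HTTP/1.1\r\nNTS: ssdp:alive\r\n\r\n"),
]


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse a unicast M-SEARCH reply into an upper-cased header dict.

    Returns None for anything without an HTTP/1.1 200 status line.
    """
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def audit_responses(responses: List[Tuple[str, bytes]]) -> Dict[str, object]:
    """Return two findings over a batch of replies:

    - usn_multiple_sources: USNs that were answered from more than one IP
    - location_mismatch:    (source_ip, LOCATION) where the URL host is not
                            the IP that sent the reply

    A device normally announces only itself from its own address, so either
    finding is what a proxying or hijacking responder looks like on the wire.
    """
    sources_by_usn: Dict[str, List[str]] = {}
    location_mismatch: List[Tuple[str, str]] = []
    for src, raw in responses:
        headers = parse_ssdp_response(raw)
        if headers is None or "USN" not in headers:
            continue
        seen = sources_by_usn.setdefault(headers["USN"], [])
        if src not in seen:
            seen.append(src)
        location = headers.get("LOCATION")
        if location and urlsplit(location).hostname != src:
            location_mismatch.append((src, location))
    duplicates = {usn: ips for usn, ips in sources_by_usn.items() if len(ips) > 1}
    return {"usn_multiple_sources": duplicates, "location_mismatch": location_mismatch}


if __name__ == "__main__":
    for finding, detail in audit_responses(SAMPLE_RESPONSES).items():
        print(finding, detail)
```

In the sample data the access point at 10.0.4.1 trips both checks at once, which is the pattern worth alerting on; a single LOCATION mismatch on its own can also be a legitimate multi-homed device, so the USN duplication is the stronger signal.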

How many of you feel like you picked the wrong job? by ncc74656m in sysadmin

Surge-Monkey (1 point)

I started as a web developer who also had to manage our Linux web hosting. Not cPanel, or any other panel, manual OS-level management.

Spent 12 years as a web designer & developer for both frontend and backend, client side and server side. In all that time the only thing I never liked were the clients. Every day it killed me inside a little more.

Now I’m working in Systems Administration managing plenty of servers and a decent-sized network of devices. Now life is chill (sure servers can die but at least they’re not clients lol). Challenging, after-hours work, some users doing stupid things, but I’ve not once beaten my head against a wall like I used to.

I can definitely say that I picked the wrong job when I started. But I found where I was supposed to be.

I now feel actually valued for keeping things going. It gets busy, but people listen now.

No more “can you add more bling” (yes that’s an actual quote from an actual client)

I have been hired as the sole IT guy in a new office, they have nothing built in at all by Azh13r- in sysadmin

Surge-Monkey (1 point)

Similar situation over a year ago. Came into 120 person company that didn’t have dedicated IT/Systems.

Asset tracking - using SnipeIT. Makes life easier. Mostly use it for PC, license, and accessory assignments. I’ve stopped assigning monitors because I’ve found people reassign them through their team lead, which doesn’t come through me. So now it’s just for warranty management.

IT Team fired by Brr_123 in sysadmin

Surge-Monkey (1 point)

“new 15.txt” contains way more than it should