Google has started automatically blocking emails sent by bulk senders who don’t meet stricter spam thresholds and authenticate their messages as required by new guidelines to strengthen defenses against spam and phishing attacks.
As announced in October, the company now requires those who want to dispatch over 5,000 messages daily to Gmail accounts to set up SPF/DKIM and DMARC email authentication for their domains.
I.e. it’s now even harder to run your own mail server. If it was crypto-related the argument would be Think of the children™, since it’s email the excuse is spam.
Without SPF and DKIM, I could send messages pretending to be from you to anybody. The average user has no way to know that the “From:” field does not really mean what it says.
I know there are a lot of issues with self-hosting email, but I just don’t think this is one of them. First, it probably won’t affect self-hosted servers anyway unless you send a lot of emails, this requirement is only for servers sending 5,000 messages daily to Gmail. And even if you are, the requirements are not that harsh, it’s a couple DNS records and a DKIM signing daemon, and if you are using a pre-built email package like mailcow it’s probably already doing it.
If you can’t set DKIM and DMARC records you shouldn’t be hosting email.
You can’t anyway because your whole address block is blackholed in every spam filtering list in existence for “reasons”.
Mine works fine
I’m sure they won’t do this because it’s too community friendly but they should just require all emails be digitally signed. If you don’t sign it goes to spam and if you do sign, and abuse the system, it’ll be much easier to find out who you are.
Having managed an Exchange instance for my old job, I can safely say that DKIM and DMARC are just some extra DNS entries for out-of-band verification. They can be boiled down to a pair of checkboxes on a compliance sheet.
I can also say that most of the companies we got emails from didn’t have DKIM, and even fewer had DMARC. Or worse, they had DMARC set to p=ignore. Which is honestly even more infuriating.
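An added example, not part of any comment in this thread: an offline check of the kind of SPF and DMARC TXT records discussed above, flagging a DMARC policy that asks for no action (`p=none`) and an SPF record that authorises every sender. The record strings and `.example` domains are constructed, and the function names are this example's own.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}  # p= values defined by RFC 7489

def parse_tags(txt):
    """Split a 'tag=value; tag=value' record into an ordered dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_dmarc(txt):
    """Findings for the TXT record at _dmarc.<domain> (None = not published)."""
    if txt is None:
        return ["no DMARC record published"]
    tags = parse_tags(txt)
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["record does not begin with v=DMARC1, so it is not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return [f"missing or unrecognised p= value {policy!r}"]
    if policy == "none":
        return ["p=none asks receivers to take no action on failing mail"]
    return []

def audit_spf(txt):
    """Findings for a domain's SPF TXT record, judged by its 'all' term."""
    if txt is None:
        return ["no SPF record published"]
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["record does not begin with v=spf1"]
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated to another domain's record
        return ["no 'all' term: unlisted senders get a neutral result"]
    if all_term in ("all", "+all"):
        return ["+all authorises every host on the internet to send"]
    if all_term == "?all":
        return ["?all gives unlisted senders a neutral result"]
    return []  # ~all (softfail) or -all (fail)

# Constructed sample records: (SPF TXT, DMARC TXT) per reserved example domain.
SAMPLES = {
    "strict.example": ("v=spf1 mx ip4:192.0.2.10 -all", "v=DMARC1; p=reject"),
    "monitor.example": ("v=spf1 include:_spf.mail.example ~all", "v=DMARC1; p=none"),
    "open.example": ("v=spf1 +all", None),
}

def audit_all(samples=SAMPLES):
    return {d: audit_spf(s) + audit_dmarc(m) for d, (s, m) in samples.items()}

if __name__ == "__main__":
    for domain, findings in audit_all().items():
        print(domain, "->", findings or "ok")
```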
Amazing…
…that they have only just now done this.
Meanwhile, Microsoft’s Exchange platform blatantly ignores DMARC failures for senders and relays on its “Good PTR list”. Bit of a glaringly large hole for spam to pass through.
Yay, does this mean that Google is going to stop saying the masked email address is the sender and hide the true email address?
You know, like MS has done for over 15 years now?
Yeah…but have you considered how much “cleaner” the interface is without that information “cluttering” the UI up?
In my experience it’s been more like…
UX: “users said they want these three pieces of info”
DEV: “I typically only look for one of those pieces of info, so I built this to just show the one”
UX: “users said they want three things for these reasons… only one isn’t as helpful and it’s not hard to add the other 2”
DEV: “well how’s that supposed to fit?”
UX: “like the designs already show”
DEV: “well I’ll put a ticket in the backlog and someone can come back to it, if they have time.”
PM: “I see no reason to prioritize slight “UX improvement” tickets over shit like new features or bug fixes…”
REPEAT X1000.
Then sit through months of user testing where people keep saying exactly what you are saying. “Why not add x? I guess someone thought it’s cleaner that way” but all these little pains add up to “death by a thousand cuts”
Then everyone complains and scapegoats design.
I mean, you’re scapegoating developers right now. Developers don’t determine priorities. That’s a product/business direction problem.
Also, UX doesn’t get to say what is hard to do or not (that’s the job of a developer, you really don’t have any way of knowing without familiarity with the implementation details), so that’s certainly at least part of your problem right there.
Bullshit and it’s right there in your comment: devs are not the only ones capable of assessing difficulty. The entire team should be doing that COLLABORATIVELY well before any dev touches a keyboard. Code isn’t some arcane black magic and we’ve all built products before, heard these excuses before… so stop saying “that’s not your job, that’s not my job”. Not a good look.
Suddenly declaring something is too hard and ignoring specs during the build phase is not a part of any dev’s fucking job, though you’d be surprised by the way they act.
Which is encapsulated perfectly in your comment. You mention it’s someone else’s job to handle business direction problems while ignoring how the problem is actually the dev not doing their job to begin with. The product meets its goals by showing three points of data, but a dev said fuck it and only showed one. That’s not a business issue, it’s a “I don’t want to” problem. Just like in your comment, any issues with “business direction” did not exist until you cited it to cover up for not doing the work that was already planned.
It’s not scapegoating to point out actual behavior. Behavior I’ve seen for 15 years and behavior you reinforced with your comment. You completely ignore the role of collaboration. It’s insulting to have a dev define your job in order for them to justify making decisions in a vacuum.
It’s especially maddening to hear this after I’ve spent over a year working directly with the CEO and CPO on a new product, led focus groups, spoken with 100s of users on the issue, designed, prototyped and validated solutions with additional testing… all alongside dev leads to expose any concerns early on. The board is happy, the c-suite is happy, the users like it, and we’re all set except some jackass developer thinks that since they know C# no one else can weigh in on all of their reasons to just not build what the TEAM designed.
What do you use for MS? I know live.com still struggles with this. Though I did create a rule that junked every email with no valid SPF record, so that helps.
It was a work issue about a decade ago. Client wanted certain emails from automation to be masked as coming from him.
Most email boxes, including Gmail, didn’t have an issue. Outlook (the one that shipped with Office) laughed at it and displayed the original sender in giant bold letters.
I wonder how Google will define spoofed…
Why does the article only mention Google? I know Yahoo had its heyday already, but they are still a common email platform and made the same requirements at the same time as Google.
It blows my mind that some of the largest email services in the world were accepting mail without all the antispam authentication. Everybody had been doing their best to keep it in check and they were simply ignoring all of it?
It’s a real pain in the rear to configure for anyone who doesn’t have a dedicated IT or an MSP. You have to get these DKIM and DMARC records from your Exchange provider and then you have to configure them on your DNS host. If your DNS host isn’t modifiable you have to send requests to their support to get those records put in place and then they want to verify your records from your provider as well as a security measure. I’ve had clients that took us a week because of all the song and dance of DKIM and DMARC all because I couldn’t go in and add the records myself.
Fuck you LOGIX you garbage company from the stone age. Let me manage my clients’ DNS records. 😤