Spammers are better at SPF, DKIM, and DMARC than everyone else

(toad.social)

429 points pabs3 | 3 comments | 25 Mar 25 08:14 UTC | HN request time: 0s | source

Show context

jeroenhd ◴[25 Mar 25 11:00 UTC] No.43469827[source]▶

For me, as someone with their own mail server, these technologies mostly serve to inform me that Russian IP addresses are still trying to send email in the name of my domain for some stupid reason.

It makes sense that people whose business is sending email know how to set up email correctly. I'm mostly surprised at how many legitimate sysadmins struggle with getting the basics correct. Surely those dozens of DMARC emails you get that your sendgrid email has been refused because of a bad SPF signature should set in motion some kind of plan to ask if maybe marketing is using them legitimately?

Automated signatures are of limited value but I rarely see rejections based on SPF and DKIM that are a mistake. Things are probably worse for big organizations but as a small email server, technical rejections are usually the right call. The only exception is mailing lists, but the dozens of people who still use those can usually figure out how to add an exception for them.

replies(6): >>43470005 #>>43470195 #>>43470668 #>>43471472 #>>43473790 #>>43482338 #

chillfox ◴[25 Mar 25 11:31 UTC] No.43470005[source]▶

>>43469827 #

In most organizations there is no point in a sysadmin to spend the effort in understanding how to set it up correctly as Marketing has got more authority on email. Marketing will simply demand changes to the config that they do not understand and there is nothing you can do to stop it as they will have the CEO on their side.

replies(7): >>43470020 #>>43470038 #>>43470121 #>>43470300 #>>43470650 #>>43471488 #>>43472049 #

stef25 ◴[25 Mar 25 11:37 UTC] No.43470038[source]▶

>>43470005 #

Marketing decides on DKIM and SPF ?

replies(3): >>43470082 #>>43470088 #>>43470115 #

selykg ◴[25 Mar 25 11:43 UTC] No.43470082[source]▶

>>43470038 #

The problem I personally ran into as a one person IT department was that the VP of marketing had more power over me, as a manager, and that meant more to my supervisor (the CEO) than me fighting to do things as correctly as possible. I was seen as a roadblock or speed bump. So, they may not decide on DKIM and SPF, but if marketing isn’t happy then their negativity could cause push back that forces changes that may technically not be good for the company.

I’ve abandoned that role and have gone back to an IC role and I’m much happier for it.

replies(1): >>43470136 #

1. seer ◴[25 Mar 25 11:53 UTC] No.43470136[source]▶

>>43470082 #

As long as you're not breaking the law / hurting people, does the struggle really matter? The best way I've been able to make people listen to me is by just presenting them with options and results.

If you do it this hacky way - we run this risk and this bad thing can happen etc. After a few times they see the consequence of their decisions people start paying attention to you. Do it a few more and now the company will have an "institutional knowledge" that you are usually right, and even if the manager leave, you still end up like the go-to guy on how to ship.

And sometimes the marketing people might end up being correct! I've once actually battled to "do the correct thing" (way back in the day it was a ruby on rails modeling I think) and the product owner was like - just do it this hacky way I don't care ... I did it the hacky way and you know what - it was the right call - we never changed it again and the business knowledge we got from it was actually valuable.

replies(2): >>43470527 #>>43473281 #

2. selykg ◴[25 Mar 25 12:46 UTC] No.43470527[source]▶

>>43470136 (TP) #

In the end, for me personally, I give people respect for their roles and the benefit of the doubt that they're in the position for the right reasons. But when I don't get that kind of thing in return then it just pisses me off. What I realized along the way is that I don't want to be in charge of things like this, it's simply not for me, at the very least it isn't on that team. Maybe that will change with the right people but the whole thing soured me on management in general and I will avoid it like the plague.

I'm pretty bitter about it all still, but it's a combination of a lot of things beyond this particular bit I shared. All I can say is I'm glad I am no longer in that role, it was slowly killing me.

3. freedomben ◴[25 Mar 25 16:42 UTC] No.43473281[source]▶

>>43470136 (TP) #

The biggest problem there is that it's a statistical gamble, and often times the damage isn't apparent for months or years later, which is plenty far enough removed from the decision that the manager isn't going to remember let alone realize "he told me so." And you reporting "I told you so" even in very easy, factual, and respectful professional language will typicall not be well received. There's also a decent chance that when the thing breaks or you get breached, you'll be blamed for it, or at least be on the defensive.

Now that said, I've worked with a lot of IT/engineering people who are pretty obstructionist to normal business operations and sometimes need to be told, "yeah, we're accepting the risk, move forward with the plan." Sometimes it's for good reasons, other times it's just our normal humanity asserting itself in different ways. It's a hard problem for sure.

↑