←back to thread

Spammers are better at SPF, DKIM, and DMARC than everyone else

(toad.social)
429 points pabs3 | 1 comments | 25 Mar 25 08:14 UTC | HN request time: 0.21s | source
1. dathinab ◴[25 Mar 25 13:00 UTC] No.43470663[source]
honestly my take away is the opposite

we by far don't enforce them strict enough, because if we where people would make sure to get it right

it's all a question about effort/turnout

if you make it so that most times you mails still somehow end up with the user even if you mess them up there is much less insensitive for companies to fix their mail or force their provider to fix it

so IMHO if all of SPF,DKIM and DMARC are not correct setup mails should just be directly discarded and not even delivered to spam

while being more flexible was reasonable when this tech was new, that was 10 years ago. If being flexible mean that you also will sometime deliver outright cyber attacks like spear phishing and similar to your user and everyone had 10 years to fix their systems then there is really no reason to still be flexible.

Also "scammers get it right so it's useless" is such a huge red hearing argument, yes they do get it right _for their domains_. It sill makes it harder (and if strictly enforced impossible, except if you give them permissions to do that*) for them to impersonate your domains.

And yes that doesn't fix scammers from using their own domains, but it also was never intended to do so. Doing so is a very different problem one which probably needs some form of reputation system which isn't something you can just solve technically as it touches on a lot of subtle social political issues. Also given that all of the huge mail vendors have insensitive to use their "intern proprietary obscure" reputation system I don't expect there to be a technical solution provided/adopted tbh.

(and yes SPF/DKIM/DMARC are all tech wise quite "meh", but we are kinda stuck with them, through that never was the issue IMHO, the issue is missing insensitive to bring the adoption up and missing insensitive for large mail providers to enforce it strictly)

EDIT: PS: In one point they are fully right so, that is, with how things are you can't give SPF/DKIM/DMARC a large weight for calculating reputation. Also they where always only meant to tell you if someone can't be trusted, but never if someone can be trusted.