429 points pabs3 | 2 comments
upofadown No.43470130
SPF/DKIM is really about mail server reputation. So it mostly benefits larger servers like the ones run by Google, Microsoft and Yahoo. Unfortunately, that means that attempts by those larger providers to combat spam using such reputation will naturally hurt smaller providers. So the actual effects of SPF/DKIM are on the whole negative.

The root problem is that we don't actually need to keep track of email server reputation. No one says to themselves "Huh, this is from a Gmail address, it must be legit". We really want to keep track of sender reputation. We need to be able to treat anonymous email differently than email from people we actually know. That implies that we have some work to do on the problem of identity. As it is, there is not even a way for a known email sender to securely introduce an unknown email sender. You know, the way that regular human people normally are able to transfer identities from one to the other.

1. xg15 No.43470682
> We need to be able to treat anonymous email differently than email from people we actually know.

The simplest solution to that would be an "only show me emails from people in my address book" filter. That would mostly echo how we treat user trust on all other platforms. Genuinely surprised this doesn't exist in most email clients (or does it and I have just overlooked it so far?)

Of course that's only a partial solution and wouldn't work for accounts where you expect unsolicited mails from people you don't know. I'd see it more as a "low-hanging fruit" solution. You could also expand the heuristic, e.g. also consider previous conversations, mailing lists, etc.

(Interestingly, the "introduce a friend" functionality would come for free: You can already send contact details as a vCard in an attachment. When receiving such a mail, some email clients will show a button to quickly add the contact to the address book.)

2. x0x0 No.43472959
> only a partial solution and wouldn't work for accounts where you expect unsolicited mails from people you don't know.

I actually think this would work fine. Imagine a quarantine inbox for new emailers that the user must scan and approve/block. This is exactly what hey has implemented.
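
An added example, not part of the thread or of any mail client's code: a sketch of the address-book filter with a quarantine inbox discussed above, extended with the "previous conversations" heuristic. Because the `From` header alone can be forged, it only trusts a known sender when the receiving server recorded `dmarc=pass`. Assumptions: the function names, the `mx.example.net` authserv-id and all sample messages are constructed, and the receiving MTA strips inbound `Authentication-Results` headers that claim its own id.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: id stamped by our own MTA

def known_senders(address_book, sent_messages):
    """Address book plus everyone the user has already written to."""
    known = {a.lower() for a in address_book}
    for raw in sent_messages:
        msg = message_from_string(raw)
        rcpts = msg.get_all("To", []) + msg.get_all("Cc", [])
        known.update(addr.lower() for _, addr in getaddresses(rcpts) if addr)
    return known

def dmarc_passed(msg):
    """Believe only Authentication-Results headers written by our own MTA."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if (authserv.strip().lower() == TRUSTED_AUTHSERV
                and re.search(r"\bdmarc\s*=\s*pass\b", results, re.I)):
            return True
    return False

def triage(raw, known):
    """Return 'inbox' for an authenticated known sender, else 'quarantine'."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in known and dmarc_passed(msg):
        return "inbox"
    return "quarantine"  # the user reviews, then approves or blocks the sender

# Constructed sample data (hypothetical addresses and headers).
AR_OK = "Authentication-Results: mx.example.net; dmarc=pass\n"
AR_FAIL = "Authentication-Results: mx.example.net; dmarc=fail\n"
AR_FOREIGN = "Authentication-Results: mx.elsewhere.example; dmarc=pass\n"
SENT = ["To: Bob <bob@example.org>\nSubject: hi\n\nhello\n"]
KNOWN = known_senders(["alice@example.com"], SENT)
FROM_CONTACT = AR_OK + "From: Alice <alice@example.com>\nSubject: lunch\n\nhi\n"
FAILED_AUTH = AR_FAIL + "From: Alice <alice@example.com>\nSubject: x\n\nhi\n"
FOREIGN_HEADER = AR_FOREIGN + "From: Alice <alice@example.com>\nSubject: x\n\nhi\n"
STRANGER = AR_OK + "From: carol@example.org\nSubject: hello\n\nhi\n"
REPLY = AR_OK + "From: bob@example.org\nSubject: Re: hi\n\nhi\n"

if __name__ == "__main__":
    for name in ("FROM_CONTACT", "FAILED_AUTH", "FOREIGN_HEADER", "STRANGER", "REPLY"):
        print(name, "->", triage(globals()[name], KNOWN))
```

An authenticated stranger still lands in quarantine: DMARC only says the domain is not forged, while the address book decides whether the user knows the sender.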