429 points pabs3 | 4 comments
upofadown No.43470130
SPF/DKIM is really about mail server reputation. So it mostly benefits larger servers like the ones run by Google, Microsoft and Yahoo. Unfortunately, that means that attempts by those larger providers to combat spam using such reputation will naturally hurt smaller providers. So the actual effects of SPF/DKIM are on the whole negative.

The root problem is that we don't actually need to keep track of email server reputation. No one says to themselves "Huh, this is from a Gmail address, it must be legit". We really want to keep track of sender reputation. We need to be able to treat anonymous email differently than email from people we actually know. That implies that we have some work to do on the problem of identity. As it is, there is not even a way for a known email sender to securely introduce an unknown email sender. You know, the way that regular human people normally are able to transfer identities from one to the other.

replies(10): >>43470222 #>>43470231 #>>43470355 #>>43470363 #>>43470411 #>>43470421 #>>43470529 #>>43470539 #>>43470682 #>>43471471 #
dig1 No.43470355
> That implies that we have some work to do on the problem of identity. As it is, there is not even a way for a known email sender to securely introduce an unknown email sender.

There is: gpg/pgp signature, but many people find it complicated, primarily because they are reluctant to read the documentation. And it’s popular to criticize it, especially here on HN, in favor of various half-baked alternatives.

replies(3): >>43470420 #>>43470599 #>>43470634 #
simiones No.43470634
I think everyone can agree that any technology that "isn't complicated if you read the documentation" is by definition complicated. I don't need to read the documentation for Gmail to use Gmail successfully.

Could I, as a trained programmer, use PGP and GPG? I'm sure I could if I spent some time reading about it. Could my 90-year-old grandmother, who is otherwise quite comfortable with email and WhatsApp? No, not to any meaningful extent.

replies(2): >>43470665 #>>43471229 #
johnisgood No.43470665
I highly disagree with this.

I just left a couple of comments regarding the use of "strtok". Its use is straightforward, just RTFM. Those were the golden days when people were less reluctant to read documentation. You could not even install Linux back then without an installation guide of some sort. You still need it for Gentoo, perhaps even Arch or Void. Are they wrong? No, just different target audience. If you do not want to become a "power user", that is fine.

My grandma can barely handle the TV controller. So what? I am really against dumbing things down, called "ease-of-access" or whatever they call it these days.

I do agree, however, that GPG / PGP signatures should be more visible and whatnot; just add some visual feedback (verified? legit?, etc.), and some e-mail service providers actually do this.

replies(1): >>43471897 #
simiones No.43471897
> Are they wrong? No, just different target audience. If you do not want to become a "power user", that is fine.

Complicated doesn't mean bad. I'm not claiming that PGP or GPG are bad technologies because they are complicated to use.

> My grandma can barely handle the TV controller. So what? I am really against dumbing things down, called "ease-of-access" or whatever they call it these days.

The "so what" is simple: PGP is not the right anti-spam solution for your grandma, or mine, or any users like them. This is the context of this conversation: is PGP a good-enough answer for how to establish identity for email in the interest of anti-spam and anti-scam efforts? And the answer is a clear and resounding no, not for the vast majority of users of email.

This, again, doesn't mean that PGP/GPG are bad technologies - they are very good for certain use cases and certain users.

replies(1): >>43471917 #
johnisgood No.43471917
So what is a good-enough answer for my grandma? :P
replies(1): >>43472029 #
simiones No.43472029
There's no great answer, unfortunately. Gmail and other off-the-shelf email providers handle much of the spam and some of the scam prevention for you, but you still need to exercise caution on your own.
replies(1): >>43472171 #
johnisgood No.43472171
I agree, and even less so for my grandma, honestly.