Google has started automatically blocking emails sent by bulk senders who don’t meet stricter spam thresholds and authenticate their messages as required by new guidelines to strengthen defenses against spam and phishing attacks.

As announced in October, the company now requires those who want to dispatch over 5,000 messages daily to Gmail accounts to set up SPF/DKIM and DMARC email authentication for their domains.

  • Kbin_space_program@kbin.social
    link
    fedilink
    arrow-up
    49
    arrow-down
    1
    ·
    9 months ago

    Yay, does this mean that Google is going to stop saying the masked email address is the sender and hide the true email address?

    You know, like MS has done for over 15 years now?

    • deweydecibel@lemmy.world
      link
      fedilink
      English
      arrow-up
      18
      ·
      9 months ago

      Yeah…but have you considered how much “cleaner” the interface is without that information “cluttering” the UI up?

      • Beetschnapps@lemmy.world
        link
        fedilink
        English
        arrow-up
        16
        arrow-down
        2
        ·
        edit-2
        9 months ago

        In my experience it’s been more like…

        UX: “users said they want these three pieces of info”

        DEV: “I typically only look for one of those pieces of info, so I built this to just show the one”

        UX: “users said they want three things for these reasons… only one isn’t as helpful and it’s not hard to add the other 2”

        DEV: “well how’s that supposed to fit?”

        UX: “like the designs already show”

        DEV: “well I’ll put a ticket in the backlog and someone can come back to it, if they have time.”

        PM: “I see no reason to prioritize slight “UX improvement” tickets over shit like new features or bug fixes…”

        REPEAT X1000.

        Then sit through months of user testing where people keep saying exactly what you are saying. “Why not add x? I guess someone thought it’s cleaner that way” but all these little pains add up to “death by a thousand cuts”

        Then everyone complains and scapegoats design.

        • expr@programming.dev
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          2
          ·
          9 months ago

          I mean, you’re scapegoating developers right now. Developers don’t determine priorities. That’s a product/business direction problem.

          Also, UX doesn’t get to say what is hard to do or not (that’s the job of a developer, you really don’t have any way of knowing without familiarity with the implementation details), so that’s certainly at least part of your problem right there.

          • Beetschnapps@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            edit-2
            9 months ago

            Bullshit and it’s right there in your comment: devs are not the only ones capable of assessing difficulty. The entire team should be doing that COLLABORATIVELY well before any dev touches a keyboard. Code isn’t some arcane black magic and we’ve all built products before, heard these excuses before… so stop saying “that’s not your job, that’s not my job”. Not a good look.

            Suddenly declaring something is too hard and ignoring specs during the build phase is not a part of any dev’s fucking job, though you’d be surprised by the way they act.

            Which is encapsulated perfectly in your comment. You mention it’s someone else’s job to handle business direction problems while ignoring how the problem is actually the dev not doing their job to begin with. The product meets its goals by showing three points of data, but a dev said fuck it and only showed one. That’s not a business issue, it’s a “I don’t want to” problem. Just like in your comment, any issues with “business direction” did not exist until you cited it to cover up for not doing the work that was already planned.

            It’s not scapegoating to point out actual behavior. Behavior I’ve seen for 15 years and behavior you reinforced with your comment. You completely ignore the role of collaboration. It’s insulting to have a dev define your job in order for them to justify making decisions in a vacuum.

            It’s especially maddening to hear this after I’ve spent over a year working directly with the CEO and CPO on a new product, lead focus groups, spoken with 100’s users on the issue, designed prototyped and validated solutions with additional testing… all alongside dev leads to expose any concerns early on. The board is happy, the c-suite is happy, the users like it, and we’re all set except some jackass developer thinks that since they know C# no one else can weigh in on all of their reasons to just not build what the TEAM designed.

    • ObsidianZed@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      What do you use for MS? I know live.com still struggles with this. Though I did create a rule that junked every email with no valid SPF record, so that helps.

      • Kbin_space_program@kbin.social
        link
        fedilink
        arrow-up
        2
        ·
        9 months ago

        It was a work issue about a decade ago. Client wanted certain emails from automation to be masked as coming from him.

        Most email boxes, including Gmail, didn’t have an issue. Outlook(the one that shipped with Office) laughed at it and displayed the original sender in giant bold letters.

    • shininghero@kbin.social
      link
      fedilink
      arrow-up
      23
      arrow-down
      1
      ·
      9 months ago

      Having managed an exchange instance for my old job, I can safely say that DKIM and DMARC are just some extra DNS entries for out-of-band verification. They can be boiled down to a pair of checkboxes on a compliance sheet.
      I can also say that most of the companies we got emails from didn’t have DKIM, and even fewer had DMARC. Or worse, they had DMARC set to p=ignore. Which is honestly even more infuriating.

    • Encrypt-Keeper@lemmy.world
      link
      fedilink
      English
      arrow-up
      19
      arrow-down
      1
      ·
      edit-2
      9 months ago

      Is it though? Is your self hosted mail server sending 5,000+ emails to various Gmail inboxes daily? If not, this doesn’t seem like it would affect you. And even if it did, all they appear to be asking is that you enable DKIM and DMARC for your mail server, which is something both trivial to do and you should be doing anyway.

      I’m not going to claim that a company like Google wouldn’t love to make life harder for the consumer, but I don’t see how anything related to this change would do that.

    • Thomas Douwes@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      17
      arrow-down
      1
      ·
      edit-2
      9 months ago

      I know a there are a lot of issues with self-hosting email, but I just don’t thing this is one of them. First, it probably won’t affect a self-hosted servers anyway unless you send a lot of emails, this requirement is only for servers sending 5,000 messages daily to Gmail. And even if you are, the requirements are not that harsh, it’s a couple DNS records and a DKIM signing daemon, and if you are using a pre-build email package like mailcow it’s probably already doing it.

    • BrianTheeBiscuiteer@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      9 months ago

      I’m sure they won’t do this because it’s too community friendly but they should just require all emails be digitally signed. If you don’t sign it goes to spam and if you do sign, and abuse the system, it’ll be much easier to find out who you are.

      • Opisek@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        9 months ago

        TLS has become too easy to acquire for it to have any effect, I’m afraid. Didn’t Chromium remove the padlock signifying HTTPs connection due to just that? That it doesn’t really mean anything anymore in terms of illegitimate websites (still obviously crucial against MitM)?

        • BrianTheeBiscuiteer@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          Easy to acquire, yes, but not anonymously. The cert has to tie back to a domain or subdomain and there’s a process to prove a domain belongs to whomever requested the cert. Long story short, if you wanted to sue or file complaint against a spammer that signs their emails then it’s not really a challenge to trace back to the person or company doing the spamming.

          This still relies on domain name registrars, hosts (e.g. Gmail), and certificate authorities keeping proper records.

          • Opisek@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            9 months ago

            Not sure about that. Phishing scams make sure to hide their identity really well and while something like .com might require your personal information, I can imagine .ru allowing anonymous registration. Once you’ve got a domain, getting a certificate for it with Let’s Encrypt happen in seconds with no personal information iirc. Even if you’d need to disclose something, you could just lie. Let’s Encrypt is highly automatized and I doubt anyone would check the information for some random domain. Yeah that cert/domain will be taken down quickly, but they’re incredibly cheap and easy to create.

    • deafboy@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      9 months ago

      Without SPF and DKIM, I could send messages pretending to be from you to anybody. Average user has no way to know that the “From:” field does not really mean what it says.

    • deweydecibel@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      ·
      9 months ago

      It’s a slow rollout to give legitimate businesses time to get their settings in order. And believe me, there are a lot of them that still haven’t.

      • Toes♀@ani.social
        link
        fedilink
        English
        arrow-up
        8
        ·
        9 months ago

        In my experience, organizations don’t change things until after it stops working and not a minute sooner. :(

      • DudeImMacGyver@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        You don’t need to tell me lol, there have been dozens of companies still asking us to whitelist their shit and everything time, “We don’t do that here.”

  • shininghero@kbin.social
    link
    fedilink
    arrow-up
    13
    ·
    9 months ago

    Meanwhile, Microsoft’s Exchange platform blatantly ignores DMARC failures for senders and relays on its “Good PTR list”. Bit of a glaringly large hole for spam to pass through.

    • PlantJam@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      ·
      9 months ago

      Don’t forget that Microsoft will also process forwarding rules before it finishes the “is this bad” scan.

  • invertedspear@lemm.ee
    link
    fedilink
    English
    arrow-up
    10
    ·
    9 months ago

    Why does the article only mention Google? I know yahoo had its heyday already, but they are still a common email platform and made the same requirements at the same time as Google.

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      It blows my mind that some of the largest email services in the world were accepting mail without all the antispam authentication. Everybody had been doing their best to keep it in check and they were simply ignoring all of it?

      • Jyek@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        It’s a really pain in the rear to configure for anyone who doesn’t have a dedicated IT or an MSP. You have to get these DKIM and DMARC records from your exchange provider and then you have to configure them on your DNS host. If your DNS host isn’t modifiable you have to send requests to their support to get those records put in place and then they want to verify your records from your provider as well as a security measure. I’ve had clients that took us a week because of all the song and dance of DKIM and DMARC all because I couldn’t go in and add the records myself.

        Fuck you LOGIX you garbage company from the stone age. Let me manage my clients DNS records. 😤

    • Sybil@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      arrow-down
      1
      ·
      9 months ago

      it’s in the article. more than 5000 messages to gmail users per day without dkim

        • Jyek@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          7
          ·
          9 months ago

          DKIM is the standard for verification right now. This isn’t an anti-competition play. I manage DKIM records for my clients all the time. Yahoo, SB global, and At&t enforced DKIM requirements a few months back and it’s been a headache but it has made a huge difference in spam emails.

          For anyone who doesn’t know what DKIM is, it’s a method of an email provider getting a sort of green flag from the host domain name. So if you have an email address whatever@mybusiness.com and your email provider is Microsoft 365 and your domain provider is goDaddy, Microsoft says to goDaddy, “hey I’m sending this email, can you verify that I have permission to send from the domain my business.com?” And go daddy checks for DKIM records from Microsoft and sees it and says “yes sir, this is approved.” Then M365 sends the email, and if the recipient requires DKIM to receive the email at whomever@yahoo.com, Yahoo looks at the domain and asks, “hey goDaddy, it says you host this, is this email legit?” And goDaddy says “yep it’s all legit, give it to the recipient.”

          This effectively eliminates messages sent from a domain without DKIM records as well as spoofed emails because those spoofed emails never checked in when sending.

          I appreciate the skepticism but this is a security play, not a business one.

  • hperrin@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    3
    ·
    9 months ago

    Gmail sucks so much that I made my own email service. But at least this is good.