17 Comments
mbb70
I'm sure regular airline passengers trip the metal detectors more often than terrorists, doesn't mean we should get rid of the metal detectors.
csomar
I am just having this problem. Actually getting SPF, DKIM and DMARC right and having a domain with a 0 spam score will still land you in the spam directory. It turns out, you need to have a "reputation"? before your email gets accepted into gmail. My head was spinning as to how that reputation will be built if your email just goes straight to spam.
But sure, Linkedin emails are definitively not spam and their dark-patterns at adding you at n+1 emailing list doesn't get them banned from the big (or any?) provider.
magicalhippo
Moved my mail over to Proton and they had a very nice process that made it easy to add the required DNS entries and verify that they were correct.
I was dreading this step as I hadn't done it before but turned out to be a breeze thanks to that.
jeroenhd
For me, as someone with their own mail server, these technologies mostly serve to inform me that Russian IP addresses are still trying to send email in the name of my domain for some stupid reason.
It makes sense that people whose business is sending email know how to set up email correctly. I'm mostly surprised at how many legitimate sysadmins struggle with getting the basics correct. Surely those dozens of DMARC emails you get that your sendgrid email has been refused because of a bad SPF signature should set in motion some kind of plan to ask if maybe marketing is using them legitimately?
Automated signatures are of limited value but I rarely see rejections based on SPF and DKIM that are a mistake. Things are probably worse for big organizations but as a small email server, technical rejections are usually the right call. The only exception is mailing lists, but the dozens of people who still use those can usually figure out how to add an exception for them.
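As an added example (not code from any commenter), a Python sketch that parses a constructed DMARC aggregate (RUA) report and separates outright unauthenticated sources from third-party senders that pass raw SPF for their own domain but fail alignment, which is the "is marketing using SendGrid legitimately?" question raised above. The report XML, IP addresses and domain names are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate (RUA) report for the hypothetical domain
# example.com: a spoofing source, a misaligned third-party sender that passes
# raw SPF for its own domain, and a properly aligned sender. Not a real report.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>42</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>unknown-host.invalid</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.9</source_ip><count>15</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>sendgrid.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results>
  </record>
</feedback>"""

def classify(record):
    """Label one <record>. policy_evaluated holds the *aligned* results; auth_results
    holds the raw ones, so raw SPF pass + aligned fail points at a legitimate
    third-party sender (e.g. a marketing vendor) rather than a spoofer."""
    evaluated = record.find("row/policy_evaluated")
    if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
        return "aligned_pass"
    if record.findtext("auth_results/spf/result") == "pass":
        return "unaligned_third_party"
    return "unauthenticated"

def summarize(xml_text):
    """Return {category: {source_ip: message count}} for a DMARC aggregate report."""
    root = ET.fromstring(xml_text)
    out = defaultdict(dict)
    for rec in root.findall("record"):
        out[classify(rec)][rec.findtext("row/source_ip")] = int(rec.findtext("row/count"))
    return dict(out)
```

Calling `summarize(SAMPLE_REPORT)` groups the three sources into `unauthenticated`, `unaligned_third_party` and `aligned_pass`; the middle bucket is the one worth a conversation with whoever owns the vendor account before leaving the policy at reject.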
riobard
The point of SPF/DKIM/DMARC is to bind emails to domains, so no more spoofing. It is naive to expect authentication alone can reduce spam.
badmintonbaseba
Naively I thought that one value proposition of SPF, DKIM and DMARC is that reputation shifts from based on IP to be based on domain, once you set these up correctly. So as long as you can maintain a good reputation for your domain and have SPF, DKIM and DMARC correctly set up, then you can host your SMTP server at any IP and your emails will get delivered.
I wonder why it doesn't work this way.
apeters
You may have success checking for common tracking and advertising elements in a mail. Good chance it's spam if there's not 100 trackers. Frustrating.
tomw1808
Is there actually a "domain reputation as a service" provider, which controls a couple thousand gmail addresses, sends itself the emails and manually unmarks them as spam? Asking for a friend……….
chrismorgan
Google are bad at SPF and DKIM.
—⁂—
1. I tried responding to a Chromium bug tracker message by email a couple of months ago, and it failed me:
> Unfortunately, your email to create/update an issue was not processed.
> Reason: SPF/DKIM check failed. Please ensure your domain supports SPF (https://support.google.com/a/answer/178723) and DKIM (https://support.google.com/a/answer/174124). If your domain does not support them, please use the Google Issue Tracker UI (https://issuetracker.google.com).
Trouble is, this is simply not true. My SPF and DKIM are fine. This makes me wonder whether the email ingestion system is simply broken for everyone.
—⁂—
2. I got involved in setting up a Google Workspace for someone a few months back, and the entire tool that their own documentation instructs you to use to check things, https://toolbox.googleapps.com/apps/checkmx/, has been laughably broken for years, sometimes not working at all, but mostly producing misleading nonsense results (e.g. claiming domains have no mail server set up when they do).
Then, to make it even more absurd, the feedback link they give you, https://toolbox.googleapps.com/apps/main/feedback?toolname=c…, iframes https://docs.google.com/a/google.com/forms/d/e/1FAIpQLSdnlp8…, but you haven’t been allowed to iframe such documents for I don’t know how long so it doesn’t load, and even if it did, it’s a private form that only Googlers, I suppose, can fill in. And there have been plenty of reports about all of this for years, and it’s still broken.
upofadown
SPF/DKIM is really about mail server reputation. So it mostly benefits larger servers like the ones run by Google, Microsoft and Yahoo. Unfortunately, that means that attempts by those larger providers to combat spam using such reputation will naturally hurt smaller providers. So the actual effects of SPF/DKIM are on the whole negative.
The root problem is that we don't actually need to keep track of email server reputation. No one says to themselves "Huh, this is from a Gmail address, it must be legit". We really want to keep track of sender reputation. We need to be able to treat anonymous email differently than email from people we actually know. That implies that we have some work to do on the problem of identity. As it is, there is not even a way for a known email sender to securely introduce an unknown email sender. You know, the way that regular human people normally are able to transfer identities from one to the other.
bell-cot
SPF, DKIM, DMARC, IP reputation, whitelists, blacklists, graylists, spam filters, …
https://xkcd.com/927/
kuon
Providers should really stop using spam folders and refuse email at the session level, that alone would fix the false positive issue. I had a rant [1] about it a while ago.
[1]: https://www.kuon.ch/post/2024-09-16-email-rant/
hannob
This is missing the point.
To be clear, I'm not necessarily a fan of DMARC, particularly how it was introduced. But it is very obvious that spammers will eventually do everything to not be flagged as spammers.
What DMARC gives you is that it makes it less likely that your phishing mail will come from contact@yourbank.com. It will rather come from contact@y0urbank.com or some other domain.
How much of an improvement that is and how many people will notice is certainly debatable. But that's what DMARC can give you. Nothing more, nothing less.
nubinetwork
> Surely everyone (and by everyone I mean Google) is rejecting their mail? How do they not realize this?
Not sending email to google helps.
nextn
Spammers are worse at something no one tried to use AFAIK: require a fee to deliver email.
zzzeek
I know very little about these protocols, except for having to deal with them a bit on those few sad occasions I need to get a server to send email. From those experiences I had a strong sense that Google pushes out all these complicated and difficult procedures on everyone just as a means of discouraging people from using email servers in the first place… "just use google, we control the whole thing anyway".