Basically in this attack, a victim (particularly a business or mailing list or NGO) is sending out bulk emails to addresses the attacker owns. Even sourcing this out to shady offshore click farms would work too.
Attacker then marks the victim’s emails as spam in Gmail/Yahoo/Outlook. The “AI spam filters” pick up on this new “spam activity” and will then mark future emails as spam or even delete them before reaching real customers.
After a year, company bleeds money on a quarterly basis. Ad departments wonder why there is decreased engagement through email. Technical departments are bamboozled.
Maybe a big company will be able to weather the storm or just ditch email altogether. But small companies would definitely take a hit. Even smaller NGO or political mailing lists would lose donations (assuming email was a significant source of new donations).
Probably a very low vector of attack tbh, but something that has lingered in my mind.
Meanwhile the first victim is left to pick up the mess where none of their email gets through anywhere.
Might be a drop in the bucket, but it doesn't take many votes to make a difference in the spam world.
I'm sure this will evolve soon enough and email delivery might increasingly become pay-to-play with all sort of backroom agreements, if it isn't already.
Spammers want us to think there’s a significant difference between their newsletter or marketing notes we may have technically signed up for (certainly not willingly) and I don’t feel bad about reporting both of them. If this forces spammers to consider whether recipients will want their messages, good.
I'm not sure how larger orgs mitigate it.
1. Don't trick people into signing up for mailing lists.
2. Don't spam.
3. Don't use mailing lists.
My small business is fine.
So an attack like this would be very obvious very quickly, even leaving aside that we'd notice a huge spike in email sign-ups and probably kill their accounts (especially since they're not going to be buying anything from those sock puppet accounts!).
Every couple of months I end up checking its spam folder and it's just a daily barrage of spam from both DNC and RNC, 1-2 emails per day like clockwork. None of them ever got through to the inbox though.
Now you have me rooting for the bad guys.
As more domains send email through shared IP space on transactional and marketing services, having the ability to attach reputation reliably to the sender domain is incredibly helpful in reducing abuse.
Google states that the new requirements are mandatory only when you send at least 5000 messages per day.
This is a lie. I send at most a few messages per day and usually less than one per day went to a gmail account, and I had implemented a part of the requirements, but not all of them.
Nevertheless, Google has started to reject my messages, so I was forced to waste time with the implementation of all requirements, even if they are somewhat redundant.
At the beginning of March, I started getting temporary rejections from gmail. Not all of my outgoing messages, maybe 1 in 10. Most of these messages were to one individual, to whom I've been sending for years. My domain has existed continuously since 2002, and has never sent spam. The rejection message was startling: words to the effect of "Your message has been rejected because of the awful reputation of the sending domain". The reputation of my domain is spotless, according to various testing tools.
There have been no new rejections in the last two weeks.
According to TFA, Google started rejecting a proportion of mail from bulk senders in February. I wonder if I got caught up in some half-baked roll-out of this new (old) policy.
Starting February 1, 2024, all email senders who send email to Gmail accounts must meet the requirements in this section.
- Set up SPF or DKIM email authentication for your sending domains.
- Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records.
- Use a TLS connection for transmitting email. For steps to set up TLS in Google Workspace, visit Require a secure connection for email.
- Keep spam rates reported in Postmaster Tools below 0.3%.
- Format messages according to the Internet Message Format standard, RFC 5322.
- Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery.
- If you manage a forwarding service, including mailing lists or inbound gateways, add ARC headers to outgoing email. ARC headers indicate the message was forwarded and identify you as the forwarder. Mailing list senders should also add a List-id: header, which specifies the mailing list, to outgoing messages.
https://apps.google.com/supportwidget/articlehome?hl=en&arti...
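A pre-send check for the header-related points in the requirements quoted above, written as an added example (not Google's code and not from any commenter). It assumes the one-click unsubscribe form defined in RFC 8058 (an https List-Unsubscribe URI plus a List-Unsubscribe-Post header), and the Gmail From domains and sample messages are constructed.

```python
# Added example, not from Google or the page: lint an outgoing mailing-list
# message against the header-related requirements quoted above. The one-click
# unsubscribe check follows RFC 8058 (List-Unsubscribe with an https URI plus
# List-Unsubscribe-Post: List-Unsubscribe=One-Click).
import email
from email import policy
from email.utils import parseaddr
from typing import List

GMAIL_FROM_DOMAINS = {"gmail.com", "googlemail.com"}  # assumed set of Gmail From domains
ARC_HEADERS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")


def lint_outgoing(raw: str, mailing_list: bool = True, forwarder: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the header checks pass."""
    msg = email.message_from_string(raw, policy=policy.default)
    problems = []
    # RFC 5322: From and Date are required; Message-ID is expected in practice.
    for name in ("From", "Date", "Message-ID"):
        if msg[name] is None:
            problems.append(f"missing {name}: header (RFC 5322)")
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() in GMAIL_FROM_DOMAINS:
        problems.append("From: uses a Gmail domain; Gmail's DMARC quarantine policy will apply")
    if mailing_list and msg["List-Id"] is None:
        problems.append("mailing-list traffic must carry a List-Id: header")
    unsub = msg.get("List-Unsubscribe", "")
    post = msg.get("List-Unsubscribe-Post", "")
    if "https://" not in unsub or post.strip() != "List-Unsubscribe=One-Click":
        problems.append("no RFC 8058 one-click unsubscribe (https List-Unsubscribe + List-Unsubscribe-Post)")
    if forwarder and any(msg[h] is None for h in ARC_HEADERS):
        problems.append("forwarded mail should carry ARC headers")
    return problems


# Constructed sample messages: one that fails several checks and one that passes.
BAD = """From: Newsletter <news@gmail.com>
To: subscriber@example.com
Subject: Weekly update

hello
"""

GOOD = """From: Newsletter <news@lists.example.org>
To: subscriber@example.com
Date: Mon, 01 Apr 2024 10:00:00 +0000
Message-ID: <20240401100000.1@lists.example.org>
Subject: Weekly update
List-Id: Example Newsletter <newsletter.lists.example.org>
List-Unsubscribe: <https://lists.example.org/unsub?token=abc>, <mailto:unsub@lists.example.org>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

hello
"""

if __name__ == "__main__":
    for label, raw in (("bad", BAD), ("good", GOOD)):
        print(label, lint_outgoing(raw) or "ok")
```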
Agreed it’s a net positive, but it kills me when the reason emails land in spam is misconfiguration at the recipient’s end. (Like forwarding emails which breaks SPF)
Thank god.
Otherwise I'd drown in cold email spam.
edit: But on a serious note — I'm using Gmail for all companies because I gave up trying to run and administer our own server. It's a travesty that this has become so hard. I feel if you're not on a well-configured Gmail Workspace there's no chance your email gets through, even if legit.
i would love some insights into how smart spammers are in actually leveraging such information. most spam seems to be hammering attempts that don't take failure feedback into account.
in my mail server, messages classified as junk keep getting temporarily rejected with a generic error message. at least the (legitimate misclassified) sender gets a delayed dsn, and finally feedback that a message wasn't received.
it seems many mail servers/services think it's more important to not give a signal to spammers than it is to give a useful signal to legitimate but misclassified users. perhaps they think their classification is really great and doesn't misclassify...
Gmail's spam filter (and promotions filter) works with >99% reliability as a user, with really trivial numbers of false positives.
Customer requests for quotes, Paypal/Stripe security messages, lots of other important emails go to spam.
See e.g. https://github.com/nh2/gmail-spamfilters-paypal-security-mes...
For a while now I have suspected that GMail has some bug with its own group email addresses:
When somebody sends an email to our GMail group email address team@example.com, it shows up in GMail as "Somebody via team@example.com". Of course, team@example.com receives both spam and non-spam.
I suspect that when we mark spam that comes "via team@example.com", GMail learns that as "things 'via team@example.com' are often Spam", even though info@example.com is a Google Groups email.
And by now, everything that comes 'via team@example.com' is marked as Spam.
So it seems that when we mark an email that arrived at team@example.com as Spam, Google punishes its own Group email address, instead of the sender.
If it wasn't walled, it would be completely unusable.
It sounds like stiffer penalties are necessary for sending spam, both to consumers and to businesses.
I’m left feeling like homegrown email delivery is some sort of lightning rod for stuck-in-the-past faux-sysadmin types that can’t get past the fact that it’s not 2003 anymore and lazily / maliciously comply with SPF / DKIM.
IT’S NOT THAT HARD.
A problem is that you can do everything technically right, and still land in spam, because some big players don't play by the usual rules.
For example, Microsoft apparently has an allowlist for IPv4 -- or equivalently, blocks all IPv4 by default, until you manually de-list them at sender.office.com. At least I haven't found an IP yet for which I didn't have to do that (self-hosting email for 15 years).
(Imagine every provider did it like MS; you'd be sitting there and filling out web forms with 1000s of providers.)
So you have a technically perfect setup and MS still rejects you.
--
That said, using some provider to send emails for you doesn't solve deliverability either. There, many customers share the same sender IP. If one of them sends marketing/spam, the entire IP gets a bad reputation. In such cases, providers recommend upgrading to "bring your own IP", which then needs to "gather reputation" [0]. Great, might as well have self-hosted in the first place, as reputation is the only thing I bought the service for.
[0]: Example: https://www.mailgun.com/blog/deliverability/dedicated-shared... -- Especially entertaining is "Use a shared IP if: Your shared IP partners have built a good reputation." As if you had any control over that.
That applies to really all email providers. Part of fighting spam is (somewhat unfortunately) not telling the spammer what you're detecting.
Well-established organizations that have a long history of sending steady volumes of high quality content with low complaints have a huge leg up. So if you work at such a place, or you contract with such a vendor, you’re going to feel like it’s obvious that the DNS entries work well.
EDIT: Admittedly this post is also about bulk sending where other metrics like unsubscribe links and spaminess matter. But for the self hosted crew it really just comes down to DMARC, DKIM and SPF.
What type of "FUD" are you talking about? The objections in the thread seem pretty well founded (eg. being shadowbanned despite complying with SPF/DKIM, or this requirement breaking email forwarding), and there aren't really any that are against implementing SPF / DKIM.
The most annoying thing is when email senders use click tracking on domains that are blocked by those AdBlock lists. I keep a separate browser instance to copy-paste those links into, but then I have to login again.
I prefer sending unsubscribe emails instead of clicking links. Gmail can automate it.
Just having them perfectly configured doesn't mean that the receiving servers will also see it that way.
Microsoft servers are particularly prone to randomly failing perfectly fine dkim setups for no reason whatsoever.
It's important but has very little connection to deliverability in the real world.
Someone (allegedly) sent SPAM and now my machine that sends maybe 3 emails a week is blacklisted
Running an outbound smtp server on a customer ip-range is going to be problematic anyway. All such ranges can be considered suspicious since the spammers who use them don't care about their standing.
But I've had my IP for years and it was originally clean as well.
i do think mail servers/services are using ip-based blocklists wrong. yes, you can use it as one of many signals. give it some more weight for first-time senders. but if you've been mailing (with spf/dkim/dmarc-authenticated messages/transactions), from an ip that suddenly gets on a blocklist, the previous positive reputation should be stronger than that blocklisting, and you should be able to keep communicating with your known correspondents (until they mark your message as spam after which future deliveries can be rejected/junked). it seems those mail servers/services cheap out and apply ip blocklists early in the smtp process. good for their system load, bad for their analysis performance.
in general, it seems even bigfreemail services are bad at using existing reputation in their ham/spam decisions. i recently switched an online webservice i made (that is about sending certain notifications by email) to signups via email (like how you can sign up to mailing lists: by sending an email to an address). the idea: if you send my service an email, i'm in your list of known correspondents. so the confirmation reply from my mail server (spf/dkim/dmarc-aligned) should certainly be accepted by yours (how much more opt-in do you want?). i tested with some bigfreemails, and yahoo put my reply with confirmation (that even references the original message) in the junk folder. to people who think you can't compete with bigmail: the bar isn't as high as you may think.
Any half decent marketer will 100% use a different domain for outbound sales (or any use case where spam rate might be abnormally high).
Email on a personal machine and domain has been dead for over 10 years.
You just can't own your data.
You can receive it, no problem. But you can't send it.
Apologies if you do, but it sounds like you misunderstand how email works.
The problems are strictly in policy, not in software. So there is nothing an open source project can do. The problem is that "too big to fail" megacorporations like microsoft just randomly decide to block incoming email from most of the Internet.
If email was fully decentralized (everyone runs their own server) this centralized power could not exist and there wouldn't be any problem.
(That all said, I run my own email infrastructure since long ago and it works fine. But I know some people struggle, which is contrary to the intent of the Internet.)
You would have different problems though. Spam would still be hard, or arguably even harder, because you would have lots of small mail servers with no idea if they are trustworthy or not. Is this uncle Bob, who I haven't spoken to for 30 years, sending me a heartfelt message about the family? Or is it a scammer trying to cream some cash out of me?
When you forward an email, unless the email forwarder modifies the message content, it should still match the DKIM signature, so it still passes.
Because as you say, you break SPF if you don't touch the envelope from. There's SRS to fix this. But if you do that, you break DMARC alignment.
So... something is always broken? It appears to me there's no way to make mail forwarding that works with full SPF/DKIM/DMARC setups.
"In April 2024, Google will start rejecting a percentage of non-compliant email traffic and gradually increase the rejection rate. For example, if 75% of a sender’s traffic meets our requirements, Google will start rejecting a percentage of the remaining 25% of traffic that isn’t compliant."
What exactly are they doing about that ?
Nothing at all, because they are too big to care.
Aggressive decentralization is the only way to save the Internet. Host your own email, get everyone you know to host their own email.
The result is that outgoing hotmail/outlook smtp servers are added to blacklists until they start content filtering their own users.
plenty of bigfreemail spam is actually sent from their network, they're an interesting target for spammers, and at least some of them put a lot of effort in preventing abuse.
Easy Unsubscribe: Implement easy unsubscribe options (One-click Unsubscribe). Gmail users have tools to report spam, unsubscribe from unwanted emails and control their inbox experience. If it is too difficult to unsubscribe from your emails, customers will be more likely to flag your email as spam. Additional links provided in the ‘References’ section at the end of this article.
2. At the same time, Apple’s ITP will start removing all the information from the URL and only leave the domain, if it classifies your site as a “bounce tracker”. This means you won’t even know who to unsubscribe on one click! So all your emails will be blocked.
https://getcake.com/apples-intelligent-tracking-prevention-2...
If I forward your newsletter, that’s not a bulk email and it won’t include that header.
This is an important distinction that seems to get glossed over in a lot of the coverage and guides about the recent Gmail and Yahoo changes.
>https://getcake.com/apples-intelligent-tracking-prevention-2...
Your source doesn't actually say that "ITP will start removing all the information from the URL", only that it will "limit it the same way as third-party cookies" and will be "purging website data in such instances".
that's a rhetorical question - you already answered it.
Office365 is the toughest, email just randomly lands in spam no matter what I do. iCloud, actually it's Proofpoint, is tough sh*t too.
So I'm so surprised these guides just pop up now like it's a new thing.
---
[0]: https://mailwip.com
It’s recently started happening with iCloud too. For 5.5 weeks any email I sent would either get bounced or land straight in Junk, until yesterday when the powers that be decided my mail was worth delivering again.
I’ve somehow never had an issue with Gmail or Yahoo, and of course never with any other non-big-three mail servers.
And that's a decent thing.
Someone that doesn't do that has no business sending email.
The problem is that even doing that and even sending only a couple of emails a day is still usually considered SPAM.
1) Blocking numbers (which is pointless because they rotate them and spoof residential numbers).
2) Whitelisting numbers and blocking everyone else (this would cause me to miss legitimate calls).
3) Blocking entire ranges (this doesn't work because of the spoofing).
4) Using one of those spam screening services (currently looking into this). Still a bit concerned about missing valid calls and the privacy issue with this.
I want to follow best practices, but I recently changed p=quarantine to p=none after fear that legitimate emails aren’t passing DMARC despite properly configured DKIM and SPF.
Hell, I would love p=reject but not until recipients fix their incoming mail servers to handle edge cases like email forwarding breaking DMARC
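The receiver-side evaluation that both the forwarding discussion (DKIM surviving forwarding, SRS fixing SPF but breaking alignment) and the p=quarantine vs p=none comment turn on, written out as an added example; it is not code from any commenter or from a real verifier. It assumes SPF and DKIM verdicts are already computed, uses constructed domain names, and simplifies the organizational-domain lookup to the last two labels.

```python
# Added example (not from the thread): how a receiver turns SPF/DKIM results
# into a DMARC verdict and disposition, applied to the forwarding cases above.
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; aspf=r'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    (Real implementations consult the Public Suffix List.)"""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str            # domain in the RFC 5322 From: header
    mail_from_domain: str       # domain in the RFC 5321 MAIL FROM (envelope)
    spf_pass: bool              # SPF verdict for mail_from_domain
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified, else None


def dmarc_disposition(r: AuthResults, record: str) -> Tuple[str, str]:
    """Return (dmarc_result, action). A pass applies no policy ('none')."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.mail_from_domain, tags["aspf"])
    dkim_ok = r.dkim_domain is not None and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


# Constructed scenarios for a sender publishing p=quarantine.
RECORD = "v=DMARC1; p=quarantine; adkim=r; aspf=r"
DIRECT = AuthResults("example.org", "example.org", True, "example.org")
# Forwarder rewrote the envelope sender with SRS: SPF passes for the
# forwarder's domain but is not aligned; the untouched DKIM signature still is.
FORWARDED_INTACT = AuthResults("example.org", "forwarder.example.net", True, "example.org")
# Forwarder also edited the body (footer, subject tag), so DKIM no longer verifies.
FORWARDED_MODIFIED = AuthResults("example.org", "forwarder.example.net", True, None)

if __name__ == "__main__":
    for name, res in [("direct", DIRECT), ("forwarded, intact", FORWARDED_INTACT),
                      ("forwarded, modified", FORWARDED_MODIFIED)]:
        print(f"{name:20s} -> {dmarc_disposition(res, RECORD)}")
```

With p=quarantine the modified-forward case is quarantined; the same message under p=none only fails and is reported, which is the trade-off the comment above describes.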
This is the most important part. Exchange (due to its history as an X.400 server, not as an SMTP server) does sometimes mangle the message to the point that DKIM simply breaks. This both breaks origin-incoming and forwarded messages.
BTW, Apple also sometimes mangles messages so that they fail DKIM, although I do not know why this is the case (as I doubt they use Microsoft Exchange for their mail service).
for incoming email on mailing lists i'm subscribed to, i don't enforce the dmarc policy. i think this is what the parent post hints at. i'm not sure how easy this is to configure with the various mail server software out there. i'm also not aware how you would configure this with sieve scripts (i looked, didn't find it, but it seems like a basic case).
if you're running a mailing list, hoping for all subscribers to not enforce dmarc policy enforcement doesn't seem like a great strategy.
the forwarding case should be easier to keep working.
Hotmail/yahoo/aol all still seem to shove our transactional emails into spam pretty often (judging purely on the amount of those users who fail to confirm their accounts).
And Apple sends no dmarc reports nor do they implement any actionable feedback loop.
You did not sign up for the "newsletter". Your email address was harvested and given to malicious actors hell-bent on screwing you. Clicking on anything will take you to a website where your best interest is not at all what the company is going to do with your information. At best you might just remove one source of junk in your inbox. At worst, you end up clicking on something that turns out to install malware on your machine.
So what should you do?
1. Don't click on unsubscribe links.
2. Click the spam report button.
3. Stop using big email services that ignore spam reports. Gmail panders to other big businesses by letting them spam you without giving you the option to blacklist the entire domain yourself. Malicious content will continue to enter your inbox until you move to an email provider that takes your privacy and security seriously.
https://github.com/trusteddomainproject/OpenDKIM/issues/186
OpenARC/OpenDKIM don't parse email headers to spec. Help wanted.
The domain name in the From: field in the email envelope header is inspected and aligned with other domains authenticated by either SPF or DKIM:
The envelope does not have any header, the headers are in the content/body of the email. Also your screenshot of the "Here’s an example email envelope from an organization that passes all of the email security guidelines:" are the mail headers and not the envelope information.
Great presentation on this topic from dmarc.org
https://dmarc.org/presentations/Email-Authentication-Basics-...
I use separate emails for each service much like a separate password so I'm heavily invested in keeping my own server at least for receiving.
But yes if it's a recent setup, or email is a core part of the product, any competent sysadmin should have been doing this.
Their support people blame me, although they admit others have the same problem. They're not using a mail delivery service - the emails come directly from an IDrive server.
They're sending to my web site, which forwards to my personal address. There's no filtering at the first stage, and a division into Accept/Greymail/Junk at the next stage. Neither Google nor Yahoo is involved at any point.
I’ve been wondering if this was the cause. I don’t send out 5000 emails (I’m not 10X). But there’s this part:
> While these guidelines primarily affect bulk senders, senders with less volume per day can also be affected if they are not adhering to these guidelines.
I haven’t looked into it yet but I guess I should.
I use my own domain and I’m hosted by a not-Gmail provider.