this post was submitted on 02 Apr 2024
146 points (95.6% liked)

Technology


Google has started automatically blocking emails sent by bulk senders who don't meet stricter spam thresholds and authenticate their messages as required by new guidelines to strengthen defenses against spam and phishing attacks.

As announced in October, the company now requires those who want to dispatch over 5,000 messages daily to Gmail accounts to set up SPF/DKIM and DMARC email authentication for their domains.

[–] Toes@ani.social 38 points 7 months ago
[–] Kbin_space_program@kbin.social 35 points 7 months ago (2 children)

Yay, does this mean that Google is going to stop saying the masked email address is the sender and hide the true email address?

You know, like MS has done for over 15 years now?

[–] deweydecibel@lemmy.world 12 points 7 months ago (1 children)

Yeah...but have you considered how much "cleaner" the interface is without that information "cluttering" the UI up?

[–] Beetschnapps@lemmy.world 9 points 7 months ago* (last edited 7 months ago) (1 children)

In my experience it’s been more like…

UX: “users said they want these three pieces of info”

DEV: “I typically only look for one of those pieces of info, so I built this to just show the one”

UX: “users said they want three things for these reasons… only one isn’t as helpful and it’s not hard to add the other 2”

DEV: “well how’s that supposed to fit?”

UX: “like the designs already show”

DEV: “well I’ll put a ticket in the backlog and someone can come back to it, if they have time.”

PM: “I see no reason to prioritize slight “UX improvement” tickets over shit like new features or bug fixes…”

REPEAT X1000.

Then sit through months of user testing where people keep saying exactly what you are saying. “Why not add x? I guess someone thought it’s cleaner that way” but all these little pains add up to “death by a thousand cuts”

Then everyone complains and scapegoats design.

[–] expr@programming.dev -1 points 7 months ago (1 children)

I mean, you're scapegoating developers right now. Developers don't determine priorities. That's a product/business direction problem.

Also, UX doesn't get to say what is hard to do or not (that's the job of a developer, you really don't have any way of knowing without familiarity with the implementation details), so that's certainly at least part of your problem right there.

[–] Beetschnapps@lemmy.world 1 points 7 months ago* (last edited 7 months ago)

Bullshit and it’s right there in your comment: devs are not the only ones capable of assessing difficulty. The entire team should be doing that COLLABORATIVELY well before any dev touches a keyboard. Code isn’t some arcane black magic and we’ve all built products before, heard these excuses before… so stop saying “that’s not your job, that’s not my job”. Not a good look.

Suddenly declaring something is too hard and ignoring specs during the build phase is not a part of any dev’s fucking job, though you’d be surprised by the way they act.

Which is encapsulated perfectly in your comment. You mention it’s someone else’s job to handle business direction problems while ignoring how the problem is actually the dev not doing their job to begin with. The product meets its goals by showing three points of data, but a dev said fuck it and only showed one. That’s not a business issue, it’s a “I don’t want to” problem. Just like in your comment, any issues with “business direction” did not exist until you cited it to cover up for not doing the work that was already planned.

It’s not scapegoating to point out actual behavior. Behavior I’ve seen for 15 years and behavior you reinforced with your comment. You completely ignore the role of collaboration. It’s insulting to have a dev define your job in order for them to justify making decisions in a vacuum.

It’s especially maddening to hear this after I’ve spent over a year working directly with the CEO and CPO on a new product, led focus groups, spoken with 100s of users on the issue, designed, prototyped and validated solutions with additional testing… all alongside dev leads to expose any concerns early on. The board is happy, the c-suite is happy, the users like it, and we’re all set except some jackass developer thinks that since they know C# no one else can weigh in on all of their reasons to just not build what the TEAM designed.

[–] ObsidianZed@lemmy.dbzer0.com 2 points 7 months ago (1 children)

What do you use for MS? I know live.com still struggles with this. Though I did create a rule that junked every email with no valid SPF record, so that helps.

[–] Kbin_space_program@kbin.social 2 points 7 months ago

It was a work issue about a decade ago. Client wanted certain emails from automation to be masked as coming from him.

Most email boxes, including Gmail, didn't have an issue. Outlook (the one that shipped with Office) laughed at it and displayed the original sender in giant bold letters.

[–] 0x0@programming.dev 19 points 7 months ago* (last edited 7 months ago) (6 children)

I.e. it's now even harder to run your own mail server. If it was crypto-related the argument would be Think of the children™, since it's email the excuse is spam.

[–] shininghero@kbin.social 21 points 7 months ago

Having managed an exchange instance for my old job, I can safely say that DKIM and DMARC are just some extra DNS entries for out-of-band verification. They can be boiled down to a pair of checkboxes on a compliance sheet.
I can also say that most of the companies we got emails from didn't have DKIM, and even fewer had DMARC. Or worse, they had DMARC set to p=ignore. Which is honestly even more infuriating.

[–] EncryptKeeper@lemmy.world 17 points 7 months ago* (last edited 7 months ago)

Is it though? Is your self hosted mail server sending 5,000+ emails to various Gmail inboxes daily? If not, this doesn’t seem like it would affect you. And even if it did, all they appear to be asking is that you enable DKIM and DMARC for your mail server, which is something both trivial to do and you should be doing anyway.

I’m not going to claim that a company like Google wouldn’t love to make life harder for the consumer, but I don’t see how anything related to this change would do that.

[–] thomasdouwes@sopuli.xyz 15 points 7 months ago* (last edited 7 months ago)

I know there are a lot of issues with self-hosting email, but I just don't think this is one of them. First, it probably won't affect self-hosted servers anyway unless you send a lot of emails; this requirement is only for servers sending 5,000 messages daily to Gmail. And even if you are, the requirements are not that harsh: it's a couple of DNS records and a DKIM signing daemon, and if you are using a pre-built email package like mailcow it's probably already doing it.

[–] BrianTheeBiscuiteer@lemmy.world 5 points 7 months ago (1 children)

I'm sure they won't do this because it's too community friendly but they should just require all emails be digitally signed. If you don't sign it goes to spam and if you do sign, and abuse the system, it'll be much easier to find out who you are.

[–] Opisek@lemmy.world -1 points 7 months ago

TLS has become too easy to acquire for it to have any effect, I'm afraid. Didn't Chromium remove the padlock signifying an HTTPS connection due to just that? That it doesn't really mean anything anymore in terms of illegitimate websites (still obviously crucial against MitM)?

[–] cooopsspace@infosec.pub 4 points 7 months ago (1 children)

If you can't set DKIM and DMARC records you shouldn't be hosting email.

[–] AnUnusualRelic@lemmy.world -1 points 7 months ago

You can't anyway because your whole address block is blackholed in every spam filtering list in existence for "reasons".

[–] deafboy@lemmy.world 1 points 7 months ago

Without SPF and DKIM, I could send messages pretending to be from you to anybody. Average user has no way to know that the "From:" field does not really mean what it says.

[–] DudeImMacGyver@sh.itjust.works 14 points 7 months ago (1 children)

Amazing...

...that they have only just now done this.

[–] deweydecibel@lemmy.world 6 points 7 months ago (1 children)

It's a slow rollout to give legitimate businesses time to get their settings in order. And believe me, there are a lot of them that still haven't.

[–] Toes@ani.social 6 points 7 months ago

In my experience, organizations don't change things until after it stops working and not a minute sooner. :(

[–] mypasswordis1234@lemmy.world 13 points 7 months ago
[–] shininghero@kbin.social 12 points 7 months ago (1 children)

Meanwhile, Microsoft's Exchange platform blatantly ignores DMARC failures for senders and relays on its "Good PTR list". Bit of a glaringly large hole for spam to pass through.

[–] PlantJam@lemmy.world 9 points 7 months ago

Don't forget that Microsoft will also process forwarding rules before it finishes the "is this bad" scan.

[–] invertedspear@lemm.ee 8 points 7 months ago

Why does the article only mention Google? I know yahoo had its heyday already, but they are still a common email platform and made the same requirements at the same time as Google.

[–] therealjcdenton@lemmy.zip 1 points 7 months ago (1 children)

I wonder how Google will define spoofed...

[–] federatingIsTooHard@lemmy.world 8 points 7 months ago (1 children)

it's in the article. more than 5000 messages to gmail users per day without dkim

[–] therealjcdenton@lemmy.zip 1 points 7 months ago (1 children)

I meant if they'll also define mail from competitors as spam, wouldn't surprise me

[–] Jyek@sh.itjust.works 2 points 7 months ago (1 children)

DKIM is the standard for verification right now. This isn't an anti-competition play. I manage DKIM records for my clients all the time. Yahoo, SB global, and AT&T enforced DKIM requirements a few months back and it's been a headache but it has made a huge difference in spam emails.

For anyone who doesn't know what DKIM is, it's a method of an email provider getting a sort of green flag from the host domain name. So if you have an email address whatever@mybusiness.com and your email provider is Microsoft 365 and your domain provider is goDaddy, Microsoft says to goDaddy, "hey I'm sending this email, can you verify that I have permission to send from the domain mybusiness.com?" And goDaddy checks for DKIM records from Microsoft and sees it and says "yes sir, this is approved." Then M365 sends the email, and if the recipient requires DKIM to receive the email at whomever@yahoo.com, Yahoo looks at the domain and asks, "hey goDaddy, it says you host this, is this email legit?" And goDaddy says "yep it's all legit, give it to the recipient."

This effectively eliminates messages sent from a domain without DKIM records as well as spoofed emails because those spoofed emails never checked in when sending.

I appreciate the skepticism but this is a security play, not a business one.

[–] therealjcdenton@lemmy.zip 1 points 7 months ago

Alright thanks for the clarification, I learned something new today

[–] hal_5700X@sh.itjust.works 0 points 7 months ago
[–] hperrin@lemmy.world 0 points 7 months ago (1 children)

Gmail sucks so much that I made my own email service. But at least this is good.

[–] HubertManne@kbin.social 2 points 7 months ago (1 children)

does it have some sort of cardgames or intimate services vending?

[–] hperrin@lemmy.world 1 points 7 months ago

In fact, forget the email service.

[–] federatingIsTooHard@lemmy.world 0 points 7 months ago

i love the thumbnail

[–] ObviouslyNotBanana@lemmy.world -3 points 7 months ago

But what about freedom of speech???

/s