toad.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server operated by David Troy, a tech pioneer and investigative journalist addressing threats to democracy. Thoughtful participation and discussion welcome.

Taking a stroll through my spam folder, I saw a bunch of legitimate messages from people and companies with their own domains, that are not publishing DMARC and SPF records. Surely everyone (and by everyone I mean Google) is rejecting their mail? How do they not realize this?

Then I noticed that one of them was received *from* gmail, so their mail probably works fine so long as they only mail gmail users. But another was via Yahoo, so that doesn't track.
jwz.org/b/ykk8

@jwz The stats we collect for the project (mass-scan results from participating sites) have long shown that spammers are more consistent at making SPF, DKIM, and DMARC correct than are legitimate senders. DMARC in particular has no discernible benefit for most senders, so it is a useless signal.

Rejecting mail based solely on authentication failures of those deeply flawed authentication methods does more harm than good.

@grumpybozo @jwz Bonus round: GMail themselves effectively require 'DMARC' (aligned DKIM and/or SPF) for any sending domain that wants to reliably reach GMail users, including through forwarding. This is really fun when domains don't do that, send email to professors in my university department, and said professors forward their email to GMail.

I'm not sure these domains set out to create unforwardable email but they sure achieved it. (We don't do SRS because that's a hack on top of SPF.)

🆘Bill Cole 🇺🇦

@cks @jwz The only ways to do forwarding that doesn't break SPF are to use SRS or encapsulate every message as a message/rfc822 inside of a container message sent by the forwarder's domain. Or have the user set up GMail to fetch via POP3 instead of you forwarding via SMTP.

DKIM is usually undamaged by simple forwarding, unless you modify the body or headers (including re-encoding.)

@grumpybozo @jwz The un-forwardable place we encountered had set up SPF but wasn't DKIM signing email (and had no DMARC, but GMail didn't care). So their email was (presumably) accepted when sent directly to GMail, passing SPF checks, but not forwarded through us (no SPF pass, no DKIM signature to pass). I gave them a 'very clever -5 points' award.
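
An added example, not part of any post in this thread: a simplified Python model of the delivery paths discussed above (direct, plain forwarding, SRS forwarding, and forwarding that modifies the message), showing which checks the final receiver sees pass. The domains, IPs, the `FWD` forwarder, and the strict-match alignment rule are constructed assumptions; real SPF and DKIM evaluation uses DNS lookups and signature verification.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample data: example domains and documentation-range IPs.
# Assumption: SPF is modelled as a set of authorized IPs per domain.
SPF = {"sender.example": {"192.0.2.10"}, "dept.example": {"198.51.100.5"}}
FWD = ("dept.example", "198.51.100.5")  # hypothetical forwarding host

@dataclass(frozen=True)
class Msg:
    from_domain: str            # header From: domain
    envelope_domain: str        # SMTP MAIL FROM domain, the one SPF checks
    client_ip: str              # IP the final receiver sees connecting
    dkim_domain: Optional[str]  # d= of a still-valid signature, else None

def forward(msg, srs=False, modifies=False):
    """Relay through FWD. SRS rewrites the envelope sender to the forwarder's
    domain; modifying body or signed headers invalidates the DKIM signature."""
    return replace(msg, client_ip=FWD[1],
                   envelope_domain=FWD[0] if srs else msg.envelope_domain,
                   dkim_domain=None if modifies else msg.dkim_domain)

def evaluate(msg):
    spf = msg.client_ip in SPF.get(msg.envelope_domain, set())
    # Strict alignment only (assumption); relaxed alignment is not modelled.
    spf_aligned = spf and msg.envelope_domain == msg.from_domain
    dkim_aligned = msg.dkim_domain == msg.from_domain
    return {"spf": spf, "dkim": msg.dkim_domain is not None,
            "aligned": spf_aligned or dkim_aligned}

def scenarios(signs_dkim):
    direct = Msg("sender.example", "sender.example", "192.0.2.10",
                 "sender.example" if signs_dkim else None)
    return {"direct": evaluate(direct),
            "plain_forward": evaluate(forward(direct)),
            "srs_forward": evaluate(forward(direct, srs=True)),
            "modified_forward": evaluate(forward(direct, modifies=True))}

if __name__ == "__main__":
    for signs in (False, True):
        print(f"sender signs DKIM: {signs}")
        for path, result in scenarios(signs).items():
            print(f"  {path:17} {result}")
```

With `signs_dkim=False` the model reproduces the SPF-only case from the last post: the direct message passes, the plainly forwarded one has neither an SPF pass nor a DKIM signature.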