This change was necessary and long overdue. Requiring domain owners who send significant volumes of email to properly sign their messages allows receivers to more clearly delineate good from bad based on domain reputation rather than IP address reputation.
As more domains send email through shared IP space on transactional and marketing services, having the ability to attach reputation reliably to the sender domain is incredibly helpful in reducing abuse.
Spam is indistinguishable from malicious content.
You did not sign up for the "newsletter". Your email address was harvested and given to malicious actors hell-bent on screwing you. Clicking on anything will take you to a website where your best interest is not at all what the company is going to do with your information. At best you might just remove one source of junk in your inbox. At worst, you end up clicking on something that turns out to install malware on your machine.
So what should you do?
1. Don't click on unsubscribe links.
2. Click the spam report button
3. Stop using big email services that ignore spam reports. Gmail panders to other big businesses by letting them spam you without giving you the option to blacklist the entire domain yourself. Malicious content will continue to enter your inbox until you move to an email provider that takes your privacy and security seriously.
I'm surprised how many big companies fail the one-click unsubscribe test. Whether it's Cloudflare or Akamai blocking the connection, pages that take 5+ seconds to load, pages that require you to sign in or input your email address again... don't be surprised when customers reach for the Report Spam button instead.
One thing the April changes break is forwarding between e-mail services. If you currently forward from say an old university address at foo@school.edu to a personal GMail account at bar@gmail.com that will no longer work. This must be relatively uncommon if the major providers are charging ahead with these changes but it's pretty annoying for the people affected.
I'm surprised anyone's been getting through at all without perfectly configured SPF, DKIM, and DMARC. I've had a well configured self-hosted personal email server for years and still struggle to get through sometimes, though it does seem to be getting better.
The thing that kills me about DMARC is how often it fails with Microsoft specifically. And also with any use case involving the recipient forwarding mail (which breaks SPF alignment).
I want to follow best practices, but I recently changed p=quarantine to p=none out of fear that legitimate emails aren't passing DMARC despite properly configured DKIM and SPF.
Hell, I would love p=reject, but not until recipients fix their incoming mail servers to handle edge cases like email forwarding breaking DMARC.
The worst is when they accept the mail but silently tag it as spam and put it someplace the intended recipient will never see it. Google's Gmail is the worst about this. Corporate email isn't email anymore. It's a walled garden / silo like Facebook.
My personal VM has just been placed in some RBL because the entire /24 address space was blacklisted.
Someone (allegedly) sent SPAM and now my machine that sends maybe 3 emails a week is blacklisted
I think you mixed envelope (RFC5321) and headers (RFC5322) in your text.
> The domain name in the From: field in the email envelop header is inspected and aligned with other domains authenticated by either SPF or DKIM:
The envelope does not have any header; the headers are in the content/body of the email. Also, your screenshot of the "Here's an example email envelop from an organization that passes all of the email security guidelines:" are the mail headers and not the envelope information.
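The two comments above (forwarding breaking SPF alignment while DKIM still carries the message, and the envelope vs. header From: distinction) come down to how a receiver evaluates DMARC alignment. The following is an added example, not code from the original discussion: a small receiver-side DMARC evaluator over constructed authentication results. The domains, results and the DMARC record are all constructed for the example, and the organizational-domain logic is simplified to "last two labels" instead of using the Public Suffix List.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Simplified organizational domain: last two labels. Real receivers use the
    # Public Suffix List (so "school.ac.uk" would not collapse to "ac.uk").
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; aspf=r'."""
    return {k.strip(): v.strip() for k, _, v in
            (p.partition("=") for p in txt.split(";")) if k.strip()}

@dataclass
class AuthResults:
    header_from: str   # domain of the RFC 5322 From: header (what DMARC protects)
    spf: str           # SPF result, evaluated on the RFC 5321 MAIL FROM
    mail_from: str     # envelope sender domain that SPF checked
    dkim: str          # DKIM verification result
    dkim_d: str        # d= of the verified signature ("" if no signature)

def evaluate_dmarc(r: AuthResults, record: str) -> dict:
    tags = parse_dmarc(record)
    spf_ok = r.spf == "pass" and aligned(r.header_from, r.mail_from, tags.get("aspf", "r"))
    dkim_ok = r.dkim == "pass" and aligned(r.header_from, r.dkim_d, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok          # either aligned identifier is enough
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "result": "pass" if passed else "fail",
            # The published p= policy is applied only when DMARC fails.
            "disposition": "none" if passed else tags.get("p", "none")}

# Constructed scenarios (not real domains or observed results).
RECORD = "v=DMARC1; p=quarantine; adkim=r; aspf=r"
DIRECT = AuthResults("example.com", "pass", "example.com", "pass", "example.com")
# Forwarded via school.edu: SPF now sees the forwarder's envelope sender, so it
# cannot align with From:, but an untouched DKIM signature still does.
FORWARDED = AuthResults("example.com", "pass", "school.edu", "pass", "example.com")
# Forwarder also appended a footer, breaking the DKIM body hash: nothing aligns.
FORWARDED_MODIFIED = AuthResults("example.com", "pass", "school.edu", "fail", "example.com")

if __name__ == "__main__":
    for name, r in [("direct", DIRECT), ("forwarded", FORWARDED),
                    ("forwarded+modified", FORWARDED_MODIFIED)]:
        print(name, evaluate_dmarc(r, RECORD))
```

The third scenario is the one that turns p=quarantine into a real deliverability problem: with the same results under a p=none record the message is still delivered and only reported.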
Great presentation on this topic from dmarc.org
https://dmarc.org/presentations/Email-Authentication-Basics-...
Roughly 50% of my daily Spam comes from @gmail & @hotmail/@outlook accounts.
What exactly are they doing about that ?
I ran my own mail server for more than a decade. Same IP the entire time, never sent spam (for personal use only.) Finally threw in the hat last year and moved to a paid service - it was a pain to tell every person I sent mail to to check their spam box and mark me as not spam or add me to contacts. Beyond that, gmail smtp servers kept getting onto spam blocklists, so I wasn't receiving mail from gmail at times.
Speaking as someone in an industry that receives a lot of unwanted and seemingly un-unsubscribable marketing emails: I have never ever bought anything from a company that has sent me an email cold. I have my inbox set to show the first two lines and I delete them without opening them pretty much all the time. The only thing marketing emails do is annoy me.
So what any competent sysop has been doing for years?
1. GMail will block your email if you don't allow one-click unsubscribe. But this is very insecure since anyone can unsubscribe you if you forward your email.
> Easy Unsubscribe: Implement easy unsubscribe options (One-click Unsubscribe). Gmail users have tools to report spam, unsubscribe from unwanted emails and control their inbox experience. If it is too difficult to unsubscribe from your emails, customers will be more likely to flag your email as spam. Additional links provided in the "References" section at the end of this article.
2. At the same time, Apple's ITP will start removing all the information from the URL and only leave the domain, if it classifies your site as a "bounce tracker". This means you won't even know who to unsubscribe on one click! So all your emails will be blocked.
https://getcake.com/apples-intelligent-tracking-prevention-2...
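The one-click unsubscribe requirement quoted above is RFC 8058: a List-Unsubscribe header with an https URL plus a List-Unsubscribe-Post header, and the receiver unsubscribes by POSTing a fixed body to that URL. The following is an added example, not code from the original discussion or from any provider: a sender-side header builder, a compliance check of the kind a receiver would run, and the endpoint logic. The secret, endpoint and addresses are constructed for the example. It also shows the defensive shape that limits the forwarding concern raised in the comment: a per-recipient HMAC token (a forwarded copy can only unsubscribe that one recipient, not anyone else) and a GET that does nothing so link scanners do not unsubscribe people.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example: server-side secret and a hypothetical endpoint.
SECRET = b"constructed-example-secret"
UNSUB_BASE = "https://lists.example.com/unsubscribe"

def unsubscribe_token(list_id: str, recipient: str) -> str:
    # HMAC over list + recipient: the token cannot be forged for another
    # address, so a leaked link only ever affects the recipient it was sent to.
    msg = f"{list_id}\n{recipient.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]

def build_unsubscribe_headers(list_id: str, recipient: str) -> dict:
    """Sender side: RFC 8058 headers with an https URL and the One-Click marker."""
    q = urlencode({"l": list_id, "r": recipient,
                   "t": unsubscribe_token(list_id, recipient)})
    return {"List-Unsubscribe": f"<{UNSUB_BASE}?{q}>",
            "List-Unsubscribe-Post": "List-Unsubscribe=One-Click"}

def is_one_click_compliant(headers: dict) -> bool:
    """Receiver side: at least one https URL and exactly the RFC 8058 marker."""
    urls = re.findall(r"<([^>]+)>", headers.get("List-Unsubscribe", ""))
    return (any(u.lower().startswith("https://") for u in urls)
            and headers.get("List-Unsubscribe-Post", "").strip()
            == "List-Unsubscribe=One-Click")

def handle_unsubscribe(method: str, url: str, body: str = ""):
    """Endpoint: only a POST with the RFC 8058 body unsubscribes. A GET (link
    scanners, a reader of a forwarded copy clicking through) should render a
    confirmation page instead. Returns the unsubscribed address or None."""
    if method != "POST" or body.strip() != "List-Unsubscribe=One-Click":
        return None
    q = parse_qs(urlsplit(url).query)
    try:
        list_id, recipient, token = q["l"][0], q["r"][0], q["t"][0]
    except (KeyError, IndexError):
        return None
    # Constant-time compare; a tampered r= or t= parameter is rejected.
    if not hmac.compare_digest(token, unsubscribe_token(list_id, recipient)):
        return None
    return recipient.lower()
```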
Then there's the other side - receivability. IDrive is supposed to send me an email each day reporting backup status as seen by the backup servers. Those messages have been flaky since mid-February. Logs indicate the backups run; it's just the completion emails that fail.
Their support people blame me, although they admit others have the same problem. They're not using a mail delivery service - the emails come directly from an IDrive server.
They're sending to my web site, which forwards to my personal address. There's no filtering at the first stage, and a division into Accept/Greymail/Junk at the next stage. Neither Google nor Yahoo is involved at any point.
I've gotten some emails from Gmail about delaying my emails to Gmail users because I apparently send too many emails. I use git-send-email(1), which might send a cover letter plus X patches right after each other. These Gmail users are then in the CC. So I'm not a mailing list. The email list is the To recipient.
I've been wondering if this was the cause. I don't send out 5000 emails (I'm not 10X). But there's this part:
> While these guidelines primarily affect bulk senders, senders with less volume per day can also be affected if they are not adhering to these guidelines.
I haven't looked into it yet, but I guess I should.
I use my own domain and I'm hosted by a not-Gmail provider.
https://github.com/trusteddomainproject/OpenARC/issues/163
https://github.com/trusteddomainproject/OpenDKIM/issues/186
OpenARC/OpenDKIM don't parse email headers to spec. Help wanted.
I wonder how this ends up impacting government agencies and especially courts and law firms. My experience has been all three struggle with these things.
As usual in any email thread about email deliverability, the amount of FUD in these comments is absolutely mind-boggling to me. I'm not unusually smart or intelligent or capable. I wouldn't consider myself a deliverability expert. It's only a small small part of my job. I've never worked for any organisation that sells email delivery services to third parties. Why the hell can I understand this stuff, and get it to work, while there are so many people here that very clearly indicate (via what they're saying in their comments) that they DON'T get it yet have a serious axe to grind?
I'm left feeling like homegrown email delivery is some sort of lightning rod for stuck-in-the-past faux-sysadmin types that can't get past the fact that it's not 2003 anymore and lazily / maliciously comply with SPF / DKIM.
IT'S NOT THAT HARD.
This looks like a good document, but the author made it political by referencing "Hilary" Clinton and her emails and linking to some Trump stuff. I can't take tech stuff seriously that's dropping in political crap. Go away!
I run an email forwarding service[0] and it's damn hard to get into the inbox of any major provider if SPF/DKIM aren't configured properly. DMARC or ARC might be optional, but an email without SPF/DKIM, good luck having it hit any inbox.
Office365 is the toughest; emails just randomly land in spam no matter what I do. iCloud, actually it's Proofpoint, is tough sh*t too.
So I'm so surprised these guides just pop up now like it's a new thing.
---
[0]: https://mailwip.com
No mention of BIMI (either for or against)? I'm surprised...
Isn't there any open source project that solves the e-mail delivery problem? If not, why not? This sounds like something that can be fixed by software.
I wish we could solve the unsolicited SMS problem.
Just a friendly reminder. I wrote a thorough guide on email hygiene here; it includes validation tools to help troubleshoot & straighten things out.
Given how much weight "Gmail", "Outlook", and "Yahoo" email providers pull, I have always wondered about a different type of attack on business entities: "targeted failed deliverability".
Basically in this attack, a victim (particularly a business or mailing list or NGO) is sending out bulk emails to addresses that the attacker owns. Even sourcing this out to shady off-shore click farms would work too.
Attacker then marks the victim's emails as spam in Gmail/Yahoo/Outlook. The "AI spam filters" pick up on this new "spam activity" and will then mark future emails as spam or even delete them before reaching real customers.
After a year, company bleeds money on a quarterly basis. Ad departments wonder why there is decreased engagement through email. Technical departments are bamboozled.
Maybe a big company will be able to weather the storm or just ditch email altogether. But small companies would definitely take a hit. Even smaller NGO or political mailing lists would lose donations (assuming email was a significant source of new donations).
Probably a very low vector of attack tbh, but something that has lingered in my mind.