Google has started automatically blocking emails sent by bulk senders who don’t meet stricter spam thresholds or authenticate their messages as required by new guidelines to strengthen defenses against spam and phishing attacks.

As announced in October, the company now requires those who want to dispatch over 5,000 messages daily to Gmail accounts to set up SPF/DKIM and DMARC email authentication for their domains.

  • Kbin_space_program@kbin.social
    8 months ago

    Yay, does this mean that Google is going to stop saying the masked email address is the sender and hide the true email address?

    You know, like MS has done for over 15 years now?

    • ObsidianZed@lemmy.dbzer0.com
      8 months ago

      What do you use for MS? I know live.com still struggles with this. Though I did create a rule that junked every email with no valid SPF record, so that helps.

      • Kbin_space_program@kbin.social
        8 months ago

        It was a work issue about a decade ago. Client wanted certain emails from automation to be masked as coming from him.

        Most email boxes, including Gmail, didn’t have an issue. Outlook (the one that shipped with Office) laughed at it and displayed the original sender in giant bold letters.

    • deweydecibel@lemmy.world
      8 months ago

      Yeah…but have you considered how much “cleaner” the interface is without that information “cluttering” the UI up?

      • Beetschnapps@lemmy.world
        8 months ago

        In my experience it’s been more like…

        UX: “users said they want these three pieces of info”

        DEV: “I typically only look for one of those pieces of info, so I built this to just show the one”

        UX: “users said they want three things for these reasons… only one isn’t as helpful and it’s not hard to add the other 2”

        DEV: “well how’s that supposed to fit?”

        UX: “like the designs already show”

        DEV: “well I’ll put a ticket in the backlog and someone can come back to it, if they have time.”

        PM: “I see no reason to prioritize slight “UX improvement” tickets over shit like new features or bug fixes…”

        REPEAT X1000.

        Then sit through months of user testing where people keep saying exactly what you are saying. “Why not add x? I guess someone thought it’s cleaner that way” but all these little pains add up to “death by a thousand cuts”

        Then everyone complains and scapegoats design.

        • expr@programming.dev
          8 months ago

          I mean, you’re scapegoating developers right now. Developers don’t determine priorities. That’s a product/business direction problem.

          Also, UX doesn’t get to say what is hard to do or not (that’s the job of a developer, you really don’t have any way of knowing without familiarity with the implementation details), so that’s certainly at least part of your problem right there.

          • Beetschnapps@lemmy.world
            8 months ago

            Bullshit and it’s right there in your comment: devs are not the only ones capable of assessing difficulty. The entire team should be doing that COLLABORATIVELY well before any dev touches a keyboard. Code isn’t some arcane black magic and we’ve all built products before, heard these excuses before… so stop saying “that’s not your job, that’s not my job”. Not a good look.

            Suddenly declaring something is too hard and ignoring specs during the build phase is not a part of any dev’s fucking job, though you’d be surprised by the way they act.

            Which is encapsulated perfectly in your comment. You mention it’s someone else’s job to handle business direction problems while ignoring how the problem is actually the dev not doing their job to begin with. The product meets its goals by showing three points of data, but a dev said fuck it and only showed one. That’s not a business issue, it’s a “I don’t want to” problem. Just like in your comment, any issues with “business direction” did not exist until you cited it to cover up for not doing the work that was already planned.

            It’s not scapegoating to point out actual behavior. Behavior I’ve seen for 15 years and behavior you reinforced with your comment. You completely ignore the role of collaboration. It’s insulting to have a dev define your job in order for them to justify making decisions in a vacuum.

            It’s especially maddening to hear this after I’ve spent over a year working directly with the CEO and CPO on a new product, led focus groups, spoken with 100s of users on the issue, designed, prototyped and validated solutions with additional testing… all alongside dev leads to expose any concerns early on. The board is happy, the c-suite is happy, the users like it, and we’re all set except some jackass developer thinks that since they know C# no one else can weigh in on all of their reasons to just not build what the TEAM designed.

  • invertedspear@lemm.ee
    8 months ago

    Why does the article only mention Google? I know Yahoo had its heyday already, but they are still a common email platform and made the same requirements at the same time as Google.

    • lemmyvore@feddit.nl
      8 months ago

      It blows my mind that some of the largest email services in the world were accepting mail without all the antispam authentication. Everybody had been doing their best to keep it in check and they were simply ignoring all of it?

      • Jyek@sh.itjust.works
        8 months ago

        It’s a real pain in the rear to configure for anyone who doesn’t have a dedicated IT or an MSP. You have to get these DKIM and DMARC records from your exchange provider and then you have to configure them on your DNS host. If your DNS host isn’t modifiable you have to send requests to their support to get those records put in place and then they want to verify your records from your provider as well as a security measure. I’ve had clients that took us a week because of all the song and dance of DKIM and DMARC all because I couldn’t go in and add the records myself.

        Fuck you LOGIX you garbage company from the stone age. Let me manage my clients’ DNS records. 😤

    • deweydecibel@lemmy.world
      8 months ago

      It’s a slow rollout to give legitimate businesses time to get their settings in order. And believe me, there are a lot of them that still haven’t.

      • DudeImMacGyver@sh.itjust.works
        8 months ago

        You don’t need to tell me lol, there have been dozens of companies still asking us to whitelist their shit and every time, “We don’t do that here.”

    • Sybil@lemmy.world
      8 months ago

      it’s in the article. more than 5000 messages to gmail users per day without dkim

        • Jyek@sh.itjust.works
          8 months ago

          DKIM is the standard for verification right now. This isn’t an anti-competition play. I manage DKIM records for my clients all the time. Yahoo, SBCGlobal, and AT&T enforced DKIM requirements a few months back and it’s been a headache but it has made a huge difference in spam emails.

          For anyone who doesn’t know what DKIM is, it’s a method of an email provider getting a sort of green flag from the host domain name. So if you have an email address whatever@mybusiness.com and your email provider is Microsoft 365 and your domain provider is GoDaddy, Microsoft says to GoDaddy, “hey I’m sending this email, can you verify that I have permission to send from the domain mybusiness.com?” And GoDaddy checks for DKIM records from Microsoft and sees it and says “yes sir, this is approved.” Then M365 sends the email, and if the recipient requires DKIM to receive the email at whomever@yahoo.com, Yahoo looks at the domain and asks, “hey GoDaddy, it says you host this, is this email legit?” And GoDaddy says “yep it’s all legit, give it to the recipient.”

          This effectively eliminates messages sent from a domain without DKIM records as well as spoofed emails because those spoofed emails never checked in when sending.

          I appreciate the skepticism but this is a security play, not a business one.

    • deafboy@lemmy.world
      8 months ago

      Without SPF and DKIM, I could send messages pretending to be from you to anybody. Average user has no way to know that the “From:” field does not really mean what it says.
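
Added example (not part of any comment in this thread): how a receiver combines SPF and DKIM results with the domain in the visible “From:” field under DMARC, which is the check that ties authentication to the address the user actually sees. The `.example` domains, the sample policy and the two-label organizational-domain shortcut are assumptions; SPF and DKIM results are supplied as inputs rather than looked up in DNS.

```python
# Added example: DMARC alignment check over constructed inputs (no DNS lookups).
def parse_tags(txt):
    """Parse the 'k=v; k=v' tag list used by DMARC TXT records into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption for brevity; real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_verdict(header_from, spf, dkim, dmarc_txt):
    """header_from: address shown to the user; spf: (MAIL FROM domain, passed);
    dkim: list of (d= domain, signature valid); dmarc_txt: TXT at _dmarc.<domain>.
    Returns (dmarc_pass, policy_to_apply)."""
    from_domain = header_from.rsplit("@", 1)[1]
    policy = parse_tags(dmarc_txt or "")
    if policy.get("v") != "DMARC1" or "p" not in policy:
        return (False, "no-policy")
    spf_ok = spf[1] and aligned(spf[0], from_domain, policy.get("aspf", "r"))
    dkim_ok = any(ok and aligned(d, from_domain, policy.get("adkim", "r"))
                  for d, ok in dkim)
    if spf_ok or dkim_ok:
        return (True, "none")
    return (False, policy["p"])

# Constructed sample data (reserved .example names, not real domains).
POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc@mybusiness.example"
SAMPLES = {
    "own mail, DKIM key published": ("billing@mybusiness.example",
        ("bounce.mybusiness.example", True), [("mybusiness.example", True)]),
    "provider signs with its own domain": ("news@mybusiness.example",
        ("bounces.mailprovider.example", True), [("mailprovider.example", True)]),
    "From: domain differs from SPF domain": ("ceo@mybusiness.example",
        ("bulk.other.example", True), []),
}

if __name__ == "__main__":
    for name, (frm, spf, dkim) in SAMPLES.items():
        print(name, "->", dmarc_verdict(frm, spf, dkim, POLICY))
```

The second sample is the case where the provider's DKIM records were never added to the customer's DNS: SPF and DKIM both pass, but for the provider's domain, so nothing vouches for the domain in “From:”.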

    • BrianTheeBiscuiteer@lemmy.world
      8 months ago

      I’m sure they won’t do this because it’s too community friendly but they should just require all emails be digitally signed. If you don’t sign it goes to spam and if you do sign, and abuse the system, it’ll be much easier to find out who you are.

      • Opisek@lemmy.world
        8 months ago

        TLS has become too easy to acquire for it to have any effect, I’m afraid. Didn’t Chromium remove the padlock signifying HTTPS connection due to just that? That it doesn’t really mean anything anymore in terms of illegitimate websites (still obviously crucial against MitM)?