GMail just sent my vaccine appointment information to spam.
It looks like the folks sending vaccine emails haven't set up DMARC.
14
45
310
Conversation
I'm not 100% sure how to read it as a recipient, but I believe it's just not set up. (DKIM is noted as passing, for example.)
1
4
That's fair - it's tricky to keep up with all the email auth standards. As someone who works a lot with auth and delivery, I'd probably place more blame on Gmail's side - there may come a time when lack of DMARC is likely to result in filtering, but that day is not today.
1
6
I wouldn't think it an automatic fail by any means, but I could see it being a factor. Regardless, a mass vax site registration organization should have all their i's cross and t's dotted.
2
2
Yes. But at the same time, I think the people who work on email auth standards could think a bit more about the complexity they introduce, since more complexity means it's harder for small orgs to do auth "right".
1
2
If they don't have DMARC, it's possible their domain is being spoofed for spam emails resulting in it having a bad reputation. It's possible that an enforcing DMARC policy is used as a heuristic but I doubt not having one really results in a much of a penalty.
2
1
SPF and DKIM are enough to prevent spoofing most of the time, which is why Gmail gives more reputation weight to mail with authenticated domains. But you're right, DMARC is almost never the determining factor for delivery.
2
1
DKIM is only involved if the mail is signed. There's no way to mark the domain as requiring DKIM aside from using DMARC.
The whole point of DMARC is requiring that either SPF or DKIM is valid and aligned to the domain. They don't really work meaningfully without having it.
Gmail could learn that a domain nearly always sends emails with DKIM and mark mails as suspicious if they don't have it. However, if there's no DMARC policy, then that usually implies they send plenty of mail without DKIM. That's the reason people have trouble deploying DMARC.
1
SPF also doesn't work without DMARC. Passes based on the MAILFROM address. It's not what end users check, and Gmail displaying that the mail was sent via another server doesn't really help users.
Most SPF policies are soft fail and even hard fail ones are commonly violated.
I work with all three standards professionally, so I can tell you that failing DKIM in practice is enough to cause rejections a lot of the time, and lack of DKIM is usually a much stronger spam signal than lack of DMARC.
2
I'm a security researcher and email security is part of what I work on. You're hardly an authority on the subject.
Absence of a DKIM signature is not DKIM failing. That's not how DKIM works. The whole point of DMARC is enforcing that either SPF or DKIM is passing + aligned.
1
Show replies