GMail just sent my vaccine appointment information to spam.
It looks like the folks sending vaccine emails haven't set up DMARC.
14
45
310
Conversation
I'm not 100% sure how to read it as a recipient, but I believe it's just not set up. (DKIM is noted as passing, for example.)
1
4
That's fair - it's tricky to keep up with all the email auth standards. As someone who works a lot with auth and delivery, I'd probably place more blame on Gmail's side - there may come a time when lack of DMARC is likely to result in filtering, but that day is not today.
1
6
I wouldn't think it an automatic fail by any means, but I could see it being a factor. Regardless, a mass vax site registration organization should have all their i's cross and t's dotted.
2
2
Yes. But at the same time, I think the people who work on email auth standards could think a bit more about the complexity they introduce, since more complexity means it's harder for small orgs to do auth "right".
1
2
If they don't have DMARC, it's possible their domain is being spoofed for spam emails resulting in it having a bad reputation. It's possible that an enforcing DMARC policy is used as a heuristic but I doubt not having one really results in a much of a penalty.
2
1
SPF and DKIM are enough to prevent spoofing most of the time, which is why Gmail gives more reputation weight to mail with authenticated domains. But you're right, DMARC is almost never the determining factor for delivery.
2
1
DKIM is only involved if the mail is signed. There's no way to mark the domain as requiring DKIM aside from using DMARC.
The whole point of DMARC is requiring that either SPF or DKIM is valid and aligned to the domain. They don't really work meaningfully without having it.
2
I work with all three standards professionally, so I can tell you that failing DKIM in practice is enough to cause rejections a lot of the time, and lack of DKIM is usually a much stronger spam signal than lack of DMARC.
2
I'm a security researcher and email security is part of what I work on. You're hardly an authority on the subject.
Absence of a DKIM signature is not DKIM failing. That's not how DKIM works. The whole point of DMARC is enforcing that either SPF or DKIM is passing + aligned.
No, now you're misreading me. Lack of DKIM and failing DKIM are two different conditions, with two different outcomes.
I'm telling you what the practical impact is at scale. I do have considerable experience there.
1