Google has started automatically blocking emails sent by bulk senders who don't meet stricter spam thresholds and authenticate their messages as required by new guidelines to strengthen defenses against spam and phishing attacks.
As announced in October, the company now requires those who want to dispatch over 5,000 messages daily to Gmail accounts to set up SPF/DKIM and DMARC email authentication for their domains.
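The SPF/DKIM and DMARC setup the article describes, sketched as an offline checker over constructed TXT records. This is an added example, not code from the article or from Google; the zone contents, the `s1` selector and the function names are assumptions made for the illustration.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM key or DMARC) into a dict."""
    pairs = (part.partition("=") for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def check_spf(txts):
    spf = [t.lower().split() for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # RFC 7208: no record = no result, several = permerror
        return False, [f"expected exactly one SPF record, found {len(spf)}"]
    terms = spf[0][1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if alls and alls[0] in ("all", "+all"):
        return True, ["+all authorizes every host to send for the domain"]
    if not alls and not any(t.startswith("redirect=") for t in terms):
        return True, ["no all/redirect term: unmatched senders get neutral"]
    return True, []

def check_dkim(txts):
    keys = [k for k in map(parse_tags, txts) if "p" in k]
    if not keys or not keys[0]["p"]:  # RFC 6376: empty p= marks a revoked key
        return False, ["no usable DKIM key at this selector (missing or revoked)"]
    return True, []

def check_dmarc(txts):
    recs = [parse_tags(t) for t in txts if t.strip().startswith("v=DMARC1")]
    if len(recs) != 1:  # RFC 7489: zero or several records means no policy
        return False, [f"expected exactly one DMARC record, found {len(recs)}"]
    policy = recs[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return False, [f"missing or invalid policy p={policy!r}"]
    notes = []
    if policy == "none":
        notes.append("p=none only monitors; failing mail is not acted on")
    if "rua" not in recs[0]:
        notes.append("no rua= address, so no aggregate reports arrive")
    return True, notes

def audit(zone, domain, selector):  # zone: DNS name -> list of TXT strings
    return {
        "spf": check_spf(zone.get(domain, [])),
        "dkim": check_dkim(zone.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc": check_dmarc(zone.get(f"_dmarc.{domain}", [])),
    }

ZONE = {  # constructed sample zone; the DKIM key is a truncated placeholder
    "example.com": ["v=spf1 include:_spf.example.net ~all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}
```

Calling `audit(ZONE, "example.com", "s1")` passes all three checks but returns two DMARC notes, the usual state of a domain that published the records only to satisfy a checklist.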
UX: “users said they want these three pieces of info”
DEV: “I typically only look for one of those pieces of info, so I built this to just show the one”
UX: “users said they want three things for these reasons… only one isn’t as helpful and it’s not hard to add the other 2”
DEV: “well how’s that supposed to fit?”
UX: “like the designs already show”
DEV: “well I’ll put a ticket in the backlog and someone can come back to it, if they have time.”
PM: “I see no reason to prioritize slight “UX improvement” tickets over shit like new features or bug fixes…”
REPEAT X1000.
Then sit through months of user testing where people keep saying exactly what you are saying. “Why not add x? I guess someone thought it’s cleaner that way” but all these little pains add up to “death by a thousand cuts”
What do you use for MS? I know live.com still struggles with this.
Though I did create a rule that junked every email with no valid SPF record, so that helps.
It was a work issue about a decade ago. Client wanted certain emails from automation to be masked as coming from him.
Most email boxes, including Gmail, didn't have an issue. Outlook (the one that shipped with Office) laughed at it and displayed the original sender in giant bold letters.
I.e. it's now even harder to run your own mail server.
If it was crypto-related the argument would be Think of the children™, since it's email the excuse is spam.
Having managed an Exchange instance for my old job, I can safely say that DKIM and DMARC are just some extra DNS entries for out-of-band verification. They can be boiled down to a pair of checkboxes on a compliance sheet.
I can also say that most of the companies we got emails from didn't have DKIM, and even fewer had DMARC. Or worse, they had DMARC set to p=ignore. Which is honestly even more infuriating.
Is it though? Is your self hosted mail server sending 5,000+ emails to various Gmail inboxes daily? If not, this doesn’t seem like it would affect you. And even if it did, all they appear to be asking is that you enable DKIM and DMARC for your mail server, which is something both trivial to do and you should be doing anyway.
I’m not going to claim that a company like Google wouldn’t love to make life harder for the consumer, but I don’t see how anything related to this change would do that.
I know there are a lot of issues with self-hosting email, but I just don't think this is one of them. First, it probably won't affect self-hosted servers anyway unless you send a lot of emails; this requirement is only for servers sending 5,000 messages daily to Gmail. And even if you are, the requirements are not that harsh: it's a couple DNS records and a DKIM signing daemon, and if you are using a pre-built email package like mailcow it's probably already doing it.
I'm sure they won't do this because it's too community friendly but they should just require all emails be digitally signed. If you don't sign it goes to spam and if you do sign, and abuse the system, it'll be much easier to find out who you are.
TLS has become too easy to acquire for it to have any effect, I'm afraid. Didn't Chromium remove the padlock signifying HTTPS connection due to just that? That it doesn't really mean anything anymore in terms of illegitimate websites (still obviously crucial against MitM)?
Without SPF and DKIM, I could send messages pretending to be from you to anybody. Average user has no way to know that the "From:" field does not really mean what it says.
You don't need to tell me lol, there have been dozens of companies still asking us to whitelist their shit and every time, "We don't do that here."
Meanwhile, Microsoft's Exchange platform blatantly ignores DMARC failures for senders and relays on its "Good PTR list". Bit of a glaringly large hole for spam to pass through.
Why does the article only mention Google? I know Yahoo had its heyday already, but they are still a common email platform and made the same requirements at the same time as Google.
It blows my mind that some of the largest email services in the world were accepting mail without all the antispam authentication. Everybody had been doing their best to keep it in check and they were simply ignoring all of it?
It's a real pain in the rear to configure for anyone who doesn't have a dedicated IT or an MSP. You have to get these DKIM and DMARC records from your exchange provider and then you have to configure them on your DNS host. If your DNS host isn't modifiable you have to send requests to their support to get those records put in place and then they want to verify your records from your provider as well as a security measure. I've had clients that took us a week because of all the song and dance of DKIM and DMARC all because I couldn't go in and add the records myself.
Fuck you LOGIX you garbage company from the stone age. Let me manage my clients' DNS records. 😤