
Taking a stroll through my spam folder, I saw a bunch of legitimate messages from people and companies with their own domains that are not publishing DMARC and SPF records. Surely everyone (and by everyone I mean Google) is rejecting their mail? How do they not realize this?

Then I noticed that one of them was received *from* gmail, so their mail probably works fine so long as they only mail gmail users. But another was via Yahoo, so that doesn't track.
jwz.org/b/ykk8

in reply to jwz

Google has private deals with Yahoo and other big mail providers like Sendgrid etc, that allow them to bypass some of the usual scanning etc. So a Gmail user using a private domain without DMARC might still be able to send mail to and from a Yahoo user without triggering round-filing.

in reply to jwz

The stats we collect for the #SpamAssassin project (mass-scan results from participating sites) have long shown that spammers are more consistent at making SPF, DKIM, and DMARC correct than are legitimate senders. DMARC in particular has no discernible benefit for most senders, so it is a useless signal.

Rejecting mail based solely on authentication failures of those deeply flawed authentication methods does more harm than good.

in reply to 🆘Bill Cole 🇺🇦

@grumpybozo Bonus round: GMail themselves effectively require 'DMARC' (aligned DKIM and/or SPF) for any sending domain that wants to reliably reach GMail users, including through forwarding. This is really fun when domains don't do that, send email to professors in my university department, and said professors forward their email to GMail.

I'm not sure these domains set out to create unforwardable email but they sure achieved it. (We don't do SRS because that's a hack on top of SPF.)
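
The forwarding failure described above, as an added illustration that is not from the thread: a small model of DMARC identifier alignment showing why an SPF-only domain becomes unforwardable and why SRS on the forwarder does not rescue it. Domain names and the SPF/DKIM outcomes are constructed assumptions, and the organizational-domain check is a simplification of the Public Suffix List lookup.

```python
"""Toy model of DMARC alignment under forwarding. SPF/DKIM outcomes are
supplied as inputs instead of being looked up in DNS, so it runs offline."""
from dataclasses import dataclass
from typing import Optional

def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption; real
    DMARC evaluators consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from: str, auth_domain: str, strict: bool = False) -> bool:
    """RFC 7489 identifier alignment: strict needs an exact match, relaxed
    only needs the same organizational domain."""
    if strict:
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

@dataclass
class Message:
    header_from: str              # domain of the RFC5322.From header
    envelope_from: str            # domain of MAIL FROM (RFC5321)
    spf_pass: bool                # connecting IP passed SPF for envelope_from
    dkim_domain: Optional[str]    # d= of a signature that verified, or None

def dmarc_pass(msg: Message) -> bool:
    """DMARC passes when at least one *aligned* authentication passes."""
    spf_ok = msg.spf_pass and aligned(msg.header_from, msg.envelope_from)
    dkim_ok = msg.dkim_domain is not None and aligned(msg.header_from, msg.dkim_domain)
    return spf_ok or dkim_ok

def forward(msg: Message, forwarder: str, srs: bool, dkim_intact: bool = True) -> Message:
    """A forwarding MTA relays from an IP the original sender never listed, so
    SPF fails unless SRS rewrites MAIL FROM to the forwarder's own domain,
    where it passes but is no longer aligned with the From header. DKIM
    survives only if the forwarder leaves the signed content untouched."""
    return Message(header_from=msg.header_from,
                   envelope_from=forwarder if srs else msg.envelope_from,
                   spf_pass=srs,   # assumption: the forwarder's SPF covers its own IPs
                   dkim_domain=msg.dkim_domain if dkim_intact else None)

# Constructed senders: one publishes SPF only, the other also DKIM-signs.
SPF_ONLY = Message("sender.example", "sender.example", True, None)
SIGNED = Message("sender.example", "sender.example", True, "sender.example")

def scenarios() -> dict:
    """DMARC result for each delivery path (True = passes, False = round-filed)."""
    return {"direct, spf only": dmarc_pass(SPF_ONLY),
            "forwarded, spf only": dmarc_pass(forward(SPF_ONLY, "univ.example", srs=False)),
            "forwarded+srs, spf only": dmarc_pass(forward(SPF_ONLY, "univ.example", srs=True)),
            "forwarded, dkim signed": dmarc_pass(forward(SIGNED, "univ.example", srs=False)),
            "forwarded, dkim broken": dmarc_pass(forward(SIGNED, "univ.example", False, False))}
```

Only the DKIM-signed message with its signed content intact survives the forwarding hop; SRS turns an SPF failure into an unaligned SPF pass, which DMARC still rejects.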

in reply to jwz

@grumpybozo just one more public key in a TXT record, that'll fix email, just gotta add one more TXT record bro