undefined | Better HN

0 pointsbad_user7y ago0 comments

SPF/DKIM are designed to prevent spam and not to prevent spoofing of From. There is a difference.

SPF has nothing to do with the From header. And the DKIM signature does not have to match the sender’s domain, the signature can be that of any domain. This means that for practical purposes, anybody can send spoofed emails. That an email is signed with DKIM, that doesn’t mean much and it is meant to build a web of trust between servers, but otherwise it is useless for the users themselves.

They wrote a blog post about how SPF/DKIM work: https://fastmail.blog/2016/12/24/spf-dkim-dmarc/

If you want to let people know which emails are from you, the From address is very weak. This is because the From/To headers tell you nothing about the source and the destination of the message, according to the email standard. Read that blog post for details.

You need a proper signature via PGP or S/MIME if you want to ensure that the receiver knows the message is from you. And unfortunately this requires education and email clients with support for such signatures (most desktop clients do), but that’s email for you.

0 comments

eggsampler7y ago

Sure, I get that. I get there is a whole weird and wacky world of email use that is considered legitimate and needs to work that way for a myriad of reasons. I don't get why their MTA cannot at least have an option to reject mail from your domains if it's not being sent using your account credentials.

The average layperson will not get that. I'm fairly sure if my mother received an email that wasn't delivered to a their spam folder saying "Hey, remember that old copy of my birth certificate you have floating around? Could you send that. Also, CC my good friend bad_user@fastmail.com" that she would call me first - if I was reachable. Also is totally ignorant of digital signatures and most likely unable to verify any present anyway.

As much as I dislike Google and try to avoid their products and services at all cost, at least I have confidence this wouldn't happen with them. Not that I would go back, but it's still concerning.

bad_userOP7y ago

But that’s the point, you can send a spoofed email to your mother that will not go into her spam folder, even if she uses Gmail.

The only way Google could protect you is if the From address is from @gmail.com (maybe, not completely sure). But if you have your own domain, you can’t have that protection. Sure, you might not be able to use Google’s own servers to send that email, but email is federated so you can use somebody else’s servers.

The only thing that stops spammers from doing more of this is the web of trust happening between email services. This is precisely why if you setup your own server, you’ll start off with a negative reputation and your emails will end up tagged as spam depending on the destination.

eggsampler7y ago

> But that’s the point [...]

No, that's not the point.

> Sure, you might not be able to use Google’s own servers to send that email

That is the point. Why does Fastmail allow this where Google doesn't. At best, it's ignorant and intentionally misleading. At worst, downright malicious and ripe for abuse.

1 more reply

ryanlol7y ago

FWIW you can inbox mails from spoofed @gmail addresses on gmail.

toast07y ago

At this point, none of the mainstream email websites or applications even show the From address, just the name that came on the email, or what matches from your address book. So, I fully expect people to get mail from webmaster@johnssportsupplyemporium.example.org with a From name vaguely related to me and assume I sent it.

j / k navigate · click thread line to collapse

0 pointsbad_user7y ago0 comments

SPF/DKIM are designed to prevent spam and not to prevent spoofing of From. There is a difference.

They wrote a blog post about how SPF/DKIM work: https://fastmail.blog/2016/12/24/spf-dkim-dmarc/

0 comments

eggsampler7y ago

As much as I dislike Google and try to avoid their products and services at all cost, at least I have confidence this wouldn't happen with them. Not that I would go back, but it's still concerning.

bad_userOP7y ago

But that’s the point, you can send a spoofed email to your mother that will not go into her spam folder, even if she uses Gmail.

eggsampler7y ago

> But that’s the point [...]

No, that's not the point.

> Sure, you might not be able to use Google’s own servers to send that email

That is the point. Why does Fastmail allow this where Google doesn't. At best, it's ignorant and intentionally misleading. At worst, downright malicious and ripe for abuse.

1 more reply

ryanlol7y ago

FWIW you can inbox mails from spoofed @gmail addresses on gmail.

toast07y ago

j / k navigate · click thread line to collapse