You can email anyone on the internet as anyone and it will be delivered with NO validation. Clients may/may not validate any DKIM signature and they may/may not validate that it actually came from the domain. It's literally the easiest thing on earth to spoof.
Email is sent over cleartext, it is not encrypted. Anyone can read email if they can inspect packets.
That's obviously false if you bothered to do a bit of searching: https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#...
>You can email anyone on the internet as anyone and it will be delivered with NO validation. Clients may/may not validate any DKIM signature and they may/may not validate that it actually came from the domain. It's literally the easiest thing on earth to spoof.
That might be true for some systems, but for most services out there, having missing/invalid anti-spoofing measures will result in your mail ending up in spam or not delivered at all.
You would think so... but it's remarkable how easy it still is to forge email.
My mum was recently the target of such a campaign. She's in the executive team at an international NGO. An attacker found her email address and a bunch of her contacts via the NGO's webpage. Then they forged emails from her email address, with a gmail address set up in the reply-to field. The emails all said it was an emergency, and asked for her colleagues to transfer money.
As far as we can tell, most of the emails were delivered and lots of people were fooled - at least for a while.
Her email address has DKIM and SPF set up, but (like most email providers) it has a lax DMARC policy. It turns out that's all it takes to be vulnerable to this sort of attack.
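An added example (not from anyone in this thread) of why the lax policy is the weak link: a small DMARC evaluator in Python, using constructed records and domains, that shows a message forged from the NGO's domain getting disposition "none" (delivered) under `p=none` and "reject" under `p=reject`. The organizational-domain helper is simplified (last two labels) and does not consult the Public Suffix List.

```python
# Constructed DMARC TXT records for a hypothetical domain; not real DNS data.
LAX_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@ngo.example"
STRICT_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@ngo.example"


def parse_dmarc(record):
    """Parse a DMARC record into its tags, applying the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed alignment unless stated otherwise
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    # Simplified organizational domain: last two labels (real code uses the PSL).
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed only the organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Return 'pass', or the domain's requested policy ('none', 'quarantine', 'reject').

    DMARC passes only if SPF or DKIM passed AND the passing identifier is
    aligned with the RFC5322.From domain the user actually sees.
    """
    tags = parse_dmarc(record)
    spf_ok = bool(spf_pass and spf_domain and aligned(from_domain, spf_domain, tags["aspf"]))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(from_domain, dkim_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]  # "none" means the receiver is told to deliver it anyway


def forged_message_outcome(record):
    """The attack above: From: is the NGO's domain, but the mail comes from the
    attacker's own server (SPF passes for the attacker's MAIL FROM domain, which is
    not aligned) and carries no DKIM signature from the NGO."""
    return dmarc_disposition(record, "ngo.example", "attacker.example", True, None, False)
```

Under the lax record the forged message is still handed to the inbox; the same message is refused once the policy is `p=reject`, while legitimate, aligned mail continues to pass.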
Technically correct, best kind of correct.
Sure, it is not plaintext, but anyone with access to the wire could MITM the connections. Maaaaybe something changed in the last ten years, but I have never seen someone not accepting a connection with a self-issued certificate, or any warnings (to the end user) if the receiver uses a self-issued cert. Which makes the whole point quite moot.