To me, it’s idiocy to design a complex email security system consisting of SPF and DKIM checks, leading to emails coming in from scammers that are screaming, I’M SPAM!!, but then get delivered anyway because the very same scammer sets up a DMARC record in their DNS that simply says, yes, my stuff is obviously dangerous spam, but deliver it anyway. And the mail clients go, OK, if you say so.

They gave scammers and spammers a spam detection kill switch?

Why have all this in place if a scammer can just tell my email client it must deliver their junk? Why don’t email clients at least put the email into the inbox in red if it fails spf and DKIM and the domain was created 10 minutes ago? Or at least give me the option to send email that fails spf to a special folder?

The Scam:
A scammer registers a new domain (e.g., totalBS.com).

They set up a DMARC record for that domain with p=none that instructs the email client to ignore the spf and DKIM failures.

They send out phishing emails from that domain, often spoofing legitimate addresses.

Even though SPF and DKIM checks fail, receiving mail servers honor DMARC and deliver it anyway, bypassing a significant layer of email security.

Why bother setting up this whole complicated scheme then?

What got me started is that hotmail put one of these into my inbox today, and I just couldn’t believe they presented it to me like any other email when all security checks clearly failed because of spoofing.

#CyberSecurity #Phishing
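The folder rule the post asks for (mail that fails both SPF and DKIM goes somewhere other than the inbox, and a freshly registered domain counts against it) can be expressed as a receiver-side policy that does not depend on what the sender's own DMARC record requests. The following is an added, hypothetical example and not code from the post or from any mail provider: it parses an Authentication-Results header in RFC 8601 syntax and a DMARC TXT record in RFC 7489 syntax, both constructed here, and returns a verdict. The domain name totalBS.com is taken from the post; the IP address, mailbox names, the 30-day threshold and the folder name are assumed values, and the domain age is assumed to come from an out-of-band registration lookup rather than being computed here.

```python
"""
Receiver-side handling of mail that fails both SPF and DKIM.

Hypothetical example: parses an Authentication-Results header (RFC 8601
syntax) plus the sender domain's DMARC TXT record (RFC 7489 syntax) and
returns a delivery verdict. The record's "p=" tag is treated as the domain
owner's request; when it is "none" the local rule, not the sender, decides
where the message goes.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# Constructed sample: a message that failed SPF and DKIM, sent from a domain
# whose DMARC policy is p=none. The IP is a documentation address.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=totalBS.com;
 dkim=fail (signature did not verify) header.d=totalBS.com;
 dmarc=fail (p=NONE dis=NONE) header.from=totalBS.com
From: "Accounts" <billing@totalBS.com>
To: victim@example.net
Subject: Invoice overdue

Please pay now.
"""

# Constructed DMARC record as it would be published at _dmarc.totalBS.com.
SAMPLE_DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:reports@totalBS.com"

# Local policy knobs (assumed values, not taken from any standard).
NEW_DOMAIN_DAYS = 30            # registrations younger than this are suspicious
UNAUTH_FOLDER = "Unauthenticated"

AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b",
    re.IGNORECASE,
)


def parse_auth_results(header: str) -> dict:
    """Map each method named in an Authentication-Results header to its result."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in AUTH_RESULT_RE.finditer(header)}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; ...' into a dict keyed by lowercase tag name."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify(raw_message: str, dmarc_record: str,
             domain_age_days: Optional[int] = None) -> dict:
    """Decide where a message goes. domain_age_days is assumed to come from
    an out-of-band registration lookup; None means unknown."""
    msg: Message = message_from_string(raw_message)
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    policy = parse_dmarc_record(dmarc_record).get("p", "none").lower()
    spf_pass = results.get("spf") == "pass"
    dkim_pass = results.get("dkim") == "pass"

    # Alignment is left to the upstream DMARC evaluator; this rule only looks
    # at the raw SPF/DKIM outcomes the MTA already recorded.
    if spf_pass or dkim_pass:
        return {"verdict": "inbox",
                "reason": "at least one authentication method passed"}

    # Both failed. Honour the owner's request when it is at least as strict
    # as the local rule.
    if policy == "reject":
        return {"verdict": "reject", "reason": "DMARC p=reject"}
    if policy == "quarantine":
        return {"verdict": "quarantine", "reason": "DMARC p=quarantine"}

    # p=none (or no usable record): the owner asked for no action, so the
    # receiver's own rule applies instead of plain delivery.
    if domain_age_days is not None and domain_age_days < NEW_DOMAIN_DAYS:
        return {"verdict": "quarantine",
                "reason": f"SPF and DKIM failed; domain is {domain_age_days} days old"}
    return {"verdict": UNAUTH_FOLDER,
            "reason": "SPF and DKIM failed; DMARC p=none requests no action"}


if __name__ == "__main__":
    print(classify(SAMPLE_MESSAGE, SAMPLE_DMARC_RECORD, domain_age_days=0))
    print(classify(SAMPLE_MESSAGE, SAMPLE_DMARC_RECORD))
```

The point of the structure is that p=none is read as "the domain owner requests nothing", after which the receiver falls through to its own rule; only p=quarantine and p=reject are treated as requests worth honouring, because they are at least as strict as the local one.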

  • @limer@lemmy.dbzer0.com
    33 days ago

    Well spoken!

    These are some reasons I hate email, just clearly articulated instead of mumbled curses, for instance