[HN Gopher] Email Authentication: A Developer's Guide
___________________________________________________________________
Email Authentication: A Developer's Guide
Author : zenorocha
Score : 88 points
Date : 2023-08-25 16:34 UTC (6 hours ago)
(HTM) web link (resend.com)
(TXT) w3m dump (resend.com)
| csharpminor wrote:
| To be honest I found this article to be a bit blog spammy. It's
| for developers because they used a startup accelerator analogy? I
| didn't see anything particularly differentiated from the
| equivalent SendGrid/Mailgun/etc blogs that come up.
|
| This is probably the best demo for understanding SPF/DKIM/DMARC
| that I've come across (I am not affiliated):
| https://www.learndmarc.com/
|
| If you really want to understand DMARC check it out.
| thereald0tt wrote:
| Can someone tell me what it is that resend provides over their
| wrapper (AWS) that makes them this famous?
| hashstring wrote:
| Anyone willing to share opinions on BIMI?
|
| I'm wondering if it is worth it for most medium-large
| organizations or if this is specifically worth it if you are doing
| a lot of commerce and sending e-mails to customers etc.
|
| Furthermore, (stating the obvious) DKIM, SPF and DMARC are also
| implemented by malicious parties and only authenticate that the
| server was allowed to send using a particular domain name. BIMI
| seems to require a VMC (Verified Mark Certificate). Is this
| verified, and is it effective in preventing unauthorized parties
| from BIMI-verifying their domains using stolen brand logos, etc.?
|
| Also, is Microsoft Outlook (still) not supporting/adopting BIMI?
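The point above that SPF only authenticates that a server was allowed to send for a particular domain is easiest to see by running the check. The following is an added example, not code from the linked guide or from any commenter: a minimal RFC 7208 check_host() evaluator over a constructed DNS table (all domain names, records and addresses below are made up). It supports the ip4, ip6, a, mx, include and all mechanisms and the redirect modifier; anything else is reported as permerror. The `lookalike.example` entry is there to show that a "pass" for a domain proves only that its owner listed that IP, not who the owner is.

```python
"""Minimal SPF check_host() evaluator (RFC 7208 subset) over a constructed DNS table.

Added example, not code from the linked guide or from any commenter. It
shows what an SPF "pass" proves: the connecting IP is one the domain owner
listed for that domain, and nothing more.
"""
import ipaddress

# Constructed zone data for the example; none of these are real records.
FAKE_DNS = {
    ("example.com", "TXT"): [
        "v=spf1 mx ip4:192.0.2.0/24 include:_spf.mailer.example -all"
    ],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    # Any domain owner can publish a record listing their own server, so a
    # "pass" for lookalike.example says nothing about example.com.
    ("lookalike.example", "TXT"): ["v=spf1 ip4:198.51.100.200 -all"],
    # A self-referencing include, to exercise the lookup limit.
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on lookup-causing terms


class PermError(Exception):
    """Record cannot be evaluated (syntax, unsupported term, lookup limit)."""


def dns(name, rtype):
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent."""
    found = [r for r in dns(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    return found[0] if len(found) == 1 else None


def ip_matches(ip, networks):
    # ip_network() accepts bare addresses too (treated as /32 or /128).
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def count_lookup(lookups):
    lookups[0] += 1
    if lookups[0] > MAX_DNS_LOOKUPS:
        raise PermError("too many DNS lookups")


def check_host(ip, domain, lookups=None):
    """RFC 7208 check_host(): SPF result for sender IP `ip` and MAIL FROM `domain`."""
    ip = ipaddress.ip_address(ip)
    lookups = [0] if lookups is None else lookups
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:  # modifier; only redirect= changes the outcome
            if term.lower().startswith("redirect="):
                redirect = term.split("=", 1)[1]
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_matches(ip, [arg])
        elif name == "a":
            count_lookup(lookups)
            target = arg or domain
            matched = ip_matches(ip, dns(target, "A") + dns(target, "AAAA"))
        elif name == "mx":
            count_lookup(lookups)
            target = arg or domain
            matched = any(ip_matches(ip, dns(mx, "A") + dns(mx, "AAAA"))
                          for mx in dns(target, "MX"))
        elif name == "include":
            count_lookup(lookups)
            sub = check_host(ip, arg, lookups)
            if sub == "none":
                raise PermError(f"include:{arg} has no SPF record")
            matched = sub == "pass"  # fail/softfail/neutral just mean "no match"
        else:
            raise PermError(f"unsupported mechanism {name!r}")
        if matched:
            return QUALIFIERS[qual]
    if redirect is not None:
        count_lookup(lookups)
        result = check_host(ip, redirect, lookups)
        if result == "none":
            raise PermError(f"redirect={redirect} has no SPF record")
        return result
    return "neutral"  # ran off the end of the record without an all term


def spf_result(ip, domain):
    """Wrapper that turns evaluation errors into the "permerror" result."""
    try:
        return check_host(ip, domain)
    except (PermError, ValueError):
        return "permerror"
```

`spf_result("198.51.100.200", "example.com")` comes back `fail` while `spf_result("198.51.100.200", "lookalike.example")` comes back `pass` for the same server, which is the whole reason receivers treat SPF as an input to DMARC alignment and reputation rather than as a trust decision on its own.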
| jeroenhd wrote:
| BIMI solves various problems DMARC/DKIM/SPF still leave open.
| In that sense, I applaud the initiative.
|
| The $1000 certificate makes it unusable for anyone but the most
| annoying marketeers, though. Any EV certificate would've worked
| to serve the "business verified by a trusted third party"
| requirement, but CAs being CAs, they had to invent a new
| certificate for business reasons.
|
| The process is further complicated by leaving it open to
| recipient servers whether or not they actually trust you after
| buying the special certificate. This does make sense for the
| small number of companies actually using BIMI, but it does hurt
| the scalability of the solution.
| albertgoeswoof wrote:
| Here's what we wrote about BIMI. Some selected excerpts:
|
| > To ensure that logos are actually truly representative of the
| brand involved, and more cynically, to make money and penalize
| small senders, an optional Verified Mark Certificate can be
| added to the DNS records, which some mailboxes will validate
| before showing the logo.
|
| > Unfortunately VMC certificates cost upwards of $1000 USD to
| purchase. Which puts them out of reach for casual or small
| senders (of which we are big supporters here at MailPace), and
| undermines the BIMI effort overall.
|
| https://blog.mailpace.com/blog/what-is-bimi/
| chedabob wrote:
| While there are multiple competing standards, I'm ignoring it. At
| least with MTA-STS and DANE you didn't have to fork out $1000+
| to support both.
|
| There was also this which showed up a month after Google
| started their rollout of the BIMI checkmark:
| https://twitter.com/chrisplummer/status/1664075886545575941
| Avamander wrote:
| MTA-STS and DANE are not fulfilling an even remotely similar
| purpose.
|
| Plus nobody significant really follows/uses DANE, because of how
| shit DNSSEC is.
| starfox64_ wrote:
| I think it's a good initiative, it's obviously there for CAs to
| make a buck but it's finally a way to arguably curb phishing
| emails that rely on similar domain names or IDN characters all
| the while making your brand identity more prominent.
|
| It seems to also have learned from one of Extended
| Certificate's shortcomings by relying on trademark instead of
| company name. I actually wish something similar was created to
| replace EV certificates as it's easier than ever to perform
| phishing attacks now that everyone and their grandmas has a DV
| certificate on their site (which is a good thing).
| brightball wrote:
| Happy to.
|
| BIMI is worthless. It's a carrot to get your marketing
| department on board with setting up DMARC because they are the
| most likely to push back due to fears of the project affecting
| their email deliverability. You have to fully deploy DMARC to
| set up BIMI.
|
| Now, BIMI and the costs to "verify" your mark are pushed by
| exactly the same people who tried to sell you extended
| validation SSL that would turn your browser address bar green
| when you visited a site that had gone through this
| verification.
|
| Just like with EV SSL, BIMI has no positive impact on user
| security. They're just as likely to open / not open an email
| with BIMI as they are to visit a site with or without EV SSL.
| In some cases, it's actually worse.
|
| The only benefit to BIMI is it gives you another place for the
| marketing department to stick the logo so they'll stop fighting
| the DMARC rollout. That's it. Otherwise it's a total waste of
| money and time.
|
| Wrote about it here:
| https://www.brightball.com/articles/enterprise-challenges-wi...
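Both the comment above ("you have to fully deploy DMARC to set up BIMI") and the earlier remarks about the VMC being published in DNS come down to two TXT records that a receiver inspects. The following is an added example, not code from the linked guide or from any commenter: a checker that parses a DMARC record and a BIMI assertion record and lists what would stop the logo from being shown. The rules it encodes are my reading of the BIMI assertion-record draft, stated here as assumptions rather than facts from the thread: DMARC `p=` must be `quarantine` or `reject`, `pct=` (if present) must be `100`, `sp=` (if present) must not be `none`; the BIMI record must be `v=BIMI1` with an https `l=` logo URL and, where a mailbox provider insists on a VMC, an https `a=` URL. All record strings are constructed.

```python
"""Check whether a domain's DMARC and BIMI TXT records meet BIMI's prerequisites.

Added example, not code from the linked guide or the thread. The rules below
are an assumption based on the BIMI assertion-record draft; verify them
against the current draft before relying on this for a rollout.
"""


def parse_tags(record):
    """Parse a 'tag=value; tag=value' list (DMARC/BIMI style) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_problems(record):
    """Reasons the DMARC record is too weak for BIMI (empty list means OK)."""
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("record must carry v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        problems.append(f"p={policy or '(missing)'}: policy must be quarantine or reject")
    if tags.get("pct", "100") != "100":  # pct defaults to 100 when omitted
        problems.append(f"pct={tags['pct']}: partial rollouts do not qualify, pct must be 100")
    if tags.get("sp", "").lower() == "none":
        problems.append("sp=none: the subdomain policy must also enforce")
    return problems


def bimi_problems(record, require_vmc=False):
    """Reasons the BIMI assertion record is unusable (empty list means OK).

    require_vmc=True models a mailbox provider that will not display a
    logo without a Verified Mark Certificate referenced by the a= tag.
    """
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if tags.get("v") != "BIMI1":
        problems.append("record must carry v=BIMI1")
    if "l" not in tags:
        problems.append("missing l= logo tag")
    elif not tags["l"]:
        problems.append("empty l= tag declines BIMI for this domain")
    elif not tags["l"].startswith("https://"):
        problems.append("l= logo URL must be https")
    vmc = tags.get("a", "")
    if vmc and not vmc.startswith("https://"):
        problems.append("a= VMC URL must be https")
    if require_vmc and not vmc:
        problems.append("no a= VMC URL; providers that require a VMC will not show the logo")
    return problems


def bimi_ready(dmarc_record, bimi_record, require_vmc=False):
    """Combined verdict for one domain: (ok, list of problems)."""
    problems = dmarc_problems(dmarc_record) + bimi_problems(bimi_record, require_vmc)
    return (not problems, problems)


# Constructed sample records (not real domains or URLs).
SAMPLES = {
    "enforcing": ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                  "v=BIMI1; l=https://example.com/brand/logo.svg; "
                  "a=https://example.com/brand/vmc.pem"),
    "monitor-only": ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                     "v=BIMI1; l=https://example.com/brand/logo.svg"),
    "partial-rollout": ("v=DMARC1; p=quarantine; pct=10; sp=none",
                        "v=BIMI1; l=http://example.com/brand/logo.svg"),
}

if __name__ == "__main__":
    for label, (dmarc, bimi) in SAMPLES.items():
        ok, problems = bimi_ready(dmarc, bimi, require_vmc=True)
        print(label, "OK" if ok else "NOT READY", *problems, sep="\n  ")
```

The `monitor-only` sample is the situation the comment describes: a DMARC record exists, so nobody feels blocked, but `p=none` means nothing is enforced and the logo never appears. Running the check with `require_vmc=True` against a domain that has no `a=` tag surfaces the cost question discussed in the rest of the thread as a concrete missing line rather than a surprise after deployment.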
| Avamander wrote:
| It's helpful to raise the priority on fixing DMARC in an
| organization.
|
| It is annoyingly expensive, but I'm expecting it to change with
| additional CAs entering the market. Very "EV" vibes though, but
| it is literally for that, so.
|
| End users might also appreciate something nicer than
| autogenerated one-letter icons. Matter of taste.
|
| It also makes phish stand out more than usual, if the user has
| grown accustomed. We'll see its efficacy long-term though, too
| early to say.
| layer8 wrote:
| As an end user, this is gimmicky to me, and I wouldn't want to
| use an email client that causes the respective emails to appear
| more prominent by showing their BIMI logo. It would be
| similarly annoying as emojis in the subject line.
| Avamander wrote:
| A lot of mail clients do display it though. Plus it does help
| the average user differentiate between rnicrosoft.com and
| microsoft.com, I'd guess.
| arcade79 wrote:
| I'm trying to understand why all BIMI-mail shouldn't be simply
| rejected on the SMTP layer...
| PreInternet01 wrote:
| Note that this is about the use case 'authenticating whether the
| given mail server is authorized to send mail for the given
| domain', not the use cases 'authenticating whether the given user
| of this mailbox actually sent this email' or 'authenticating
| whether the given message is spam or not', which is probably the
| reason you clicked on this article :).
|
| The former use case is pretty much solved (in that you can safely
| ignore email from servers/domains that don't follow best
| practices), the latter (combining the 2, since they're pretty
| similar, really) is not, even given recent advances in AI (OpenAI
| cannot tell you if a message is spam, sorry, unless your prompt
| engineering skills are much better than mine).
| hashstring wrote:
| > OpenAI cannot tell you if a message is spam, sorry, unless
| your prompt engineering skills are much better than mine.
|
| Sometimes an e-mail message itself does not even contain enough
| information to accurately classify it as spam or phish. To a
| degree, spam is subjective. And classifying a phish may not be
| trivial at all (e.g. message may include legit marketing links,
| open redirects and server side logic to serve certain pages
| only to targets, etc.).
| bruce343434 wrote:
| Yup, when I order something I get really annoyed that I get
| an email for every fart that the delivery driver lets out.
| I'll hear the doorbell, I don't need 500 anticipatory emails.
| It's not a scam, not a phish, and it's 100% factual and
| "informative". But still junk.
| stuckinaloop wrote:
| Hey Resend team! Love your product!
|
| I was wondering when / if you'll be supporting inbound email
| parsing / webhooks. It's the one thing that's preventing me from
| switching over.
|
| Love what you're doing - keep it up!
| zenorocha wrote:
| Inbound email is definitely one of the most frequent feature
| requests we get.
|
| We already started to investigate it and I hope we can ship
| something in the next couple months.
| stuckinaloop wrote:
| Awesome! Will keep my eyes peeled
| charamis wrote:
| I'm trying to set up my own domain for my email address since
| yesterday and this really hit the spot.
| jeroenhd wrote:
| One additional (non-security) feature that this guide missed is
| a reverse PTR record for your server's IP address. You'll have
| to set this on the side where you get your IP address from
| rather than in your own DNS, but lacking it will get your email
| classified as spam even if you implement all the other
| protocols. Basically, when your mail server says "EHLO
| mail.chamaris.tld", the other side will try to validate that
| the IP address you're connecting from actually points to
| mail.chamaris.tld.
|
| Furthermore, you need to pick a host that takes action when
| their IP addresses appear on blacklists. Microsoft,
| particularly, uses UCEPROTECT as a blacklist source, and that
| particular company will blacklist an entire ASN if they
| receive too much spam from a particular IP address block (that
| doesn't get resolved in time).
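The validation described above, where the receiver checks that the connecting IP's reverse record points back to the host named in EHLO, is usually called forward-confirmed reverse DNS (FCrDNS). The following is an added example, not code from the linked guide or from the commenter: the check as a receiving server would run it, with the resolver injected so it runs offline against a constructed zone table (all names and addresses are made up). Passing a real `resolve(name, rtype)` callable, for instance one built on dnspython, makes the same function work against live DNS.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check on a connecting SMTP client.

Added example, not code from the linked guide or the thread. Steps:
  1. look up the PTR record(s) for the connecting IP;
  2. resolve each PTR name forward (A/AAAA) and keep those that map
     back to the same IP;
  3. compare the EHLO name with the confirmed names.
The zone table below is constructed for the example.
"""
import ipaddress

# Constructed zone data (not real hosts). reverse_pointer builds the
# in-addr.arpa / ip6.arpa owner name for us.
FAKE_DNS = {
    # Well-configured host: PTR and A agree.
    ("25.100.51.198.in-addr.arpa", "PTR"): ["mail.example.tld."],
    ("mail.example.tld", "A"): ["198.51.100.25"],
    # PTR exists, but the name resolves to a different address.
    ("26.100.51.198.in-addr.arpa", "PTR"): ["mail.broken.tld."],
    ("mail.broken.tld", "A"): ["198.51.100.99"],
    # IPv6 host, confirmed through its AAAA record.
    (ipaddress.ip_address("2001:db8::25").reverse_pointer, "PTR"): ["mail6.example.tld."],
    ("mail6.example.tld", "AAAA"): ["2001:db8::25"],
    # 198.51.100.27 deliberately has no PTR, like a fresh VPS whose
    # provider has not been asked to set one.
}


def lookup(name, rtype):
    """Offline stand-in for a DNS resolver; returns a list of record data."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def fcrdns(ip, ehlo_name, resolve=lookup):
    """Return (status, confirmed_names) for a client at `ip` that said EHLO `ehlo_name`.

    status is one of:
      "no-ptr"        no reverse record at all
      "ptr-mismatch"  PTR names exist but none resolves back to the IP
      "ehlo-mismatch" FCrDNS holds, but EHLO named a different host
      "pass"          FCrDNS holds and EHLO matches a confirmed name
    """
    addr = ipaddress.ip_address(ip)
    ptr_names = [n.lower().rstrip(".") for n in resolve(addr.reverse_pointer, "PTR")]
    if not ptr_names:
        return "no-ptr", []
    confirmed = []
    for name in ptr_names:
        forward = resolve(name, "A") + resolve(name, "AAAA")
        if any(ipaddress.ip_address(a) == addr for a in forward):
            confirmed.append(name)
    if not confirmed:
        return "ptr-mismatch", []
    if ehlo_name.lower().rstrip(".") in confirmed:
        return "pass", confirmed
    return "ehlo-mismatch", confirmed


if __name__ == "__main__":
    for ip, ehlo in [("198.51.100.25", "mail.example.tld"),
                     ("198.51.100.25", "smtp.other.tld"),
                     ("198.51.100.26", "mail.broken.tld"),
                     ("198.51.100.27", "mail.example.tld"),
                     ("2001:db8::25", "mail6.example.tld")]:
        status, names = fcrdns(ip, ehlo)
        print(f"{ip:>16} EHLO {ehlo:<18} {status:<14} {names}")
```

The `ptr-mismatch` case is the one that bites people who set the PTR at their provider but later move the hostname to a new address: the reverse record still exists, so nothing looks obviously missing, yet the forward confirmation fails and the mail is scored as if there were no PTR at all. Which statuses a receiver actually rejects on versus merely scores is site policy; the function only reports them.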
| Avamander wrote:
| > Microsoft, particularly, uses UCEPROTECT as a blacklist
| source, and that particular company will blacklist an entire
| ASN if they receive too much spam from a particular IP
| address block (that doesn't get resolved in time)
|
| They absolutely do not use that crap.
| zenorocha wrote:
| So happy to see this was useful!
| [deleted]
| upofadown wrote:
| This is new:
|
| >BIMI (Brand Indicators for Message Identification) is this kind
| of access in the inbox. It sets you apart from all the others by
| showcasing your brand and legitimacy to your users in the inbox
| by displaying your logo and, in some cases, a verified checkmark.
|
| Apparently this can help me promote my brand. Unfortunately I
| don't have a brand so I fear that this would be used to promote
| the brands of others at my expense.
| Systemmanic wrote:
| I liked the look of this:
|
| >BIMI (Brand Indicators for Message Identification) is this kind
| of access in the inbox. It sets you apart from all the others by
| showcasing your brand and legitimacy to your users in the inbox
| by displaying your logo and, in some cases, a verified checkmark.
|
| Until I looked at the cost of a Verified Mark Certificate (1-year
| plan):
|
| >$1,499.00 USD [1]
|
| Yikes.
|
| Small money for big players, but small businesses with valid
| brands not so much.
|
| [1] https://order.digicert.com/step1/vmc_basic
| donmcronald wrote:
| $1500 USD / year for something that collides with the logo
| functionality of Gravatar if the user isn't hovering over the
| logo?
|
| We used to emphasize domains and everyone understood them. Then
| the large tech companies de-emphasized domains to the point
| where people stopped understanding them. Now big tech is going
| to sell domain validation back to us at a premium? Wow! What
| innovation.
|
| I know there's trademark verification too, but I've _never_ met
| a normal person that could tell you a difference between a
| Gravatar logo like the one I see in my mail client and a VMC
| logo like the one I see in the screenshots, so what good is
| showing a trademarked logo? Also, most small businesses I've
| seen don't even have trademarks, so they'll be completely
| excluded from this system.
|
| I wonder if this is going to turn out like code signing
| certificates where they're super expensive for small
| developers, so they get excluded, but they're totally
| attainable for scammers and scumbags, so there's plenty of
| malware and garbage signed by certificates from fly-by-night
| companies.
|
| Does BIMI help you pass spam filters like EV code signing
| certificates help you bypass SmartScreen? I can't be the only
| one that thinks all these things feel like a scam.
|
| One thing I'm certain of based on what we see with SSL
| certificates. Government agencies will be racing to light money
| on fire buying them. Every year I watch my taxes get spent on
| overpriced DigiCert OV certificates and it enrages me. For all
| intents and purposes, all certificates are identical to normal
| users. It doesn't matter if DigiCert is taking my DNA for
| validation, all my mom sees is the lock icon. Nothing else
| matters.
___________________________________________________________________
(page generated 2023-08-25 23:00 UTC)