On 6/17/20 1:50 PM, Robert L Mathews via mailop wrote:
> Several months ago I suggested (among other things) that SendGrid block
> "From" headers matching prominent domain names until the messages have
> been manually reviewed. The fact that "don't let random customers send
> mail saying it's from @microsoft.com" hasn't been implemented in that
> time frame is disappointing.
More to the point: why should *any* ESP send "From" *any* domain without having explicit DMARC-aligned authorization via SPF or DKIM? At the very least, an ESP shouldn't allow their customers to use domains that have a published DMARC policy that would result in quarantine or reject for the ESP's mail.

I know the answer is that small businesses commonly use freemail providers, and they still want to send marketing as their brand, and if the ESP takes a hard line on authorization their prospective customer might choose to do business with a competing ESP... But maybe those freemail domains should be the exception to the rule.

We also saw a round of phishing sent from SendGrid that was "spoofing" some arbitrary .com domain. And I mean to say "spoofing" lightly, since I'm fairly confident that SendGrid (as would any responsible ESP) did verify their customer's ability to receive mail at an address within that domain, so either:

1) a mailbox was compromised and used to authorize SendGrid to use the domain
2) a SendGrid customer account was compromised and the attacker was piggybacking on a prior authorization.

If the former: all the more reason to have a slightly higher bar for ESPs achieving domain authorization. If the latter: much tougher challenge.

Jesse
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
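As an added illustration of the "at the very least" rule above (example code, not from the thread or from any ESP): an ESP-side onboarding check that refuses a customer's From: domain when the domain's published DMARC policy would quarantine or reject mail the ESP cannot align through its own DKIM signing domain or MAIL FROM domain. The DMARC records, the domain names and the `esp_may_send` helper are constructed for the example; a real deployment would fetch `_dmarc.<domain>` TXT records and use the Public Suffix List for organizational domains.

```python
# Added example, not code from the mailop thread. Records below are constructed
# stand-ins for the _dmarc.<domain> TXT lookup so the check runs offline.
SAMPLE_DMARC = {
    "bigcorp.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "smallbiz.example": "v=DMARC1; p=quarantine; sp=none",
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real code: PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def effective_policy(from_domain, records):
    """(policy, tags) per RFC 7489 discovery: exact domain's record first, else
    the organizational domain's record, whose 'sp=' governs subdomains."""
    tags = parse_dmarc(records.get(from_domain.lower(), ""))
    if tags:
        return tags.get("p", "none").lower(), tags
    tags = parse_dmarc(records.get(org_domain(from_domain), ""))
    if not tags:
        return "none", {}
    return tags.get("sp", tags.get("p", "none")).lower(), tags

def esp_may_send(from_domain, dkim_domain, spf_domain, records=SAMPLE_DMARC):
    """Hypothetical ESP check: may we emit From: from_domain? -> (allowed, reason)."""
    policy, tags = effective_policy(from_domain, records)
    dkim_ok = aligned(from_domain, dkim_domain, tags.get("adkim", "r").lower())
    spf_ok = aligned(from_domain, spf_domain, tags.get("aspf", "r").lower())
    if dkim_ok or spf_ok:
        return True, "DMARC-aligned via " + ("DKIM" if dkim_ok else "SPF")
    if policy in ("quarantine", "reject"):
        return False, f"unaligned mail would fall under p={policy}"
    return True, f"no enforcing DMARC policy (p={policy}); alignment still advised"
```

Note that the strict `adkim=s` on the constructed `bigcorp.example` record means a customer whose DKIM key lives on a subdomain is refused even though the organizational domain matches.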