Spammers are better at SPF, DKIM, and DMARC than everyone else

Role and Limits of SPF/DKIM/DMARC

  • Multiple commenters stress these mechanisms are for authentication and domain binding, not for blocking spam itself: SPF ties the envelope sender domain to a list of authorized sending IPs, DKIM signs selected headers and the body with a key published in the domain’s DNS, and DMARC checks that at least one of those results is aligned with the visible From: domain and tells receivers what to do when neither is.
  • Main value: preventing direct domain spoofing (e.g., phishing that pretends to be from a bank/PayPal). With a p=reject policy, a forged From: on that exact domain is refused, which also cuts backscatter; lookalike domains are untouched, since they are someone else’s domains with their own records.
  • They don’t say whether a sender is “good”; they only assert that the mail was authorized by the domain it claims. Spammers can, and do, configure them correctly for domains they control.
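To make the “authentication, not spam filtering” point concrete, here is an added example (not code from the thread) of the decision a receiving MTA makes: evaluate SPF for the envelope sender, check alignment with the From: domain under the domain’s DMARC policy, and return a disposition. All DNS data is constructed (.example names, documentation address ranges) and stands in for live TXT lookups; the organizational domain is approximated as the last two labels rather than using the Public Suffix List, and the a/mx/exists SPF mechanisms are left out because they need live DNS.

```python
"""Evaluate SPF and DMARC alignment the way a receiving MTA does.

Added example, not code from the thread. All DNS data is constructed
(.example domains, documentation address ranges) and stands in for live TXT
lookups; the organizational domain is approximated as the last two labels
instead of consulting the Public Suffix List.
"""
import ipaddress

# Constructed TXT records, keyed by name.
DNS_TXT = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.bank.example": "v=DMARC1; p=reject; aspf=s; adkim=s",
    "spammer.example": "v=spf1 ip4:198.51.100.7 include:bulk.example -all",
    "bulk.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.spammer.example": "v=DMARC1; p=reject",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, depth=0):
    """SPF result for `ip` using MAIL FROM `domain` (RFC 7208 subset).

    Handles ip4/ip6/include/all, which is all the records above use; a, mx
    and exists would need live DNS and are treated here as non-matching.
    """
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include" and spf_check(ip, arg, depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no `all` mechanism


def org_domain(domain):
    """Organizational domain (assumption: last two labels, no PSL lookup)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_policy(from_domain):
    """Parse the DMARC record for the From: domain, falling back to its org domain."""
    for name in (from_domain, org_domain(from_domain)):
        record = DNS_TXT.get("_dmarc." + name, "")
        tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
        if tags.get("v") == "DMARC1":
            return {"p": tags.get("p", "none"),
                    "aspf": tags.get("aspf", "r"),
                    "adkim": tags.get("adkim", "r")}
    return None


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, mail_from_domain, sender_ip,
                   dkim_domain=None, dkim_pass=False):
    """Return (dmarc_result, disposition) for one message.

    DMARC passes when an SPF pass or a DKIM pass is aligned with the
    RFC5322.From domain; `p=` only says what to do when neither is.
    """
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "none", "none"
    spf_ok = (spf_check(sender_ip, mail_from_domain) == "pass"
              and aligned(from_domain, mail_from_domain, policy["aspf"]))
    dkim_ok = (dkim_pass and dkim_domain is not None
               and aligned(from_domain, dkim_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


if __name__ == "__main__":
    # Forged bank From: over the spammer's own envelope domain: SPF passes
    # for spammer.example but is not aligned with bank.example -> reject.
    print("spoof    ", dmarc_evaluate("bank.example", "spammer.example", "198.51.100.7"))
    # The spammer mailing as itself from its bulk provider: fully authenticated.
    # DMARC has nothing to say about whether the content is spam.
    print("spammer  ", dmarc_evaluate("spammer.example", "spammer.example", "198.51.100.50"))
    # The bank's real mail relayed by a forwarder at 192.0.2.9: SPF fails,
    # and only an intact, aligned DKIM signature keeps it out of p=reject.
    print("forwarded", dmarc_evaluate("bank.example", "bank.example", "192.0.2.9",
                                      dkim_domain="bank.example", dkim_pass=True))
```

The three runs in the `__main__` block are the whole argument in miniature: the forged bank message is rejected even though its envelope domain authenticates cleanly, the spammer’s own domain passes with no comment on content, and legitimate mail relayed from an address outside the bank’s SPF survives only because its DKIM signature is intact and aligned.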

Deliverability, Reputation, and Large Providers

  • People report that even with “perfect” SPF/DKIM/DMARC, new or low-volume domains often land in Gmail/Outlook spam, or are silently dropped.
  • Strong emphasis on IP reputation: residential and cheap VPS ranges are frequently distrusted; better luck with business-grade connections or reputable hosts that tightly control SMTP.
  • “Warming up” domains/IPs with gradual, consistent volumes and engagement (opens, users dragging from spam to inbox) is described as necessary.
  • Some argue providers’ behaviour looks opaque/pay-to-win; others counter that guidelines are published via industry groups and that competent “messaging admins” can avoid most issues.

Why Spammers Often Do Better

  • Spamming is a core business; they invest in getting SPF/DKIM/DMARC right for their own domains and infrastructure.
  • Legitimate orgs treat email hygiene as non-revenue overhead and under-resource it until there’s a painful incident (e.g., near-loss from CEO-impersonation scams).
  • End result: many small/medium legitimate setups are misconfigured, while spam operations are technically polished.

Operational Complexity and Internal Politics

  • Setting up DNS and keys is easy for individuals using providers like Proton/Fastmail, but hard in organizations with many siloed tools (marketing platforms, ticketing, forwarding services).
  • Marketing and sales frequently push for “whatever makes campaigns work now,” overriding cautious sysadmins; this leads to weak policies and broad allow-lists.
  • Consultants are often hired after deliverability breaks, only for their work to be undone by later careless DNS or gateway changes.

Forwarding, Strictness, and Standard Evolution

  • SPF is criticized as hostile to generic forwarding and mailing lists, since it ties authorization to IP addresses: a forwarder re-sends from its own address, which is not in the original domain’s record, so SPF fails unless the forwarder rewrites the envelope sender (SRS) to a domain it controls.
  • Some want strict rejection if SPF/DKIM/DMARC fail; others highlight real-world breakage from forwarding chains and list software that adds subject tags or footers, which changes signed content and invalidates DKIM.
  • DMARC aggregate reports are seen mainly as a setup-validation tool for finding senders that were never listed; many stop collecting them once the setup is stable.
  • There is active work on “DKIM2” and related improvements; some hope future mechanisms can let DMARC safely require both SPF and DKIM to pass rather than either one.
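The DKIM breakage described above is mechanical, so here is an added example (not code from the thread) of the body side of RFC 6376 verification: simple and relaxed body canonicalization, the SHA-256 body hash carried in the `bh=` tag, and the optional `l=` length limit. The RSA/Ed25519 signature over the headers is left out because it needs the signer’s key; the message body, the re-wrapped copy, and the mailing-list footer are all constructed. Signed headers such as Subject fail the same way when a list prepends a tag, since the signature input changes.

```python
"""DKIM body canonicalization and the body hash (bh=) under forwarding changes.

Added example, not code from the thread. It implements the body side of
RFC 6376 verification (simple/relaxed canonicalization, SHA-256 body hash,
optional l= length limit) and skips the signature itself, which needs the
signer's key; the message and list footer below are constructed.
"""
import base64
import hashlib
import re
from typing import Optional


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalization."""
    if method not in ("simple", "relaxed"):
        raise ValueError(f"unknown canonicalization: {method}")
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # Collapse runs of whitespace to one space, strip trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":  # drop trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, method: str = "relaxed", length: Optional[int] = None) -> str:
    """The bh= value: base64(SHA-256) of the canonical body, or of its first `length` octets."""
    canon = canonicalize_body(body, method)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def body_hash_verifies(signed_bh: str, received_body: bytes,
                       method: str = "relaxed", length: Optional[int] = None) -> bool:
    """What a verifier does with the bh= tag: recompute over what arrived and compare."""
    return body_hash(received_body, method, length) == signed_bh


# Constructed message body as signed at the origin (note the extra spaces and
# trailing blank lines, which relaxed canonicalization tolerates).
ORIGINAL_BODY = b"Hello,\r\n\r\nPlease review the attached   report.\r\n\r\n\r\n"

# The same body after a forwarder changed whitespace only.
REWRAPPED_BODY = b"Hello,\r\n\r\nPlease review the attached report.   \r\n"

# The same body after a mailing list appended its footer.
LIST_FOOTER = b"-- \r\nUnsubscribe: https://lists.example/unsubscribe\r\n"
FOOTERED_BODY = ORIGINAL_BODY + LIST_FOOTER


def scenarios() -> dict:
    """Outcome of bh= verification for the deliveries above."""
    bh_relaxed = body_hash(ORIGINAL_BODY, "relaxed")
    bh_simple = body_hash(ORIGINAL_BODY, "simple")
    # l= is the number of canonical body octets the signer chose to cover.
    covered = len(canonicalize_body(ORIGINAL_BODY, "relaxed"))
    bh_limited = body_hash(ORIGINAL_BODY, "relaxed", covered)
    return {
        "rewrap_relaxed": body_hash_verifies(bh_relaxed, REWRAPPED_BODY, "relaxed"),
        "rewrap_simple": body_hash_verifies(bh_simple, REWRAPPED_BODY, "simple"),
        "footer_relaxed": body_hash_verifies(bh_relaxed, FOOTERED_BODY, "relaxed"),
        # With l=, the footer lies outside the signed octets, so it verifies;
        # that is also why anyone can append content to such a message.
        "footer_with_l": body_hash_verifies(bh_limited, FOOTERED_BODY, "relaxed", covered),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:15} {'verifies' if ok else 'FAILS'}")
```

Relaxed canonicalization absorbs whitespace damage from forwarders, but no canonicalization absorbs an appended footer, which is why list traffic fails DKIM and then DMARC once SPF has already failed on the relay’s IP. The `l=` escape hatch makes the footer case pass, at the cost of letting anyone append arbitrary content to the signed message, so most signers leave it out.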

Identity, Trust, and Alternative Models

  • Several participants argue reputation should be per-sender, not per-server, and that SPF/DKIM are just the identity layer underlying any such system.
  • PGP/web-of-trust and TOFU (trust on first use) are mentioned as conceptually ideal for identity transfer, but seen as far too complex for typical users.
  • Suggestions include client-side filters like “only show messages from contacts” or quarantining unknown senders until explicitly approved.

Spam Ecosystem, Abuse, and “Legitimate” Spam

  • Comments lament that WHOIS changes, CDNs, and large email/hosting platforms make abuse reporting slow and ineffective; large providers often ignore or funnel abuse reports into friction-heavy web forms.
  • Some admins now block entire high-risk countries at the network layer to reduce server noise; others note geo-IP is imperfect and can cause collateral damage.
  • Many are more annoyed by “legitimate” marketing spam (forced opt-ins, dark patterns, endless categories) than by classic criminal spam, and feel big providers do little to curb it—possibly because it aligns with their ad-driven incentives.