I concur, and it's a shame they have chosen to make a bunch of noise and pass the blame rather than see if they have an issue.
Even Gmail's own interface ("show original", I think) will display a failure of the DMARC check and is a useful testing tool.
Sadly noise like this adds a misleading boost to the "it's impossible to run your own email server" sentiment, but I don't believe this is as true as people make out (yet).
I started this post to say thanks for sharing the mail-tester.com website. I just tested my own setup and found it thoroughly useful.
Bootstrapping identity without an existing identifier to base it on is a difficult problem.
On one hand, it is a barrier to entry. On the other hand, without some barrier, you can be subjected to spam.
One option to deal with it is Web of Trust, with users who have been vouched by the operator being able to vouch other users, and so on.
So, if I forgot my "password" (private key), I can log in with a new key, and say, "my name is Joe, please verify me", and confirm it via out-of-band with another human.
If you have access to at least one device with a valid key, you can vouch the new key with an existing one.
And if any improper vouching is detected, you can trim the vouch tree at the problem node with all downward nodes also becoming disallowed.
This is basically the (PGP-based) account system I've built in sHiTMyseLf.
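The vouch tree described in the comment above, as an added example that is not part of the original post and not code from the commenter's project. It models only the tree logic: keys are opaque constructed fingerprint strings, all class and function names are hypothetical, and it assumes the signature on each vouch request has already been verified elsewhere.

```python
# Added example: keys are opaque fingerprint strings (constructed sample values).
# Assumption: the signature on each vouch request was already verified elsewhere.

class VouchTree:
    """Vouch tree: every key except the operator's has exactly one sponsor key."""

    def __init__(self, operator_key):
        self.sponsor = {operator_key: None}  # key -> sponsor (None marks the root)
        self.trimmed = set()                 # nodes where the tree was cut

    def is_allowed(self, key):
        """Allowed only if the key and every ancestor up to the root are untrimmed."""
        if key not in self.sponsor:
            return False
        while key is not None:
            if key in self.trimmed:
                return False
            key = self.sponsor[key]
        return True

    def vouch(self, sponsor_key, new_key):
        """An allowed key vouches for a new key (a new user or one's own new device)."""
        if not self.is_allowed(sponsor_key):
            raise PermissionError(f"{sponsor_key} may not vouch")
        if new_key in self.sponsor:
            raise ValueError(f"{new_key} is already in the tree")
        self.sponsor[new_key] = sponsor_key

    def trim(self, key):
        """Cut the tree at key; all keys below it become disallowed as well."""
        if key not in self.sponsor:
            raise KeyError(key)
        if self.sponsor[key] is None:
            raise ValueError("the operator root cannot be trimmed")
        self.trimmed.add(key)


def demo():
    tree = VouchTree("operator")
    tree.vouch("operator", "joe")
    tree.vouch("joe", "joe-new-laptop")   # recovery: an existing key vouches the new one
    tree.vouch("joe", "mallory")
    tree.vouch("mallory", "sockpuppet")
    tree.trim("mallory")                  # improper vouching detected at this node
    return tree


if __name__ == "__main__":
    t = demo()
    for k in t.sponsor:
        print(k, t.is_allowed(k))
```

Because `is_allowed` walks the sponsor chain on every check, trimming one node takes effect for the whole subtree immediately and no per-descendant revocation list has to be maintained.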
Do you have any articles to learn more about this? I’ve been thinking about this exact problem with many companies requiring hoops like phone numbers for antispam purposes. But all they really care about is that it’s a human not a bot.
So some way to have an independent central website with a list of valid but anonymous keys could be used to sign up for any online service and prove you’re a human. Sort of like id.me. I’d almost be okay needing to get a letter in the mail for initial registration.
I'm thinking along similar lines (including physical mailing of smartcards or something similar). I like building AGPL software and take on commercial work from time to time. Maybe I should write an article ; )
Email is in my profile.
EDIT: check out the upspin.io project; it's written in Go and has a lot of thought put in.
I don't know how reliable a proof a received mailing is. I guess it's proof of something...
I think a much more reliable proof is a vouch from another member who signs up to be your "sponsor" -- responsible for all your actions.
If you're interested in seeing a working prototype, check my profile. Some of the things I described have to be done manually for now, however, until the UI is finished.
If you aren’t aware, FAF “Forged Alliance Forever” is a fan-supported client for the community-maintained Forged Alliance expansion for the 2008 RTS game Supreme Commander. Gyle streams FAF games regularly: https://m.youtube.com/c/GyleCast
It’s got the economic model from Total Annihilation and used nowhere else.
If you want to be more durable against this, it’s a bit more risky but you can allow someone to send your server an email to verify their email address.
There are various ways to fake this out, but the more you integrated correct DKIM checking the more reliable it would be.
Yeah I don't think this is Google's fault..... are they even checking their inbox for DMARC results?