Comment by chillfox

1 month ago

In most organizations there is no point in a sysadmin spending the effort to understand how to set it up correctly, as Marketing has more authority over email. Marketing will simply demand changes to the config that they do not understand, and there is nothing you can do to stop it, as they will have the CEO on their side.

> Marketing will simply demand changes to the config that they do not understand and there is nothing you can do to stop it as they will have the CEO on their side.

Marketing should get their own (sub)domain for sending their missives; that way the primary corporate domain's reputation is not harmed.

Unless you want to run the risk of outgoing e-mails from Finance / Accounts Receivable being sent to other companies' Junk folders.

  • It's amusing to see this advice in this thread contrasted with the recent Troy Hunt phishing attack thread where folks are complaining about companies like Microsoft having dozens of varying domain names.

    • > […] about companies like Microsoft having dozens of varying domain names.

      There's a difference between one and dozens, and even between one dozen and dozens.

      Most companies are not of Microsoft's size either: just having news.example.com would probably be sufficient for a lot of places.

  • This is email marketing 101, HN'ers are massively overstating how many domains are getting blacklisted because of "marketing".

Orgs like that will hire consultants like me when they can't figure out why their stuff isn't landing in the inbox. Then 3 months later their webdev will somehow delete the entire zone when adding their A record.

You mean like the time I had a salesperson demanding that we turn off Cloudflare across our entire domain because he'd read some random article somewhere saying we should?

  • The goal of sales isn't to block up to a third of worldwide traffic. Turning off Cloudflare means more traffic, and more sales are not blocked. Did you even read the article, or did you dismiss it because it came from 'sales'?

    • Sales: "look, I turned this off and sales went way up"

      Security: "We had to cancel every single one of those sales because they came from stolen credit cards. It's costing us more to deal with that than we are earning."

Which is another reason to strictly enforce SPF and DKIM, in my book. Let marketing break those policies, that way I don't need to bother with reading your company's spam!

Marketing decides on DKIM and SPF?

  • The problem I personally ran into as a one-person IT department was that the VP of marketing had more power over me, as a manager, and that meant more to my supervisor (the CEO) than me fighting to do things as correctly as possible. I was seen as a roadblock or speed bump. So, they may not decide on DKIM and SPF, but if marketing isn't happy then their negativity could cause pushback that forces changes that may technically not be good for the company.

    I’ve abandoned that role and have gone back to an IC role and I’m much happier for it.

    • As long as you're not breaking the law / hurting people, does the struggle really matter? The best way I've been able to make people listen to me is by just presenting them with options and results.

      If you do it this hacky way - we run this risk and this bad thing can happen, etc. After they have seen the consequences of their decisions a few times, people start paying attention to you. Do it a few more times and the company will have an "institutional knowledge" that you are usually right, and even if the manager leaves, you still end up as the go-to guy on how to ship.

      And sometimes the marketing people might end up being correct! I once actually battled to "do the correct thing" (way back in the day, it was a Ruby on Rails modelling question, I think) and the product owner was like - just do it this hacky way, I don't care ... I did it the hacky way and you know what - it was the right call - we never changed it again, and the business knowledge we got from it was actually valuable.

  • Indirectly, yes. Since they don't understand the details, management just "wants it to work". So too many email admins just give up and make their sending policies as permissive as they can to account for whatever new service marketing is using at the time.

  • DMARC is required for BIMI, and marketing wants that logo to show up in the Gmail app next to your mail.

Even worse when you have even less control than that: if you run some type of hosting and are trying to convince non-technical clients (or, even worse, non-technical clients who think they are technical) to "please just add this record exactly as it says here to your domain", and they're somehow unable to for months and months.

  • > "please just add this record exactly as it says here to your domain" and they’re somehow unable to for months and months

    I ran into this helping a friend whose biz emails to gmail recipients were getting dropped; the IT dept of the umbrella corp wouldn't respond. Same to me when I sent the correct DMARC, SPF etc.

    (My friend's biz was his own but it shared some resources with a larger corp.)

    I eventually realized that the (wrong) DMARC reporting domain wasn't even registered. I did what you'd expect and I soon had DMARC reports for subsidiaries of the umbrella corp. My friend passed that up to the CEO and suddenly IT was responsive.

    In the end, it turned out that IT was deliberately blocking his biz emails to his biz family members. After 10 years they suddenly decided that email to family+gmail was risky and that they were going to gaslight my friend about it. Because reasons.

    • That’s a wild story, thanks for sharing - I find interfacing with external IT teams extraordinarily frustrating. I suspect it’s because businesses often don’t manage their IT teams well or have a good process to expedite business -> IT requests that really should be super easy and provide a lot of tangible value for the amount of comparative effort involved.

      I’ve run into outright malicious stuff internally like this, but never externally - I would probably go apoplectic if I were your friend.
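An added example, not code from the thread or any commenter: a small offline linter for the three record problems argued over above, SPF loosened until every host passes, DMARC that never enforces on the apex or on a marketing subdomain, and DMARC report addresses that point at a domain the organization does not control (the unregistered reporting-domain story). The record strings and the `check_spf` / `check_dmarc` helper names are constructed for this example.

```python
# Added example (not from the thread): offline linter for the permissive SPF, lax DMARC
# and off-domain DMARC reporting settings discussed above. Records are constructed samples.

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record (DMARC style) into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

LOOKUP_PREFIXES = ("include:", "exists:", "redirect=", "a:", "a/", "mx:", "mx/")

def costs_lookup(term):
    """True for mechanisms that count against the RFC 7208 limit of 10 DNS lookups."""
    mech = term.lstrip("+-~?").lower()
    return mech in ("a", "mx") or mech.startswith(LOOKUP_PREFIXES)

def check_spf(record):
    """Return the settings that make an SPF record permissive or unusable."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    for term in terms[1:]:
        if term.lower() in ("+all", "all", "?all"):  # pass or neutral for every sender
            issues.append(f"{term}: any host on the internet passes SPF for this domain")
    lookups = sum(1 for t in terms[1:] if costs_lookup(t))
    if lookups > 10:  # receivers return permerror, so the record protects nothing
        issues.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return issues

def check_dmarc(record, org_domain):
    """Return weak DMARC policy settings and report destinations outside org_domain."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "none")
    if policy == "none":
        issues.append("p=none: spoofed mail is only reported, never quarantined or rejected")
    elif tags.get("sp", policy) == "none":  # sp defaults to p; an explicit none is a hole
        issues.append("sp=none: subdomains get no enforcement although the apex domain does")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if not uri.startswith("mailto:") or "@" not in uri:
                continue
            report_domain = uri.split("@", 1)[1].split("!", 1)[0].lower()  # drop size limit
            if report_domain != org_domain and not report_domain.endswith("." + org_domain):
                issues.append(f"{tag} goes to {report_domain}: external domain, verify you control it and that it publishes {org_domain}._report._dmarc.{report_domain}")
    return issues
```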

To be fair here: for a lot of companies, if the mass mailing stops, the money flow stops, and that's no good for anyone... so the CEO will probably err on the side of money, presumably.