chillfox 5 days ago

In most organizations there is no point in a sysadmin spending the effort to understand how to set it up correctly, as Marketing has more authority over email. Marketing will simply demand changes to the config that they do not understand and there is nothing you can do to stop it, as they will have the CEO on their side.

throw0101c 5 days ago

> Marketing will simply demand changes to the config that they do not understand and there is nothing you can do to stop it as they will have the CEO on their side.

Marketing should get their own (sub)domain for sending their missives, that way the primary corporate domain's reputation is not harmed.

Unless you want to run the risk of outgoing e-mails from Finance / Accounts Receivable being sent to other companies' Junk folders.

nkrisc 5 days ago

It's amusing to see this advice in this thread contrasted with the recent Troy Hunt phishing attack thread where folks are complaining about companies like Microsoft having dozens of varying domain names.

throw0101c 5 days ago

> […] about companies like Microsoft having dozens of varying domain names.

There's a difference between one and dozens, and even between one dozen and dozens.

Most companies are not of Microsoft's size either: just having news.example.com would probably be sufficient for a lot of places.

rchaud 5 days ago

This is email marketing 101, HN'ers are massively overstating how many domains are getting blacklisted because of "marketing".

jabroni_salad 5 days ago

Orgs like that will hire consultants like me when they can't figure out why their stuff isn't landing in the inbox. Then 3 months later their webdev will somehow delete the entire zone when adding their A record.

tigeroil 5 days ago

You mean like the time I had a salesperson demanding that we turn off Cloudflare across our entire domain because he'd read some random article somewhere saying we should?

ipaddr 5 days ago

The goal of sales isn't to block up to 1/3 of worldwide traffic. Turning off Cloudflare means more traffic and more sales are not blocked. Did you even read the article, or did you dismiss it because it came from 'sales'?

pixl97 5 days ago

Sales: "look, I turned this off and sales went way up"

Security: "We had to cancel every single one of those sales because they came from stolen credit cards. It's costing us more to deal with that than we are earning."

izacus 5 days ago

Accounting: "We're measuring a pretty big loss because security cancelled legitimate purchases together with fake ones and now clients are leaving."

jeroenhd 5 days ago

Which is another reason to strictly enforce SPF and DKIM, in my book. Let marketing break those policies, that way I don't need to bother with reading your company's spam!

stef25 5 days ago

Marketing decides on DKIM and SPF?

selykg 5 days ago

The problem I personally ran into as a one person IT department was that the VP of marketing had more power over me, as a manager, and that meant more to my supervisor (the CEO) than me fighting to do things as correctly as possible. I was seen as a roadblock or speed bump. So, they may not decide on DKIM and SPF, but if marketing isn’t happy then their negativity could cause push back that forces changes that may technically not be good for the company.

I’ve abandoned that role and have gone back to an IC role and I’m much happier for it.

seer 5 days ago

As long as you're not breaking the law / hurting people, does the struggle really matter? The best way I've been able to make people listen to me is by just presenting them with options and results.

If you do it this hacky way - we run this risk and this bad thing can happen, etc. After a few times they see the consequences of their decisions, people start paying attention to you. Do it a few more times and now the company will have "institutional knowledge" that you are usually right, and even if the manager leaves, you still end up as the go-to guy on how to ship.

And sometimes the marketing people might end up being correct! I once actually battled to "do the correct thing" (way back in the day it was some Ruby on Rails modeling, I think) and the product owner was like - just do it this hacky way, I don't care ... I did it the hacky way and you know what - it was the right call - we never changed it again and the business knowledge we got from it was actually valuable.

selykg 5 days ago

In the end, for me personally, I give people respect for their roles and the benefit of the doubt that they're in the position for the right reasons. But when I don't get that kind of thing in return then it just pisses me off. What I realized along the way is that I don't want to be in charge of things like this, it's simply not for me, at the very least it isn't on that team. Maybe that will change with the right people but the whole thing soured me on management in general and I will avoid it like the plague.

I'm pretty bitter about it all still, but it's a combination of a lot of things beyond this particular bit I shared. All I can say is I'm glad I am no longer in that role, it was slowly killing me.

freedomben 5 days ago

The biggest problem there is that it's a statistical gamble, and oftentimes the damage isn't apparent until months or years later, which is plenty far enough removed from the decision that the manager isn't going to remember, let alone realize "he told me so." And you reporting "I told you so", even in very easy, factual, and respectful professional language, will typically not be well received. There's also a decent chance that when the thing breaks or you get breached, you'll be blamed for it, or at least be on the defensive.

Now that said, I've worked with a lot of IT/engineering people who are pretty obstructionist to normal business operations and sometimes need to be told, "yeah, we're accepting the risk, move forward with the plan." Sometimes it's for good reasons, other times it's just our normal humanity asserting itself in different ways. It's a hard problem for sure.

sybercecurity 5 days ago

Indirectly, yes. Since they don't understand the details, management just "wants it to work". So too many email admins just give up and make their sending policies as permissive as they can to account for whatever new service marketing is using at the time.

EE84M3i 5 days ago

DMARC is required for BIMI, and marketing wants that logo to show up in the Gmail app next to your mail

JohnMakin 5 days ago

Even worse when you have even less control than that: if you run some type of hosting and are trying to convince non-technical clients (or even worse, non-technical clients who think they are technical) to "please just add this record exactly as it says here to your domain" and they're somehow unable to for months and months.

WarOnPrivacy 5 days ago

> "please just add this record exactly as it says here to your domain" and they’re somehow unable to for months and months

I ran into this helping a friend whose biz emails to gmail recipients were getting dropped; the IT dept of the umbrella corp wouldn't respond. Same to me when I sent the correct DMARC, SPF etc.

(My friend's biz was his own but it shared some resources with a larger corp.)

I eventually realized that the (wrong) DMARC reporting domain wasn't even registered. I did what you'd expect and I soon had DMARC reports for subsidiaries of the umbrella corp. My friend passed that up to the CEO and suddenly IT was responsive.

In the end, it turned out that IT was deliberately blocking his biz emails to his biz family members. After 10 years they suddenly decided that email to family+gmail was risky and that they were going to gaslight my friend about it. Because reasons.
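A defender's check for the failure mode in the story above (DMARC reports routed to a domain the organisation does not control), which also covers the earlier suggestion of giving marketing its own subdomain with its own policy. This is an added example, not code from anyone in the thread; the records are constructed, and the "last two labels" rule for the organisational domain is a simplification (a real tool would use the public suffix list).

```python
"""Parse DMARC TXT records and flag report destinations outside the policy domain's organisation."""

# Constructed sample records for a primary domain and a marketing subdomain (not from the thread).
# The '!10m' suffix is the optional DMARC report-size limit and must be stripped from the mailbox.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; sp=quarantine; "
                   "rua=mailto:dmarc@example.com,mailto:agg@dmarc-reports.example.net!10m; "
                   "ruf=mailto:forensics@example.com",
    "news.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a dict of lowercased tag -> stripped value."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def report_addresses(tags: dict) -> list:
    """Return (tag, mailbox) pairs from the rua/ruf tags, dropping any size-limit suffix."""
    out = []
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri.lower().startswith("mailto:"):
                out.append((tag, uri[len("mailto:"):].split("!")[0]))
    return out


def org_domain(name: str) -> str:
    """Simplified organisational domain: the last two labels (no public suffix list here)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def external_report_domains(policy_domain: str, txt: str) -> list:
    """Domains that would receive reports but are outside the policy domain's organisation.

    Each of these needs to publish <policy_domain>._report._dmarc.<dest> (RFC 7489 s7.1), and
    if the destination domain is not even registered, anyone who registers it gets the reports.
    """
    home = org_domain(policy_domain)
    seen = []
    for _, mailbox in report_addresses(parse_dmarc(txt)):
        dest = mailbox.rsplit("@", 1)[-1].lower()
        if org_domain(dest) != home and dest not in seen:
            seen.append(dest)
    return seen
```

Run `external_report_domains` over every `_dmarc` record you publish; a non-empty result for a domain you do not own is the misconfiguration the story describes.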

JohnMakin 5 days ago

That’s a wild story, thanks for sharing - I find interfacing with external IT teams extraordinarily frustrating. I suspect it’s because businesses often don’t manage their IT teams well or have a good process to expedite business -> IT requests that really should be super easy and provide a lot of tangible value for the amount of comparative effort involved.

I’ve run into outright malicious stuff internally like this, but never externally - I would probably go apoplectic if I was your friend

tomw1808 5 days ago

To be fair here: for a lot of companies, if the mass mailing stops, the money flow stops, and that's no good for anyone... so the CEO will probably err on the side of money, presumably.

snowwrestler 5 days ago

Why would properly configuring SPF, DKIM, and DMARC stop the mass mailing, though?