Getting Burned by Scammers: Let’s Make It Small Businesses’, Charities’, and Organizations’ Problem to Solve!

It’s a bit technical, but if you start getting bounce-back messages for emails sent from you@yourdomainname.ext (ex: yourname@yourbusinessdomain.com), and they include “reason: 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both)”, just know two things:

  1. Your recipient did not get your message and you’re going to need to send it another way.
  2. In the most security-theater way of stopping spam ever, many email providers have adopted an SPF and DKIM check that targets spoofing (sending email that looks like it comes from someone else).

What’s that?

Sender Policy Framework (SPF)

SPF checks that your domain host knows the IP address of the computer/server/etc. that you’ll send mail from.

The conversation, in terms of what happens at the computer level, goes something like this:

Without SPF Setup

Your Server: Hi, New Email from Billy!
Their Server: Papers please, what’s your SPF?
Your Server: My what? I don’t have an SPF.
Their Server: Message DENIED, I have no clue who this is REALLY from! What if a spammer was using Billy’s email address? I might be delivering porn, a Viagra ad, or worse, no dice!

With SPF Setup

Your Server: Hi, New Email from Billy!
Their Server: Papers please, what’s your SPF?
Your Server: Here’s the SPF.
Their Server: Okay, the SPF list of IP addresses contains 10.10.10.10 which is where this email originated, meaning it’s actually from Billy. Message APPROVED and will be DELIVERED!

DomainKeys Identified Mail (DKIM)

DKIM is a pre-shared security encryption key that you have to set up on the registered domain and in the email program.

The conversation, in terms of what happens at the computer level, goes something like this:

Without DKIM Setup

Your Server: Hi, New Email from Billy!
Their Server: Uh, this isn’t encrypted! Like, what are you doing? Message DENIED, I have no clue who this is REALLY from! What if a spammer was using Billy’s email address? I might be delivering porn, a Viagra ad, or worse, no dice!

With DKIM Setup

Your Server: Hi, New Email from Billy!
Their Server: Let me check the public key that Billy’s domain, mylocalorganization.com, has.

They MATCH. Message APPROVED and will be DELIVERED!

What’s this mean?

Spammers can’t send email as, for example, billy@mylocalorganization.com and have that get to your inbox. And neither can Billy, unless he has a business account and a static IP address with his internet service provider (most won’t set up business accounts for residential addresses/dwellings) or goes through the burden of adding his new IP address to the DNS record for SPF every time his ISP changes it.

OR

Unless he goes through a complicated process to create a public and private key, edits the DNS settings of his domain with the public key, and configures every email client he uses with the private key for DKIM.

Meanwhile, spammers are totes OK to just set the mail From Name to “billy@mylocalorganization.com” while using spammer@lose50poundstoday.com to actually send. This spammer can easily do this because they have a static IP and the resources for IT support to set up and manage SPF and/or DKIM.

This new layer of security, from the recipient side, requires looking at email headers to be effective.

The email header for both examples above, from Billy and from a Scammer, would contain the following (the first part is the display name, which you can change, and the second part, between the chevrons < and >, is the actual reported email address that the message is coming from):

FROM: billy@mylocalorganization.com <billy@mylocalorganization.com>

FROM: billy@mylocalorganization.com <spammer@lose50poundstoday.com>

But both of these would display, if the email that’s actually from Billy were to make it through, as the following in most mail apps and programs:

FROM: billy@mylocalorganization.com

FROM: billy@mylocalorganization.com

What’s worse, it’s more likely you won’t see <billy@mylocalorganization.com>’s email, but you would definitely get <spammer@lose50poundstoday.com>’s email.
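
What a mail filter or a recipient-side rule can do with those two headers, as an added example (not code from the original post): flag any From header whose display name shows an address at a different domain than the address between the chevrons. The function names and regular expressions are this example's own; the first two sample headers are the ones above and the third is constructed.

```python
import re

# Splits 'Display Name <addr>', optionally prefixed with 'From:'.
FROM_RE = re.compile(
    r'^\s*(?:from:\s*)?"?(?P<display>.*?)"?\s*<(?P<addr>[^<>\s]+)>\s*$',
    re.IGNORECASE,
)
# Finds an email address written inside the display name.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

SAMPLE_HEADERS = [
    "FROM: billy@mylocalorganization.com <billy@mylocalorganization.com>",
    "FROM: billy@mylocalorganization.com <spammer@lose50poundstoday.com>",
    'From: "Billy" <billy@mylocalorganization.com>',  # constructed
]


def display_name_mismatch(from_header):
    """Return a finding when the display name shows an address whose domain
    differs from the real sender's domain, otherwise None."""
    m = FROM_RE.match(from_header)
    if not m:
        return None  # bare address: there is no display name to mislead with
    shown = ADDR_RE.search(m.group("display"))
    actual = m.group("addr").lower()
    if not shown or "@" not in actual:
        return None
    if shown.group(1).lower() == actual.rsplit("@", 1)[1]:
        return None  # display name and real sender agree
    return {"shown": shown.group(0).lower(), "actual": actual}


def scan(headers):
    """Return the findings for every header that shows a mismatched address."""
    findings = []
    for header in headers:
        finding = display_name_mismatch(header)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_HEADERS):
        print("display name shows", finding["shown"], "but sender is", finding["actual"])
```
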

So Billy, from our example, can’t let you know that the next event, information you arguably want to know about, is on Saturday. He can’t reply to the message you sent him. He can’t use the email he pays for at the domain he pays for to send anything without getting an error message.

Not because Billy is a bad actor, a spammer; but because bad actors, spammers, COULD use his email address to send you an email that you in turn open because you think it’s from Billy, and you trust him and want to see what’s going on with My Local Organization.

But yay, we’re just an nth of a percentile safer online.

Actually, not really. Not even an nth of an nth safer than before.

We’re just as unsafe as before, but now we’re putting the entire weight of spam prevention on small business owners, local organizations, clubs, etc., AND we just made it more likely that spam messages go through, are delivered, and are opened by the recipient, which would actually mean we are significantly more at risk, AND we just replaced cautious suspicion with opening email from senders that may not be performing best practices, by ensuring your email app will declare that this email is, IN FACT ✅, from the sender.

What We Really Need…

…are systems that are more intelligent. Systems that don’t add burdensome and onerous tasks onto Main Street Humans, the John and Jane Publics of the world and of their respective regions, the people who run small businesses, have a tidy little mailing list, and are out there trying to provide local employment, local services and goods, and local support for their communities.

Instead, we need to focus on providing more reliable delivery of email from those who do not bulk send, and on interactive systems that detect bulk sending reportedly from their domain and contact those domain owners, both allowing them to respond to challenges of individual messages and making them aware that their email address is being maliciously used if a scammer does happen to use it.

For Illustrative Purposes, a scam advertisement for a food additive for weight loss.

But most importantly, what we really need is the common sense that if Google, Yahoo!, AOL, and all the other email giants can’t keep ads like the one to the right out of your email, why would anyone ever think the answer would be to put the burden of doing so on the back of Billy and My Local Organization?

Instead, this does the opposite. It makes it MORE likely you will open that spam, more likely you’ll follow the link or call the number it contains, and more likely you’ll send your money to scammers.

Money out of your pocket, into who knows whose hands in some place you may never know exists.

Maybe you even get something from them, most likely you don’t.

But most certainly you didn’t get what you wanted or needed from Billy, and his organization may easily disappear.


Joseph Arrington is the Owner of Mystic Computers and strives every day to bring you the best IT solutions!