I moved a Gsuite client to Zoho because once or twice a week, an email from one person at the custom domain to another person in the same custom domain (company) would have their direct email get put into spam in Gmail.
You would really think that Google would whitelist emails within the same custom domain which is paying for Gsuite service. Maybe that has changed, but it was definitely a problem 5 years ago.
And we're not talking about an email which had some copy/paste of spam, we're talking about a one or two line sentence giving an instruction or asking a question to a colleague.
It is solved by the product. You tick a box, and internal mail is bypassed.
The issue here is that developers and IT folk seem to think that email is easy because the know IT. Email is a complex, and old protocol that has many nuances and, believe it or not, phishers are smart; end users are naive, and often reckless. Spammers, be they benign or otherwise, can be incredibly lazy too, but don't think for one second that you, as a postmaster, are cleverer than they are. Spam and phishing are getting harder to beat. Businesses like Proofpoint, Cisco and Mimecast, along with the likes of Google and Microsoft, are investing heavily in trying to beat these guys, but the reality is that they are always at least two steps ahead.
At scale, that’s not an option. If you have external services that send mail to your Workspace tenant, there is a risk of compromise to the sending service, especially if it is outside of your control. The sending service could have SPF records that permit sending mail on your behalf. That mail needs to be scanned. There is also the threat from bad actors inside your perimeter. Sure if you’re a small operation, or using Workspace as a personal mail host, this may seem like overkill, but I can assure you that the majority of orgs that use Workspace (it a business too after all) would prefer the status quo.
I’d guess the main issue is, the big guys don’t care about you. Like, at all.
If they pass their log through a scanner, come up with a few dozen small servers that look fishy (e.g your IP is contiguous to some other spammer’s IP), and yours is rope in as false positive, you’re banned.
And from there you’ll have to convince Google that you’ve done nothing wrong.
> And from there you’ll have to convince Google that you’ve done nothing wrong.
Imagine the conversation with their support when you ask why bob@domainx.com's email was put in spam folder of jan@domainx.com's email, as both are hosted by Gsuite and presumably entirely within the Google network.
The answer, after two levels of support, was, "We don't understand why, but we can open a ticket with the developers." In the business world, you don't have time to wait for that, especially when non-technical business users are making mistakes or losing business because they can't function properly.
Even with DKIM, all you need is the recipient of one email from one user on one domain (I have hundreds of domains) of your mail server to file a spam report, and WHAM you are blacklisted. So yes, it is a problem even with DKIM. If you have a solution, I would LOVE to hear about it.
I file this under “you can’t have a technical solution to a social problem”. We can do all we want to protect e-mail, but when it comes down to it, someone is going to figure out a way around it and ruin it for others.
The current situation is that we have technical solutions for authenticating smtp sending domains. But there will always be someone who flags an email too quickly or just wants to spite you. Or someone that will send spam regardless (or hack an account, etc...). And so we’re back at square one.
This is especially true for situations (like email) that aren't subject to market forces. Because sending email is so cheap, the return rates can be very small to still justify sending spam. There just isn't any market pressure to keep it contained...
One of my clients is a construction firm specializing with churches. It is not infrequent for them to be communicating about a project with a church - often to a role account (e.g. info@church.org), which is step 1 towards being filed as spam - where the role account is shared with a dozen or more people. The building manager will check the email on Mon, Wed and Fri and every other day there will be a number of well-intentioned volunteers at least one of which will click on the spam button dooming my client's email into the abyss. Weeks later we find the church has gone with a different contractor, as they "could never get a response" from my client.
We will go so far as to donate a new IT/Cloud system to the church (small $$ compared with the project) just to ensure reliable communication. But then they think we are just trying to buy them.
Now my client has a blacklisted domain/mail server IP, and bids they send out are rejected as spam by the providers to other churches.
Makes no difference if we are hosting the mail server or if it is a 3rd party mail service. As soon as a customer is sold, we try and move them off email into a web-application framework for ongoing legitimate communication. Again a lot of resistance.
Does this happen even if you move your client to Google Workspace/Office 365? Using one of those two should eliminate the problem. Was that your experience?
If the alternative is that your construction firm fails and you and everyone else are out of a job - well your email hosting choice is a weird hill to die on.
Presumably most of the firms clients are themselves hosting email on Workspace or 365. And Google/MS might treat email originating from their own systems differently than inbound email originating elsewhere.
Also I'd expect all the firms competitors to be using Workspace or 365, so if using them gives no apparent protection, presumably they should be suffering from this as well?
Hashcash was originally proposed to add some form of cost to sending email. Something similar could be a great way to get mail from legitimate people through. Spam wouldn't scale but the average person would only pay in a bit of CPU time/cost.
“spam wouldn’t scale” - unconvinced on this: spammers already mostly use other people’s compromised machines to do the sending; there is no cost to them here.
If you charge some cost per mail (whether that's CPU time or actual money), users/teams would check their spend and optimize accordingly. They'd notice runaway spend and act on it. The only reason why mail servers become compromised and nobody notices is that bandwidth for mail is generally too cheap to meter. On any 10s of megabits connection, sending a deluge of spam is trivial.
Not even that, you can become the victim of a "noisy" neighbor if someone on the same IPv4 /24 sends too much spam (some of the common blacklist providers will do entire netblocks if they get enough complaints)
That would demand maintaining an address book. Most mails I receive are from services which I have never written to, and I don't see a reason to extra maintain their data when I already have their mails.
For sure. I’m contemplating a scenario I’ve had multiple times “No I didn’t get it” “Okay let me try again, did you check spam?” “Yeah” “Maybe add me to your address book” “Nope still nothing”
It's amazing that having someone in your address book isn't enough in many cases. Like, why?