Rookie42's comments

Maybe I am just "on the cool-aide" or something, but I want to believe this is actually a communication issue.

Firstly, I have to assume that people at these senior levels operate in the best interests of the company (at least most of the time). So, feel free to tell me this is my problem :)

With that assumption called out, their action (at least statistically) is expected to have a better outcome for the company. This applies to all decisions - return to office, technology selection, etc.

So, why is this communication - well because the approach for senior leadership is typically still - "Trust us" - rather than "Here is our logic, and know there are other perspectives, but this is what we are doing and to what end". That communication can increase trust in leadership, and even build confidence when done well.

Of course, if/where my assumption is wrong, the author could be right.

As a side note - I have NOT worked for a company with competent technical competencies in senior leadership in well over 10 years. This typically (almost always) leads to mass blind adoption of the Microsoft stack. And I generally see that pattern and will use it to help select where I go to work next.


Maybe you're right. If so, I've only ever worked for companies with leadership that sucked at communicating.

I don't think it's that simple though. My personal belief is that leadership rarely has a good reason for obtuse decisions and following the leader seems more likely. Even if the first company has a good reason that makes sense for them, I'm not convinced the same (or any) reasoning applies to all the followers.

I also believe that the majority of the leadership at companies I've worked for are poor downwards communicators :)


Kool-Aid is the drink you’re thinking of and it wasn’t the drink used at the time. That was Flavor-Aid.


either way, flavor-aid brand kool-aid is still cool-aide


Great way of pushing the critical email services we all need to reduce spam. While I have always wanted SPF, DKIM and DMARC to be enough of an incentive for the businesses I work with, reputation is often not enough of a driver to prioritise the investment.

But fret not! For when you are dealing with companies which want to communicate with customers in a trusted way, there is a marketer's dream standard - Brand Indicators for Message Identification (BIMI) - now security isn't the only outcome, you get a pretty logo too! https://www.litmus.com/blog/what-is-bimi-and-why-should-emai...

I have used BIMI at multiple companies now which talk about Customer Experience to drive the proper (P=Reject) implementation of DMARC.


DMARC still has some issues. From a few years ago: https://i.blackhat.com/USA-20/Thursday/us-20-Chen-You-Have-N...

> Unfortunately, neither SPF nor DKIM provides a complete solution for preventing email spoofing. SPF authenticates the HELO/MAIL FROM identifier and DKIM authenticates the d= field in DKIM-signature header: neither of them authenticates the From header displayed to the end-user, which means that even if an email passes SPF and DKIM validation, its From address can still be forged.

A lack of DMARC+ on an email domain is definitely a problem, but DMARC+ alone still doesn't solve the "is this the real sender" problem.
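The quoted Black Hat excerpt above and the earlier comment about driving DMARC to p=reject both come down to one mechanism: DMARC requires that whichever of SPF or DKIM passed also *aligns* with the RFC5322.From domain, and the p= tag decides what the receiver does when nothing aligns. The following is an added, self-contained example (not code from the paper, the comments, or any library) that parses a `_dmarc` TXT record and evaluates a message the way a receiver does. The records and message authentication results are constructed, and the organizational-domain logic is a deliberate simplification (last two labels, no Public Suffix List).

```python
"""
DMARC evaluation sketch: parse the policy record, then require an *aligned*
SPF or DKIM pass before accepting the From header as authentic.
Added example; all records and messages below are constructed.
"""


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict with RFC 7489 defaults filled in."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None  # no usable policy: the receiver cannot apply DMARC at all
    return {
        "p": tags["p"].lower(),                  # policy for the record's own domain
        "sp": tags.get("sp", tags["p"]).lower(),  # policy for subdomains (defaults to p)
        "adkim": tags.get("adkim", "r").lower(),  # DKIM alignment: r(elaxed) or s(trict)
        "aspf": tags.get("aspf", "r").lower(),    # SPF alignment: r(elaxed) or s(trict)
        "pct": int(tags.get("pct", "100")),       # share of failing mail the policy applies to
    }


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption; real
    receivers consult the Public Suffix List so that e.g. co.uk is handled)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Does the domain SPF/DKIM authenticated align with the From domain?"""
    if not auth_domain:
        return False
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record_txt, record_domain, from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Return {'result': pass|fail|none, 'disposition': none|quarantine|reject, 'reason': ...}.

    spf_domain is the MAIL FROM (or HELO) domain SPF checked; dkim_domain is the
    d= tag of the DKIM signature.  Neither is the From header on its own."""
    rec = parse_dmarc(record_txt)
    if rec is None:
        return {"result": "none", "disposition": "none", "reason": "no valid DMARC record"}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none",
                "reason": "aligned spf" if spf_ok else "aligned dkim"}
    # Nothing aligned: apply p= for the record's own domain, sp= for subdomains.
    policy = rec["p"] if from_domain.lower() == record_domain.lower() else rec["sp"]
    return {"result": "fail", "disposition": policy, "reason": "no aligned pass"}


# Constructed scenarios illustrating the points made in the thread.
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
MONITORING = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SUBDOMAIN_POLICY = "v=DMARC1; p=reject; sp=quarantine"
STRICT_DKIM = "v=DMARC1; p=reject; adkim=s"

SCENARIOS = {
    # Third-party bulk sender: SPF passes for its own bounce domain (unaligned),
    # but the DKIM signature is d=example.com, so DMARC passes via DKIM.
    "bulk_sender_dkim_aligned": (ENFORCING, "example.com", "example.com",
                                 "pass", "bounce.mailer.example", "pass", "example.com"),
    # From header claims example.com while SPF and DKIM only vouch for other.example:
    # exactly the forged-From case SPF/DKIM alone cannot catch; p=reject blocks it.
    "forged_from_rejected": (ENFORCING, "example.com", "example.com",
                             "pass", "other.example", "pass", "other.example"),
    # Same forged message against a monitoring-only record: fails, but nothing happens.
    "forged_from_monitor_only": (MONITORING, "example.com", "example.com",
                                 "pass", "other.example", "pass", "other.example"),
    # Subdomain From with no authentication at all: the sp= policy applies.
    "subdomain_uses_sp": (SUBDOMAIN_POLICY, "example.com", "news.example.com",
                          "fail", "news.example.com", "none", ""),
    # Strict DKIM alignment: d=mail.example.com would pass relaxed, fails strict.
    "strict_alignment_fails": (STRICT_DKIM, "example.com", "example.com",
                               "none", "", "pass", "mail.example.com"),
}


def run_scenarios():
    """Evaluate every constructed scenario; returns {name: (result, disposition)}."""
    return {name: (r["result"], r["disposition"])
            for name, args in SCENARIOS.items()
            for r in [evaluate_dmarc(*args)]}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:28s} -> result={outcome[0]:4s} disposition={outcome[1]}")
```

The `pct` tag is parsed but not applied to the disposition here; a receiver uses it to apply the policy to only that percentage of failing mail, which is why a record at `p=reject; pct=10` is still mostly a monitoring deployment.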


We literally just ran into another issue with SPF: the SPF Lookup Limit [1], which could cause receiver servers to bounce your email back with an "SPF PermError".

If your SPF record causes receiving mail servers to lookup too many domains, some receiving mail servers will reject your email, even when the email itself passes all SPF/DKIM/DMARC checks.

The tricky part of that to diagnose - which [1] talks about, and links to a tool to diagnose it [2] - is that there may be additional lookups that the servers you list in your SPF cause to happen.

So you could have an SPF record with only 4 servers, but if one of those servers causes 7 additional lookups, you might have over 10 SPF lookups. 10 seems to be a growing-in-popularity limit on SPF lookups.

So even if you have SPF, DKIM, and DMARC setup, make sure you don't have too many lookups caused by your SPF record!

1. https://easydmarc.com/blog/spf-too-many-dns-lookups-error 2. https://easydmarc.com/tools/spf-lookup
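The nesting described above (four listed mechanisms that secretly cost eleven lookups) is easy to reproduce offline. The following is an added example, not code from the comment or from the linked tool: it walks an SPF record the way a receiver does, charging one lookup for every `include:`, `a`, `mx`, `ptr`, `exists` and `redirect=` term and recursing into includes and redirects. `FAKE_DNS` is a constructed in-memory stand-in for real TXT lookups; the `example.com` record in it is built so that it lists only four terms of its own yet exceeds the limit once its includes are expanded.

```python
"""
Count the DNS lookups an SPF record causes, recursively, against the
10-lookup limit from RFC 7208 section 4.6.4.  Exceeding it produces
"permerror" at receivers that enforce the limit, regardless of whether the
sending IP would otherwise match.
Added example with a constructed DNS map; no real queries are made.
"""

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

# Terms that cost a DNS lookup.  ip4:/ip6:/all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for DNS.  Domain names use reserved
# example/TEST-NET ranges only.
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.mailer-a.example include:_spf.mailer-b.example a mx -all",
    "_spf.mailer-a.example": "v=spf1 include:pool1.mailer-a.example include:pool2.mailer-a.example ~all",
    "pool1.mailer-a.example": "v=spf1 ip4:203.0.113.0/24 a:relay.mailer-a.example -all",
    "pool2.mailer-a.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.mailer-b.example": ("v=spf1 include:_nb1.mailer-b.example include:_nb2.mailer-b.example "
                              "include:_nb3.mailer-b.example -all"),
    "_nb1.mailer-b.example": "v=spf1 ip4:192.0.2.0/26 -all",
    "_nb2.mailer-b.example": "v=spf1 ip4:192.0.2.64/26 -all",
    "_nb3.mailer-b.example": "v=spf1 ip4:192.0.2.128/25 exists:%{i}.rbl.mailer-b.example -all",
    "tiny.example": "v=spf1 ip4:203.0.113.5 -all",
    "loop.example": "v=spf1 include:loop.example -all",
}


def _split_term(term):
    """'include:foo' -> ('include', 'foo'); 'redirect=foo' -> ('redirect', 'foo');
    'a' -> ('a', ''); qualifiers (+ - ~ ?) are stripped first."""
    term = term.lstrip("+-~?")
    sep = "=" if "=" in term.split(":", 1)[0] else ":"
    name, _, arg = term.partition(sep)
    return name.lower(), arg


def count_spf_lookups(domain, resolver=FAKE_DNS, _path=()):
    """Return (lookups, trace) for `domain`, recursing into include:/redirect=.

    Repeated includes in different branches are counted each time, as a
    receiver would count them; a cycle is reported and not followed."""
    if domain in _path:
        return 0, [f"{domain}: include loop via {' -> '.join(_path)}"]
    record = resolver.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record"]
    lookups, trace = 0, []
    for raw in record.split()[1:]:          # skip the v=spf1 version tag
        name, arg = _split_term(raw)
        if name not in LOOKUP_TERMS:
            continue                        # ip4/ip6/all cost nothing
        lookups += 1
        trace.append(f"{domain}: {raw}")
        if name in ("include", "redirect"):
            sub, subtrace = count_spf_lookups(arg, resolver, _path + (domain,))
            lookups += sub
            trace.extend(subtrace)
    return lookups, trace


def check_spf(domain, resolver=FAKE_DNS):
    """Summarise a domain's SPF lookup budget: 'ok' or 'permerror'."""
    lookups, trace = count_spf_lookups(domain, resolver)
    return {
        "domain": domain,
        "lookups": lookups,
        "limit": SPF_LOOKUP_LIMIT,
        "status": "ok" if lookups <= SPF_LOOKUP_LIMIT else "permerror",
        "trace": trace,
    }


if __name__ == "__main__":
    for d in ("example.com", "tiny.example", "loop.example"):
        result = check_spf(d)
        print(f"{d}: {result['lookups']}/{result['limit']} lookups -> {result['status']}")
        for line in result["trace"]:
            print("   ", line)
```

Reading the trace for `example.com` shows where the budget goes: `_spf.mailer-b.example` alone costs five (its own include plus three nested includes and an `exists:`), so flattening that provider's ranges into `ip4:` terms, or moving it to a dedicated subdomain, is the usual fix.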


Hey - Managing SPF RFC limits in large environments can be rather challenging - given the limit of 10 entries. (especially before you adopt DKIM)

Some vendors such as ProofPoint offer services such as SPF hosting, which allow you to work around this constraint. (https://www.proofpoint.com/au/resources/solution-briefs/proo...)


As a practical example -- it's pretty common for companies to delegate email to a provider like Gmail. Some infosec folks consider this best practice, and Google will allow you to configure DMARC to say that only messages originating from their servers are legit.

However, this does mean that anyone who can suborn Google's mail servers can use them to send spoof emails that DMARC will rate as legitimate -- and last month, there was an announcement of vulnerabilities (since fixed) which allowed a third party to abuse email-forwarding features to do exactly that. See https://arxiv.org/pdf/2302.07287.pdf


It isn't perfect, but it doesn't need to be unless your risk is disproportional to the market. Risk will always be there, you just need to manage it in line with your corporate risk tolerance - and implementing DMARC to P=Reject is most likely going to (very likely exceed) that approach.

Yes, some companies have elevated risk here (Banks, Payment Processors, Social Media companies) - but honestly most don't.

Btw - this is as much an acceptance as a survival strategy - nothing will ever be perfect, not without significant cost & impact elsewhere. Survival of the fittest these days is managing (and please the understanding of) risk better than others


What's keeping me (as an attacker) from setting up a phishing domain with the same logo for BIMI?


You will need Verified Mark Certificates (VMCs) issued by a Certificate Authority.


Isn't BIMI like $1000/yr?


Yes, it is - well worth it for companies that perceive value for that investment, but that is all part of the value analysis.


Yep, to me this is the federal side of the multitude of lawsuits against OpenAI for IP infringement. This is going to be super interesting to watch how it turns out... so many implications for the technology.

That said - you already have companies like Adobe with their Firefly product attempting to offer reasonable terms and conditions for using their Generative AI products... so hopefully that is an indication of the market evolving to meet demand as well.


This is a common misconception which has been clinically proven to be incorrect.

For my wife, she needed to rebuild new neural pathways to recover from depression, which isn't something fixed by food and vitamins.


I couldn't disagree more with your second paragraph.

I have a partner who has been prescribed Ketamine for the last 3 years. I firmly believe that the drug's ability to rebuild neural pathways and thus work around / resolve damage to be the only reason why my partner is still alive today, and is now ready to return to work after so many years and such a brutal road.

In Australia, being prescribed Ketamine is very difficult, and thus very uncommon. While I do not believe it should be opened up to everyone, my experience over the last few years makes me a massive fan of the drug for specific situations.


At the government department I work for in Australia, we had a new CEO come in at the end of COVID lockdowns and order all staff back into the office full time. The mandate lasted 2-3 weeks before it was retracted due to staff reaction.

I firmly believe that the CEO only issued the mandate as he was told to do so (almost everyone has a boss).

The department has now adopted flexible working arrangements beyond just working from home. As a result, the workforce is happier, albeit some parts of management are still slow to evolve.

Stories like this will keep happening until we evolve to the new ways of working. Just because we did something for 50+ years doesn't mean there aren't better ways of doing something. Mostly I just see statements like this as people living in the past, refusing to adapt to a changing world.


Hey, I am about to start writing a position paper covering social login providers the company should enable/support. Do you have any references you can share for the above comment please?

