
The problem is that those basic fakes are normally rejected by the spam filter because they fail the SPF/DKIM checks on the receiving site.

If you actually use Mailgun yourself then you add Mailgun to the list of permitted senders and probably add a DKIM key as well. When someone else then fakes your email address without any validation, Mailgun might sign the message and bypass every anti-spam measure there is.

This could be solved without validation (for example by using dedicated IP addresses and DKIM keys per domain and attaching those to your specific account and API keys) but that'd take some significant engineering effort (and address space, loads of servers are still configured IPv4 only for some reason).

From the screenshot, I gather that the DKIM checks failed already. That still makes Mailgun an open relay, though, so they should be added to the necessary IP blacklists if they can't fix this problem.
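Receiver-side triage for the situation the comment above describes, as an added example that is not part of the comment or of any mail provider's code: it reads the `Authentication-Results` header and separates mail backed by an aligned DKIM signature from mail whose only aligned pass is SPF, which rests solely on the sending IP being a permitted sender. Assumptions: the header was written by your own receiving MTA, organizational domains are approximated by the last two labels, and all domains and messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the last two labels stand in for the Public Suffix List
    # lookup that real DMARC relaxed alignment uses.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def auth_results(msg):
    """Yield (method, result, props) from each Authentication-Results header."""
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";")[1:]:  # field 0 is the authserv-id
            m = re.match(r"\s*(\w+)=(\w+)", clause)
            if m:
                props = dict(re.findall(r"([\w.]+)=([^\s;()]+)", clause[m.end():]))
                yield m.group(1).lower(), m.group(2).lower(), props

def classify(raw):
    """Return 'dkim-aligned', 'spf-only' or 'unauthenticated' for one message."""
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    if not from_dom:
        return "unauthenticated"
    spf = dkim = False
    for method, result, props in auth_results(msg):
        if result != "pass":
            continue
        if method == "spf":
            env = props.get("smtp.mailfrom", "").rpartition("@")[2]
            spf = spf or org_domain(env) == from_dom
        elif method == "dkim":
            dkim = dkim or org_domain(props.get("header.d", "")) == from_dom
    # 'spf-only' rests entirely on the sending IP being a permitted sender.
    return "dkim-aligned" if dkim else "spf-only" if spf else "unauthenticated"

def sample(auth, sender):  # constructed test message, not real traffic
    return (f"Authentication-Results: mx.receiver.example; {auth}\n"
            f"From: {sender}\nSubject: invoice\n\nbody\n")

SPF_ONLY = sample("spf=pass smtp.mailfrom=bounce@mg.victim.example; "
                  "dkim=fail header.d=victim.example", "Billing <billing@victim.example>")
DKIM_OK = sample("spf=pass smtp.mailfrom=esp.example; "
                 "dkim=pass header.d=mail.victim.example", "billing@victim.example")
UNALIGNED = sample("spf=pass smtp.mailfrom=other-customer.example; "
                   "dkim=none", "billing@victim.example")

if __name__ == "__main__":
    for name in ("SPF_ONLY", "DKIM_OK", "UNALIGNED"):
        print(name, classify(globals()[name]))
```

A message that comes back `spf-only` from a domain known to send through a shared provider is the one worth a second look, since a failed or missing signature there matches what the comment reads from the screenshot.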



