1. Hacker News, a #CyberSecurity newsletter, is sent from a domain where DMARC policy is p=none, which tells email providers, like gmail, to deliver all email that is screaming, "I am a Hacker News spoof email sent by a POS scammer" to the intended recipient anyway. p=none means take no action, even if you know it's a scam. Spam folder optional. Email services and clients will oblige. WTF Hacker News?

2. Hacker News is also using an insecure signature algorithm for signing their newsletter.

3. An extremely well-known Cybersecurity expert is sending the newsletter from a domain that has no DMARC record at all, so all spoof emails claiming to be from them will be delivered. And likely this is being constantly exploited. A DMARC policy of p="reject" would have those spoof emails trashed and not delivered. But no DMARC policy means "whatever, and I don't want to know". So, spoof emails go through unstopped and no reports of abuse are being sent to this person either. And it's their job to tell us how to stay secure and not be fooled by spoof emails. WTF?

Sometimes I don't understand how things work in the world.

#HackerNews #spoofing #EmailSecurity