Jerry on Mastodon
<p><a href="https://hear-me.social/tags/Citibank" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Citibank</span></a> emailed me an alert. The same bank that constantly warns me about email scams. And, yet, they misconfigured their email so it comes as a spoofed email. My email provider delivered it anyway because Citi has a "relaxed" policy in their DNS that says that EMAIL FROM A SPOOFING SERVER CAN BE DELIVERED so long as the signature passes. Yep, servers spoofing them are not a major red flag and the email should be delivered to the inbox anyway. The email provider is not to blame here.</p>
<p>A major bank should not do it this way.</p>
<p>The spoofing SMTP server check failed because the sending IP address is not authorized by Citibank's SPF record for info6.citi.com to send their email. This has been going on for years. Do you want Citibank email from a server not authorized by them to send it?</p>
<p>This relaxed attitude by corporations is why people get scammed.</p>
<p>Authentication-Results: mail.protonmail.ch; spf=fail smtp.mailfrom=info6.citi.com<br>Authentication-Results: mail.protonmail.ch; arc=none smtp.remote-ip=173.213.5.122</p>
<p><a href="https://hear-me.social/tags/citi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>citi</span></a> <a href="https://hear-me.social/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://hear-me.social/tags/EmailSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>EmailSecurity</span></a></p>
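<p>Added example, not part of the post above: how a receiver combines the SPF and DKIM results from Authentication-Results into a DMARC verdict (RFC 7489), including the relaxed and strict alignment modes. The DKIM header value and the From domain are constructed for illustration, and <code>org_domain</code> is a two-label simplification of the Public Suffix List lookup.</p>

```python
import re

def org_domain(domain):
    # Simplification (assumption): last two labels. Real receivers use the
    # Public Suffix List to find the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_auth_results(headers):
    """Extract (result, authenticated domain) for SPF and DKIM."""
    found = {}
    for value in headers:
        m = re.search(r"\bspf=(\w+)[^;]*?\bsmtp\.mailfrom=(?:[^\s;@]*@)?([\w.-]+)", value)
        if m:
            found["spf"] = (m.group(1).lower(), m.group(2))
        m = re.search(r"\bdkim=(\w+)[^;]*?\bheader\.d=([\w.-]+)", value)
        if m:
            found["dkim"] = (m.group(1).lower(), m.group(2))
    return found

def dmarc_verdict(headers, from_domain, aspf="r", adkim="r"):
    """DMARC passes if SPF or DKIM passes AND its domain aligns with From."""
    res = parse_auth_results(headers)
    def ok(method, mode):
        result, domain = res.get(method, ("none", ""))
        return result == "pass" and aligned(domain, from_domain, mode)
    spf_ok, dkim_ok = ok("spf", aspf), ok("dkim", adkim)
    return {"spf": spf_ok, "dkim": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# First value is the SPF result quoted in the post; the DKIM value and the
# From domain are constructed for illustration.
SPF_ONLY = ["mail.protonmail.ch; spf=fail smtp.mailfrom=info6.citi.com"]
WITH_DKIM = SPF_ONLY + ["mail.protonmail.ch; dkim=pass header.d=citi.com"]
FROM_DOMAIN = "info6.citi.com"  # assumed RFC5322.From domain

if __name__ == "__main__":
    print(dmarc_verdict(SPF_ONLY, FROM_DOMAIN))
    print(dmarc_verdict(WITH_DKIM, FROM_DOMAIN))
    print(dmarc_verdict(WITH_DKIM, FROM_DOMAIN, adkim="s"))
```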