Analysis Of The GMail Fake Email Exploit

You may have heard about an interesting hack a few days ago <https://www.theregister.com/2023/06/09/google_bimi_email_authentication/>, where some low-lifes figured out how to send fraudulent emails to GMail users that showed a “verified” blue BIMI checkmark, indicating that the recipient could trust the from-address as authentic. But of course it was not. The details of how the hack was perpetrated are quite intricate, and involve some subtle interplay between the mail-processing policies of GMail (where the recipients had their accounts, and which implements the BIMI check), Microsoft (which ran the Exchange servers where the fraudsters got accounts, and from which the fraudulent messages were sent) and UPS (the purported sender of the fake emails). Of course, all three parties have since taken action to ensure this particular scenario will not happen again. ThioJoe offers up a good explanation of how it all worked here <https://www.youtube.com/watch?v=Czc0F_A82rE>. If your eyes glaze over at the mention of SPF versus DKIM versus DMARC, well, you’re not alone. When I looked at whether I should implement something like this on my own mail server to try to ensure that spammers could not send out fake emails under my name, I felt the same way. So I just decided not to bother. For now ...
Participants (1): Lawrence D'Oliveiro