
Reminded me of a story which happened earlier this year. Our organization has a bunch of servers in the local network which need to send emails. The admins decided that a firewall based on IP filtering is enough and didn't enable any other form of authentication for the email server. I accidentally found out that if I try to send an email directly via SMTP using a Python script, the email server misidentifies me as a server (because we're both in the local network). The first thing I did as an experiment was to impersonate our CEO and send an email on his behalf with a phishing link to our chief security officer and other top managers. The link led to my own server hosted on OVH which tracked who opened the link. Basically, only one guy hesitated to open it; everyone else clicked on it (including the CSO). DKIM/DMARC for the email were shown as valid in Outlook. If our organization, which is the largest IT company in the region, with a whole department of system admins, couldn't set it up correctly, I'm afraid to think what happens in smaller companies.



> If our organization, which is the largest IT company in the region, with a whole department of system admins, couldn't set it up correctly, I'm afraid to think what happens in smaller companies.

I advise organizations on email infrastructure configuration for a living, and I can tell you from experience that many organizations, and even MSPs, get it wrong. However, the problem is often not technical, but cultural. Many system admins have a hard time accepting, or convincing their boss, that they need external consultancy for something as seemingly simple as email. It also doesn't help that for most MSPs, email is a loss-leader; their clients expect it to cost no more than a few bucks a month.

In most organizations I have consulted, email is treated as a simple set-and-forget service. Admins are expected to whip up an SMTP service in an hour and move on to other tasks. In reality, email has become a minefield of subtle configuration mistakes and requires continuous monitoring.
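The misconfiguration in the first comment (a relay that trusts any host on the LAN) and the "subtle configuration mistakes" point in the second can be made concrete with a small relay-policy model. The code below is an added example and is not code from either commenter or from any mail server; the domain `example.com`, the `10.0.0.0/8` LAN, the registered server list and the four sample sessions are all constructed for illustration. It contrasts the weak policy (accept by source IP alone) with a hardened one (unauthenticated relaying only for registered servers, each limited to the sender addresses it actually uses; everyone else must authenticate and may only send as the identity they authenticated as), and includes an `audit` helper of the kind a monitoring job would run over submission logs to surface sessions the old policy would have let through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Assumption: the organization's own mail domain.
INTERNAL_DOMAINS = {"example.com"}

# Constructed: the "local network" that the IP-filter-only setup trusted wholesale.
LAN = ip_network("10.0.0.0/8")

# Constructed: application servers allowed to relay without SMTP AUTH,
# each pinned to the envelope senders it legitimately uses.
REGISTERED_SERVERS: Dict[str, Set[str]] = {
    "10.0.5.20": {"noreply@example.com", "alerts@example.com"},
}


@dataclass(frozen=True)
class Session:
    client_ip: str
    sasl_user: Optional[str]   # identity from SMTP AUTH, or None if unauthenticated
    mail_from: str             # envelope sender (MAIL FROM)


def weak_policy(s: Session) -> bool:
    """The setup from the thread: anything on the LAN may relay, no authentication."""
    return ip_address(s.client_ip) in LAN


def hardened_policy(s: Session) -> bool:
    """Relay only when the sender address is tied to something we actually verified."""
    sender = s.mail_from.lower()
    domain = sender.rsplit("@", 1)[-1]
    if domain not in INTERNAL_DOMAINS:
        return False                      # never relay foreign sender domains
    if s.sasl_user is not None:
        # Authenticated submission: the envelope sender must equal the
        # authenticated identity, so a logged-in user cannot send as the CEO.
        return sender == s.sasl_user.lower()
    allowed = REGISTERED_SERVERS.get(s.client_ip)
    # Unauthenticated: only registered servers, and only their own addresses.
    return allowed is not None and sender in allowed


# Constructed sample submissions, labelled so results are easy to read.
SESSIONS: Dict[str, Session] = {
    "app_server_alerts": Session("10.0.5.20", None, "alerts@example.com"),
    "ceo_spoof_from_workstation": Session("10.0.7.42", None, "ceo@example.com"),
    "employee_as_self": Session("10.0.7.42", "alice@example.com", "alice@example.com"),
    "employee_as_ceo": Session("10.0.7.42", "alice@example.com", "ceo@example.com"),
}


def evaluate(sessions: Dict[str, Session]) -> Dict[str, Dict[str, bool]]:
    """Return, per session label, the decision of each policy."""
    return {
        label: {"weak": weak_policy(s), "hardened": hardened_policy(s)}
        for label, s in sessions.items()
    }


def audit(sessions: Dict[str, Session]) -> List[str]:
    """Labels the weak policy accepts but the hardened one rejects: the spoof candidates
    a monitoring job should flag before (or after) tightening the relay."""
    return [
        label for label, s in sessions.items()
        if weak_policy(s) and not hardened_policy(s)
    ]


if __name__ == "__main__":
    for label, verdict in evaluate(SESSIONS).items():
        print(f"{label:28s} weak={verdict['weak']!s:5s} hardened={verdict['hardened']}")
    print("flagged by audit:", audit(SESSIONS))
```

Running it shows the CEO-spoof session from an ordinary workstation, and an authenticated user trying to send as the CEO, both accepted by the IP-only policy and both rejected once the sender must be bound to an authenticated identity or a registered server. In a real deployment the same two rules map onto the relay's sender-restriction and SMTP AUTH settings rather than a Python function, but the decision logic is the point.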



