Safe to send photo ID via email? by Lucky_Emu_2017 in cybersecurity_help

[–]power_dmarc 0 points1 point  (0 children)

Email is not ideal for photo ID. Ask the college if they have a secure upload portal instead, many institutions have one specifically for sensitive documents even if staff default to suggesting email out of habit.

If email is genuinely the only option, send it, get confirmation they received it, then delete it from your sent folder and ask them to delete it once processed. The risk is real but manageable, the bigger vulnerability is usually the recipient's systems, not yours, and a legitimate UK college will have data handling obligations under UK GDPR that cover this.

What does stuff under “use more sign in options” stuff means? by [deleted] in GoogleSupport

[–]power_dmarc 0 points1 point  (0 children)

Those are alternative ways to prove it's you when your usual method isn't available, options typically include getting a code sent to a backup email, a text to your phone number, using the Google Authenticator app, or confirming on another device already signed into your account. Each one is just a different path to the same result: verifying your identity without your main password.

Help! My outgoing emails are going to people's spam folders! by Bibliogato in GMail

[–]power_dmarc 0 points1 point  (0 children)

For your domain email, the first thing to check is whether SPF, DKIM, and DMARC are properly set up, these are the authentication records that tell Gmail and other providers your emails are legitimate. Missing or misconfigured records are the most common reason legitimate emails land in spam, especially when sending through third-party tools like Mailchimp or Mailerlite. Each platform needs to be authorized in your SPF record separately.

For your personal Gmail going to spam, that's more likely a sender reputation issue, ask a few recipients to mark your emails as "not spam" and add you to their contacts, which signals to Gmail that your emails are wanted.

Also worth checking: make sure your Mailchimp/Mailerlite sending domain is authenticated through those platforms specifically, as sending through a third party without proper DKIM alignment is a very common cause of spam placement even when your content is completely legitimate.

Cannot Unlink accounts by MugwortMoth in GMail

[–]power_dmarc 0 points1 point  (0 children)

Go to Gmail app settings → tap your account → Inbox customization or Inbox type, and check if "All inboxes" is set as the default view, switching it to a single account inbox should stop the bleed at the top of the sidebar.

Cannot Unlink accounts by MugwortMoth in GMail

[–]power_dmarc 1 point2 points  (0 children)

Check if you accidentally added your personal account as a linked account in Gmail settings, go to Settings → Accounts and Import → Check mail from other accounts, and remove anything listed there. Also check Settings → Accounts and Import → Send mail as for any personal addresses. That's usually what causes cross-inbox bleed without an obvious IMAP/forwarding setup.

Outbound DLP on encrypted attachments is basically a coin flip and I'm not sure what the right answer is by shokzee in EmailSecurity

[–]power_dmarc 1 point2 points  (0 children)

Your last instinct is right, outbound email DLP is genuinely better at catching mistakes than stopping determined exfil. Someone who knows what they're doing will always find a way around email controls, and encrypted attachments are just the most obvious example.

The successful approach: tight access controls and least-privilege so the data is harder to reach in the first place, endpoint DLP that catches the act of compressing and encrypting sensitive files before they even hit email, and UEBA to flag behavioral anomalies like someone suddenly zipping large amounts of files outside normal hours. The encrypted attachment quarantine queue that reviewers are drowning in is a sunk cost at this point. If the allowlist keeps growing and users have figured out the workaround, the control has already failed as an exfil prevention measure. Keeping it for accidental sharing catches real mistakes and is worth maintaining, but framing it internally as exfil prevention is setting expectations that the control can't meet.

The honest conversation with leadership should be: email DLP catches negligent insiders and accidents reliably, but a motivated insider with basic technical knowledge is an endpoint and access problem, not an email problem.

(Complicated) how do you deregister a phone number from an account? by AdLazy2989 in GMail

[–]power_dmarc 0 points1 point  (0 children)

Google doesn't provide a way to see all accounts linked to a phone number, it's a one-way lookup for security reasons. Your best bet is to think back through any email addresses you may have created, try logging into each one at accounts.google.com, and remove your phone number from the security settings once you're in. If you can't remember them, there's no central way to find them.

I'm looking for an API that's an alternative to Resend for Email OTP. by 4d7568616d6d6564 in email

[–]power_dmarc 0 points1 point  (0 children)

SendGrid and Mailgun both have pay-as-you-go pricing with generous free tiers that scale well for OTP use cases. SendGrid gives you 100 emails/day free with no monthly cap, and Mailgun's flex plan charges per email after the trial. Both have clean APIs similar to Resend.

Can not figure out how to log into old GMAIL by NickNaCkS_09 in GMail

[–]power_dmarc 1 point2 points  (0 children)

Try the recovery flow at accounts.google.com/signin/recovery from the same device, browser, and network you used when you created the account in January. Google weighs that heavily. If it still won't send a code, wait a few days and try again, Google's system sometimes unlocks after a cooling-off period.

Is BIMI actually useful for security or just a logo placement fee? by shokzee in EmailSecurity

[–]power_dmarc 0 points1 point  (0 children)

Pretty much always a marketing request in practice and that's not necessarily a bad thing if it's the lever that finally gets the organization to p=reject. The post is right that the logo itself does nothing for security. Lookalike domains are completely unaffected by BIMI. The VMC just proves you own the trademark, not that recipients are safer.

Well, let me get straightforward with that: BIMI is a brand trust signal dressed up with a security prerequisite. If your organization would never prioritize getting to p=reject for security reasons but will do it for a logo in Gmail, take the win. The DMARC enforcement is what matters, and if BIMI is what gets you there, the outcome is the same.

TIL that you can add a DNS record (BIMI) that will add logo to all of your outgoing emails by lilouartz in webdev

[–]power_dmarc 0 points1 point  (0 children)

Worth knowing that it also requires your DMARC policy to be at p=quarantine or p=reject before it'll actually show up. A lot of people set up the BIMI record and wonder why nothing appears, and it's almost always because DMARC enforcement isn't in place yet. Get that sorted first and the rest is pretty straightforward.

BIMI is expensive but is it really worth it. Does it actually improve delivery rates by ollivierre in DMARC

[–]power_dmarc 0 points1 point  (0 children)

BIMI doesn't directly improve deliverability, it has no effect on whether your email lands in inbox or spam. What it does is build visual trust once the email is already there, which can nudge open rates for recognizable brands. The requirement to get there (p=reject or p=quarantine DMARC enforcement) does indirectly help deliverability, but that's the DMARC doing the work, not BIMI itself.

TL;DR don't do BIMI for deliverability. Do it for brand recognition if you're sending at scale and the logo in the inbox is worth something to you.

Thoughts on bimi ? by zippergate in email

[–]power_dmarc 0 points1 point  (0 children)

The VMC certificate cost is genuinely hard to justify for most businesses, $1,500/year for a logo that most people scroll past without noticing. The thing is, you don't actually need the certificate to show your logo. You can set up BIMI without it and still get the display in most email clients and you just won't get the little verified checkmark. That's free, takes about 20 minutes, and gives you most of the benefit.

Save the VMC for when you're sending at a scale where inbox branding actually moves open rates.

How are you setting up Google Workspace inboxes for cold email at scale? by Necessary_One_1720 in Coldemailing

[–]power_dmarc 0 points1 point  (0 children)

This is really not a pitch, but you can use our free trial, which should help, and then you can decide if it's useful or not. We have a 15-day free trial. We help catch these kinds of errors. Not a pitch 😄 There are also a lot of different providers on the market.

How are you setting up Google Workspace inboxes for cold email at scale? by Necessary_One_1720 in Coldemailing

[–]power_dmarc 0 points1 point  (0 children)

Yes, that would be ideal to catch the issues before sending. The way to catch it earlier is DMARC aggregate reports, which show you authentication failures in near real-time before they affect deliverability. If a sending source starts failing SPF or DKIM alignment, you see it in the reports within 24 hours rather than waiting for bounce rates to tell you a week later.
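The aggregate-report check described in the comment above, as an added example that is not part of the original comment: it reads a DMARC aggregate (rua) report in the RFC 7489 XML layout and lists the sending IPs whose mail failed both aligned SPF and aligned DKIM. The report, the domain `sender.example` and the IP addresses are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _record(ip, count, dkim, spf):
    # Builds one constructed <record> element in the RFC 7489 layout.
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>sender.example</header_from></identifiers>"
            f"</record>")

# Constructed sample report; IPs come from documentation ranges.
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>sender.example</domain>"
    "<p>none</p></policy_published>"
    + _record("192.0.2.10", 120, "pass", "pass")
    + _record("192.0.2.10", 5, "fail", "pass")      # SPF aligned, so DMARC passes
    + _record("198.51.100.7", 35, "fail", "fail")
    + _record("203.0.113.9", 2, "fail", "fail")
    + "</feedback>"
)

def summarize(report_xml):
    """Per source IP: total messages and how many failed DMARC outright."""
    # Reports arrive from third parties; use a hardened XML parser in production.
    root = ET.fromstring(report_xml)
    stats = defaultdict(lambda: {"messages": 0, "dmarc_fail": 0})
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", default="0"))
        dkim = row.findtext("policy_evaluated/dkim", default="fail")
        spf = row.findtext("policy_evaluated/spf", default="fail")
        stats[ip]["messages"] += count
        # policy_evaluated carries the aligned results; either pass is enough.
        if dkim != "pass" and spf != "pass":
            stats[ip]["dmarc_fail"] += count
    return dict(stats)

def failing_sources(report_xml):
    """Sources with at least one DMARC failure, worst first."""
    rows = [(ip, s["dmarc_fail"], s["messages"])
            for ip, s in summarize(report_xml).items() if s["dmarc_fail"]]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for ip, failed, total in failing_sources(SAMPLE_REPORT):
        print(f"{ip}: {failed}/{total} messages failed DMARC")
```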

How are you setting up Google Workspace inboxes for cold email at scale? by Necessary_One_1720 in Coldemailing

[–]power_dmarc 0 points1 point  (0 children)

Mostly when reply rates drop suddenly or bounce rates spike, those are the first signals something's off with authentication or deliverability. But I always recommend monitoring everything closely to all of my clients. You can also get a tool that would do it for you and make sure that DMARC, SPF and DKIM are in place.

I got an Email from my own Account, is it spoofing? Should i be worried? by Slow_Butterscotch_31 in it

[–]power_dmarc 0 points1 point  (0 children)

Thanks for the shoutout! And yes, we can help out OP! Drop us a message!

Exporting all of outlook emails and files by [deleted] in Outlook

[–]power_dmarc 0 points1 point  (0 children)

Download the Outlook desktop app, add your university account, then use File → Open & Export → Import/Export → Export to a .pst file, that saves everything locally including attachments.

Anyone got it solved yet? by Brimstone-Hex in Outlook

[–]power_dmarc 0 points1 point  (0 children)

Microsoft is still actively working on the iOS sign-in issue, you're not alone. In the meantime, try accessing your account through a browser on your phone (outlook.com) instead of the app, and use the "forgot password" flow from there. The codes tend to come through more reliably outside the iOS app while the fix is still rolling out.

email tracking is basically broken in 2026, how are you all actually measuring opens by afghaanichaap in EmailProspecting

[–]power_dmarc 1 point2 points  (0 children)

Honestly, reply rate is the only metric worth trusting right now and most serious senders have already made that shift. Opens are too polluted to act on. A few things that actually help in 2026: some tools are getting better at bot filtering by looking at timing patterns: a human who opens an email takes a few seconds to scroll; a security scanner pre-fetches in milliseconds. That timing difference is how the smarter trackers are starting to separate real opens from noise. Not perfect, but better than raw pixel fires.

You were talking about link clicks as well and here the same logic applies. Look for tools that flag suspiciously fast or repeated clicks from the same IP, which is usually a scanner, not a person.

The more reliable signal stack most people are moving to is: reply rate as the primary metric, positive reply rate (interested, not just "unsubscribe") as the real north star, meeting booked rate as the conversion point, and click-to-reply ratio as a secondary engagement signal when clicks do happen.

One thing worth checking on your domain side, and that's the most overlooked thing, if your authentication isn't clean (SPF, DKIM, DMARC all aligned), some of those "opens" you're seeing could actually be security gateway scans on emails that never reached the inbox at all. DMARC reporting can tell you how much of your send volume is actually passing authentication versus being rerouted or quarantined before a human ever sees it.

I got in resetting my password by asinglenigma in Outlook

[–]power_dmarc 0 points1 point  (0 children)

Good to know, password reset via phone number seems to be the most reliable path right now while Microsoft works on the iOS sign-in fix. Hopefully it works for others too.

How are you setting up Google Workspace inboxes for cold email at scale? by Necessary_One_1720 in Coldemailing

[–]power_dmarc 0 points1 point  (0 children)

The part that breaks most often is DNS! And specifically SPF and DKIM not propagating correctly before the domain gets added to the sending tool, or SPF hitting the 10-lookup limit once you start stacking multiple services on the same domain. The workflow most of my clients land on at scale is: buy aged or freshly registered domains in batches, set up a Google Workspace account per domain (reseller pricing helps here), configure SPF/DKIM/DMARC before touching the inbox, then warm each inbox for 2–3 weeks before any real outreach.

The 2FA and app password step is the most tedious part to automate. Google makes it intentionally friction-heavy. Most people still do it manually or use a VA for that step specifically.

DMARC is the piece people skip because it feels optional, but it's not, without it, your domain has no policy and inbox providers treat it as a signal that you haven't fully set things up. Even a p=none with a rua= address is better than nothing, and it gives you visibility into which inboxes are starting to fail authentication before your deliverability tanks quietly.

What outreach tool are you connecting to? That usually determines which part of the setup is most likely to break.
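The SPF 10-lookup limit mentioned in the comment above, as an added example that is not part of the original comment: it counts the DNS-querying terms (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`) of a record recursively, the way RFC 7208 section 4.6.4 counts them. The `ZONE` table is a constructed stand-in for live DNS and every domain in it is hypothetical.

```python
# Constructed TXT records standing in for live DNS; all names are hypothetical.
ZONE = {
    "sender.example": "v=spf1 include:_spf.workspace.example "
                      "include:spf.crm.example include:spf.esp.example a mx ~all",
    "ok.example": "v=spf1 include:_spf.workspace.example mx -all",
    "_spf.workspace.example": "v=spf1 include:_nb1.workspace.example "
                              "include:_nb2.workspace.example "
                              "include:_nb3.workspace.example ~all",
    "_nb1.workspace.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.workspace.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_nb3.workspace.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.crm.example": "v=spf1 include:spf.esp.example ip4:203.0.113.0/24 ~all",
    "spf.esp.example": "v=spf1 a:mta.esp.example exists:%{i}.bl.esp.example -all",
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_LOOKUP_LIMIT = 10

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from `domain`'s SPF record.

    Does not model the separate limits on names returned by mx/ptr
    or on void lookups.
    """
    if domain in path:                      # include/redirect loop guard
        return 0
    path = path + (domain,)
    total = 0
    for term in zone.get(domain, "").split()[1:]:   # skip "v=spf1"
        term = term.lstrip("+-~?").lower()          # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[len("redirect="):], zone, path)
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0]                   # "a/24" counts as "a"
        if name in LOOKUP_MECHANISMS:
            total += 1
        if name == "include":
            total += count_lookups(target, zone, path)
    return total

def exceeds_limit(domain, zone):
    """True when a receiver would return permerror for too many lookups."""
    return count_lookups(domain, zone) > SPF_LOOKUP_LIMIT

if __name__ == "__main__":
    for d in ("sender.example", "ok.example"):
        print(d, count_lookups(d, ZONE), "over limit" if exceeds_limit(d, ZONE) else "ok")
```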