Gmail sends IRS and FBI emails to spam
86 points by cft on Sept 28, 2022 | 38 comments
My company email is copied to Gmail. Over the years, their spam filter has gone berserk. It started from PayPal emails a couple of years ago. Last year, critical PPP loan documents ended up in Spam folder. But recently, we found several .gov emails there, including irs.gov emails and even several emails from @fbi.gov, containing legal documents! You'd think they could at the minimum whitelist all genuine US government emails? Pressing No Spam button doesn't seem to do anything for the future emails, we ended up creating "Never send to Spam" filter for from:.gov !


So much effort has been put into social media to prove that a user is a real person. This is backwards. I want every message I receive from an organization to be authenticated instead. Or in addition to, if you prefer.

Every email or text that comes from an org should have a verifiable signature. It would cut down on spam and would allow for better filtering of important messages that I need to know about. This goes for public and private orgs. I used to think that apps might fulfill this role, because each one is a verified channel, but text and email being the de facto comms makes it unworkable.

Signed messages or GTFO.


-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

Yeah!

-----BEGIN PGP SIGNATURE-----


-----END PGP SIGNATURE-----


SPF and DKIM were kinda supposed to solve this problem. In fact, gmail generally classifies email without it as spam.

I guess a remaining reasonable thing to do for Gmail and such is to label emails from known important authenticated domains as "important".


Likely because so many scams claim to be from these institutions. Still one would think DNSSEC and similar are enough to pass the filters.


Gmail is utter trash now. Google's OWN emails (like 2FA related) go to Spam as well. They lost it.


Meanwhile, your inbox fills with obvious spam from google.com.


That does indicate good things happening in their filtering setup though. Overzealous PMs at Google push out legit spam from time to time, and the observed behavior suggests that they're treating all traffic equally. To block from-Google spam you should just have to mark it as such and let the algo do its thing (other issues notwithstanding).


Google spam algorithm is a joke.

I've been marking certain types of email as spam from their UI for ages now but they still show up in inbox marked as important. And it is not that these spam senders are changing email patterns.


No kidding when I say, that sometimes, I get the feeling somebody has inverted the meaning of the boolean "is_spam" in google. Hotmail is no better, I must say.


Google spam has been going haywire for a little while now,

I'm half expecting a new paid-for service to be launched soon, with "verified, effective, spam filtering, making sure never to send important documents to spam" or something similar.


They could do the world a favor, and shut it down, like so many other products.


I use happily only 3 products from google: search, maps and youtube. And only the first was done in-house.


Spam should have its own Moore’s law. It only ever increases. I shudder to think of how difficult it is to try to run an anti spam filter when literally millions of spammers are trying to beat you.


Meanwhile, the majority of spam I receive on my non-Google-hosted email is DKIM-validated from @gmail.com. This seems to have developed in the past few months.


Here in Canada, several of my crucial government emails arrived in Spam too.


just posted above - my wife's invitation to Canadian Citizenship ceremony went into promotions folder and she missed it :( what's funny, all previous communications from the same domain were ok.


Weird that for such an event they don't send a proper letter


Even if such emails were not sent to spam I would ignore them. The IRS or FBI can visit me or send a letter. They don’t need to be conducting any business with me over email.


They certainly did send a letter. Anything the OP found in their spam folder that was not matched by a piece of mail is almost certainly fraud -- and why it was dumped in the spam folder in the first place.

The government really loves its outdated means of communication. You're just lucky that they don't demand a fax number.


Have you dealt with FBI much? What you wrote is incorrect.


No, but I've dealt with the IRS. Perhaps the FBI will contact you solely by email, but the IRS does not.


When you pay online, it sends you receipts only by email


It’s not just Gmail. When my university switched to Office365 for email, announcements from the president's office, my Dean, and environmental health and safety started going to junk.


The IRS is adamant that the only communication from them you should trust is physical letters. Everything else they warn you to be wary of. Google is probably helping people here. Grandma and Grandpa get swindled for millions every year from Social Security scams and other "We promise we are from the government" scams.

A .gov address is NOT PROOF OF OFFICIAL COMMUNICATION


not only, it sends invitation to Canadian Citizenship ceremony to promo folder as well. My wife missed her ceremony because of it.


Why doesn't the Canadian government send this by snail mail also?


Many Canadian services have paperless options. Generally it isn't the default and you need to choose to stop the paper.


Ah ok. Here in the U.S. such things are handled by snail mail. You can create an account on the USCIS portal to get updates there. When there is an update, an email is sent to you stating there is an update in your case and that you will need to log into the portal to see the update.

In that portal they then state that document XYZ has been mailed to you and if you did not receive it by ABC date then request another copy be mailed to you. You need that physical document to do anything. You cannot download it from the portal because it isn't in the portal.

I like it this way for the added security. Someone gaining access to my email can't see anything related to my immigration status. Two factor authentication is also required for the portal login.


It's sad that "physical letter in an envelope with legal protections that gets left in the mailbox in front of my house" is the best security that the average person has access to.

Hosting my own email is way more secure than that but most people just use some large corporation. I'd also be happy with GPG but no one has bothered to make that easy enough to use other than Proton Mail.


I never imagined the day would come where I'd agree with one of Google's product decisions.


It is funny that nobody here thinks irs.gov should just belong to spam.


Do the emails pass a DMARC check?

If not, it's really not Google's fault.


I think you have the wrong acronym.

DMARC are feedback reports to the mail sender on delivery status.

You probably wanted to use DKIM (a way to sign email). Or perhaps SPF, a way to announce authorized mail servers.


  host -t txt _dmarc.fbi.gov
  _dmarc.fbi.gov descriptive text "v=DMARC1;
                                   p=reject;
                                   rua=mailto:dmarc-feedback@fbi.gov,mailto:reports@dmarc.cyber.dhs.gov;
                                   ruf=mailto:dmarc-feedback@fbi.gov;
                                   pct=100"

The DMARC policy shows 100% of mail not passing SPF and DKIM checks should be rejected, and reports sent to the given addresses.


No, I think they are correct. SPF and DKIM are two signals but DMARC requests a policy (such as quarantine or reject) based on those signals.
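
The DMARC decision discussed in this subthread, as an added example that is not part of any comment: it parses the `_dmarc.fbi.gov` record quoted above and applies the RFC 7489 rule that a message passes when either SPF or DKIM passes with a domain aligned to the From: domain. The two-label `org_domain` shortcut and the sample authentication results are constructed assumptions.

```python
# Record text as quoted in the thread, joined onto one line.
FBI_RECORD = (
    "v=DMARC1; p=reject; "
    "rua=mailto:dmarc-feedback@fbi.gov,mailto:reports@dmarc.cyber.dhs.gov; "
    "ruf=mailto:dmarc-feedback@fbi.gov; pct=100"
)


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag -> value dict and fill RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    for tag, default in (("adkim", "r"), ("aspf", "r"), ("pct", "100")):
        tags.setdefault(tag, default)  # relaxed alignment, all mail covered
    return tags


def org_domain(domain):
    """Assumption: last two labels. Production code needs the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ("s") needs an exact match; relaxed ("r") compares organizational domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(policy, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from the earlier checks."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy["p"]


if __name__ == "__main__":
    policy = parse_dmarc(FBI_RECORD)
    # Constructed: forwarded mail, SPF breaks but the DKIM signature survives.
    print(dmarc_disposition(policy, "fbi.gov", ("fail", "forwarder.example"), ("pass", "fbi.gov")))
    # Constructed: both checks pass, but only for an unrelated domain.
    print(dmarc_disposition(policy, "fbi.gov", ("pass", "example.net"), ("pass", "example.net")))
```

A "pass" here only authenticates the sending domain; the receiver's spam classifier still runs on the message afterwards.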


Honestly they nailed this one. No notes!


I get a wee bit worried that email will become unrecoverable and we’ll end up stuck with something far less federated.


Where they belong



