thewebguyd 15 hours ago
> This is terrifying. Imagine trying to explain to a relative the lesson of this post: always be suspicious, even if the email is from a trusted domain and dkim/dmarc/spf all pass… it doesn’t feel good to imagine their reaction.

I mean, this has been policy at my work for a while now, and in general is good practice for anything on the internet. We deal with a lot of small businesses or just individual contractors; a good chunk still don't even use MFA, or if they do, are still falling victim to token theft. We then get malicious emails from these compromised accounts, so to our users they pass all checks and look legitimate; after all, it appears to be actually from our customers. So yeah, it's fair to treat everything with suspicion, especially email.