vel0city 5 days ago

There's little reason to think these emails didn't pass SPF/DKIM. They probably "legitimately" own their npmjs[.]help domain and whatever server they used to send the emails is probably approved by them to send for that domain.

zokier 5 days ago

But in the same vein the phishing email can easily be gpg signed too. The problem is to check if the gpg key used to sign the email is legitimate, but that is exactly the same problem as checking if the from address is legitimate.

mdaniel 4 days ago

No guessing required, DKIM was intact, but it was also sent via a transactional email service, so that's why https://gist.github.com/Qix-/c1f0d4f0d359dffaeec48dbfa1d40ee...
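The point vel0city and mdaniel make, that a phishing mail can pass SPF and DKIM because the attacker really controls the lookalike domain, is illustrated below with an added example that is not part of the thread. It parses a constructed Authentication-Results header and separates "the message is authenticated" from "the authenticated identity is one we trust"; the trusted-domain list and the sample headers are assumptions made for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the thread's scenario: SPF, DKIM and DMARC all
# pass because the phisher genuinely controls the lookalike domain.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bounce@npmjs.help;
 dkim=pass header.d=npmjs.help header.s=s1;
 dmarc=pass header.from=npmjs.help
From: npm Support <support@npmjs.help>
Subject: Please verify your 2FA settings

Your account needs attention.
"""

# Domains the receiving side actually trusts for this sender (assumption for the example).
TRUSTED_DOMAINS = {"npmjs.com"}

def parse_auth_results(value: str) -> dict:
    """Return {method: (result, domain)} from an Authentication-Results header."""
    results = {}
    for clause in value.split(";")[1:]:  # [0] is the authserv-id, not a result
        method, _, rest = clause.strip().partition("=")
        if not method:
            continue
        result = (rest.split() or ["none"])[0]
        m = re.search(r"(?:header\.d|header\.from|smtp\.mailfrom)=(?:[^@\s]+@)?([\w.-]+)", rest)
        results[method.strip()] = (result, m.group(1).lower() if m else None)
    return results

def assess(raw: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Separate 'the mail is authenticated' from 'the sender is who we trust'."""
    msg = email.message_from_string(raw)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dkim_result, dkim_domain = auth.get("dkim", ("none", None))
    spf_result, _ = auth.get("spf", ("none", None))
    authenticated = dkim_result == "pass" and spf_result == "pass"
    aligned = dkim_domain == from_domain  # DKIM d= matches the visible From domain
    return {
        "from_domain": from_domain,
        "authenticated": authenticated,  # True for the phish: the infrastructure is real
        "aligned": aligned,
        # The decisive check is on identity, not on the cryptography.
        "trusted_sender": authenticated and aligned and from_domain in trusted,
    }
```

For the sample message `authenticated` and `aligned` are both True while `trusted_sender` is False, which is exactly the gap the thread describes: the authentication passes, and the domain it authenticates is the wrong one.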