How is not having a message-id a security risk? It seems that Gmail is being pedantic for no reason

> How is not having a message-id a security risk?

CVE classify a lot of things that have nothing to do with security.

Not having a Message-ID can cause problems for loop-detection (especially on busy netnews and mailing lists), and with reliable delivery status notification.

Dealing with these things for clients who can't read the RFC wastes memory and time which can potentially deny legitimate users access to services

> It seems that Gmail is being pedantic for no reason

Now you know that feeling is just ignorance.

▲

hsbauauvhabzb 3 hours ago | parent [-]

So add a message id at the first stop, or hard ban the sender server version until they confirm. A midway point that involves a doom switch is not a good option.

	▲	geocar 29 minutes ago \| parent [-]
		> So add a message id at the first stop That should have already happened. Google is not the "first stop". > hard ban the sender server version until they confirm SMTP clients do not announce their version. Also I don't work for you, stop telling me what to do. > A midway point that involves a doom switch is not a good option. No shit. That's almost certainly a big part of why Google blocks messages from being transited without a Message-ID.

▲

shadowgovt an hour ago | parent | prev [-]

Because in practice it showed up for a period of time as a common thing in spam-senders. They were trying to maximize throughput and minimize software maintenance costs, so they leave out things that the spec says are optional. But that makes "a commonly-implemented optional thing was left out" into a stronger spam signal.

Is it still a strong spam signal? Hard to say. Sources disagree. But as with laws, heuristics, once added, are often sticky.