The View from the Brink
My eyes are currently screaming in a pitch I didn’t know they could reach. It was the generic store-brand shampoo-the one that promises ‘Invigorating Citrus’ but delivers something closer to a concentrated lemon-juice-and-gasoline cocktail. I’m sitting here, squinting through a watery, stinging haze, staring at a screen that looks like a Monet painting if Monet had been really into DNS records and corporate spite. It’s fitting, honestly. The blurriness in my vision matches the absolute lack of clarity in the room where Marcus and Sarah are currently attempting to occupy the same oxygen without physically merging into a singular, mass-energy explosion of frustration.
Marcus is the CISO. He has the posture of a man who sleeps in a suit of armor and suspects his own toaster of being a Russian asset. Sarah is the CMO, and she lives for one thing: the 79% open rate that her latest campaign just clocked. Between them sits a piece of paper-a security audit that has effectively informed us that our house is on fire, but the fire is keeping the guests warm, so Sarah doesn’t want to put it out. This is the great optimization trap. We fixed the deliverability. We made the emails land in the inbox. And in doing so, we essentially handed the keys to the front door to every script-kiddie with an internet connection and a grudge.
I’m here because Echo C.-P. is supposed to facilitate ‘productive discourse.’ As a body language coach, I usually look for the micro-expressions of betrayal or the subtle leaning-away that signals a closed mind. Today, I don’t need a degree to see it. Marcus’s jaw is so tight I can hear his molars grinding from 19 feet away. Sarah is doing the thing where she adjusts her watch every 9 minutes, a classic displacement activity for someone who knows they’re wrong but can’t afford to be.
[The siloed success is the global failure.]
The Flattening of the Record
Let’s talk about the ‘fix.’ Six months ago, our emails were hitting the spam folder with the regularity of a clock. Marketing was panicking. They brought in a consultant who looked at the SPF records-those little snippets of text in the DNS that tell the world which servers are allowed to send mail on behalf of the domain-and saw a mess. We had 9 different ‘include’ statements. For the uninitiated, SPF has a hard limit of 10 lookups. We were at 9. If we added one more tool-say, a new CRM or a customer support platform-the whole record would break. When SPF breaks, the receiving server just looks at the email, shrugs, and tosses it into the digital abyss.
[Figure: Before optimization, active lookups near the hard limit (10). After flattening, authorized IPs listed directly; security validation effectively disabled.]
So, the ‘specialist’ suggested a workaround. They ‘flattened’ the record. They took all those IP addresses hidden behind the ‘include’ mechanisms and dumped them directly into the record. But then, they did something else. To ensure that ‘nothing ever gets blocked again,’ they changed the ending from ~all (a soft fail) to +all.
v=spf1 include:_spf.google.com a mx ip4:192.0.2.1 +all
I’m squinting at the report again. My left eye is still weeping from the citrus assault. That +all is a nightmare. In the technical world, +all basically tells every mail server on the planet: ‘I don’t care who is sending the mail. If they say they are from our domain, believe them. Treat them like family. Give them the good china.’ It is the security equivalent of replacing your front door with a beaded curtain and a sign that says ‘Help Yourself to the Safe.’
Sarah doesn’t see a security hole. She sees that the bounce rate dropped by 29% overnight. She sees that the sales team is hitting their targets for the first time in 49 weeks. To her, Marcus isn’t a protector; he’s an obstructionist trying to sabotage the quarterly growth. I watched her hands. She kept them flat on the table, an assertive, almost aggressive posture meant to claim territory. She’s not moving an inch.
Velocity vs. Survival
But here’s the thing about local optimization: it’s almost always a lie. You can optimize a car’s speed by removing the brakes, but you’ve only improved the ‘velocity’ metric while destroying the ‘survival’ metric. We improved the ‘inbox placement’ metric while destroying the ‘identity’ metric. Last Tuesday, 199 fake invoices were sent to our top-tier clients. They didn’t come from a spoofed domain that looked like ours; they came *from* ours. The SPF record validated them. The DMARC policy, which was also set to ‘none’ to avoid deliverability hiccups, stood aside and let them pass.
[Authority gained, trust lost.]
I find myself digressing into the memory of a similar mistake I made. Years ago, I coached a CEO to use ‘power poses’-that expansive, space-taking posture people think makes them look like leaders. I optimized his ‘dominance’ signals but completely ignored his ‘empathy’ signals. He walked into a layoff meeting looking like a conquering hero instead of a leader sharing a tragedy. He got the ‘authority’ he wanted, but he lost the trust of the 399 people who stayed. It’s the same trap. You fix the surface, you ruin the soul.
Marcus finally speaks. His voice is a low rumble. He points out that the flattened record now includes 1998 individual IP addresses, many of which belong to a cloud provider we stopped using in 2019. We are essentially authorizing a massive, anonymous block of the internet to speak for us.
“It’s a deliverability fix. If we tighten it, our newsletters go to junk. Do you want to explain to the board why we missed the revenue target by $699,999 because of a DNS record?”
– CMO Justification
The Mirage of Frictionless Success
This is where the framework for trade-off evaluation usually fails. We don’t have a common currency. How many phishing attacks is one successful marketing campaign worth? Is 9% more revenue worth a 9% chance of a total domain reputation meltdown? We treat these as binary choices when they are actually architectural challenges. The problem isn’t the SPF limit; the problem is the lazy implementation of the solution.
I’ve spent the last 59 minutes watching them circle each other. My eyes are finally starting to stop burning, though everything still has a slightly orange tint. I realize that the ‘security vs. performance’ debate is a ghost. It only exists when you refuse to do the hard work of precision. You don’t need a +all to get into the inbox. You need a clean, authenticated path that doesn’t rely on shortcuts.
If you actually look at a proper Email Delivery Pro setup, you see that the best in the business don’t trade security for placement. They use alignment. They ensure that the DKIM signatures match the ‘From’ header and that the SPF record is maintained with surgical precision, not blunt-force trauma. But that takes time. It takes coordination between the people who send the mail and the people who guard the gates. And in most companies, those two groups speak different languages.
Marcus wants to move to a ‘Hard Fail’ (-all) and implement a strict DMARC ‘Reject’ policy. Sarah thinks this will ‘break’ the internet. They are both right and both wrong. A strict policy *will* break things if your infrastructure is a disorganized pile of third-party tools. But a loose policy will eventually break the company.
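As an added example (not code from the post), here is a small offline linter for the two properties the argument above turns on: how many lookup-costing terms an SPF record carries against the limit of 10, and which qualifier sits on its trailing all term, with a DMARC p= check alongside. It runs over the flattened record quoted earlier and a constructed hardened variant ending in -all; the lookup counting follows the SPF mechanisms that cost a DNS query and makes no network calls.

```python
import re

# Mechanisms/modifiers that each cost one DNS lookup under SPF's limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def analyze_spf(record: str) -> dict:
    """Lint an SPF TXT record offline; returns lookup count, 'all' qualifier and findings."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    lookups, ip_terms, all_qualifier = 0, 0, None
    for term in terms[1:]:
        qualifier = "+"                      # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
        elif name in ("ip4", "ip6"):
            ip_terms += 1
    findings = []
    if all_qualifier == "+":
        findings.append("+all: any host on the internet passes SPF for this domain")
    elif all_qualifier in (None, "?"):
        findings.append("no fail on 'all': unlisted senders are never rejected")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookups exceed {MAX_LOOKUPS}: receivers return permerror")
    elif lookups >= MAX_LOOKUPS - 1:
        findings.append(f"{lookups} lookups: one more include breaks the record")
    return {"lookups": lookups, "ip_terms": ip_terms, "all": all_qualifier, "findings": findings}

def dmarc_policy(record: str) -> str:
    """Return the p= policy ('none', 'quarantine' or 'reject') of a DMARC TXT record."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags.get("p", "none").lower()

# The flattened record quoted in the post, and a constructed hardened version of it.
FLATTENED = "v=spf1 include:_spf.google.com a mx ip4:192.0.2.1 +all"
HARDENED = "v=spf1 include:_spf.google.com ip4:192.0.2.1 -all"

if __name__ == "__main__":
    for rec in (FLATTENED, HARDENED):
        print(rec, "->", analyze_spf(rec)["findings"] or ["no findings"])
    print("DMARC:", dmarc_policy("v=DMARC1; p=none"), "vs", dmarc_policy("v=DMARC1; p=reject"))
```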
Security *Is* Friction.
Friction is the mechanism that stops the slide into chaos. We cannot optimize it away without sacrificing the structure itself.
I’ve noticed that when people are lying to themselves, they touch their necks. Sarah is doing it now. She knows the phishing invoices are a disaster. She knows the ‘flattened’ record is a ticking time bomb. But she’s afraid of the friction. Friction is the enemy of the modern executive. We want everything frictionless-one-click buys, seamless logins, instant deliverability. But security *is* friction. It is the friction that stops the slide into chaos.
The Nineteen Day Truce
[Audit scope: 19 days of scrutiny.]
I decide to interrupt. I mention that her ‘neck-touching’ suggests she’s not as confident in the current setup as her words imply. She glares at me. Marcus almost smiles, which is a terrifying sight-like a tectonic plate shifting. I suggest a middle ground: a 19-day audit of every single sending service. We find out exactly what’s legitimate, we sign it with DKIM, we use subdomains for the high-volume marketing fluff, and we clean the main domain’s SPF record until it’s as lean as Marcus’s patience.
It’s more work. It’s expensive. It will probably cost $9999 in consultant hours and internal dev time. But it stops the bleeding.
We’ve spent too much time thinking about the ‘inbox’ as a destination and not enough time thinking about it as a trust relationship. If I send you a letter and it lands on your desk, but it turns out I also gave 199 strangers the right to write letters on my stationery, have I actually succeeded?
My eyes are finally clear now. The citrus sting is gone, replaced by a dull ache. I look at the screen. The +all is still there, mocking us with its permissiveness. It’s a small thing, just four characters at the end of a string of text. But it represents the entire philosophy of the ‘growth at all costs’ era-the idea that we can skip the foundations as long as the facade looks good.
“Nineteen days,” she says. “We audit everything. But if the open rates drop below 69%, we’re revisiting the SPF.”
It’s a truce, not a peace treaty. But in this siloed world, it’s the best we can hope for.
I head to the bathroom to wash my face again, this time with just plain, unoptimized water. No citrus. No invigorating promises. Just the cold, stinging reality of things as they are. We’ve spent so much time trying to make sure our messages are received that we forgot to make sure they were actually ours. And in the end, if the identity is stolen, the delivery doesn’t matter.
How many other holes have we punched in our walls just to let the light in? How many ‘fixes’ are currently eating away at the structure of our organizations because they were implemented by someone who only cared about one column in a spreadsheet? I suspect the number ends in a lot of nines.