The minimum criteria for listing an email provider include this requirement:
Valid SPF, DKIM and DMARC, with the policy p value set to either none, quarantine or reject.
We should warn against email providers offering custom domain support that do not provide clear documentation/steps on how to set up SPF, DKIM, and DMARC for custom domains and why they are needed. They are all used to prevent other people from sending emails as someone else. So, if a custom domain doesn't have all of those set up, it is easier to spoof emails from that domain.
For example,
Furthermore, I think the email providers page should talk about the importance of SPF, DKIM, DMARC, along with DNSSEC, MTA-STS, etc.
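An added example, not part of the original issue: one way a custom-domain owner could audit the three records named in the criterion above, given TXT strings already fetched from DNS. The function names, the `sel1` selector, and the `example.com`/`example.org` records are assumptions constructed for illustration.

```python
# Added example: every record below is constructed sample data, not real DNS.
DMARC_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(txts):
    spf = [t for t in txts if t.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:  # several SPF records are a permanent error (RFC 7208)
        return "missing" if not spf else "invalid: multiple records"
    # Heuristic: expect the record to end by failing or soft-failing other senders.
    ends_ok = spf[0].split()[-1].lower() in ("-all", "~all")
    return "ok" if ends_ok else "review: does not end in -all or ~all"

def check_dkim(txts):
    keys = [tags for tags in map(parse_tags, txts) if "p" in tags]
    if not keys:
        return "missing"
    if keys[0].get("v", "DKIM1") != "DKIM1":
        return "invalid: bad v tag"
    return "ok" if keys[0]["p"] else "invalid: empty p (revoked key)"

def check_dmarc(txts):
    recs = [tags for tags in map(parse_tags, txts) if tags.get("v") == "DMARC1"]
    if len(recs) != 1:  # zero or several records: receivers apply no policy
        return "missing" if not recs else "invalid: multiple records"
    policy = recs[0].get("p", "").lower()
    return f"ok: p={policy}" if policy in DMARC_POLICIES else "invalid: bad or absent p tag"

def audit(domain, selector, dns):
    """dns maps a record name to the list of TXT strings published there."""
    return {"spf": check_spf(dns.get(domain, [])),
            "dkim": check_dkim(dns.get(f"{selector}._domainkey.{domain}", [])),
            "dmarc": check_dmarc(dns.get(f"_dmarc.{domain}", []))}

CONFIGURED = {  # constructed: a custom domain with all three records in place
    "example.com": ["v=spf1 include:_spf.mailhost.example -all"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEY"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"]}
UNCONFIGURED = {"example.org": ["v=spf1 mx -all", "v=spf1 include:_spf.mailhost.example -all"]}

if __name__ == "__main__":
    print(audit("example.com", "sel1", CONFIGURED), audit("example.org", "sel1", UNCONFIGURED))
```

The DKIM check needs the selector the provider assigns, which is one reason provider documentation for custom domains matters.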