Controversy around SPF
When e-mail was first documented in 1982, it was meant to be decentralised. The rise of large ISPs such as Yahoo, Hotmail and Gmail a few decades later has defeated this purpose.
Recently, in May 2023, the authors of RFC 8058 discovered severe flaws in SPF: big ISPs tend to list all of their sending IPs in a single SPF record. Customers who send from their own domain are instructed to add an include of that record to their own domain's SPF record. As a result, every domain that sends via, for example, Gmail has all Gmail IPs authorised in its SPF record, and a message that impersonates a Gmail customer's domain on a Gmail SMTP connection gets an SPF pass.
Because DMARC requires either SPF or DKIM to pass, this discovery also affects the security of the DMARC protocol. And because BIMI depends on DMARC, BIMI can no longer be trusted on big ISPs' platforms as long as this issue remains unsolved.
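To make the scale of the problem visible for one's own domain, here is an added example (not from the original page) that follows an SPF record's include chain and reports what share of the authorised IPv4 space comes from shared provider infrastructure rather than from the domain owner's own ip4 mechanisms. The DNS zone is a constructed in-memory table with illustrative addresses, not any provider's real SPF data; a real tool would replace the lookup with DNS TXT queries.

```python
import ipaddress

# Constructed in-memory zone standing in for DNS TXT lookups (illustrative data only).
SPF_RECORDS = {
    "customer.example": "v=spf1 ip4:203.0.113.10 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 include:_netblocks.provider.example ~all",
    "_netblocks.provider.example": "v=spf1 ip4:198.51.100.0/22 ip6:2001:db8:10::/48 ~all",
    "small.example": "v=spf1 ip4:192.0.2.25 -all",
    "loop.example": "v=spf1 include:loop.example -all",
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per evaluation


def resolve_spf(domain, path=(), lookups=None):
    """Return (own_networks, included_networks) for `domain`.

    own_networks: ip4/ip6 networks listed directly in the domain's record.
    included_networks: every network reached through an include: at any depth.
    Raises ValueError on a missing record, an include loop or too many lookups.
    """
    lookups = lookups if lookups is not None else [0]
    if domain in path:
        raise ValueError(f"include loop at {domain}")
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    own, included = [], []
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")  # drop the qualifier; we only map the authorised space
        if mech.startswith(("ip4:", "ip6:")):
            own.append(ipaddress.ip_network(mech[4:], strict=False))
        elif mech.startswith("include:"):
            lookups[0] += 1  # a/mx/exists/redirect would count here too; omitted for brevity
            if lookups[0] > MAX_LOOKUPS:
                raise ValueError("more than 10 DNS lookups: evaluators return permerror")
            sub_own, sub_inc = resolve_spf(mech[8:], path + (domain,), lookups)
            included.extend(sub_own + sub_inc)
    return own, included


def shared_infrastructure_share(domain):
    """Fraction of the authorised IPv4 addresses that arrive via include: chains."""
    own, included = resolve_spf(domain)

    def v4_count(nets):
        v4 = [n for n in nets if n.version == 4]
        return sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))

    own_v4, inc_v4 = v4_count(own), v4_count(included)
    return inc_v4 / (own_v4 + inc_v4) if own_v4 + inc_v4 else 0.0


if __name__ == "__main__":
    for d in ("customer.example", "small.example"):
        print(f"{d}: {shared_infrastructure_share(d):.4f} of authorised IPv4 space is shared")
```

A share close to 1.0 means almost every host that can pass SPF for the domain belongs to the provider's pool, which is exactly the situation the page describes; the practical mitigation is to rely on an aligned DKIM signature for DMARC rather than on SPF alone.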