u/digdiver

▲ 1 r/email

Bank of America’s BIMI VMC certificate appears to have expired

I was checking BIMI/VMC validation and noticed that Bank of America’s VMC certificate appears to have expired.

The cert shows an expiration date of May 16, 2026.

Subject: Bank of America Corporation
Issuer: DigiCert Verified Mark RSA4096 SHA256 2021 CA1

Obviously, this is not some catastrophic security incident, but it is still interesting. BIMI usually gets treated like a one-time setup project, while the VMC certificate needs the same kind of lifecycle monitoring as TLS certs.

Kind of surprising to see this from a bank of this size.

Anyone else seeing expired VMCs from large brands?

u/digdiver — 20 hours ago
▲ 8 r/DMARC

DMARC set to reject, mailbox still full of bounces. Here's why.

SPF + DKIM + DMARC at p=reject is supposed to close the door. Our support@ inbox is not getting the memo.

Setup:

  • SPF is strict, only our own IPs
  • DKIM on all outbound
  • DMARC p=reject

Still getting NDRs for emails we never sent.

It's backscatter

The config isn't the issue. The issue is ancient mail servers (think government agencies, university IT, budget shared hosting) running Exim or Postfix builds nobody's looked at since Obama's first term.

Spammer forges our From address. The old server accepts the message without touching SPF or DMARC during the SMTP session. Then discovers the recipient doesn't exist. Then dutifully sends a bounce to the From address. That's us now.

Not malicious. Just genuinely out of date.

Options are limited

You can't reach into someone else's mail server config. What you can do: filter NDRs hard on your end, add the bounce patterns to your spam rules, and make peace with the fact that some of this just comes with having a domain.

Modern cloud providers are getting better about rejecting fakes at the SMTP layer, so the problem should shrink over time. Eventually. Maybe.

Curious if anyone's found filtering rules that actually work here.

u/digdiver — 2 days ago
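
One way to filter the NDRs described in the post above, as an added example that is not part of the original post: open each bounce, pull out the headers of the message it claims to return, and check the Message-ID against mail you actually sent. The `sent_ids` set (assumed to be exported from your own MTA log), the `example.com` addresses and the sample bounces are all constructed for illustration.

```python
import email
from email import policy

def original_headers(dsn):
    """Headers of the message the DSN reports on, or None if the bouncer omitted them."""
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":        # full original message attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":   # only the original headers attached
            return email.message_from_bytes(part.get_payload(decode=True),
                                            policy=policy.default)
    return None

def classify_bounce(raw, sent_ids):
    """Return 'not-a-dsn', 'unverifiable', 'genuine' or 'backscatter'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report_type = (msg.get_param("report-type") or "").lower()
    if msg.get_content_type() != "multipart/report" or report_type != "delivery-status":
        return "not-a-dsn"
    orig = original_headers(msg)
    if orig is None or not orig["Message-ID"]:
        return "unverifiable"                # quarantine for review rather than drop
    mid = str(orig["Message-ID"]).strip()
    return "genuine" if mid in sent_ids else "backscatter"

def sample_dsn(orig_type, message_id):
    """Constructed RFC 3464-style bounce for the demo, not a captured message."""
    return (
        'From: MAILER-DAEMON@old-mx.example.net\r\n'
        'To: support@example.com\r\n'
        'Subject: Undelivered Mail Returned to Sender\r\n'
        'MIME-Version: 1.0\r\n'
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\r\n'
        '\r\n'
        '--b1\r\nContent-Type: text/plain\r\n\r\nUser unknown.\r\n'
        '--b1\r\nContent-Type: message/delivery-status\r\n\r\n'
        'Reporting-MTA: dns; old-mx.example.net\r\n\r\n'
        'Final-Recipient: rfc822; nobody@old-mx.example.net\r\n'
        'Action: failed\r\nStatus: 5.1.1\r\n\r\n'
        f'--b1\r\nContent-Type: {orig_type}\r\n\r\n'
        f'From: support@example.com\r\nMessage-ID: {message_id}\r\nSubject: hi\r\n\r\n'
        '--b1--\r\n'
    ).encode()

SENT_IDS = {"<a1@example.com>"}  # assumed: Message-IDs our own MTA logged as sent

if __name__ == "__main__":
    for kind, mid in [("message/rfc822", "<a1@example.com>"),
                      ("text/rfc822-headers", "<x9@forged.invalid>")]:
        print(mid, "->", classify_bounce(sample_dsn(kind, mid), SENT_IDS))
```

Bounces that return neither the original message nor its headers come back as `unverifiable`; route those to a review folder instead of deleting them, since a real delivery failure can look the same.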

We're turning into prompt managers, not craftsmen. Anyone else seeing this?

Look around. Every other product launching right now is some variation of "AI-Powered [insert buzzword]." They're everywhere. Modern tools have given founders and developers a convincing illusion of omnipotence: idea hits, feed it to an LLM, stack some agents on top, and MVP is done in a weekend.

Sounds great, right? On the surface, yes. But underneath that fast-launch facade, something is quietly rotting: thinking is getting commoditized, and we're losing craft.

Real mastery in any field takes years of practice, failure, and deep focus. Today, apparently everyone is a master for $20 a month.

That's a lie we're telling ourselves. Just look at how much panic a 5-hour rate limit window in Claude generates online. Tokens run out, and suddenly people have two options: wait for the reset like a metered parking spot, or upgrade. It's like a Michelin-starred chef who can no longer taste food, just dictating to a chatbot: "make me a pasta." Without the subscription, he can't cook.

The counterargument: "But orchestrating AI IS the new skill."

Fair. But it's a horizontal skill, not a vertical one. You learn to coordinate agents while losing deep domain knowledge. Think conductor versus virtuoso violinist. A conductor is impressive - but if the orchestra walks off stage, can he play a solo that makes the room go quiet?

This is most visible in developers right now. People who got used to copy-pasting from Cursor or Claude hit a wall on hard architectural problems. When a product grows, starts needing real trade-offs, starts buckling under load - prompts stop working. The muscle for hard problems atrophied because they never had to build it. Same thing is happening to analysts, marketers, designers, researchers.

My position: barbell, not crutch

Running out of tokens doesn't scare me. My foundation means I can work regardless of what's left in my quota, whether there's internet, whether a subscription is active. The only thing that throws me off is running out of good coffee.

I use LLMs heavily. But with one condition: AI is a barbell, not a crutch. It sharpens my own work - it doesn't replace the parts I care about. The fastest, most tireless junior I've ever hired. But the senior judgment and the final call always stay with me.

Two types of professionals

The market is already splitting into two groups.

Token-dependent: live limit to limit, panic when Anthropic or OpenAI have an outage, can't produce anything original without a prompt to lean on.

Token-independent: use AI as a force multiplier but can, at any moment, sit down and do the work themselves - with more depth, more precision, better judgment.

The second group will command much higher rates. When the world is drowning in mediocre AI-powered software and content - and it will be - clients and employers will pay serious money for people who actually understand what they're building and why.

Curious whether others are feeling this shift. Are you building toward token-independence, or does the dependency not bother you?

u/digdiver — 4 days ago