Could you please explain why legitimate companies’ emails lack a “verified checkmark” to help customers distinguish them from fraudulent emails?
In: Technology
Short version:
When the basic framework of what has become email was created back in the 60s and 70s, they had no idea that it would eventually be put into global use. They made no real effort to put abuse prevention into it, because the idea of using an academic messaging service for fraud never occurred to them. What we call ‘spoofing’ – faking the sender data for an email to unsuspecting recipients – was not something email’s initial designers had in mind, as messaging required you to have some level of access to the recipients system, which very few people did. As email use grew, it’s first widely used protocol was called [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) – Simple Mail Transfer Protocol – and it’s developers kept the lax security measures of the older system, but removed the required access to the recipient. That protocol is what we still use today, 40 years later.
Longer version: they’re working it. Over the few decades, a number of measures have been widely adopted to strengthen security – [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) (sender policy framework) was the first big one, but has proven not to be enough. Since then, we’ve seen [DMARC](https://en.wikipedia.org/wiki/DMARC) and [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) come along, but until all email services everywhere are using all of the above, spoofing will always be possible. And even once it’s gone, we’ll still be left with the problem of ‘legitimate’ servers and addresses using similar names to existing domains in order to fool people. In those instance, a little ‘I am who I say I am’ flag would still be accurate, they just aren’t who *you* think they are.
How do you define “legitimate company”?
How do you make sure it’s impossible to fake the “verified” mark?
What if someone gets a scam company “verified” in a country where laws don’t cover that so there’s no way to stop them?
How do you make sure that every email program that exists all simultaneously update to support this new mark?
Because the way email system works, it’s not possible.
For social media platforms, you have a company at the top who owns the platform and decides what goes and what doesn’t go. They also collect a lot of information from its users so they can verify its own users.
For email system, it’s all decentralised. Your emails go directly to the server of the recipient (roughly speaking). There’s no central authority/body that manages the system.
Latest Answers