why there is nothing like a “verified checkmark” for E-Mails of real companies like PayPal to distinguish their E-Mails from scams


There is at least for Gmail: Gmail will authenticate the sender of the email and display a “signed by/mailed by” line in the header if it passes those checks. This then becomes one factor used to identify and handle potential spam messages.

In order for a system like that to work there needs to be a central authenticator. If there’s a central authenticator it’s going to be a for-profit corp behind it. If it’s a corp then it’s going to show favoritism to its “trusted validated” companies. And that’s how you get threats to net neutrality. Does not having the trusted symbol mean you’re untrustworthy? Are smaller companies now at a disadvantage because they aren’t trusted?

There are also some companies I’ve had accounts with that will use a code word or phrase that they will always include in an email to you. That at least makes bad spoof jobs completely obvious, since they wouldn’t have that part on there.

There is. The primary problem is that people don’t always take time to actually look.

Each domain, like example.com, can “blue check” their outgoing emails. Many mail servers will even reject incoming mail that doesn’t have the “verified check mark”.

The problem is that humans see an email with the “blue check” from instascam.com saying their instantgram account is locked, click the link to instascam, their browser loads the instascam webpage, and they then enter their credentials into it.

More details on how sent emails are verified. https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/
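As an added example (not from the post or the linked Cloudflare page), here is a small DMARC evaluator in Python showing what a receiving mail server actually does with the “verified check mark”: it takes the SPF and DKIM results it has already computed, checks that they align with the visible From domain, and returns the disposition the sender’s published policy asks for. The DMARC_RECORDS dictionary stands in for the `_dmarc.<domain>` DNS TXT lookup, all domains are constructed, and the organizational-domain rule is simplified (real DMARC uses the public suffix list).

```python
# Constructed DMARC records, standing in for the _dmarc.<domain> DNS TXT lookup.
DMARC_RECORDS = {
    "paypal.example": "v=DMARC1; p=reject; adkim=s; aspf=s",   # strict alignment
    "instascam.example": "v=DMARC1; p=reject",                 # relaxed alignment (default)
    "smallshop.example": "v=DMARC1; p=none",                   # monitor only
}

def org_domain(domain):
    """Simplified organizational domain: last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])

def parse_record(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') only needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is
    the d= tag of a DKIM signature that verified (or failed to)."""
    txt = DMARC_RECORDS.get(org_domain(from_domain))
    if txt is None:
        return False, "none"   # no policy published: nothing for the receiver to enforce
    tags = parse_record(txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok     # either aligned mechanism is enough
    return passed, ("none" if passed else tags.get("p", "none"))

if __name__ == "__main__":
    # Spoofed PayPal from an unrelated server: SPF fails, no DKIM -> rejected.
    print(evaluate_dmarc("paypal.example", "fail", "evil.example", "none", ""))
    # Genuine lookalike domain that authenticates its own mail: passes. The check
    # proves the mail came from instascam.example, not that instascam is trustworthy.
    print(evaluate_dmarc("instascam.example", "pass", "instascam.example", "pass", "instascam.example"))
```

The third record shows why “many mail servers reject” is only true for domains that publish p=reject; a p=none domain gets the same failing verdict but no enforcement.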

The entire internet was designed to not require any sender to prove their identity. In fact all traffic, as it travels through the internet, “self reports” where it came from, similar to how you can write anything you want in the return address of an envelope. The people who designed it were scientists and hobbyists and not thinking about the internet getting so big, and so important, that it would be worth anyone’s while to lie about where traffic came from.

Email protocols were invented around the same time. As such, they trust the “return address” that the sender claims to be. That’s just how it was invented, and the internet is now too big for anyone to propose a single, more secure system, that everyone would agree to adopt at once.

Instead, people have had to layer in “proof of identity” technology over the top of a system that doesn’t require it. One way is via “certificates,” that work a little like signatures. By comparing the signature on the email (or any data in general) with the “official” signature on file in some central trusted authority, you can tell it came from who it was supposed to. Some email providers like GMail now try to do this automatically, but this really only works if both the sending and receiving parties agree on who the authority should be.