So there are the mentioned tech like SPF,DMARC, DKIM, BIMI as ways to “verify” legitimate emails. I think the 10k foot view is missing here:

Twitter is a closed system. They can verify who they like and whatever illegitimate activity, provided they can detect it, they can shut it down. Nothing on the system, no message ever leaves the confines of the closed Twitter system.

Email is not like this, at all. At its core, it’s just a standard way to send messages across the internet, from one system to another, systems controlled by anyone. Microsoft, Google, yahoo, your own personal or company email server, anyone can run an email server and send and receive email on the internet.

It really is like the postal system it’s named for. I can send you a letter, write any return address on it I like, and it will be delivered, there is no way for you to know if that “from address” is real, nor did the postal worker look inside the message to see what is in there, they just deliver it. That’s the original email standard.

All those abbreviations, basically verification methods for the “from”, SPF etc above, are new layers added on top over the years as spam and scams became a problem, for what should be obvious enough problems with the original spec for email.

The reason why those things don’t solve the problems or haven’t yet? There are a few, buy simply put not everyone has implemented them. It only really works if everyone is using the verification methods in their domain. And worse is that you don’t reduce YOUR scam messages by implementing the verification, you reduce the scams sent to other people that would use your domain. For these methods to reduce your own scam emails, you need everyone else to implement the verification technologies.

And further to that…ideally the whole thing works when every email server can say “sorry I don’t accept unverified email without SPF and DKIM!” Then throw the rest away. But you, gmail, Microsoft, nobody can do that today without breaking the whole internet for email, as clueless people are setting up their own domains for new businesses every day and getting email service with no earthly idea that it’s up to them to configure SPF and DKIM signing and DMARC policy, for their main email and every service they use that sends email for their domain, like mailchimp, hubspot, salesforce, line of business apps. This just never gets done for many small businesses.

The last problem you have is…in a distributed system, what is “legitimate” anyways? Twitter closed system is easy. With email, open distributed system, I can go register PayPalSupport.com or some available domain today, set up email, even set up my SPF, DKIM etc. then send you an email.. that is legit as it gets for email. It’s verified. It’s just that I might fool you into thinking the message is from PayPal. That’s not really an e-mail problem in that case but a human problem.

It’s a wonder email works on a daily basis. Most email is spam, scams and phishing are common. Every email system out there must filter the bad stuff out. All the verifications on a message could fail, but still it could be a “good” email just from a tech challenged business, so content must be scanned by virus engines, AI type systems rate the text and language, image recognition evaluates pictures, links are scanned, on and on. The next message you receive can pass the verifications but yet it’s a phishing message, so the same scanning process must try to detect *that* based on the content. It really is amazing that GMail can mostly pick out the 10-30% of e-mail messages sent to you that are “good” and delete or send the rest to junk.