There is, it’s called DKIM, and it’s great in theory, but in practice it’s only a small barrier to email forgery. In the simplest terms, DKIM is a system that allows mail servers to sign messages using a secret key to prove that the “from” address is legitimate.
The first problem is that email providers still have to accept some messages that don’t have DKIM signatures. Modern email is based on SMTP, developed in 1983, but DKIM wasn’t adopted as a standard until 2011. If you set up email on a custom domain right now you might not get DKIM on your outgoing messages without doing some extra work, depending on which provider you chose. There is a way to tell other mail servers to reject all messages that say they’re from your domain but lack a DKIM signature (DMARC), but that is extra work.
So, the absence of a DKIM signature alone doesn’t prove a message is forged. I use Proton mail, which is much more upfront about telling you when a message you received isn’t properly signed, and it never ceases to amaze me how many very reputable companies will send out unsigned messages that violate their own DMARC policy.
Even if we did live in a perfect world where DKIM was 100% mandatory and always set up correctly, it wouldn’t totally eradicate email scams. You see, check marks work (or at least used to) on Twitter because there’s a centralized authority to vet that accounts belong to the individuals they claim to represent. In the world of email, the only real centralized authorities are domain registrars. So, all DKIM actually proves is that a message was sent by a server that was set up by the same person that owns the domain after the “@” in the from field.
That isn’t a whole lot of protection. If you own the domain `veryrealinsurancellc.com`, I could buy the domain `veryrealinsuranceinc.com`, and send totally legit DKIM-signed messages from email accounts on that domain. Chances are good that if I blasted out messages claiming to be you a not-insignificant number of your customers would just assume they’d mixed up “llc” and “inc.” Also, if I were a rogue employee at your company and you didn’t monitor your employees’ outgoing messages, DKIM would do absolutely nothing to stop me from sending out messages to potential victims from my work email.
Another problem is that users are conditioned to ignore all security warnings. Seriously, browsers have had to implement non-bypassable error screens for certain types of HTTPS errors (HSTS) because no matter how many scary warnings they put up users would still click “ignore.” On Chrome you can’t even bypass these security errors through some hidden developer setting… you literally have to modify the source code to get around them. So while I may pay attention to my email client telling me a message isn’t properly signed, 99% of users won’t.
And yes, there are alternative ways to sign or encrypt an email message that you can opt into. If you even know they exist I’m not sure why you bothered reading all this because you probably know more about email security than I do. Have fun using them to send highly-secure messages to other security professionals and never getting anybody else to adopt them.
Latest Answers