The email system wasn’t really built to be secure. It was built during a time when the only people who had network access were researchers and students at universities. It was kind of a given that nobody was going to do nasty things because at one time you could make a list of everyone who had access to it.

There are ways people can authenticate they are who they say they are via a form of encryption called “shared key encryption”. But it means you have to take a few extra steps when both sending and reading email and that little bit of extra friction deters 90% of people who want email to “just work”. If it had been something people were taught to use from the start, email programs would support it more. But as-is you have to keep track of a special “key” file and if you lose it, you can’t send emails anymore. And every time a new person sends you an email you have to go download their “public key” so you can use it to make sure they are who they say they are. Some programs exist to streamline this but it’s always a little janky.

There are some looser ways to verify things that *some* email providers like GMail do for *some* entities. One of the janky things about the email system is I can forge an email that says it comes from paypal.com. But there’s a little bit of a paper trail in every sent email, and the emails that legitimately come from PayPal tend to have a paper trail that says they originate on PayPal servers. My forged email would have a slightly different paper trail. GMail sniffs that out and marks things as suspicious. A really determined attacker can hide the true source of the email, but unless they have access to specifically PayPal’s email servers they won’t really be able to make a paper trail that looks “right”.

A flaw in this is Google has to see quite a few emails to understand what that paper trail should look like, and it works best if you have your own internal servers that only your employees access to send mail. If you’re just a random small business, they won’t know what your paper trail “should” look like. They *can* verify if emails came from, say, another GMail account since that all happens inside their servers. So that’s a perk of using Google’s services to run your business email.

And in the end it just kind of… works. 99% of people know better than to click links in emails and start typing in personal details. We’re a world that takes joy in not going out of our way for the vulnerable 1%.