The email system wasn’t really built to be secure. It was built during a time when the only people who had network access were researchers and students at universities. It was kind of a given that nobody was going to do nasty things because at one time you could make a list of everyone who had access to it.

There are ways people can authenticate they are who they say they are via a form of encryption called “shared key encryption”. But it means you have to take a few extra steps when both sending and reading email and that little bit of extra friction deters 90% of people who want email to “just work”. If it had been something people were taught to use from the start, email programs would support it more. But as-is you have to keep track of a special “key” file and if you lose it, you can’t send emails anymore. And every time a new person sends you an email you have to go download their “public key” so you can use it to make sure they are who they say they are. Some programs exist to streamline this but it’s always a little janky.

There are some looser ways to verify things that *some* email providers like GMail do for *some* entities. One of the janky things about the email system is I can forge an email that says it comes from paypal.com. But there’s a little bit of a paper trail in every sent email, and the emails that legitimately come from PayPal tend to have a paper trail that says they originate on PayPal servers. My forged email would have a slightly different paper trail. GMail sniffs that out and marks things as suspicious. A really determined attacker can hide the true source of the email, but unless they have access to specifically PayPal’s email servers they won’t really be able to make a paper trail that looks “right”.

A flaw in this is Google has to see quite a few emails to understand what that paper trail should look like, and it works best if you have your own internal servers that only your employees access to send mail. If you’re just a random small business, they won’t know what your paper trail “should” look like. They *can* verify if emails came from, say, another GMail account since that all happens inside their servers. So that’s a perk of using Google’s services to run your business email.

And in the end it just kind of… works. 99% of people know better than to click links in emails and start typing in personal details. We’re a world that takes joy in not going out of our way for the vulnerable 1%.

There is. DMARC and DKIM are both ways to verify that the sender of an email with a certain domain (let’s say PayPal.com) actually owns that domain. Most current email clients will also display a warning if an email doesn’t verify.
But this is technology that was added on to email later, so it’s not watertight and not universally used. Email is also not controlled by one central company, so verification is limited to the domain name(of which ownership can be verified). Someone could still send you ‘valid’ phishing mails from visually similar domain names (something like peypal.com).

Now, verified profiles with centralized platforms can also have issues. In the case of Twitter, it is simply a question of money. If you pay $8/month, you’re verified. With other platforms, it’s usually down to people checking accounts. Which can take time, people can make mistakes, ‘parody’ accounts can get missed, etc. So it’s still worth it to be vigilant.

There is. DMARC and DKIM are both ways to verify that the sender of an email with a certain domain (let’s say PayPal.com) actually owns that domain. Most current email clients will also display a warning if an email doesn’t verify.
But this is technology that was added on to email later, so it’s not watertight and not universally used. Email is also not controlled by one central company, so verification is limited to the domain name(of which ownership can be verified). Someone could still send you ‘valid’ phishing mails from visually similar domain names (something like peypal.com).

Now, verified profiles with centralized platforms can also have issues. In the case of Twitter, it is simply a question of money. If you pay $8/month, you’re verified. With other platforms, it’s usually down to people checking accounts. Which can take time, people can make mistakes, ‘parody’ accounts can get missed, etc. So it’s still worth it to be vigilant.

There is. DMARC and DKIM are both ways to verify that the sender of an email with a certain domain (let’s say PayPal.com) actually owns that domain. Most current email clients will also display a warning if an email doesn’t verify.
But this is technology that was added on to email later, so it’s not watertight and not universally used. Email is also not controlled by one central company, so verification is limited to the domain name(of which ownership can be verified). Someone could still send you ‘valid’ phishing mails from visually similar domain names (something like peypal.com).

Now, verified profiles with centralized platforms can also have issues. In the case of Twitter, it is simply a question of money. If you pay $8/month, you’re verified. With other platforms, it’s usually down to people checking accounts. Which can take time, people can make mistakes, ‘parody’ accounts can get missed, etc. So it’s still worth it to be vigilant.

There is, it’s called DKIM, and it’s great in theory, but in practice it’s only a small barrier to email forgery. In the simplest terms, DKIM is a system that allows mail servers to sign messages using a secret key to prove that the “from” address is legitimate.

The first problem is that email providers still have to accept some messages that don’t have DKIM signatures. Modern email is based on SMTP, developed in 1983, but DKIM wasn’t adopted as a standard until 2011. If you set up email on a custom domain right now you might not get DKIM on your outgoing messages without doing some extra work, depending on which provider you chose. There is a way to tell other mail servers to reject all messages that say they’re from your domain but lack a DKIM signature (DMARC), but that is extra work.

So, the absence of a DKIM signature alone doesn’t prove a message is forged. I use Proton mail, which is much more upfront about telling you when a message you received isn’t properly signed, and it never ceases to amaze me how many very reputable companies will send out unsigned messages that violate their own DMARC policy.

Even if we did live in a perfect world where DKIM was 100% mandatory and always set up correctly, it wouldn’t totally eradicate email scams. You see, check marks work (or at least used to) on Twitter because there’s a centralized authority to vet that accounts belong to the individuals they claim to represent. In the world of email, the only real centralized authorities are domain registrars. So, all DKIM actually proves is that a message was sent by a server that was set up by the same person that owns the domain after the “@” in the from field.

That isn’t a whole lot of protection. If you own the domain `veryrealinsurancellc.com`, I could buy the domain `veryrealinsuranceinc.com`, and send totally legit DKIM-signed messages from email accounts on that domain. Chances are good that if I blasted out messages claiming to be you a not-insignificant number of your customers would just assume they’d mixed up “llc” and “inc.” Also, if I were a rogue employee at your company and you didn’t monitor your employees’ outgoing messages, DKIM would do absolutely nothing to stop me from sending out messages to potential victims from my work email.

Another problem is that users are conditioned to ignore all security warnings. Seriously, browsers have had to implement non-bypassable error screens for certain types of HTTPS errors (HSTS) because no matter how many scary warnings they put up users would still click “ignore.” On Chrome you can’t even bypass these security errors through some hidden developer setting… you literally have to modify the source code to get around them. So while I may pay attention to my email client telling me a message isn’t properly signed, 99% of users won’t.

And yes, there are alternative ways to sign or encrypt an email message that you can opt into. If you even know they exist I’m not sure why you bothered reading all this because you probably know more about email security than I do. Have fun using them to send highly-secure messages to other security professionals and never getting anybody else to adopt them.

There is, it’s called DKIM, and it’s great in theory, but in practice it’s only a small barrier to email forgery. In the simplest terms, DKIM is a system that allows mail servers to sign messages using a secret key to prove that the “from” address is legitimate.

The first problem is that email providers still have to accept some messages that don’t have DKIM signatures. Modern email is based on SMTP, developed in 1983, but DKIM wasn’t adopted as a standard until 2011. If you set up email on a custom domain right now you might not get DKIM on your outgoing messages without doing some extra work, depending on which provider you chose. There is a way to tell other mail servers to reject all messages that say they’re from your domain but lack a DKIM signature (DMARC), but that is extra work.

So, the absence of a DKIM signature alone doesn’t prove a message is forged. I use Proton mail, which is much more upfront about telling you when a message you received isn’t properly signed, and it never ceases to amaze me how many very reputable companies will send out unsigned messages that violate their own DMARC policy.

Even if we did live in a perfect world where DKIM was 100% mandatory and always set up correctly, it wouldn’t totally eradicate email scams. You see, check marks work (or at least used to) on Twitter because there’s a centralized authority to vet that accounts belong to the individuals they claim to represent. In the world of email, the only real centralized authorities are domain registrars. So, all DKIM actually proves is that a message was sent by a server that was set up by the same person that owns the domain after the “@” in the from field.

That isn’t a whole lot of protection. If you own the domain `veryrealinsurancellc.com`, I could buy the domain `veryrealinsuranceinc.com`, and send totally legit DKIM-signed messages from email accounts on that domain. Chances are good that if I blasted out messages claiming to be you a not-insignificant number of your customers would just assume they’d mixed up “llc” and “inc.” Also, if I were a rogue employee at your company and you didn’t monitor your employees’ outgoing messages, DKIM would do absolutely nothing to stop me from sending out messages to potential victims from my work email.

Another problem is that users are conditioned to ignore all security warnings. Seriously, browsers have had to implement non-bypassable error screens for certain types of HTTPS errors (HSTS) because no matter how many scary warnings they put up users would still click “ignore.” On Chrome you can’t even bypass these security errors through some hidden developer setting… you literally have to modify the source code to get around them. So while I may pay attention to my email client telling me a message isn’t properly signed, 99% of users won’t.

And yes, there are alternative ways to sign or encrypt an email message that you can opt into. If you even know they exist I’m not sure why you bothered reading all this because you probably know more about email security than I do. Have fun using them to send highly-secure messages to other security professionals and never getting anybody else to adopt them.

There is, it’s called DKIM, and it’s great in theory, but in practice it’s only a small barrier to email forgery. In the simplest terms, DKIM is a system that allows mail servers to sign messages using a secret key to prove that the “from” address is legitimate.

The first problem is that email providers still have to accept some messages that don’t have DKIM signatures. Modern email is based on SMTP, developed in 1983, but DKIM wasn’t adopted as a standard until 2011. If you set up email on a custom domain right now you might not get DKIM on your outgoing messages without doing some extra work, depending on which provider you chose. There is a way to tell other mail servers to reject all messages that say they’re from your domain but lack a DKIM signature (DMARC), but that is extra work.

So, the absence of a DKIM signature alone doesn’t prove a message is forged. I use Proton mail, which is much more upfront about telling you when a message you received isn’t properly signed, and it never ceases to amaze me how many very reputable companies will send out unsigned messages that violate their own DMARC policy.

Even if we did live in a perfect world where DKIM was 100% mandatory and always set up correctly, it wouldn’t totally eradicate email scams. You see, check marks work (or at least used to) on Twitter because there’s a centralized authority to vet that accounts belong to the individuals they claim to represent. In the world of email, the only real centralized authorities are domain registrars. So, all DKIM actually proves is that a message was sent by a server that was set up by the same person that owns the domain after the “@” in the from field.

That isn’t a whole lot of protection. If you own the domain `veryrealinsurancellc.com`, I could buy the domain `veryrealinsuranceinc.com`, and send totally legit DKIM-signed messages from email accounts on that domain. Chances are good that if I blasted out messages claiming to be you a not-insignificant number of your customers would just assume they’d mixed up “llc” and “inc.” Also, if I were a rogue employee at your company and you didn’t monitor your employees’ outgoing messages, DKIM would do absolutely nothing to stop me from sending out messages to potential victims from my work email.

Another problem is that users are conditioned to ignore all security warnings. Seriously, browsers have had to implement non-bypassable error screens for certain types of HTTPS errors (HSTS) because no matter how many scary warnings they put up users would still click “ignore.” On Chrome you can’t even bypass these security errors through some hidden developer setting… you literally have to modify the source code to get around them. So while I may pay attention to my email client telling me a message isn’t properly signed, 99% of users won’t.

And yes, there are alternative ways to sign or encrypt an email message that you can opt into. If you even know they exist I’m not sure why you bothered reading all this because you probably know more about email security than I do. Have fun using them to send highly-secure messages to other security professionals and never getting anybody else to adopt them.

A lot of these replies are missing the point. SPF/dkim/dmarc verifys the sender is authorized by the domain owner to send an email as that domain. The blue check mark that Twitter uses or used to use serves a different function entirely. The blue checkmark verifys that the account is owned by a legitimate and notable person or organization. Applying the blue checkmark to email would result in a checkmark for PayPal.com but not one for paypals.com, even though the person who owns paypals.com sent the email they are not notable enough to receive the blue checkmark.

A lot of these replies are missing the point. SPF/dkim/dmarc verifys the sender is authorized by the domain owner to send an email as that domain. The blue check mark that Twitter uses or used to use serves a different function entirely. The blue checkmark verifys that the account is owned by a legitimate and notable person or organization. Applying the blue checkmark to email would result in a checkmark for PayPal.com but not one for paypals.com, even though the person who owns paypals.com sent the email they are not notable enough to receive the blue checkmark.

If you have properly configured SPF, DKIM, and DMARC there is now additionally something fairly new called — BIMI which is kind of analogous to the check mark you’re referencing — https://postmarkapp.com/blog/what-the-heck-is-bimi