why there is nothing like a “verified checkmark” for E-Mails of real companies like PayPal to distinguish their E-Mails from scams

69 Answers

Anonymous 0 Comments

If you have properly configured SPF, DKIM, and DMARC, there is now additionally something fairly new called BIMI, which is kind of analogous to the check mark you’re referencing: https://postmarkapp.com/blog/what-the-heck-is-bimi

Anonymous 0 Comments

A lot of these replies are missing the point. SPF/DKIM/DMARC verifies that the sender is authorized by the domain owner to send an email as that domain. The blue check mark that Twitter uses, or used to use, serves a different function entirely. The blue checkmark verifies that the account is owned by a legitimate and notable person or organization. Applying the blue checkmark to email would result in a checkmark for PayPal.com but not one for paypals.com; even though the person who owns paypals.com sent the email, they are not notable enough to receive the blue checkmark.

Anonymous 0 Comments

So there are the mentioned tech like SPF, DMARC, DKIM, BIMI as ways to “verify” legitimate emails. I think the 10k-foot view is missing here:

Twitter is a closed system. They can verify who they like and whatever illegitimate activity, provided they can detect it, they can shut it down. Nothing on the system, no message ever leaves the confines of the closed Twitter system.

Email is not like this, at all. At its core, it’s just a standard way to send messages across the internet, from one system to another, systems controlled by anyone. Microsoft, Google, yahoo, your own personal or company email server, anyone can run an email server and send and receive email on the internet.

It really is like the postal system it’s named for. I can send you a letter, write any return address on it I like, and it will be delivered, there is no way for you to know if that “from address” is real, nor did the postal worker look inside the message to see what is in there, they just deliver it. That’s the original email standard.

All those abbreviations, basically verification methods for the “from”, SPF etc above, are new layers added on top over the years as spam and scams became a problem, for what should be obvious enough problems with the original spec for email.

The reason why those things don’t solve the problems or haven’t yet? There are a few, but simply put, not everyone has implemented them. It only really works if everyone is using the verification methods in their domain. And worse is that you don’t reduce YOUR scam messages by implementing the verification; you reduce the scams sent to other people that would use your domain. For these methods to reduce your own scam emails, you need everyone else to implement the verification technologies.

And further to that… ideally the whole thing works when every email server can say “sorry, I don’t accept unverified email without SPF and DKIM!” and then throw the rest away. But you, Gmail, Microsoft, nobody can do that today without breaking the whole internet for email, as clueless people are setting up their own domains for new businesses every day and getting email service with no earthly idea that it’s up to them to configure SPF and DKIM signing and DMARC policy, for their main email and every service they use that sends email for their domain, like Mailchimp, HubSpot, Salesforce, line-of-business apps. This just never gets done for many small businesses.

The last problem you have is… in a distributed system, what is “legitimate” anyway? Twitter’s closed system is easy. With email, an open distributed system, I can go register PayPalSupport.com or some available domain today, set up email, even set up my SPF, DKIM etc., then send you an email… that is as legit as it gets for email. It’s verified. It’s just that I might fool you into thinking the message is from PayPal. That’s not really an e-mail problem in that case but a human problem.

It’s a wonder email works on a daily basis. Most email is spam; scams and phishing are common. Every email system out there must filter the bad stuff out. All the verifications on a message could fail, but still it could be a “good” email just from a tech-challenged business, so content must be scanned by virus engines, AI-type systems rate the text and language, image recognition evaluates pictures, links are scanned, on and on. The next message you receive can pass the verifications but yet it’s a phishing message, so the same scanning process must try to detect *that* based on the content. It really is amazing that Gmail can mostly pick out the 10-30% of e-mail messages sent to you that are “good” and delete or send the rest to junk.
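An added example, not from the thread, to make the point of this answer and the one above concrete: a simplified DMARC-style receiver check in Python, with stand-in DNS data, a lookalike domain (paypals.com) that passes every authentication step, and a From-spoofed message that fails alignment. All domains, IPs, records and headers are constructed, and the DKIM signature verification itself is stubbed by a flag.

```python
# Added example, not from the thread. Domains, IPs, DNS data and headers are
# constructed; DNS lookups and the DKIM signature check itself are stubbed.
from email import message_from_string
from email.utils import parseaddr
# Stand-in for the DNS records a receiver would fetch per domain:
# SPF-authorized sending IPs, published DKIM selectors, DMARC policy.
DNS = {
    "paypal.com":  {"spf_ips": {"203.0.113.10"}, "dkim_selectors": {"s1"}, "dmarc": "reject"},
    "paypals.com": {"spf_ips": {"198.51.100.7"}, "dkim_selectors": {"k1"}, "dmarc": "reject"},
}

def _domain(header_value):
    """Lower-cased domain of an address header such as From or Return-Path."""
    return parseaddr(header_value or "")[1].rsplit("@", 1)[-1].lower()

def evaluate(raw, connecting_ip, dkim_signature_valid):
    """SPF, DKIM and DMARC alignment for one message; dkim_signature_valid stubs the crypto check."""
    msg = message_from_string(raw)
    from_domain, mfrom_domain = _domain(msg["From"]), _domain(msg["Return-Path"])
    # DKIM-Signature is a ';'-separated tag list; d= is the signing domain, s= the selector.
    tags = dict(t.strip().split("=", 1) for t in (msg["DKIM-Signature"] or "").split(";") if "=" in t)
    dkim_domain, selector = tags.get("d", "").strip().lower(), tags.get("s", "").strip()
    spf_pass = connecting_ip in DNS.get(mfrom_domain, {}).get("spf_ips", set())
    dkim_pass = dkim_signature_valid and selector in DNS.get(dkim_domain, {}).get("dkim_selectors", set())
    # DMARC alignment: a passing mechanism must cover the domain the user actually sees in From.
    aligned = (spf_pass and mfrom_domain == from_domain) or (dkim_pass and dkim_domain == from_domain)
    disposition = "deliver" if aligned else DNS.get(from_domain, {}).get("dmarc", "none")
    return {"from_domain": from_domain, "spf": spf_pass, "dkim": dkim_pass,
            "dmarc_aligned": aligned, "disposition": disposition}

def is_known_brand(domain, brands=frozenset({"paypal.com"})):
    """The missing 'checkmark' step; nothing in the authentication layer answers it."""
    return domain in brands

# Case 1 (constructed): lookalike domain with SPF and DKIM configured correctly.
LOOKALIKE = """\
Return-Path: <billing@paypals.com>
From: "PayPal Support" <billing@paypals.com>
DKIM-Signature: v=1; a=rsa-sha256; d=paypals.com; s=k1; h=from:subject; b=CONSTRUCTED
"""
# Case 2 (constructed): the real brand in From, but relayed by a host paypal.com
# never authorized and carrying no paypal.com signature, so nothing aligns.
SPOOFED = """\
Return-Path: <bounce@example.net>
From: "PayPal" <service@paypal.com>
"""
```

The lookalike passes SPF, DKIM and DMARC and is delivered, yet `is_known_brand` is the only question the reader cares about, and no header answers it.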

Anonymous 0 Comments

Email is so fucking ghetto what’s the point. The company should and does just prompt you if the problem the next time you try to log in to the service.

Anonymous 0 Comments

There is. I see SPF, DKIM, and DMARC mentioned, but also BIMI allows you to assign a copyrighted logo to your emails that you digitally sign as yours, which is almost exactly the ‘verified’ checkmark you’re asking about!