why there is nothing like a “verified checkmark” for E-Mails of real companies like PayPal to distinguish their E-Mails from scams

69 Answers

Anonymous 0 Comments

There actually is: they're called DMARC and DKIM records. The problem is that the companies don't set up their domain names properly.

I checked the top 100 online retailers' domain names recently and only 7 percent of them had their domain names set up, such as setting up DMARC records in their domain name to prevent email scams.

Pretty soon we will have NameBlock, and companies will be able to completely block certain scam domain names from even being registered, so that will help out a lot.

Anonymous 0 Comments

I think the actual ELI5 answer is that email is an artifact of the early internet and is therefore open and uncontrolled.

Private companies operating their own ecosystems such as Twitter can add whatever verification systems they like, but nobody owns the IP for email.

Like anything with software technology, there’s a tradeoff between ease of use and user freedom. The less able you are to get yourself in trouble, the less control you have over how something functions. Email is very customisable and the underlying architecture is fundamentally insecure.

Anonymous 0 Comments

This is a really complex question.

The short answer is there kinda is but also isn't. Email was designed so that people could just send it without having to verify who they are. Some technologies have been implemented to prevent people from sending illegitimate emails using a legitimate domain, but that only stopped one type of spam. Now people just send illegitimate emails from an illegitimate domain that looks like a legitimate domain.

Part of the problem is the decentralized nature of email. Twitter can "verify" people because they own the entire platform. But since email is decentralized, how does Gmail verify that the email coming from your mom on ProtonMail is actually your mom? They can't. There would need to be a backend identity system that all email servers use which authenticates people. Of course this would never work, because you'd have people (and companies) like ProtonMail whose whole shtick is privacy. Do you think ProtonMail is going to enter all its users into a centralized database?

Each mail server would need to verify that the person who says they're legit actually is legit. Without a backend, how do they do that?

The second problem is that even in situations where there is an authentication mechanism (corporate email, for example), people generally don't understand it. I do cybersecurity in my full-time job and I'll occasionally ask users to explain what the certificate icon on the emails means (and sometimes I'll ask them to explain how they can tell the email came from their coworker). Most of them have no idea (even though we have yearly training on it).

But the real simple answer is that it's simply not worth it to try and solve all these problems. It's much easier for email providers to just do what they already do (spam filtering) than it is to try and handle identity management. A few people get hit with spam emails and then the AI figures it out and starts blocking that spam campaign. Sure, it's bad for those few, but the email provider isn't liable for any money that users lose from spam, so the few are a necessary casualty.
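The first answer points at DMARC and DKIM records and the answer above explains why that only stops one kind of spoofing. The example below, added here and not code posted by anyone in the thread, shows what a receiving mail server actually computes: it parses a DMARC record, checks whether the SPF or DKIM identity is aligned with the From: domain, and applies the published policy (RFC 7489 logic, simplified). It then shows why a look-alike domain sails through, because the scammer controls that domain's DNS too. Every domain and DNS record (example.com, example.net, examp1e.com, the scammer host) is constructed; the organisational-domain and confusable-character logic are toy stand-ins for the Public Suffix List and the Unicode confusables table.

```python
# Added example, not from the thread. Models the DMARC decision a receiving mail
# server makes (RFC 7489 logic, simplified) and a crude look-alike-domain check.
# Every domain and DNS record below is constructed; nothing touches the network.
from dataclasses import dataclass
from typing import Optional

# Constructed TXT records at _dmarc.<domain>, standing in for DNS lookups.
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",  # monitoring only
    "_dmarc.examp1e.com": "v=DMARC1; p=reject",  # the scammer's look-alike domain, set up "properly" too
}


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record: %r" % txt)
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels.
    Real validators consult the Public Suffix List so that example.co.uk works."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) accepts any domain in the same organisation."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthInputs:
    from_domain: str                         # domain of the RFC5322.From header
    spf_pass_domain: Optional[str] = None    # MAIL FROM domain, only if SPF returned pass
    dkim_pass_domains: tuple = ()            # d= of every DKIM signature that verified


def evaluate_dmarc(msg: AuthInputs, dns: dict) -> dict:
    """Return the DMARC result and the disposition a receiver applies."""
    policy_domain = msg.from_domain.lower()
    record = dns.get("_dmarc." + policy_domain)
    is_subdomain = False
    if record is None and org_domain(policy_domain) != policy_domain:
        # No record on the subdomain: fall back to the organisational domain's record.
        policy_domain = org_domain(policy_domain)
        record = dns.get("_dmarc." + policy_domain)
        is_subdomain = True
    if record is None:
        return {"result": "none", "disposition": "deliver", "reason": "no DMARC record published"}
    tags = parse_dmarc(record)
    policy = (tags.get("sp") or tags.get("p", "none")) if is_subdomain else tags.get("p", "none")
    spf_ok = msg.spf_pass_domain is not None and aligned(
        msg.from_domain, msg.spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(msg.from_domain, d, tags.get("adkim", "r")) for d in msg.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "deliver",
                "reason": "aligned " + ("DKIM" if dkim_ok else "SPF")}
    disposition = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    return {"result": "fail", "disposition": disposition, "reason": "no aligned identifier, p=" + policy}


# Look-alike domains pass DMARC on their own record, so the receiver needs a separate check.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}  # toy table; Unicode TR39 has the real one


def skeleton(domain: str) -> str:
    """Fold visually confusable sequences so 'examp1e' and 'exarnple' both become 'example'."""
    s = domain.lower()
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s


def looks_like(candidate: str, protected: str) -> bool:
    """True when candidate is a different domain that reads like the protected brand domain."""
    return (candidate.lower() != protected.lower()
            and skeleton(org_domain(candidate)) == skeleton(org_domain(protected)))


if __name__ == "__main__":
    cases = {
        "genuine, DKIM d=example.com": AuthInputs("example.com", dkim_pass_domains=("example.com",)),
        "spoofed From, SPF passed for scammer host": AuthInputs("example.com", spf_pass_domain="scammer-host.net"),
        "p=none domain spoofed": AuthInputs("example.net", spf_pass_domain="scammer-host.net"),
        "look-alike with its own DKIM": AuthInputs("examp1e.com", dkim_pass_domains=("examp1e.com",)),
        "no DMARC record at all": AuthInputs("example.org"),
    }
    for label, inputs in cases.items():
        verdict = evaluate_dmarc(inputs, DNS)
        warn = " [looks like example.com]" if looks_like(inputs.from_domain, "example.com") else ""
        print(f"{label:45} -> {verdict['result']:4} / {verdict['disposition']}{warn}")
```

Three of the cases map directly onto the thread: the spoof of example.com is rejected only because that domain publishes p=reject; the spoof of example.net "fails" DMARC yet is still delivered, which is the "domain not set up properly" situation from the first answer; and examp1e.com passes cleanly, which is why DMARC can never be the checkmark the question asks for and why receivers bolt on look-alike heuristics such as the skeleton() check.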

Anonymous 0 Comments

Email started as a basic service: English only, text only. Extensions were made to add other languages, to add images, and to add encryption and message signing.

Message signing is what you are asking for here.

Unfortunately encryption upset the US NSA no end. The US via the Wassenaar Arrangement pushed hard for the ban of encryption technologies in email. It won for a time, and then lost. Which is why you can encrypt email today.

But at the vital moment when the small number of email clients (eg Pine) exploded into hundreds of apps, encryption wasn't a feature. So it didn't become part of the default offering of Netscape Communicator or later products like Microsoft Outlook. Unlike other features like vacation messages, or threading, or footers.

This means that emails are not signed by default. And so you can't check the origin of an email easily. The NSA hasn't been held to account for the huge financial losses its decision to slow the spread of encryption cost the US in spam and scams.
