Email has arguably been a cornerstone for digital communication in the internet age, but email has some painful flaws that still need to be addressed.
Email as a technology grew from very simple beginnings in the 1960s. It started out simply as a way to leave a message for a user in a file folder on a computer that those users would see when they logged into the mainframe. This eventually grew into a program that could be used to easily share messages from one user to another on the same computer. The current evolution of this capability is the ability for users on one computer to be able to send these messages to users on another computer with the creation of the Simple Mail Transport Protocol (SMTP) and the introduction of the very familiar [email protected] addressing scheme that we are all very familiar with today. By the early 1990s internet service providers were offering free email addresses for their customers ushering in the rise of spam, and by the late 1990s email was well on its way to become a critical communication tool.
Given the simplicity of its early beginnings, it may not be hard to believe that SMTP as the mechanism that allows users from one computer system to send messages to users on another computer system has some pretty serious flaws. Primarily the fact it doesn’t provide any way to verify that the person sending a message is actually really that person. Interestingly, it’s relatively easy for any person in the world to send an email claiming to be from [email protected] and deliver that to whomever they like. The recipients will receive the message, and without some significant technical effort won’t be able to tell that Bill Gates didn’t actually send the message. If you’ve ever received an obvious spam message from a friend, or have had a friend claim that they received an “odd” message from you, you have witnessed how common it is for spammers to take advantage of this flaw. For the most part, this can be fairly harmless, but imagine if you will if you received an email from [email protected] asking for you to click on this link and to reset your password. As an end user there is an inherent trust that if the message says it comes from a trusted party that it must be a legitimate message, but in this case a spoofer will leverage this and steal your password and money.
This is precisely the type of thing that began happening, and internet thieves started baiting users with fake messages and stealing valuable information. Around 2004, in order to combat this, the Internet Engineering Task Force created the Sender Policy Framework (SPF) and the DomainKeys Identified Mail specifications and protocols that allowed the SMTP system to be used, but also to allow for messages to be verified. SPF and DKIM allow the computers that receive email messages for processing to verify that the computer that sent to them is allowed to do so for that domain.
With the introduction of these specifications, internet service providers and mail processing centers had the tools needed to start verifying email, and blocking spoofed email, but the problem with SPF and DKIM is they don’t tell these processors what to do when they encounter a message that appears to be invalid. In 2007, PayPal started working with large email providers such as Yahoo and Google to establish a method to allow domain owners such as paypal.com and marlinnetwork.com to let ISPs know any mail that comes from their domain that doesn’t validate against SPF or DKIM should not be delivered, but rather sent to the bitbucket.
While the DMARC standard has seen significant success by large mailbox providers, it’s time for all domain-owning organizations to get on board and start rolling out this technique to significantly reduce spam and internet theft.