6

When I first started playing around with how SMTP worked over 20 years ago, I remember being somewhat surprised how easy it was to make an email appear in someone else's mailbox that looked like it came from anyone at all.

These days, SMTP servers do tend to be somewhat stricter about forwarding on emails that are not from addresses they are configured to handle, but the fact remains that, for instance, in my hotmail account, I receive at least once a week an email that purports to be from apple.com or anz.com.au (a local bank) etc. etc., with nothing at all in the email that suggests it did not originate from a mail server owned by said organisation.

The obvious question is: why is this still so broken, when it should be so easy to fix? If I browse on the web to https://www.apple.com, I'm given a pretty strong guarantee that what I'm looking at is legitimately owned and/or managed by Apple Corporation, but if I receive an email that says it's from support@apple.com there appears to be no such guarantee at all.

I'm aware there are protocols and standards for signing emails (DKIM etc.) but it seems they're so little used that few popular mail clients even bother to check for them.

schroeder

1 Answer

2

Yes, DKIM and SPF, as you say, do go some way in helping fight against spoofing. It's not the clients that tend to ignore the likes of DKIM; it's the receiving email server that does not bother to check the result, or fails to adequately act on it.

I suspect many large email providers would rather accept more spam than lose legitimate traffic or complicate user configuration. The likes of Hotmail, I suspect, would commercially rather accept the spam.

On the other hand, the likes of Apple.com not having suitable DKIM etc. is probably because getting this correctly deployed across their infrastructure is too costly and complicated. There is a strong argument that companies such as Apple should feel morally compelled to ensure their domains make use of email security controls. But costs will normally outweigh security benefits.

ISMSDEV
  • Hotmail especially has in the last three years completely blocked my server, the server of my university, and Gmail, for days, on four separate occasions (as far as I remember). All of these were configured correctly with DKIM & SPF. So, no, Microsoft especially isn't very concerned with not delivering ham. – Marcus Müller May 26 '17 at 10:55
  • The hotmail client doesn't appear to show at all which emails were sent with valid DKIM signatures. I still find it odd that web browsers largely solved this problem with the introduction of HTTPS and various conventions on showing the user when sites are secure etc.*, but email is so far behind. ( * Though why Chrome recently went backwards in allowing users to easily check the CA for TLS certs baffles me.) – Dylan Nicholson May 26 '17 at 16:02
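The answer's point is that a receiving server (or a client that cared to look) already has what it needs: the MTA that accepted the mail stamps an Authentication-Results header with the SPF and DKIM outcomes, and the missing step is checking that the domain those passes cover is actually the one shown in From:. The following is an added illustration, not code from the question or answer and not anything Microsoft or Apple run; it performs that DMARC-style alignment check over two constructed messages (the `mx.example.net` authserv-id, the sender domains and the message text are all made up). The two-label organisational-domain shortcut and the "quarantine when nothing aligns" disposition are assumptions, as noted in the comments; a real receiver would use the Public Suffix List and the sender's published DMARC policy.

```python
"""Check whether a message's From: domain is backed by an aligned SPF or
DKIM pass, using the Authentication-Results header the receiving MTA
stamped on it (RFC 8601). Added illustration, not code from the thread;
the sample messages, the 'mx.example.net' authserv-id and the sender
domains are constructed."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed: From: claims apple.com, but the only SPF pass is for the
# envelope sender's bounce domain and there is no DKIM signature at all.
# This is the header mismatch a spoofed mail typically shows.
SPOOFED = b"""Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.spammer.example;
 dkim=none
Return-Path: <x@bounce.spammer.example>
From: Apple Support <support@apple.com>
To: victim@example.net
Subject: Your account has been locked

Please log in at the link below.
"""

# Constructed: both SPF and DKIM pass for the same domain as From:.
LEGIT = b"""Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=noreply@apple.com;
 dkim=pass header.d=apple.com
Return-Path: <noreply@apple.com>
From: Apple <noreply@apple.com>
To: victim@example.net
Subject: Receipt

Thanks for your purchase.
"""


def parse_auth_results(value):
    """Split one Authentication-Results value into
    [{'method': 'spf', 'result': 'pass', 'props': {'smtp.mailfrom': ...}}, ...].
    Folded whitespace is collapsed; parenthesised comments are not handled."""
    value = re.sub(r"\s+", " ", value).strip()
    clauses = [c.strip() for c in value.split(";")]
    parsed = []
    for clause in clauses[1:]:            # clauses[0] is the authserv-id
        if not clause or clause == "none":
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key] = val
        parsed.append({"method": method.lower(), "result": result.lower(), "props": props})
    return parsed


def org_domain(domain):
    """Relaxed alignment compares organisational domains. Real DMARC uses the
    Public Suffix List; keeping the last two labels is an assumption here and
    is wrong for names like anz.com.au, so a real check must use the PSL."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def evaluate(raw):
    """Return the alignment verdict a DMARC-aware receiver would reach."""
    msg = message_from_bytes(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    results = []
    for hdr in msg.get_all("Authentication-Results", []):
        results.extend(parse_auth_results(str(hdr)))

    spf_aligned = dkim_aligned = False
    for r in results:
        if r["result"] != "pass":
            continue
        if r["method"] == "spf":
            # SPF authenticates the envelope MAIL FROM, not the From: header,
            # so a pass only counts if that domain aligns with From:.
            d = r["props"].get("smtp.mailfrom", "").rpartition("@")[2]
            spf_aligned |= bool(d) and org_domain(d) == org_domain(from_domain)
        elif r["method"] == "dkim":
            d = r["props"].get("header.d", "")
            dkim_aligned |= bool(d) and org_domain(d) == org_domain(from_domain)

    # Disposition policy is assumed: a real receiver takes it from the
    # sender's _dmarc TXT record (p=none/quarantine/reject).
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "deliver" if (spf_aligned or dkim_aligned) else "quarantine",
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, evaluate(raw))
```

The spoofed sample is the case the question describes: SPF genuinely passes, because the spammer controls the bounce domain it named in MAIL FROM, yet nothing ties that pass to the apple.com shown to the user. That gap between "a check passed" and "the check covered the displayed domain" is why a receiver that only records results, and does not act on alignment, still delivers the mail.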