DKIM is not solving the wrong problem, DKIM is solving an underlying problem.
The suggestions to use reputation, accounts etc are still fine and good, but step 0 is to check whether that guy on the other side is who he says he is - and that's where DKIM comes in.
Yeah, but it doesn't check whether that guy on the other side is who he says he is, it only checks whether that domain on the other side is what it appears to be (registered via ICANN-approved registrar to "that guy"). DKIM relies on DNS. It checks on domains, not people. You have no reliable assurance from DKIM of who is actually controlling that domain. It might not be "that guy" but someone else. DNS is not without its vulnerabilities (including social engineering). Any security mechanism based on DNS is only as "secure" as DNS, which isn't very.
Yes but then again (I consider this their trolling of DIY) Google forces you to set up reverse resolve regardless of DKIM. They effectively lock out (or should I say, spam out) anyone that doesn't have an ISP prepared to do that, and it complicates migration to another ISP. And it prevents you running a multiple-domain mail server on a single IP. It is true that reverse resolve generally in the EU isn't such a problem, but it does make issues for USA users.
I don’t know about signing, but my email domain (my surname.net) is now 30 or so years old. It gets^w got a lot of spam...
A decade or so ago, I set up a catch-all account so <anything>@mydomain.net is redirected to an ISP account that I have as one of my email identities. In this case I used <account>@mac.com. It’s basically just a front-line IMAP repository; stuff I want to keep will move off it.
Whenever I need to supply an email to an online site, I use <company name>@mydomain.net. The only time this hasn’t worked is with Samsung, who won’t let you sign up as ‘samsung@...’, generally it’s ok though.
There is another rule on the mail server, send-to-trash. This accepts all email and just bins it. I can move <anything>@mydomain to this rule at the click of a button, in a second or two, with a web interface. I do this for:
- unsolicited email sent to a random “name” at my address, this is actually fairly rare now that most of the obvious ones are gone
- when the mail content doesn’t match the <company name> part, i.e. where the address has been sold to an email list.
- when I want to expire the email address. Sometimes this is temporary, and I have an address I want to keep, but it’s currently being spammed. Making the server send reject messages for a while usually helps. Usually.
Using this, I’ve managed to keep the same email domain since college some 30 years ago actually usable and useful. YMMV :)
I've been doing this for about 10 years now too! It's very convenient to "expire" the email addresses that are sold off.
Another thing I do is to use a [email protected] email when an annoying site tries to force me to login. All emails to this spam email address are sent to trash with a filtering rule, and I manually open my trash to click the verification link.
With catch-all emails, you need a strict "... -all" SPF record to make others reject bounce spam messages.
> It's possible that email clients could learn some lessons from this, for example by splitting your inbox into 'people and places you've interacted with before' and 'new contacts from strange people'.
That's how I have Thunderbird set up. I have a rule that puts mail from anyone not in my contacts list into a folder called Unrecognized Sender.
I know it's currently more suitable for an organization than individuals, but I think with a bit of glue it would work fantastically at internet-scale.
There are two (well, lots more than two) different problems with email. DKIM solves spoofing. That isn't a more or less "wrong" problem than spam. The latter just needs a different solution (and Google etc. have become pretty good at it).
The author obviously has no idea why email signing is there. And what he was proposing, an authorizing system or white-list system, has been there for quite a while, but why is it not enabled by default? It creates more problems than the problems it resolves. Just imagine how it's going to work if you need to send a legit email to someone for the first time. If you are going to need authorization to do it, how do you get that required authorization? By calling the recipient or sending them a letter so that they can add you to the list? Then what's the point of sending email in the first place?
Another problem with email is that it's your responsibility to keep your contacts list up-to-date when people change their email address. By comparison Facebook doesn't have that problem - for example organising a high school reunion is much more likely to succeed if you contact people via Facebook than via email. I really hope email (or its successor) can copy more of the benefits that currently draw users into those walled gardens.
> By comparison Facebook doesn't have that problem - for example organising a high school reunion is much more likely to succeed if you contact people via Facebook than via email.
I see it the opposite way. People regularly drop off of social networks in favor of new ones or none at all.
I know people who have had the same email address since the 90's.
Facebook's strategy to achieve this is to disallow people from having two different accounts. Things are different on e.g. Twitter where it's common to have two accounts for different usage (like email).
Do you suggest disallowing people from having two different email addresses?
I've been using SpamArrest for about ten years, and I'm very happy with it.
I always whitelist in advance any person or domain I expect to hear from. SpamArrest gives me a chance to hear from legitimate strangers. If a sender refuses to reply to the challenge email, then what (s)he had to say couldn't be that important.
DKIM works well for what it does. Assuming that what the author describes as “revocable authorization” is a desirable feature (I don’t really get why a user wouldn’t just filter them with a block list or white list approach, but whatever) - how is this possible without a centralised provider?
If it’s only possible with a centralised entity like Twitter, it’s not going to scale to last centuries like email will.
because current filter tools are not specific enough or easy enough to use for that purpose. i basically only got the option to mark something as spam and let the algorithm figure out why.
i'd like to sort email by these categories:
signed emails with a known/whitelisted key.
signed emails with a known/blacklisted key
signed emails with an unknown key.
unsigned emails with a known/whitelisted email address
unsigned emails with a known/blacklisted email address
unsigned emails with an unknown address.
and finally emails with obviously fake addresses.
whitelisted keys go to my inbox.
those will be spam free.
blacklisted keys are blocked/bounced/sent to spam.
new keys go into a new contacts folder with a spam rating based on content. then i walk through that folder and accept or block keys.
for unsigned emails the same is done based on the address.
whitelisted addresses get a spam rating in a second inbox.
blacklisted addresses get blocked and unknown addresses get checked manually.
unknown keys or addresses can further be separated into: received only one email from this address or multiple emails.
when i reply to an email the key or address gets whitelisted automatically.
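The sorting scheme above, written out as a small rule engine; this is an added example, not code from the thread. It assumes the MTA has already run DKIM verification and exposes the pass/fail result and the signing key id (taken here as selector plus signing domain), and it leaves the content-based spam score out; all sample data is constructed.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Optional

@dataclass
class Msg:
    from_hdr: str                # raw From: header value
    dkim_pass: bool              # DKIM verification result supplied by the MTA
    dkim_key: Optional[str]      # "selector._domainkey.domain" if signed, else None

def _is_fake(addr: str) -> bool:
    # Constructed heuristic for "obviously fake": no mailbox@domain shape at all.
    return "@" not in addr or "." not in addr.rsplit("@", 1)[1]

@dataclass
class Sorter:
    whitelisted_keys: set = field(default_factory=set)
    blacklisted_keys: set = field(default_factory=set)
    whitelisted_addrs: set = field(default_factory=set)
    blacklisted_addrs: set = field(default_factory=set)
    seen: dict = field(default_factory=dict)   # unknown key/address -> message count

    def folder(self, m: Msg) -> str:
        addr = parseaddr(m.from_hdr)[1].lower()
        if _is_fake(addr):
            return "fake"
        if m.dkim_pass and m.dkim_key:
            # Signed mail is judged by its key, never by the address it claims.
            ident, good, bad, home = m.dkim_key, self.whitelisted_keys, self.blacklisted_keys, "inbox"
        else:
            # Unsigned mail is judged by address and lands in the second inbox.
            ident, good, bad, home = addr, self.whitelisted_addrs, self.blacklisted_addrs, "inbox2"
        if ident in good:
            return home
        if ident in bad:
            return "blocked"
        # Unknown sender: split first contact from repeat contact for manual review.
        n = self.seen[ident] = self.seen.get(ident, 0) + 1
        return "new-contacts/repeat" if n > 1 else "new-contacts/first"

    def replied_to(self, m: Msg) -> None:
        """Replying auto-whitelists the key (if signed) or otherwise the address."""
        if m.dkim_pass and m.dkim_key:
            self.whitelisted_keys.add(m.dkim_key)
        else:
            self.whitelisted_addrs.add(parseaddr(m.from_hdr)[1].lower())
```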
All you have to do is to ignore email that is signed by entities you don't know and/or don't like. It is as simple as that. The mystery is why people accept anonymous email at all.
I run a web service with email validation, and a nontrivial number of users' validation emails bounce with a request to click some link to pay some money in order to email the user. Sometimes I get the same responding to support requests from users.
I suspect these same users wonder why such a large fraction of their online interactions/signups don't work...
Interestingly, this is where the proof-of-work idea for Bitcoin likely came from (hashcash). Basically prove you've done X amount of CPU work in order to send me an e-mail.
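A minimal hashcash-style stamp showing the "prove you burned CPU to mail me" idea, added here as an illustration rather than code from the thread or the real hashcash format. The stamp layout `bits:date:recipient:counter` and the SHA-256 target are simplifications chosen for this example; the sender searches for a counter, the recipient verifies with one hash plus a replay set.

```python
import hashlib
from itertools import count
from typing import Optional

def _leading_zero_bits(digest: bytes) -> int:
    # Number of leading zero bits in the hash; higher means more work was done.
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(recipient: str, date: str, bits: int = 16) -> str:
    """Sender side: brute-force a counter until the hash meets the difficulty target."""
    for ctr in count():
        stamp = f"{bits}:{date}:{recipient}:{ctr}"
        if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp

def verify(stamp: str, recipient: str, min_bits: int = 16,
           seen: Optional[set] = None) -> bool:
    """Recipient side: one hash checks the work; `seen` rejects replayed stamps."""
    try:
        bits_s, _date, rcpt, _ctr = stamp.split(":", 3)
        bits = int(bits_s)
    except ValueError:
        return False                      # malformed stamp
    if rcpt != recipient or bits < min_bits:
        return False                      # minted for someone else, or too cheap
    if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return False                      # claimed work not actually done
    if seen is not None:
        if stamp in seen:
            return False                  # same stamp reused
        seen.add(stamp)
    return True

if __name__ == "__main__":
    s = mint("me@example.net", "20240101", 16)   # constructed sample values
    print(s, verify(s, "me@example.net", 16))
```

Minting at 16 bits costs roughly 65,000 hashes on average while verifying costs one, which is the asymmetry that makes bulk sending expensive and normal use cheap.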
dgellow | 5 years ago
1. A stranger sends you an email
2. Hey asks you if you want to whitelist the sender or not
3. If rejected, you won’t be bothered anymore by any of their emails
4. Otherwise you just get their email moving forward and can decide to reject them later if necessary
https://hey.com/features/the-screener/
bawolff | 5 years ago
DKIM+whitelist solves that problem, so dkim would still be solving the right problem.
teddyh | 5 years ago
I suggest that everyone in the comments with a pet idea read this: https://craphound.com/spamsolutions.txt
xapata | 5 years ago
Hey, Basecamp, can you make that feature for me?