Truedomain anti-phishing and email authentication

One of the big problems with email is that the email standards were developed during the earlier days of the internet when all the machines and people connected to the internet trusted each other. That means that emails are very easy to forge and spoof, because there was no method of trust or authentication built into the email standards.

Over time systems have been added which try and add these extra layers of trust. Unfortunately each of these systems introduces it’s own problems.

RBLs provide a list of machines that are untrusted, or have shown malicious behaviour, or have sent spam (each RBL has different listing criteria). Using these you can block emails from particular machines, or give them a higher spam score. Unfortunately RBLs can cause false positives, and cause legitimate emails to be blocked.

SPF is a way to trust the domain in the “SMTP envelope from” address. Unfortunately most people don’t actually see the envelope from address, so this isn’t actually very useful. In most cases, the main thing this will help stop is backscatter because email with forged from addresses won’t be accepted and/or bounced. Unfortunately SPF breaks forwarding of emails, something lots of people want to do. There’s an additional standard SRS that attempts to fix this, but it’s annoying to implement, given the only small benefit that SPF provides.

DKIM is a way to sign emails using a public/private key system based on a particular domain. Basically if you own xyz.com, then you can sign an email with DKIM, and the receiver can verify that:

1. The email was signed by the domain xyz.com
2. The email content and headers haven’t been altered in any way from
   when xyz.com sent it

In theory this is very useful, because it provides a way to identify trusted emails. The problem is that just verifying that an email is signed by xyz.com isn’t really enough. The big queston is “Do you trust email from xyz.com?”.

If the domain is yahoo.com, then the answer is generally “no”. Anyone can signup a free account at yahoo.com, and then send you emails, that will be DKIM signed by yahoo.com. So knowing an email is signed by yahoo.com doesn’t tell you much useful about the trust of that email.

On the other hand, if the domain is facebook.com, then the answer is generally “yes”. At the moment, the only email being sent by facebook.com is official notification emails from Facebook. Similarly sites like paypal.com, linkedin.com, ebay.com, etc are domains you do want to trust, as any emails they do send are definitely from their corresponding company only, and not from just any person.

The problem is that there’s lots of email providers out there, and lots of domain owners out there. To make DKIM useful as a way to trust emails, each email provider has to work out which domains they want to list as trusted and a way to display those emails. With lots of different email providers and potential companies to trust, that creates a huge number of required relationships.

What’s needed is someone that sits in the middle to act as a mediator between companies that want emails they send to be trusted, and the email providers, so they don’t have to build and maintain lists of domains to trust individually themselves.

That’s where Truedomain comes in. Their aim is to work with senders to build a list of trusted sending domains, and easily allow receivers to check the DKIM signatures on received emails to see if they’re from a trusted domain. When an email is from a trusted domain, they make it easy to display trust details for that domain, including the sending company, and a logo from that company. This is particularly useful as a way to protect users from phishing emails.

Emails that are truedomain protected are now displayed in the FastMail web interface with a light green background on the mailbox screen, and the logo from the company next to the from name/address. Additionally on the message read screen, a green box under the subject line also shows the company logo and details of what company sent the email.

Mailbox screen display

Message read screen display

For email users, you can think of truedomain as EV SSL for email. In the same way that SSL certificate providers vet companies, and then provide them a certificate that displays a secure connection in your browser with the company name, truedomain vets companies, and then provides a way for their emails to display securely in your email service with the company logo and name.

With the large amount of phishing emails, and the huge cost phishing emails cause, we believe that truedomain are providing a useful service that will continue to grow as more sending companies and email receivers get on board.