Any steps to curb spam/scam/phishing is good in my book, and I'm glad Apple is taking steps. There are more and more spam emails escaping the filters of most mail providers like GMail and Outlook.
 
But how much will this cost? Will small companies be able to enroll in this scheme for mails sent to their customers? Will you need Apple's approval to send legit emails?
 
Gmail basically does that now. As of recently if a sender doesn’t have a good SPF record at the very least, the email is flagged. DKIM is preferred. Unfortunately DKIM adoption seems slow even now that SPF has finally caught on.

Between Google and Microsoft that’s 90% of (business) email, which is pretty close and as good as we can get in this duopoly system.

Unfortunately it seems like e-mail is fundamentally not designed for what we’ve made it into. Hard to believe that in the year 2022 communications are still so fragmented. I do like the federated nature but it seems it’s doomed to consolidation like everything else.
DKIM adoption is a good example of why stuff like this should be an ISO standard rather than an RFC, which is more like a recommendation... Microsoft Exchange, for example, doesn't even support DKIM... If DKIM were part of an ISO standard, Microsoft could not afford to ignore it. Back in the day RFCs were taken more seriously, but these days the big players would rather push their proprietary solutions, ignoring RFCs (the boycott of IMAP IDLE would be a good example).
SPF and DKIM are as good as it gets when it comes to domain validation, i.e. that no other server is allowed to send an email from someone@macrumors.com. However, domain validation does not prevent someone from setting up a look-alike domain, server and email showing up as someone@macrumos.com (missing the "r"). In order to prevent that you need organization validation, which involves the certificate authorities performing a manual check of the applicant and its domain, and checking whether the applicant's company actually exists, or at the very least verifying the applicant's identity. Naturally, that costs more than a simple domain validation certificate, but is very well affordable for everyone. Since no certificate authority in its right mind will issue an OV certificate for macrumos.com, a sending server could not use that domain if OV certificates were mandatory.
As such, that would be by far the simplest approach to getting email fixed. Beyond that, it's not going to get much better if we want to keep a decentralized infrastructure, which for me is a fundamental principle of the internet, and centralizing or federating it under some big corporation is not an option.
 
Apple (or the IETF) needs to replace IMAP. It was written for another age, and it's way long in the tooth.

Basically, security needs to be baked in instead of security as an afterthought. Verified senders needs to be a part of the infrastructure. It's ok to have unverified senders, but they should be marked as-such.

These days, certs are free and processing power is cheap, so issuing everyone a cert and using them for validation shouldn't be as much of a burden as it was back in the day.
No, we don't want Apple (or any other big company) to replace IMAP or SMTP or HTTP. Those are the last three major open protocols left that are widely supported, even by the monopolies in email (Microsoft and Google). We should be encouraging their use to keep the Internet open, rather than siloed. Do you want what happened to chat to happen to email? In the past there were open chat standards like XMPP; well, just a few days ago Google shut down Google Talk, which supported XMPP, the last widely used chat service to support XMPP. Now you have to decide to use Facebook Chat, Google Chat, Skype, WhatsApp, LINE, etc., all of which are siloed and don't communicate with each other or can't be run on-premise in your own datacenter. You know how annoying it is for me as an Android phone user when someone uses iMessage to send me something that is not supported in my normal SMS app. I wish Apple would support RCS.

You need to understand email is comparable to phone service (calls and SMS) in the sense it is a widely supported standard, due to it being long in the tooth. These standards are open where anyone can contact you. To deal with spam email or calls, the easy thing to do is only accept them from people on your whitelist you trust. This is how most chat networks work, only people that know you (such as have your phone number in their contacts) can see to add you, which is why you notice less spam.

SMTP already supports sender verification as already described in the forum using SPF and DKIM. The mail server just needs to enforce using it. I don't think they should be blocking email completely just because the SPF or DKIM fails (since many people misconfigure it), but it should cause the mail system to score the email so high it ends up in the spam folder. When it comes to phone calls, they are trying to implement STIR/SHAKEN to combat the same thing with phone calls when it comes to verification to combat spoofing.

Even with email verification it won't completely fix the spam issue, since a lot of spam is verified. A lot of email is being sent from hacked email accounts, which will look like they are verified. This means that the root of the issue is login authentication. Things are already occurring to improve login authentication, but using a unique, hard-to-guess password for your email account is a major first step, with MFA being a major second step. In most instances users pick easy-to-guess passwords, and even worse, reuse that password at other places. Once one of these other places gets hacked, they have your email password. Your email password should be treated like one of your most important passwords, since every service you sign up for requires your email for communication, including for security purposes. Simple security practices can go a long way to resolving a lot of issues. If your system gets hacked by way of a virus, then you are completely compromised and nothing will really protect you at that point other than an antivirus program that can detect and block malicious activity occurring on your system due to the infection.

So no, we don't want to replace those; we just want to improve them, as has been happening over the years, such as with HTTP/1.1 moving to HTTP/2, and now HTTP/3, all of which still work in a web browser. Having alternatives is not a problem, but replacing what is already open and supported will just make things more siloed, since most of the companies (Google, Microsoft, and Apple) making the decisions do it for their own interests.
 
This sounds like a step in the right direction against phishing, but not perfect because socially engineered hacks towards the companies could still entrap end users (as they would then correspond with end users using legitimate email addresses)
Most companies will quickly discover if a hacker is using their own email to send emails to trick end users. It could be a problem but do not let perfection be the enemy of good.
 
While I always welcome features that increase security or privacy, I don't think this will make much of a difference because inattentive or ignorant users are easily fooled by logo graphics attached by scammers to messages. Plus from a behavioral perspective, scammers rely on fear and greed emotions. The human fight-or-flight reflex means that red flags such as obviously bogus URLs, awful grammar, bizarre word choice, or a government agency asking for gift cards are all too often ignored or discounted.
This is a massive step in the right direction and will cause a LOT of scammers to think twice and have to try to think of new tactics which slows them down, in some cases even stop them.
 
Not a fan of BIMI because it's once again not a solution, but just another overly complex workaround to fixing a broken system.

If all mail servers required and enforced an organization-validated server certificate for inbound connections from other servers, the amount of spoofed mail and junk would be reduced by 99+%. Unfortunately, no mail provider can do that alone...

If that were required by law, there would be instant adoption and the problem would be essentially solved.
Actually what you propose would not stop spoof emails one bit as security certificates can so EASILY be forged and faked.
 
I have just made it a point NOT to click links in my email. Regardless what the email is about, if I want to check the account it was supposedly sent from, I go to the web page manually. Takes just a few seconds of extra effort, and it buys me 100% peace of mind.
I've already been doing that for longer than most people are alive and they still think I am mad lol
 
Unfortunately in order to support this, on top of an https domain and the required DNS records, you have to get a bespoke "verified mark certificate" that signs the logo. There are currently only two options, costing between $1000-1500 per year. Feels like a scam.

No, it is called business.
 
Unfortunately in order to support this, on top of an https domain and the required DNS records, you have to get a bespoke "verified mark certificate" that signs the logo. There are currently only two options, costing between $1000-1500 per year. Feels like a scam.

If the companies participating in this know the pros and cons and still sign up, it's not scam.
 
Actually what you propose would not stop spoof emails one bit as security certificates can so EASILY be forged and faked.
No they really can't... not sure if you may be confusing it with something else, but TLS OV Certificates are certainly not easily faked or forged. If they were, every HTTPS website would be insecure, which it isn't. The crypto is working.
 
Apple (or the IETF) needs to replace IMAP. It was written for another age, and it's way long in the tooth.

Basically, security needs to be baked in instead of security as an afterthought. Verified senders needs to be a part of the infrastructure. It's ok to have unverified senders, but they should be marked as-such.

These days, certs are free and processing power is cheap, so issuing everyone a cert and using them for validation shouldn't be as much of a burden as it was back in the day.
Well, IMAP has not much to do with this. It works well in displaying what was carried over SMTP between mail servers. If anything, it is the SMTP protocol that should be reworked to include the features you have mentioned, although many are already there as extensions (SPF, DKIM, DANE, MTA-STS), but there are so, so many broken and misconfigured systems out in the wild, including from big players, that it is close to impossible for this 40-year-old protocol to evolve.

You can look at HTTP, for instance. We are already running HTTP/3/QUIC, and yet some sites still rely on HTTP/1.1, not even HTTP/2… this tells us something: if the interactive protocol meets resistance, who wants to change what users don’t see?

Plus, IMAP was already replaced by HTTP in some scenarios. Take corporate Outlook, for instance.

Now, this is a two fold problem. Yes, certs are free and easily available, which makes spinning up false “secure” sites trivial. Which is one of the reasons BIMI requires a somewhat large investment on their unique certificate: average folks won’t be shelling a grand for an uncertain return scam and the risk of being identified, so to a point, this is where this service is, for now, slightly more trustworthy.
 
Most companies will quickly discover if a hacker is using their own email to send emails to trick end users. It could be a problem but do not let perfection be the enemy of good.
Not at all what I was trying to imply, I am always in support of progress!
 
This article is misleading and potentially harmful.
BIMI is not designed to combat email spoofing. In fact, they say so on their site (https://bimigroup.org/all-about-bimi/): "it is important to know that BIMI is not a security solution".
BIMI does not help users verify the authenticity of emails. DMARC does.
BIMI was created for companies (brands) to push their logos in order to "enhance brand value", "improve email opens and clicks".
As for the potential for abuse, what will stop a scammer from attaching a (e.g.) Chase logo to their DMARCed domain? Trademark law?
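As an added illustration (not from any poster in this thread) of the point that BIMI's only hard gate is an enforcing DMARC policy, the Python below evaluates constructed DNS TXT records for hypothetical domains, including a look-alike domain that also passes; the domain names, records and URLs are placeholders.

```python
"""Evaluate the DMARC prerequisite that BIMI builds on, over constructed DNS data.

Constructed example: FAKE_DNS stands in for TXT lookups so the code runs offline.
Domain names are placeholders, not real brands.
"""

# Constructed TXT answers keyed by the name a resolver would query.
FAKE_DNS = {
    "example-bank.test": "v=spf1 include:_spf.example-bank.test -all",
    "_dmarc.example-bank.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.test",
    "default._bimi.example-bank.test": "v=BIMI1; l=https://example-bank.test/logo.svg; a=https://example-bank.test/vmc.pem",
    # Look-alike domain: its own, perfectly valid, enforcing DMARC policy.
    "_dmarc.example-banc.test": "v=DMARC1; p=quarantine; pct=100",
    "default._bimi.example-banc.test": "v=BIMI1; l=https://example-banc.test/logo.svg;",
    # Monitoring-only DMARC: reports failures but tells receivers to do nothing.
    "_dmarc.weak-sender.test": "v=DMARC1; p=none; rua=mailto:rep@weak-sender.test",
    # Enforcement applied to only half the mail stream.
    "_dmarc.partial.test": "v=DMARC1; p=reject; pct=50",
}


def parse_tags(record):
    """Split a DMARC/BIMI style 'k=v; k=v' record into a dict; first tag wins."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags.setdefault(key.strip().lower(), value.strip())
    return tags


def dmarc_enforcing(domain, dns=FAKE_DNS):
    """True if receivers are told to quarantine or reject 100% of failing mail.

    BIMI needs p=quarantine or p=reject with pct at 100 (the default);
    p=none only produces reports and is not enough.
    """
    record = dns.get(f"_dmarc.{domain}")
    if not record:
        return False
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    return policy in ("quarantine", "reject") and pct == 100


def bimi_status(domain, dns=FAKE_DNS):
    """Report whether a receiver would even consider the domain's BIMI logo."""
    record = dns.get(f"default._bimi.{domain}")
    if not record:
        return "no BIMI record"
    if not dmarc_enforcing(domain, dns):
        return "BIMI record ignored: DMARC not at enforcement"
    has_vmc = "a" in parse_tags(record)
    return "logo eligible (VMC: %s)" % ("present" if has_vmc else "none")
```

Note that the look-alike domain is reported as eligible just like the brand it imitates: DMARC authenticates the domain that was actually used, not the identity a reader infers from it, and the logo check sits on top of that.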
 