
I... don't particularly get it. He mentions spoofing, he writes a page about how spoofing works... but says a lot less about how it actually impacts his solution or how to fix it.

Besides the fact that implementing a new security scheme means you have to think through every possible path and can be sure you're still missing a few, there are two major issues:

- not everybody has SPF or DKIM, and definitely not everybody has DKIM.

- both of those authenticate the domain, not the username. Within the local org network I can probably spoof email usernames without much effort.

Plus... I don't think mailto links really work universally. I remember the last time I clicked one it opened an unconfigured Outlook, even though I use gmail.




Author here. The risk with spoofing is that someone might register an email address that they can't actually send mail from.

You're right that SPF and DKIM are not universal (besides not being strictly for user authentication); this scheme would require a domain to have both in order to be secure and would require some kind of policy attestation around email local parts, which would exclude some email providers and some users. That's why it's "a random idea I had on the subway," and not something I'm doing in production :-)
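
Added example, not part of the thread or the author's scheme: a sketch of the receiving-side check the comment above implies, accepting an inbound verification mail only when both SPF and DKIM pass and align with the From domain. Assumptions: `mx.example.net` is a hypothetical authserv-id of your own MTA (which strips forged copies of its own header), alignment is strict domain equality, and all messages are constructed samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # hypothetical authserv-id of our own MTA

def _msg(from_addr, auth_results):
    # Builds a constructed sample message; none of these come from the thread.
    return (f"Authentication-Results: {auth_results}\n"
            f"From: {from_addr}\nSubject: verify me\n\nbody\n")

SAMPLES = {
    "aligned": _msg("alice@example.org",
        "mx.example.net; spf=pass smtp.mailfrom=alice@example.org;\n"
        " dkim=pass header.d=example.org"),
    "spf_only": _msg("bob@example.org",
        "mx.example.net; spf=pass smtp.mailfrom=bob@example.org; dkim=none"),
    # Mail relayed by a third-party sender that signs with its own domain.
    "misaligned": _msg("carol@example.org",
        "mx.example.net; spf=pass smtp.mailfrom=bounce@esp.example;\n"
        " dkim=pass header.d=esp.example"),
    # Header stamped by some other server: the sender controls it, so ignore it.
    "untrusted_header": _msg("dave@example.org",
        "mail.other.example; spf=pass smtp.mailfrom=dave@example.org;\n"
        " dkim=pass header.d=example.org"),
}

def evaluate(raw, trusted=TRUSTED_AUTHSERV):
    """Return (verdict, reason) for one inbound verification message."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    if "@" not in addr:
        return ("reject", "no usable From address")
    from_domain = addr.rsplit("@", 1)[1].lower()
    # Unfold and lowercase each header, then keep only those our MTA stamped.
    headers = [" ".join(h.lower().split())
               for h in msg.get_all("Authentication-Results", [])]
    ours = [h for h in headers
            if h.split(";", 1)[0].strip().split(" ")[0] == trusted]
    if not ours:
        return ("reject", "no Authentication-Results from our own MTA")
    ar = ours[0]
    spf = re.search(r"\bspf=pass\b[^;]*?\bsmtp\.mailfrom=([^\s;]+)", ar)
    spf_ok = bool(spf) and spf.group(1).rsplit("@", 1)[-1] == from_domain
    signers = re.findall(r"\bdkim=pass\b[^;]*?\bheader\.d=([\w.-]+)", ar)
    dkim_ok = from_domain in signers
    if not (spf_ok and dkim_ok):
        return ("reject", f"spf_aligned={spf_ok} dkim_aligned={dkim_ok}")
    # Both checks vouch for the domain only, never for the local part.
    return ("domain-verified", f"{from_domain} authenticated; local part unproven")
```

A `domain-verified` verdict still says nothing about which user at that domain sent the mail, which is the gap the parent comment raises.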


For most sites I sign up using an email that I could, but don’t, send email from. I assign per-site emails which all forward to another mailbox that I regularly send mail from.

I could change my client temporarily to send from one of those custom addresses, but I’d have to be quite a bit more interested than usual in your service to bother.

Even users who just have multiple emails in their client would end up sending mail from the default account, which may not match. I have a work account, my personal gmail, my personal domain mail, a family email account, and a side project email account on my phone.

Even if users just have work and personal, how many users are you willing to lose because they sent a mail from the wrong account?

I also think most of the value to the site owner is being able to hit the user with a site->user communication (often an ad or offer of some sort) and me proving I can send you mail from that address is, at a minimum, putting the emphasis on the wrong syllable, and in a lot of cases is telling you nothing about my ability to receive email at that address.


This was my first thought. I just have a * rule on my domain hosting account to send all email to my gmail, but can’t actually send from any of those addresses. I’ll usually sign up with website@mydomain.com


SPF and DKIM are universal. The proof is transactional email services. There was a time when they sent emails on behalf of clients. Now, they do it on their own account.


Yeah I don’t get it. Is this the reasoning?

Email is slow to get to me

I use neomutt (there are dozens of us, dozens!) and so links sometimes are wonky.

So let’s use SPF and DMARC, something totally outside of a regular email user’s control, to do this task. And hope that it works.


> I use neomutt (there are dozens of us, dozens!) and so links sometimes are wonky.

I used neomutt for that one example, but the other error modes happen to me regularly on macOS with the system mail client. For example, I regularly (~1/week) run into services that expect the verification email to be opened in the same browsing session, but Chrome "helpfully" picks a different profile.

(The point about neomutt was not that services should support my particular pathological case, but that graceful degradation is important everywhere. It used to be common to send multipart emails for exactly this case, but I've seen more and more services choose not to.)


In my experience, many developers are unaware of multipart email. Most are unaware of MIME or dismiss it as obvious, old and unnecessary.


When opening for the first time, Gmail asks to be registered as the mailto handler, but I guess people just hit "no" not knowing what that's about.

And there's probably a lot of web-based clients that didn't care to implement this, so yeah, if you want to use mailto links, you better have a big and patient customer support team at hand.


Even if all web clients were perfect, and all users understood what a mailto handler is perfectly, wouldn't it still break if people have multiple email addresses? If you have a gmail and a mail from one of Microsoft's mail providers, you can only have one of those webmail pages as your default mailto handler, right?


You can have it ask every time, though I doubt anyone uses it like that (or at all).


> - not everybody has SPF or DKIM, and definitely not everybody has DKIM.

A correctly configured mailserver should reject your email (or mark it as spam) if you don't use both DKIM and SPF. It's safe to assume 99.999% of users use both.


> It's safe to assume 99.999% of users use both [SPF and DKIM].

Tell me you don't have professional experience in email without telling me you don't have professional experience in email.


I have plenty of emails in my inbox that don't use both. I think you're off by several orders of magnitude.


https://dmarcian.com/fortune-100-dmarc-policies/

Around between four and four and a half orders of magnitude for the Fortune 100, with five orders being the maximum possible wrongness.



