
uzlonewolf t1_j0sv64t wrote

The issue with that is it tells scammers the email address is real and valid while also allowing them to completely bypass all spam/phish protection.

3

resisting_a_rest t1_j0t2lmb wrote

If I send an email to a nonexistent address today, don't I get an email back saying it doesn't exist? Or is that not a thing anymore?

I suppose spam/phish protection would have to move to the client (javascript on web-based email systems), which I suppose could overwhelm the browser if you get too many spam messages.

An alternative may be to have a whitelist of addresses that are allowed to send you an encrypted email. If the email server receives an encrypted email from an address not on the whitelist, then just discard it. Use something like SPF to prevent email address spoofing. This whitelist could be a global list as well as a personal list.

But I can understand why people might not want to attempt to implement something like this; there may be many potential ways to circumvent it, and people just don't want that kind of liability.

2
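The allowlist policy described in the comment above, sketched as an added example that is not part of any comment in this thread. The addresses, the `mx.example.org` authserv-id and the function names are hypothetical, and it assumes the receiving server stamps its own `Authentication-Results` header and strips inbound copies that claim its id.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data; addresses and host names are hypothetical.
GLOBAL_ALLOW = {"secure@bank.example"}
PERSONAL_ALLOW = {"alice@example.org": {"friend@example.net"}}
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}
SPF_PASS = re.compile(r"\bspf=pass\b[^;]*?\bsmtp\.mailfrom=([^\s;]+)", re.I)

def spf_sender(msg, authserv):
    """Envelope sender that passed SPF, read from our own server's header only."""
    for value in msg.get_all("Authentication-Results", []):
        serv_id, _, results = value.partition(";")
        if serv_id.split()[:1] != [authserv]:
            continue  # not stamped by our server, so the sender controls it
        match = SPF_PASS.search(results)
        if match:
            return match.group(1).lower()
    return None

def decide(raw, recipient, authserv="mx.example.org"):
    msg = message_from_string(raw)
    if msg.get_content_type() not in ENCRYPTED_TYPES:
        return "scan"  # plaintext still gets server-side spam/phish filtering
    sender = spf_sender(msg, authserv)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    # SPF vouches for the envelope domain only, so also require that the
    # visible From address equals the SPF-checked envelope sender.
    if sender is None or sender != header_from:
        return "discard"
    allowed = GLOBAL_ALLOW | PERSONAL_ALLOW.get(recipient, set())
    return "deliver" if sender in allowed else "discard"

def sample(from_addr, auth_results, ctype):
    """Build a constructed test message."""
    return (f"Authentication-Results: {auth_results}\n"
            f"From: {from_addr}\nTo: alice@example.org\n"
            f"Content-Type: {ctype}\n\nbody\n")

PGP = 'multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"'
```

The server never sees the ciphertext's contents here; the decision rests only on the sender identity and the two lists.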

uzlonewolf t1_j0t9e8y wrote

> If I send an email to a nonexistent address today, don't I get an email back saying it doesn't exist? Or is that not a thing anymore?

Depends on how the server is configured. Most still do this, yes; however, it is rate limited so someone can't try thousands of random addresses per second. You can't really rate limit DNS like that.

The "whitelist" option is similar to what people do now with PGP/GPG keys, no special server needed.

2

resisting_a_rest t1_j0tn0fc wrote

I'm talking about making it something that the average person would use, not the person that is going to be managing public keys manually.

It could even just be an option to "send this email encrypted" for only one-off emails, and most receivers that deal with sensitive information (banks, brokerages, insurance, etc.) would be able to receive encrypted email this way. It would be the standard way of sending encrypted messages.

Currently, the way I need to do this now with my broker is to either log in to their website and send a message through it, or use a special web-based encrypted message service. It's not a nice way of doing things.

1