Jonathan McDowell wrote:
Primarily you're proposing a technical solution which requires global buy-in for it to be particularly useful.
I disagree. As long as it does not require changes to existing systems it has some (limited) use just between two parties. Agreed it becomes more useful when it scales up, though.
Your solution allows for the verification of a sender. It is useful for preventing people spoofing your address, but requires everyone to use it for verification in order to prevent you seeing blowback. It also doesn't let you be sure an email is verified rather than just from a domain without the verification support. And verifying senders won't actually cut out spam unless you only ever want to receive email from a whitelist of recipients.
I do agree with all of that.
At the outset I said that I understand that verification does not solve spam, but it is incredibly frustrating not having any general way of verifying an email is from who it says it's from. Maybe I should just make more effort to understand GPG (I've never implemented it because I don't know anyone else who does that I routinely correspond with; a server-side solution I have more hope with).
While I do agree a standard way to verify email headers etc could be useful, I don't think it's going to kill spam.
I think it would make anti-spam measures a lot simpler if there was a general way of knowing who the email was from.
DKIM etc (which I wasn't aware of until this conversation) seem a lot better than SPF, because SPF was fundamentally unusable for most of the people I know (eg who need to send email from roaming laptops etc). Therefore at present, seeing a valid SPF record is a good indicator of spam, as the spammers are the only ones using it. DKIM ought to be better. Big domains (eg aol.com, gmail.com, etc) seem to be the biggest problem (although if the domain owner authenticates the user before the mail goes through their server it's not a problem for them to sign the email as it goes through).