Spam: June 2008 Archives

A couple days ago I received email from Paypal titled "New PayPal Plug-In - Shop anywhere online." That struck me as kind of suspicious so I looked at the mail headers. The headers showed the message did originate with Paypal's servers, and more importantly it contained a domain key (DKIM). According to Wikipedia, "DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity" through the use of a cryptographic hash.

If I had to dive into the headers to determine the message validity, how would the normal user do? Are there mail clients that would have automatically verified DomainKeys and SPF for me?

A quick Google found a product called Iconix. Iconix works with Outlook, Outlook Express and a bunch of webmail providers (No Thunderbird support) to take the guesswork out of which messages are real.

Once installed, Iconix looks at SPF/SenderID and DomainKeys to determine message authenticity. Next it looks at message identification- this is a list of companies that have paid Iconix and registered with them. If both are verified, then the message's "display From" will be altered to present a logo of the sending organizations choosing. This allows recipients to tell at a glance that the message is from who it says it is.

Iconix at first appeared to be a great solution. Its been reviewed in several trade publications. I didn't immediately find anyone disparaging them online. Iconix is installed software. As such you do wonder a bit about privacy and security implications. Their FAQ does say that the sender's email address is sent to Iconix.

The problem is that they only provide this service for the companies that have signed up. I would expect that they could validate the DomainKeys or SPF for anyone using those email technologies. While this product does solve my original question, "how can ma and pa kettle obtain a reasonable level of trust in email", it only does so for companies that have paid Iconix. That is an extensive list, and it provides better assurance that SPF and DomainKeys alone could.

While Iconix is not available for Thunderbird, there are other solutions that plugin to Thunderbird for SPF and DomainKey validation.

- update - 6/11 - fixed above where I refered to Firefox when I meant Thunderbird. Firefox can be used just like IE in conjunction with Iconix at many webmail providers.