I wish e-mail had an "authenticated receipt" feature, where you'd have to authorize a sender in your e-mail client (with e.g. an OAuth-style flow) to let them send you e-mail, and they can only do so with the negotiated key, and e-mails received from authenticated senders would be specially marked with the key-associated name of the sender.

I feel like that would address a lot of phishing issues, because all "account updates" and other messages from regular contacts could be visually and unfalsifiably authenticated. While still allowing for sending unauthenticated messages, they just don't get the marker.

Seems a lot more reliable for the average user than "check whether the URL starts with..."

@joepie91 on the other hand, a sad amount of mail admins still think SPF and DKIM are the work of the Illuminati or whatever and refuse to deploy them, so I have my doubts it would ever take off

@ChlorideCull I'm personally not too concerned with those folks, to be honest. They don't need to be using it, for it to be useful to many folks!

@joepie91 "check if the URL starts with foobar" is imo just completely unworkable for multiple reasons

- most people do not understand the structure of domains
- open redirect vulnerabilities exist
- companies commonly use third party domains

Pixietown

Small server part of the pixie.town infrastructure. Registration is closed.