Email servers could start attaching certificates (similar to the certificates used for https/SSL for secure websites) to all outgoing email. Email that didn't come with a certificate could be marked as suspect. All signed email would then be trackable to a source and faking addresses would be much harder to do. After a while unsigned email would not be accepted. If spam was received from a server with a certificate then appropriate notification, or even legal action if necessary, could be done.
Clarifications:
Email servers would have certificates but not necessarily the clients. That would make adoption quicker and reduce the cost of the certificates.
This could work similar to the way that SSL works to verify authenticity. The certificate would not be for encryption. -- Stauffer, May 23 2003
Yahoo! Domain Keys http://antispam.yahoo.com/domainkeys
Signed e-mail headers allow verifying that a message really comes from the domain it claims to be from. [jutta, Oct 17 2004]
this is so so damn baked. i can sign an email right now. the only problem is that not enough people do it, because most of them don't have a key because they don't know what it is.
i'm torn as to what to vote. i think we should all sign our emails (and everything else for that matter), but the idea as a post to the bakery should be marked for deletion. i don't vote. -- ironfroggy, May 23 2003
Certificates can be faked as easily as domain names. -- phoenix, May 23 2003
[ironfroggy] How is this baked? I am not talking about the clients signing but the servers signing. I know it would be extremely difficult to get the majority of clients to sign their email.
[phoenix] How can certificates be faked? If they can be faked does that mean that an SSL certificate doesn't do a good job of certifying the identity of the server? -- Stauffer, May 23 2003
SSL certificates are not the same as public key certificates. The former uses a CRL and publishing service to verify authenticity, the latter does not. Since all you're verifying is the e-mail server and you don't mention a trusted third party, I presume you're implementing an overly complicated blacklist which uses certificate names instead of domain names.
If I have it wrong, by all means correct me. -- phoenix, May 23 2003
From recent news it looks like Yahoo is promoting an idea like this. -- Stauffer, Mar 10 2004
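The server-side signing discussed in this thread, sketched as an added example; it is not part of any post and is not Yahoo's DomainKeys code. Assumptions: an in-memory map stands in for wherever domains would publish their keys, Ed25519 is chosen only for brevity, and all function names, domains and messages are constructed.

```javascript
const crypto = require("node:crypto");

// Stand-in for a published key directory (hypothetical; a real scheme needs a trusted place to publish).
const publishedKeys = new Map();

function registerDomain(domain) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  publishedKeys.set(domain, publicKey);
  return privateKey; // stays on the sending server; clients hold no key
}

function domainOf(address) {
  return address.slice(address.lastIndexOf("@") + 1).toLowerCase();
}

// Bind the signature to the claimed sender, the recipient, the subject and the body.
function canonical(msg) {
  const bodyHash = crypto.createHash("sha256").update(msg.body).digest("hex");
  return Buffer.from([msg.from.toLowerCase(), msg.to.toLowerCase(), msg.subject, bodyHash].join("\n"));
}

// Outgoing server: sign on behalf of the whole domain.
function signOutgoing(msg, privateKey) {
  const sig = crypto.sign(null, canonical(msg), privateKey).toString("base64");
  return { ...msg, serverSignature: sig };
}

// Receiving server: "verified", "suspect" (unsigned or unknown domain) or "forged".
function classify(msg) {
  const key = publishedKeys.get(domainOf(msg.from));
  if (!msg.serverSignature || !key) return "suspect";
  const sig = Buffer.from(msg.serverSignature, "base64");
  return crypto.verify(null, canonical(msg), key, sig) ? "verified" : "forged";
}

// Constructed sample traffic.
const exampleKey = registerDomain("example.org");
const otherKey = registerDomain("bulk.example.net");
const unsigned = { from: "alice@example.org", to: "bob@example.com", subject: "Hi", body: "Lunch?" };
const genuine = signOutgoing(unsigned, exampleKey);
// Signed with another server's key while claiming example.org in From.
const spoofed = signOutgoing({ ...unsigned, subject: "Invoice" }, otherKey);
// Body changed after the sending server signed it.
const tampered = { ...genuine, body: "Wire money" };

function demo() {
  return [genuine, unsigned, spoofed, tampered].map(classify);
}
console.log(demo());
```

The check is only as trustworthy as the key directory, which is the trusted-third-party question raised in the thread.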