Sunday, June 06 2004 @ 10:22 PM CEST Contributed by: bart
In the previous part I explained why some of the most popular suggestions for fixing the spam problem will not work. In this part I will start defining how the problem can be solved.
There are in fact a few problems that are related, and spam is only the most visible one.
The most notable problem is the ability to fake who sent a mail, which makes it impossible to reliably tell who sent an email message. This has some nasty consequences:
People using email to spread false information 'on behalf' of a person or organization that they want to harm. This already resulted in problems on stock markets at least once due to a faked press release.
Viruses using it to confuse end users and trick them into opening dubious attachments, since many people have been taught to 'only open attachments from people they know'. Well, that's easy to circumvent when a virus can make the mail look like it comes from someone they know (and there is another problem involved with this, non-text content in mail; more about that in part 3).
It is used by spammers to hide where they are coming from and to prevent people having too easy a way to get the spammer off the net.
Bottom line, this issue has to be addressed, not so much because of spam, but because it is the only way to ensure people can somewhat count on email being a serious means of communication.
Besides authenticating the sender of a mail, it would be rather desirable to have a reliable trail of how the mail ended up on your computer.
Currently, solutions exist for the authentication problem: it is possible to sign mail electronically, and to verify such signed mail. This is not 100% reliable, but it is at least as reliable as recognizing a hand-written letter from the handwriting of a specific person, for example, and that is considered to be reliable by many (see the importance of a hand-written signature, for example).
Such a thing would definitely provide a reliable enough authentication for everyday use of email.
So, if the solution exists, why isn't it being used? First of all, most people don't understand the nature of the problem, and so they do not realize that getting a mail certificate actually helps fight spam and mail fraud.
Next, there is no standardized way to sign mail, or standardized format for electronic signatures in mail, nor is there a standard way to verify them.
There is however a de facto standard among those who are interested in solving issues with email, and it is a de facto standard which seems to slowly be proving itself workable. It is PGP, or PGP mail if you prefer.
There is however another issue: it often happens that mail is sent automatically by a computer in order to report something (log file analysis, exceptional conditions and such). Are we going to have each and every account on each and every computer have their own private and public certificates?
An alternative to signed mail is to make authentication a responsibility of the mail server that is sending the message, and provide a means to know which mail servers can send messages for a domain.
Sender verification in this way is a bit less reliable; in fact, all we know for sure is that the domain part of the sender is correct.
I do however believe that this setup is better. First of all, it requires no changes to mail client software, thereby overcoming the big hurdle that things like PGP have to take. Second, it gives control over who can send mail from a certain domain to the owners of that domain, provided that there is a proper form of authentication at their mail servers.
Then, using such a setup doesn't preclude also using PGP for mail where it is important enough that the recipients can verify the exact identity of the sender independent of any checks at the domain mail servers.
A very good step in this direction is the SPF+SMTP idea. An often heard issue with regard to SPF-like solutions is that it is impossible to use for roaming clients. That is not true: it just requires a mobile client to use its 'home' SMTP server, and it requires the home SMTP server to allow authenticated relaying of mail.
In the next part, more about another of the things underlying the spam and virus problems of today: the way current mail clients handle non-text content.