email-verification-protocol

Proof of email existence and spam

Open el1s7 opened this issue 1 month ago • 2 comments

If anyone can become an issuer by just adding the correct DNS records for this protocol, a question that comes to mind is: What's stopping spam services or a malicious domain from using this protocol to grant verification tokens to any fake email under their domain?

So my point is: This doesn't actually verify that a mailbox actually exists and can receive emails, we just trust what the domain owner says.

el1s7, Nov 09 '25 15:11

How is this trust model any different than how things work today? Yes, we are making it just as easy for a legitimate user to provide a verified email as we are for a malicious user -- detecting a spam domain is not the objective -- simpler email verification is.

dickhardt, Nov 09 '25 19:11

I had some similar concerns when discussing this at IIW, but I eventually became convinced that this does not change anything from the RP's perspective. Nothing is stopping sites from still blocking any domains they "don't like" for whatever reason.

Though I agree that it should be made explicit that deliverability verification is a non-goal of this proposal, cf. #23.

fkj, Nov 10 '25 07:11