Welcome to the Chaos
Oct. 3, 2024

You Had Me At EHLO... with Dylan Beattie

Join Ned and Chris in this episode of Chaos Lever, where they explore the fascinating and sometimes bizarre history of email and the Simple Mail Transfer Protocol (SMTP). Special guest Dylan Beattie, software development consultant and creator of the Rockstar programming language, shares his insights on how email evolved from early telegraph systems to the global communication tool we rely on today.

**Key Topics Covered:**
- The origins of SMTP and email's predecessor, telegraph systems
- Why email became the default communication tool, despite its flaws
- The first spam email and its lasting legacy
- The quirks and limitations of SMTP, including its security flaws
- Modern efforts to secure email with protocols like SPF, DKIM, and DMARC

If you're a fan of tech history, email protocols, or just enjoy hearing about the wild west days of the internet, this episode is for you!

Transcript

[00:00:00.00]
Ned: It's to the point where my children know that that is the answer to 99% of their tech problems. They don't even come to me first. They tell me, I tried turning it off and on again, and it still doesn't work, dad. Okay.


[00:00:12.12]
Dylan: The best explanation of that I think I ever heard was someone said, Look, imagine you're trying to find a new pizza place in an unfamiliar neighborhood and you're completely lost. But if you snap your fingers, you can go back to your house and try again from somewhere you know. Would you do that or would you keep going round and round in circles in a place where you don't know where you are and you don't know where you're I was like, Oh, yeah, I guess. I'm like, That's what it is. Switch it off and on again means it gets to start again from home and figure it out.


[00:00:38.00]
Chris: I just had a light bulb moment. I would absolutely be the moron walking around in circles in the middle of a strange town. Yeah.


[00:00:44.17]
Ned: Wow, that explains so much about you, Chris.


[00:00:46.13]
Dylan: Now, those people do end up with much better stories, but they don't end up with pizza. It's true. It depends. What do you want to go home with at the end of the day?


[00:01:02.28]
Ned: Hello, dear listener, and welcome to Chaos Lever. My name is Ned, and I'm definitely not a robot. I'm a real human person with feelings, message queues, and mind support for non-ASCII characters just like you. I do not mind UTF-8 encoding at all. Hooray, emoji. Hooray, emoji. Syntax error. With me is Chris, who is also here. Hi, Chris.


[00:01:29.12]
Chris: So is that actually an emoji? Because I've found a number of things that are not emojis but should be, and I have written so many angry emails to the Emoji Commission. For some reason, they've all gone unanswered.


[00:01:41.23]
Ned: I don't think you put the correct emojis in your proposal, obviously. You have to put the thank you emoji, and then they'll get back to you.


[00:01:50.29]
Chris: Dear sir and/or madam, I hope this missive finds you smiley face.


[00:01:56.05]
Ned: See, you get it. And today we have a special guest. Dylan Beattie is a software development consultant, conference speaker, and musician from London. He's also a fellow Microsoft MVP and inventor of the Rockstar programming language, and he's joining us to talk about none of those things. Hello. Hello, Dylan.


[00:02:14.28]
Dylan: So I just want to tack on. Hello, folks. How are you all doing? I want to tack on a thing you were saying there about emoji and everything, because the thing that I have been petitioning the emoji thing to do is I want them to go full Mr. Potato Head with the face emoji. There's an emoji with a cowboy hat, but it doesn't have the skin tone modifier and it can't have a beard. I want my little personalized emoji to be me with my skin tone and my beard and my hat. That's what I want. And optionally, sunglasses if it's a bright day out. And they do skin tone modifiers. That's done using Unicode combining characters. They got a great system for that. They got different professions now. So a woman plus a rocket ship is a lady astronaut. Why do they not have human face plus beard plus skin tone plus hat plus accessories? And just, you know what? Let's just do it. Mr. Potato Head, the whole thing.


[00:03:04.25]
Chris: I like it. And I think this is the one and only way that you could actually make Pike Matchbox a reality. And that will be the end of the pandering for the episode.


[00:03:16.13]
Dylan: Fair, fair. So, yeah, let's talk about none of those things.


[00:03:19.24]
Ned: We'll talk about what everybody is just hungry for, and that is a long diatribe on SMTP.


[00:03:27.00]
Dylan: Yeah, running it. So Yeah.


[00:03:32.29]
Ned: Well, let's give a little background to SMTP, and we'll start way before that because electronic communications go long before the humble email. And some of the origins, we can actually trace all the way to the telegraph and the teletype. Samuel Morse was a real person, and he created the Morse code and then sent a telegraph from DC to Baltimore, or Baltimore to DC, it's one of the directions. And the first message was, What hath God wrought? Which is like, Strangely prescient, Samuel.


[00:04:06.11]
Dylan: There's a bunch of things about the original... There's two things I love about the Samuel Morse telegraph system. It wasn't actually the first one. It was the first single wire telegraph system, which meant that it had fewer mechanical breakdowns than any of the previous systems. First one ever was in the UK. It was the Cooke and Wheatstone system, which was about 1834, and it had five wires. It was a five wire telegraph system, and it connected loops. So you'd send a current up one wire and back down the other one, and then one of the wires burned out. And the thing that I always have to remind people when we talk about telegraph systems is it is easy these days, if you've ever debugged any comm system, you'll phone the person on the other end and go, Right, we're going to send you another one. That didn't exist yet. If you wanted the people on the other end to know that you were about to test the telegraph system, you had to send somebody on a horse to tell them to watch the telegraph system. So Cooke and Wheatstone, then they had five wires, one of them burned out, so then they had four wires, and one of them burned out, and then they had three wires.


[00:05:11.23]
Dylan: Morse jumped the gun on all this and went, Well, one wire. Electrical engineers are like, Well, how can you have a circuit with one wire? It's like, Well, no, you have ground. That's it. It's a potential difference between wire and ground. So yeah, it's a one wire system. The other thing is that Morse code is not... It's named after him, but the code that he invented is not the one that's named after him. Because Morse code that most of us in the world use is international Morse code, which was invented in Germany by a guy called Friedrich Wilhelm Gerke. So Samuel Morse, great idea, invented a code. We didn't use it, but we put his name on it anyway.


[00:05:48.16]
Chris: It was a pretty clever way of getting a lot more out of what is considered a binary system. Because it's not just on off.


[00:05:56.20]
Dylan: Morse isn't binary. I've had this argument with you because Morse is a time-based coding system. You think dot, dash, dot, dash, but actually the pauses are semantically valid. The pauses are important because dot, dot, dash and dot, dot, dash, they're different things. Every symbol, if you try to encode a Morse in something like a text file, you need dots, dashes, and spaces.


[00:06:18.11]
Dylan: You need three symbols to be able to make sense of it. You have single space, triple space, and five spaces between words and stuff. A lot of people are like, Oh, it's dots, dashes. It's binary. You're like, No, I'm like, Come, try it out. They're like, Oh, yeah. Which is why ASCII ended up being the big deal that it was about 100 years later when we brought that in.


[00:06:40.05]
Ned: One thing I found when I was doing the research for this is when we started moving to machines doing the interpretation instead of humans, we started using a five-bit code that had two to the fifth, so 32 possible combinations. And that encoding was invented by a Frenchman, I believe, named Émile Baudot. And that is actually where we get the term baud rate going over the wire. Is it really? Because baud rate is how many symbols are being transmitted across the wire. At the time, it was pretty slow. But they kept using that terminology. That's why if you were getting online in 1993 with a 56K baud modem, that's the same unit of measurement.


[00:07:26.16]
Dylan: Yeah. It's always... I love the little moments when we change the standard unit used to measure something. The days when home Internet connections went from being measured in baud to being measured in kilobits. The other one that I remember, and this one I liked because it changed direction as well, is when memory went from being measured in nanoseconds to being measured in hertz. Because it used to be, how long does it take? Then how long it took became a ridiculously small number. The manufacturers are like, Can we flip this so the number starts going up again because it's easier to advertise? So they switched from 10 nanosecond RAM or 100 nanosecond RAM became something gigahertz RAM. And now the RAM speed goes up and up and up. But we actually switched the whole system there. But yeah, I remember going from baud modems to kilobit modems. Now I have gigabit Ethernet, gigabit fiber, coming to my house, which still is unbelievable.


[00:08:22.16]
Ned: Yeah, I do, too. It's amazing. And the irony is that my router can't actually handle gigabit speeds. It's not the router. It's the run of the cable from where it comes into my house to the router is too long. I have to replace the cabling if I actually want to get gigabit to the router, which I'm not going to do. It's just never going to happen. 300 meg is fine. Well, let's fast forward a little bit. So telegraph companies, they faded out in favor of telephone companies, and that became the dominant form of communication for most people. We weren't sending telegraphs. We were ringing somebody up on the phone. The early days of ARPANET also used telephone lines. They used leased lines from the telephone companies to connect interface message processors called IMPs, which is delightful. I like imagining a little creature on each end of the line just gobbling the bits. Those were connected to mainframes at universities like UCLA, and it was at such a university where email across servers was born, and then later SMTP.


[00:09:30.09]
Dylan: I mean, the interesting, what are my other... I love all these little quirks you get when you dig into the history of tech. Email is older than networks because the first standard for electronic mail was basically the equivalent of leaving letters in someone's pigeon hole in a university department. You'd have these mainframe computers with no network connection, but they'd be shared between 40 or 50 different researchers, and they'd all have logins. Obviously, if you wanted to leave someone a note, you'd send them mail, but the mail didn't go anywhere because the computer wasn't connected to anything. And so email was around for at least a couple of years before anyone thought, Hey, well, what if we could send the message to a different computer? That would be a big deal, right? Let's... Yeah.


[00:10:10.24]
Ned: Yeah. First, you actually had to connect to those computers. So that was a whole thing. And then realizing, Oh, well, maybe if I wanted to, I could send a message. So yeah, the implementation of mail on a single server was literally, you were given special permissions to write only to somebody else's file. You couldn't read it. You could only append to it. That's how you send a message is you were actually just appending to their mailbox file.


[00:10:37.22]
Dylan: That foreshadows what I think makes email such a compelling technology is it is one of the very few systems where it is implicit that you have write access to a total stranger. You think about it, the thing that makes it work so well, every other system that we've got, pretty much, you have to have signed... If I want to send you a WhatsApp, you have to have signed up for WhatsApp first, and Messenger, and Telegram and Signal, all these other things. It's implicit that both people have created an account on the same platform to be able to facilitate that communication. But email is like, No, I've got an MX record and I'm open on port 25, send me stuff. We're going to probably spend the rest of this episode talking about how that is both wonderful and terrible in all kinds of ways.


[00:11:27.29]
Ned: We had to clamp down on that openness pretty quickly.


[00:11:32.18]
Dylan: Or try to. Yeah, that's the problem. If you clamp down too much, it stops working. I remember early in my career, I had a company that we did some partnership stuff with, and they would burn down all of their email addresses every three months and replace them with new ones. After three months, you'd reply to them and you'd get back, Sorry, Aaron doesn't work anymore. Now I am a_something. You'd be like, Really? You want everyone to update their address book every three months because you have... It's a spam problem. It's a problem that we have never solved because fundamentally, the value of email is that a total stranger can send you something and you can receive it. Anything that jeopardizes that undervalues the problem. People don't use it because they're like, Well, why would I install a thing that means people can't email me? What's the point in having email if I'm then going to pay more money for it to not work?


[00:12:28.29]
Ned: Yeah, that's a tough choice. To wrap up the brief history of email. There was a guy, Ray Tomlinson, that was working for BBN, which was eventually bought by Raytheon, I believe. But he was working on ARPANET, and he had access to mainframes that were interconnected, and he thought to himself, Hey, there's this program called SNDMSG that is used to send mail inside of the server, and there's this other program called CPYNET that lets me copy a file from one server to another. What if I take the CPYNET protocol, put it in the send message, and now I can send that message to another server? But how do I address that? Because on the local system, it's just the other person's username. I know, I will say this user at this other system name. Well, there's an @ symbol. I'll just use that. And thus the email address was born.


[00:13:26.27]
Dylan: Yeah. And it's one of the things I think a lot of folks take for granted now is that they assume that ASCII was the right set of characters, but the people who built ASCII, they had to make all kinds of decisions. What's in, what's out? What do we have space for? I'm never entirely certain why the @ symbol made the cut. I'm guessing it must have been for product inventories, this many of that product at this price. But to me, that was certainly when I was a kid growing up in the decade or two before email went mainstream, nobody ever used an at sign for anything. Most people, you got in, I don't know, 1988 and asked someone to draw an at sign, they don't know. They're like, Is it like a... They'd come up with something that looked like an at sign, maybe like an ampersand. They weren't really sure. They'd never really seen one. It was in ASCII. It made the cut. It was one of the 128 characters, well, actually 96, minus the control codes that became immortalized. But then nobody used it for anything for about 30 years, which I love.


[00:14:30.08]
Ned: Well, I like that you brought up the ampersand. People can easily draw that. If you asked me to draw one, I absolutely could not do it without looking at the keyboard first. Which is funny because there was a time where ampersand was actually part of the alphabet. That X, Y, and Z was actually X, Y, ampersand, Z.


[00:14:49.19]
Dylan: And per se, by itself in Latin, that's where it comes from. And per se, and. Then they went, No, it's not a letter. I'm like, Well, how do you decide that?


[00:14:59.27]
Ned: Who decides? What are letters anyway?


[00:15:03.15]
Dylan: Most countries now have councils of orthography who decide this, and then the rest of the world goes, We don't care. Language is how you use it, pretty much.


[00:15:16.08]
Ned: SMTP was finally actually drafted as a standard because before, they were just cobbling along with... They gave up on the send message and copy net thing pretty quickly and replaced it with FTP as the carrier for mail. That wasn't great. They invented SMTP, Simple Mail Transfer Protocol. Well, actually, they tried just Mail Transfer Protocol, and apparently that was too complicated. So then they came up with another RFC that had simple in it. And just like Amazon S3, it is not simple at all.


[00:15:48.02]
Dylan: But then 10 years later, they come up with extended simple, which extended the simplicity to whole new hitherto unforeseen areas of simplicity.


[00:15:58.18]
Chris: It's quite the contradiction in terms, if you think about it.


[00:16:03.05]
Dylan: Well, I like the idea that we're not going to make it complicated. We're just going to extend the simple. That's what this is. It's still simple, but it's extended.


[00:16:10.22]
Chris: Now with 25% more simple.


[00:16:12.29]
Dylan: Yeah. See? You got it.


[00:16:15.25]
Ned: Oh, jeez. We'll get to the extensions, and God, they are a mess. But yeah, the original protocol was actually pretty straightforward. It had a few verbs that you had to support, like the conversation that you would have if you were a client sending to another server, you would start with the verb MAIL. Hey, I got mail for you. And then you would say, Here's the recipient of the mail. And if that recipient was accepted by the server, then it would say, Okay, send me the mail, and you would start with the DATA command, and you would just send them the data, which, of course, had to be in ASCII because that's what everything was expecting at the time. And then when you were done, you did a carriage return line feed, a period, and another carriage return line feed, and that signaled the end of the message.


[00:17:03.01]
Dylan: One thing that I've never understood is why carriage return line feed, carriage return line feed? Because most of the early email systems were based on Unix. It was days before Linux, but it was various Unix distributions. They didn't use carriage return line feed as a line separator. That was a Windows thing. I don't know whether that was because they wanted to be able to put line feed, line feed in the email without it terminating the message body or what? I have no idea. It's something I've never actually managed to determine. But yeah, there's two things in the world that insist on a carriage return line feed. One is Microsoft Windows and the other one is SMTP.


[00:17:40.15]
Ned: And both of those have burned me several times.


[00:17:45.02]
Dylan: But we keep coming back to them.


[00:17:49.00]
Ned: The original draft was in '82, but they updated it over time. The most recent update to the protocol itself was in 2008 in general. Then in 2015, there were a couple updates specifically around the reply codes, like the 500 codes you could potentially get back from a server. When I was looking through things, I realized that basically everything is reliant on DNS in the world of SMTP. Actually, I could probably just say everything is reliant on DNS, period, but especially SMTP. The thing about that that I think is...


[00:18:24.17]
Dylan: I think DNS is one of the cleverest things ever created. It's not perfect, but it has stood the test of time phenomenally well. Actually, the thing I love about DNS is, so going back to whenever, '83, it was put in place and rolled out, it was a guy called Paul Mockapetris did all the design on DNS, and there were five competing standards for how to do name resolution of IP-based networks. They gave them all to Paul and said, Could you go through and combine all these? The legend has it, he looked at them and said, These are all terrible. Threw them out and just came up with a new one and said, Hey, this is what I made out of those five. The lovely thing about it is that it scales with the size of the network that it's serving because it's hierarchical. As long as you can find a root server, the root server will go, Well, no, you go and talk to these people. Then those people go, Oh, yeah, actually, go talk to these people. Then those people go, Go and talk to these people. The whole thing scales all the way up and down again.


[00:19:27.19]
Dylan: The challenge, the big challenge around SMTP has always been that if you did anything which would introduce a breaking change, nobody would adopt your proposal. Nobody would have adopted your update because it meant email wouldn't work. If email wouldn't work, you can't be the person out there going, Hey, I don't do email. Can you all do this new thing that I've got, which is better than email? Everyone's like, No. This is something that I talk about a great deal in all kinds of different contexts is, Yeah, we got WhatsApp and Facebook and Signal, Telegram and any number of Teams, Slack, whatever. But when I buy something on a website, I want an email. I want to actually, don't send me the, You've just taken £500 of my money, and by the way, you're going to send me a WhatsApp message to say you've done it. People know this. They're like, Yeah, actually, we care about the money. If the people spending the money want the email, then we're going to do email. You get the email. Yeah, email is the fundamental. It doesn't matter who you are, what you host with, whether you're running Linux or NetBSD, or you've got one of those Amstrad emailer phones with an email address.


[00:20:35.22]
Dylan: It works. It is this last bastion we've got of being able to talk to each other without a trillion dollar tech multinational mediating the conversation. One of the reasons that it works so well is they've never broken it. It's backwards compatible. I'm putting together some training stuff at the moment for a course about how to do email development. One of the things I show you is, look, you can open a Telnet client and you can send an email to Gmail using commands from 1982, and it works. People are like, No, you can't. I'm like, Yeah, you can. Watch this. They're like, Wow. But the way they've done that is they're like, Well, we can't mess with SMTP, so what else do we have? We got DNS. Unlike SMTP, DNS is almost infinitely flexible in what you can do with it. All of these evolutionary steps they've taken to improve the design, performance, everything of the way email works, they're like, Well, we could put something in DNS. Then what that does is it places the onus on the participating parties to be like... Because Gmail recently, within the last two years, they started rolling out restrictions to bulk mailers saying, If you haven't complied with X, Y, and Z, then we're going to start marking your mail as junk, and eventually we'll just stop delivering it completely.


[00:21:51.10]
Dylan: First time that happens, someone's like, Oh, yeah, this can't be important. I don't know what that is. And the second time, they're like, I have to do what? And the third time, they're like, I should probably figure out what this SPF thing they're talking about is. But I think this is how you roll out progress to something as ubiquitous and as unevolvable as SMTP is you need to put in place a solution that is initially opt-in for the early adopters, and then it becomes opt-in with a little bit of pressure, and then the big players need to be like, Actually, we're going to start tightening the screws on this a little bit. And then eventually everyone's like, You know what? All right, whatever. Fine, I'll do it. I don't care. I'll set up my DNS security records. Then it's done. And then you're like, Right, what's next?


[00:22:41.12]
Ned: Most of the records now are all TXT records, which is just a generic record that could hold something. What's interesting is back in the late '80s, they tried to introduce a bunch of different resource record types that were mail-specific. There was MB, MD, MF, MINFO and MR record types. Really? No one used them.


[00:23:06.21]
Dylan: It's always fascinating. I've spent so much time working with and researching email, and I'd never come across that detail before.


[00:23:13.07]
Ned: It is in the RFC, and then it disappears real quick. Because everyone was like, We're just going to use the MX record and call it good. That's what they did. The other thing they did was, and you talked about this earlier, is they extended SMTP. But like you said, you can't break SMTP. If a server rings you up and it's running an older version of SMTP, you still need to accept that mail. The very first thing a server does is it says hello. It does that by sending H-E-L-O because all the commands are four characters for reasons I could not decipher. Sometimes it's painful.


[00:23:51.26]
Dylan: It's so obvious you wouldn't even think it needs writing down. It's so when you look at a transcript in a fixed-width font, things line up. Oh, Jesus. That's literally... Yeah.


[00:24:01.09]
Ned: Well, what they decided is instead, if you support the extended version of SMTP, then instead of H-E-L-O, you'll send E-H-L-O. Which you can still say as hello.


[00:24:14.11]
Dylan: Always reminds me of... You guys know the movie Labyrinth? There's a scene in Labyrinth where she meets the little worm, the little blue guy, and she looks around and she says, Did you say hello? And he says, No, I said 'ello, but that's close enough. That's it. I'm like, Jim Henson's Creature Shop invented extended SMTP. 'Ello.


[00:24:35.02]
Ned: I honestly would not be surprised if someone working in that creature shop had a hand in the RFC. Oh, yeah.


[00:24:40.20]
Dylan: Not surprised in the slightest.


[00:24:44.13]
Ned: So those extensions, there were ones that are standardized and have to be approved by standards bodies, but they also added one that was just X extensions that start with the letter X, and those could be whatever you wanted them to be, which meant Microsoft and Google and other companies could just go totally buck wild with anything that started with X. As far as I know, they did. Yeah.


[00:25:07.25]
Dylan: This is the X prefix that exists in HTTP headers as well. It's like, we got this thing that our client and our server both want, but we know the rest of the world doesn't care. We're going to put an X on it. That means that if you don't know what it is, you can ignore it, which I think is a pretty good way of doing things. What's interesting, certainly on the web, is the extent to which these proprietary extensions end up rationalizing. If you folks ever spent any time working with CSS, they came up with something very similar so Microsoft could put in their own private rules and Apple could and WebKit could. Then they got to a point where there are three different companies out there all using private vendor prefixes to do the same thing. Maybe that should be a standard now. And then eventually the vendor prefixes go away. I don't think it's happened to quite the same extent with things like SMTP and HTTP. But I do think one of the best things you can do if you're designing any protocol is to have a very clear, right, everything up to this line is official and supported, and you better make sure it works.


[00:26:10.13]
Dylan: And if you need to do your own weird stuff, please do it like this. And even a thing like Unicode has a private use block. There's a chunk of Unicode characters that Unicode has said, We are never going to put anything official in this block of code points. If you want to put your company's logo type in your own font so you can use it, please put it in one of those. It works. There's a font called Cascadia Code, which is a nerd font, as well as all the regular programming things. It's got the GitHub logo and all this stuff in the private use block that you can use to get funky little console terminals and that stuff. Yeah. So absolutely, create the protocol and then say, If you want to do something that's not in here, this is how you do your own stuff.


[00:26:52.26]
Ned: Sadly enough, Cascadia is one of the included fonts in Canva. If you've ever used Canva? Yeah. Because they know. Yeah. They know what weirdos are using their software.


[00:27:03.17]
Dylan: Cascadia is interesting because Cascadia Code was an open source font published by, I think it was Microsoft. I don't know who the foundry was. With a thing saying, you can take this, you can modify it, but you got to give your modifications a different name. For a couple of years, there was Cascadia Code, and then there was Caskaydia Cove with a K instead of a C, and that was the nerd font version. Then Microsoft went, actually, the nerd font is a really good idea. We're going to fold that back in. Now the latest release of the official Cascadia has all the nerd font glyphs included in it.


[00:27:36.16]
Ned: I'm going to have to check that out later. Fire up Canva, let's see what it's got. The last thing I want to mention about SMTP is its complete and total lack of security.


[00:27:46.12]
Dylan: Yes.


[00:27:48.02]
Ned: I can count the different ways, but I don't know if there are some favorites that you have about security features it's lacking, Dylan.


[00:27:54.23]
Dylan: The whole security features it's lacking, one, all of them, two, see one. This goes back to what we were talking about right at the beginning, which is if email was secure, it wouldn't have worked because the mechanisms did not exist for somebody to... Authentication is about there exists some account somewhere, which is a proxy for a human identity or a corporate identity. Authentication is about you being able to verify that you are acting on behalf of that person or that corporation at this point in time for the purpose of this transaction. With that registration mechanism, someone says, Hey, I want to send you an email. You're like, Who are you? They're like, I'm Dylan. They're like, Oh, are you?


[00:28:37.27]
Ned: Like, Yeah.


[00:28:39.06]
Dylan: Who's Dylan? We don't know any Dylan. You're like, That's because it's me. I've never talked to you before. They're like, Oh, you're going to need to create an account. I'm like, Well, how do I do that? They're like, Well, who are you? I'm Dylan. All right. Well, you're not in our list. You're like, I know that. It's the digital equivalent of turning up and going, Hey, I need ID. They're like, Do you have a passport? You're like, No. How do I get a... Oh, you need a birth certificate. Well, I don't have that either. Well, what do you have? Well, I don't have anything. Well, then you can't be anybody. You're like, I'm somebody. Look, this is me. I'm me. It's with noises coming out. They're like, Hey, that exists in our system. An email was like, Yeah, we'll just trust everyone to play nice. It probably sounds horribly elitist, but this was in the days when there weren't any stupid people on the internet because it was so difficult to get connected to it in the first place. The only way to get online was you needed to get a job at one of the kinds of places that had a network connection, and they didn't hire stupid people, or you needed to be affiliated with a university research institute, or you needed to figure out how to do it by yourself using acoustic couplers and app codes and all this stuff.


[00:29:46.07]
Dylan: It's not that there were no stupid people, but generally there was a barrier to entry which encouraged the degree of responsibility and the way people interacted with it. In a lot of things like security, they didn't think about it because one, it would have been prohibitively difficult, and two, there was this... I've said before that the biggest problem with email is it was invented by hippies in California in the 1970s. Do you folks know the story of the first junk mail ever, the first spam?


[00:30:19.20]
Ned: Yeah, but I think it's worth going over again, for sure.


[00:30:23.10]
Dylan: This was in 1978, and it's the Digital Research Corporation. Someone's selling a computer. Basically, at this point, you could buy a directory of the internet, which was a printed book that had every single person on the internet. No, really. Every single person on the internet, their name, their phone number and which machine you could get them at. DEC, they had a bunch of sales offices on the US East Coast, but they didn't have much of a presence on the West Coast. So somebody went through the internet manual, the host file, and just got all the people on the West Coast and emailed all of them and said, Hey, come to this hotel and check out our new computer. They emailed about 400, 450 people. At this point, the internet was still the ARPANET, and it was still under the nominal jurisdiction of the United States Department of Defense. Major Raymond Czahor got involved and was basically like, I am an Air Force major, and you will not use our network to send your... Do you understand? I'm like, We need to bring some of that back. Like, full on Jack Nicholson in A Few Good Men.


[00:31:36.19]
Dylan: Someone sent spam. I want them having the full, you can't handle the truth, both barrels. But yeah, that's not unfortunately how it went down because a lot of people got upset, but a lot of people also went and turned up and bought computers, and so email junk marketing was born.


[00:31:53.04]
Ned: It didn't get better after that.


[00:31:55.09]
Dylan: No. Well, no, I can't.


[00:31:59.20]
Ned: We found so many, like, kludges to try to block spam. The biggest effort is to block it when it's received. There's places like Spamhaus and other services that maintain blacklists of IP addresses and senders. If something comes from those, then just block them. Yeah. You've never ended up on one of those blacklists- I have many times.


[00:32:24.11]
Dylan: For a long while, I maintained an email delivery system that was sending... It was sending job notifications to out-of-work actors. You have never encountered anybody who wants email as badly as an out-of-work actor whose next email might get them an audition, seriously. I've never dealt with anything like it. If we had a quiet day, people would phone me to ask if everything was all right because they hadn't had an email for half an hour. And we'd check everything was okay? Yeah, once in a while, we'd end up on one of the spam lists for whatever reason. We were as meticulous as we could be about complying with all the recommendations, best practice, DNS, security, everything. But sometimes they'd just be like, oh, yeah, we're just... Like Spamhaus would be, we're going to block this entire /24 subnet. And you'd be like, You're going to do what? And they're like, oh, yeah, if you want to get off, you can fill out this form. And I'm like, I have better things to do than fill out your form. And this is the equivalent of... Then imagine you're walking home one afternoon and you notice one of your neighbors, they've dug a hole in their front yard and there's no safety rail or anything around it.


[00:33:39.25]
Dylan: You think, That could be dangerous. A kid might fall in that. This is bad. It's not good neighborly behavior. You tell the cops, and the cops are like, Right, and they shut down the entire neighborhood. Nobody goes in, nobody goes out, and you can't get home. You're like, I live over there. They're like, I'm sorry, if you want to get back to your house, you got to fill out this form. Then you discover that no one's even checking there's actually a hole. Anybody who wants to can just phone the cops and go, There's a hole in the yard, close the neighborhood, and they will. It's guilty until proven innocent. You can be guilty inside of five minutes, and you're allowed to protest your innocence up to twice a week, and it takes 48 hours to process the requests. It's one of those things. I believe that the real-time black hole databases and stuff, the people running them are doing so out of a sense of responsibility and because they think that their solution is going to improve the net, generally. But I think that the way they've gone about doing it is spectacularly misguided. The most recent one, it wasn't email.


[00:34:45.04]
Dylan: It was somebody... Same idea. You can report network services that you think are being malicious or being abusive, and various sites will shut them down. Somebody reported a site that was hosted on GitHub Pages that was hosting malware. This made it onto the Spamhaus RBL of dangerous IP addresses, which meant GitHub Pages stopped working for about a third of the UK for 48 hours. So not just GitHub Pages, the official GitHub Windows client download that's hosted on that IP address. Every website on a GitHub Pages host, that all went dark and the whole thing just shut down. And BT Openreach, who are the backbone provider for the vast majority of residential Internet in this country, were like, a connection failed. And you're like, Connection didn't fail. No, no, no. That connection got told not to by some weird people on the Internet who decided that this is bad. And yeah, if I had a dollar for every time that I've been blocked by one of these services despite doing everything I could to do everything right, I'd have, I don't know, maybe $50, but still.


[00:35:59.16]
Ned: $50. It's enough to go get a meal at the pub or something. Yeah.


[00:36:02.13]
Dylan: Why not?


[00:36:04.19]
Ned: Well, I mean, some of the protections that we did put in place, stuff like SPF, DKIM, and DMARC. For folks who are not familiar, SPF is just a way of putting a text record in DNS that says, Here are the services that are allowed to send mail from my domain. If you get a message from a server that's not on this list, don't accept it.


[00:36:25.20]
Dylan: This is all to do with SMTP. The interesting thing when you talk SMTP security, actually, you got to look at it from two different perspectives because there's SMTP as a way of sending email, and there's SMTP as a way of delivering email. SMTP as a way of sending email, that's easy because you have an outgoing relay that normally it's fair to assume that you have a pre-existing relationship with the people who provide it. I got an outgoing relay I can use here from the people who provide my home Internet connection because if I abuse it, they know where I live. I got another one, if you use Gmail. Gmail gives you an outgoing relay that you can use to send mail as long as you're sending it from your Gmail address because they know who you are. They can shut this down. That one's easy because both parties are previously authenticated. You know who they are, they know who you are, and you can only use it for certain predefined things. So that one we solved. They give you a username and password or they give you an API key and you use that. The other end, delivery, that's where it gets much more interesting because someone turns up at your email server and says, Hey, I have email. I'm here for Dylan, and you're like, Oh, yeah, who's it from?


[00:37:32.10]
Dylan: And they say, it's from Bill Gates. And you're like, All right. And prove it. What can you do or what can that piece of software do to examine this incoming email and say, who is this really from? So it can be like, all right, well, it says it's from billg@microsoft.com. It goes in DNS. It looks up the SPF. SPF says, here are the IP addresses that are allowed to send mail on behalf of microsoft.com. And then you look at the mail, you're like, did this connection come from one of those addresses? No, it didn't. All right, well, that's interesting. And it turns out that Bill is on holiday and Bill has connected his laptop to the hotel WiFi. And this is where you get into this interesting gray area about certain libertarian ideals about how the net is supposed to operate. There's a guy called John Gilmore. John is a self-identified libertarian cypherpunk. I think he was employee number three at Sun Microsystems or something, like a single-digit Sun Microsystems employee number. He runs an open relay out of spite. He runs a... hop.toad.com is an open SMTP relay that he has still got set up so that anybody in the world who needs to send email can send it via hop.


[00:38:52.28]
Dylan: toad.com. Of course, the reaction to this is that every reputable ISP on the planet refuses to accept email that came from hop.toad.com because it's obviously spam. John Gilmore's attitude is, Well, that's just them being... That's bad behavior. They should accept it. This is the Internet, man. It's peace and love and open relays. They're like, No, that's not how any of this works. We tried that and it failed. Gilmore is an interesting guy. I absolutely agree with 95% of what he says. Then the last 5%, I'm like, Oh, no, you... No, really? You're going to go that little extra step further. But he's one of those characters who, the fact that they're on the other side of the line makes it easier for the rest of us to realize where we think the line is, because there's this person, and they're like, Yeah, he's definitely too far. The line is somewhere between me and him. That's useful information for me. But yeah, so all the stuff, DNS and SPF, and then DKIM, DomainKeys Identified Mail. SPF is just like, Hey, yes or no. Then it's up to you to look at it and decide whether you're going to accept it or not.


[00:40:09.10]
Dylan: I have DKIM set up for a whole bunch of things because I basically break email for fun and profit and then write talks about how I did it. If you look up the DNS records for funwith.email, I think it's the most complicated set of mail relays you'll see. Anyway, because I got subdomains for that that are registered at and Outlook and Proton Mail and Fastmail and Zoho. Basically, all the big providers, I've set up accounts with all of them and then aliases and different funwith.email records. Yeah, the DKIM thing says, Look, if you get a message claiming to be from here, but it actually came from messagingengines.net, then that's legit because that's a relay provider that I use. You can put hints in there that are like, If you see this, it means drop it. If you see it comes from here, then flag it as junk, but deliver it. If you see it from here, that means it's good and you can pass it. It's all about giving the recipient, the incoming systems, enough context that they can look at a mail and decide what to do with it right there and right then.


[00:41:12.23]
Dylan: One interesting thing for me... Another thing that I haven't seen anyone really working with is email was basically designed... SMTP was designed on the premise that not everyone's connected all the time. When you send mail, you might connect to the net just long enough to send the mail and then you're going to disconnect. These days when pretty much everyone is online 24/7, there is the ability for a message to get in and you can be like, Well, this message claims that it is messageid #gooid@microsoft.com. You ping microsoft.com, Hey, I got this. Did this come from you? And they can say yes. You could develop a relatively lightweight protocol that gave you message by message authentication. Again, it would be soft opt-in. It's something you could develop the protocol. You could roll it out. People could start gradually switching it on. If it proved successful, you'd get to a point where the big players like Outlook and Gmail start first of all encouraging and then insisting and eventually shutting down anyone who doesn't comply with it. I haven't seen anything. All the stuff I've seen around improving email security on the delivery side of it has been about domains and DNS records and IP addresses.


[00:42:25.27]
Dylan: I haven't seen anything that acknowledges the fact that a domain could be compromised overnight, and so everything that was good yesterday is bad today. But early days, we're still trying to make this stuff better without breaking anything that worked in 1983.


[00:42:45.07]
Ned: Yeah, and any changes they want to make have to be rolled out very slowly. Like you said, Google is just finally now saying, Bulk mailers, which is only people who send more than 5,000 messages in a single day, have to now comply with SPF and DKIM and... But everybody else, we're not enforcing that yet. But I think eventually, they will get to the point where it's across the board, you have to have these records.


[00:43:08.13]
Dylan: Gmail is approaching the point where if Gmail does it, then email does it and vice versa because it represents such an astonishing... Actually, one of the really interesting things, the biggest provider of mailboxes is Gmail, but the biggest provider of mail clients is Apple. Something like there's some weird, and I don't entirely understand why this is, but more than half of all the email that is ever read anywhere in the world is read on an Apple device. I seriously wonder whether there's some intersection there between a certain demographic of people in certain parts of the world who tend to use email over tools like Slack and Zoom and those kinds of things. But yeah, I thought that was interesting. I have a Gmail account that I read on an iPhone, so I'm definitely ticking boxes in both of those camps.


[00:44:02.01]
Ned: You're part of the problem.


[00:44:03.03]
Dylan: I am, yeah. But maybe also part of the solution. I don't know.


[00:44:07.25]
Ned: We'll have to wait and see. Well, Dylan, it's been an absolute pleasure having you on Chaos Lever.


[00:44:11.23]
Dylan: Hey, thank you so much.


[00:44:12.25]
Ned: If folks want to reach out to you, consume your interesting content, what's a good place to start?


[00:44:17.24]
Dylan: So dylanbeattie.net is my website, and pretty much everything is linked from there. If you just search Dylan Beattie, I think I'm all 10 of the top 10 now. Number 9 used to be somebody else, and I was very unhappy about that, but I think I finally banished them into the second page of results obscurity. But yeah, I'm one of those people. I use my own name for everything, and I'm on pretty much every platform. At the moment, Bluesky seems to be where the good conversation is happening. I'm on Bluesky at dylanbt.net over there. But by the time this goes out, I have no idea what will have happened. There'll be something, some other thing. But yeah, email dylan@dylanbeattie.net. That's worked for 25 years, and it will fail over my dead body. If you want to talk to me, that's the best way to make it happen.


[00:45:04.08]
Ned: Awesome. Well, thank you again, Dylan. And hey, dear listeners, thanks for listening or something. I guess you found it worthwhile enough if you made it all the way to the end. So congratulations to you, friend. You accomplished something today. Now you can go sit on the couch, fire up a terminal, and send an email via SMTP to your Gmail server. You have earned it. You can find more about the show by visiting our LinkedIn page or go to our website, chaoslever.com, where you'll find show notes, blog posts, and general tomfoolery. We'll be back next week to see what fresh hell is upon us. Ta-ta for now.


[00:45:45.07]
Chris: I can't believe we got through all of that and didn't even talk about the byzantine rules that make up what is and what is not a valid email address.


[00:45:55.24]
Dylan: I have a talk about email, like a conference talk I do, and I'm pretty sure if I reinstated everything that ended up on the cutting room floor, it would be a five-hour talk.