You can solve a bunch of SMTP problems by organizing people.
Let's call it the Secure Mail Cooperative. In order to join the SMC, you need to:
- have an acceptable usage policy that means you will not allow any of your users to send spam (defined as...). Your first violation gets a warning. Your second violation gets you suspended from the SMC for a month. Third violation in a year disqualifies your organization from ever rejoining. Reset the count a year after a second violation.
- register the fingerprint of your SSL certs with the SMC, which will publish it in a DNS accept-list.
- add an SMC header to your SMC-bound email that indicates the address of your SMC postmaster, who is one or more people who can enforce the AUP on your side. The SMC postmaster address should never accept non-SMC email.
- agree that the SMC postmaster will be tested every so often and a lack of a response within 168 hours will be considered a violation, same as spam.
That's all off the top of my head, but it could reasonably work... for individuals and small to medium organizations. It requires too much attention for a Google or Microsoft to afford.
Fidonet operated exactly the way you describe. I recall in 90th I used to run quite a large Fidonet node. I was responsible for my points' (users) behaviour - when someone violated rules by misbehaving in an echo conference it effected me as a boss node in first place, I had to execute the ban and brainwash negligent user. What's more, I had to introduce new and old users to fidonet policy and its updates regularily to make sure they understand the rules. This all worked pretty well and was widely accepted. Fidonet was incredibly popular in 90th.
I think we may create a similar network basing on same old ESMTP, what we need is just to agree on rules and their enforcement. Also we need to secure inter-node communications.
i wouldn't have my organization join this cooperative. Why? Because accounts get compromised and spam gets sent. It just does, even with 2FA and NFC dongles and public/private keys.
In your cooperative, if two or more of the thousands of accounts in my org are compromised, the entire org loses email?
Not gonna happen, even if you tweak the rules to be more lenient.
Realistically we will always have spam. It can be reduced but, just like snail mail and all other forms of push communication, you will always get spam. Get over it.
This is called responsibility. Lack of respobsibility brought us to the point where noone cares about security seriously. Yes, we talk much about it, but in reality we don't give a damn about it because possible damage is usually inappreciable.
Let's call it the Secure Mail Cooperative. In order to join the SMC, you need to:
- have an acceptable usage policy that means you will not allow any of your users to send spam (defined as...). Your first violation gets a warning. Your second violation gets you suspended from the SMC for a month. Third violation in a year disqualifies your organization from ever rejoining. Reset the count a year after a second violation.
- register the fingerprint of your SSL certs with the SMC, which will publish it in a DNS accept-list.
- add an SMC header to your SMC-bound email that indicates the address of your SMC postmaster, who is one or more people who can enforce the AUP on your side. The SMC postmaster address should never accept non-SMC email.
- agree that the SMC postmaster will be tested every so often and a lack of a response within 168 hours will be considered a violation, same as spam.
That's all off the top of my head, but it could reasonably work... for individuals and small to medium organizations. It requires too much attention for a Google or Microsoft to afford.