Open Bug 1984618 Opened 3 months ago Updated 3 months ago

Enhancement: Well-formed Only Mode – Spam- and Phishing-free Inbox via SPF, DKIM, DMARC and other tools

Categories: Thunderbird :: Preferences, enhancement (Unspecified, All, enhancement)
Tracking: Not tracked
Status: UNCONFIRMED
People: Reporter: info, Unassigned
References: Depends on 1 open bug
Attachments: 2 files

Steps to reproduce:

This is not a defect, but a feature proposal ("Enhancement").

Actual results:

Currently Thunderbird (like all email clients) relies on spam filters and blacklists.
Spam and phishing still reach the inbox, filters require constant updates, and false positives remain an issue.

Expected results:

Introduce an optional "Well-formed Only Mode" where only RFC-compliant, authenticated emails (SPF/DKIM/DMARC)
are automatically delivered to the inbox. All others go to a Quarantine folder with clear reasons/badges and
optional sender feedback. This would create a truly spam- and phishing-free inbox.

Proposed default policy (for discussion)

  • Rule Set: RFC-compliant headers; SPF or DKIM = pass; DMARC alignment preferred (not mandatory in v1).
  • Direct pass: If DKIM=pass with aligned From (or DMARC=pass), go straight to Inbox (clean).
  • Quarantine: If result is fail/unknown.
  • AI release: If AI score ≥ 0.80, release to inbox with “released by AI” badge; otherwise stay in quarantine.
  • Hard block: Off by default; user/org policy can enable it.
  • Retention: Quarantine auto-purge after 14 days (configurable).
  • Transparency: Show clear badges/reasons + one-click “Allow once / Allow domain / Report issue”.

Why this matters

  • Fewer false positives (AI + address book/customer DB context).
  • Measurable (KPIs/Logging path).
  • Self-healing ecosystem (sender feedback).
  • Cost savings (less manual review, fewer incidents).

Open questions for the community

  1. Thresholds: Is 0.80 a good default for AI auto-release?
  2. Rule Set strictness v1: Require DMARC alignment from day one, or phase it in?
  3. Signals: Any other low-risk inputs for AI (sender history, domain reputation, rate limits)?
  4. UI/UX: Default to Quarantine first, with optional Hard Block for orgs?
  5. Privacy: Keep all checks **local** in the client where possible; any concerns with using local contact/customer matches as features?
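A prototype of the triage policy proposed above, added here as an example (it is not part of the bug report or of Thunderbird's code): it parses the Authentication-Results header an MTA stamps on a message (RFC 8601), applies the direct-pass / quarantine / AI-release rules, and returns the reasons that would back the quarantine badge and sender feedback. The 0.80 threshold, the relaxed-alignment rule and the sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

AI_RELEASE_THRESHOLD = 0.80  # assumed from the proposal's "AI release" rule

def parse_auth_results(value):
    # Authentication-Results (RFC 8601): "authserv-id; method=result props; ..."
    results = {}
    for clause in value.split(";")[1:]:
        m = re.match(r"(spf|dkim|dmarc)=(\w+)(.*)", clause.strip())
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            results[m.group(1)] = (m.group(2).lower(), props)
    return results

def aligned(signing_domain, from_domain):
    # Relaxed alignment (assumed): signing domain equals, or is a subdomain of, the From domain.
    s, f = signing_domain.lower(), from_domain.lower()
    return bool(f) and (s == f or s.endswith("." + f))

def triage(raw_message, ai_score=None):
    # Returns (verdict, reasons) for one raw RFC 5322 message under the proposed policy.
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    dkim, spf, dmarc = ar.get("dkim"), ar.get("spf"), ar.get("dmarc")
    dkim_pass = bool(dkim) and dkim[0] == "pass"
    # Direct pass: DMARC=pass, or DKIM=pass whose d= aligns with the From domain.
    if (dmarc and dmarc[0] == "pass") or (dkim_pass and aligned(dkim[1].get("header.d", ""), from_domain)):
        return "inbox", []
    reasons = []  # shown on the quarantine badge / sent as sender feedback
    if not dkim_pass:
        reasons.append("missing or failing DKIM")
    else:
        reasons.append("DKIM domain %s does not match From" % dkim[1].get("header.d"))
    if not spf or spf[0] != "pass":
        reasons.append("missing or failing SPF")
    # AI release: an (assumed) content/address-book score at or above the threshold lifts it out.
    if ai_score is not None and ai_score >= AI_RELEASE_THRESHOLD:
        return "inbox (released by AI)", reasons
    return "quarantine", reasons

# Constructed sample messages, not real mail.
GOOD = ("From: Alice <alice@example.org>\r\nAuthentication-Results: mx.example.net; "
        "spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass\r\n\r\nhi\r\n")
SPOOF = ("From: Bank <alerts@bank.example>\r\nAuthentication-Results: mx.example.net; "
         "spf=pass smtp.mailfrom=bulk.example; dkim=pass header.d=bulk.example; dmarc=fail\r\n\r\nclick\r\n")
NOAUTH = "From: Bob <bob@example.com>\r\nSubject: no Authentication-Results\r\n\r\nhi\r\n"
```

Calling `triage(SPOOF)` quarantines the message with the reason "DKIM domain bulk.example does not match From", while `triage(SPOOF, ai_score=0.9)` releases it with the AI badge.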

Comment on attachment 9508743 (thunderbird_wellformed_proposal.txt)

Hi Ryan Sipes, Thunderbird Team,

We’ve opened Bug 1984618 and shared an idea also on Connect: Well-formed Only Mode.

The concept:
• Accept only well-formed, authenticated emails (SPF/DKIM/DMARC)
• Quarantine + clear reasons (optionally enhanced by AI scoring: content + address-book match)
• Optional sender feedback (notify why rejected, e.g. missing DKIM, From mismatch)
• KPI dashboard (not paywalled, transparent metrics for all users)
• Fits perfectly as an experimental feature flag for early adopters

This could make Thunderbird the first major mail client with a measurably spam- and phishing-free inbox.
Implementation effort is relatively small (RFC checks, quarantine/feedback/dashboard UI), but the impact is large: lower security costs, clear KPIs, transparent communication — and positive pressure on the global email ecosystem.

We’d love your thoughts on whether this could enter Thunderbird’s roadmap.

Ceterum censeo SPAM et PHISHING esse delendam.
(loosely after Cato the Elder: Ceterum censeo Carthaginem esse delendam)

Component: Mail Window Front End → Preferences
OS: Unspecified → All
Summary: Enhancement: Well-formed Only Mode – Spam- and Phishing-free Inbox → Enhancement: Well-formed Only Mode – Spam- and Phishing-free Inbox via SPF, DKIM, DMARC and other tools
Depends on: 265226