The Future of Email
Email authentication: the trust layer that the future of email depends on
Email has always had a spoofing problem. Anyone can put anything in the “From” field of an email. For most of email’s history, that was manageable. A careful reader could catch the tells, such as a slightly off domain name, implausible urgency, or phrasing that doesn’t quite work.
However, as AI usage becomes increasingly widespread, the way we engage with email is changing. AI assistants are increasingly reading, summarizing, and actioning email on users’ behalf. AI filters are making consequential decisions about what reaches inboxes at all. In that world, “Did the message arrive?” matters a lot less than “Can we actually verify where it came from?” The answer to that question depends on a set of standards most email users have never had reason to think about, but that are quietly becoming the foundation everything else is built on.
What is email authentication?
Email authentication is made up of three interlocking standards: SPF, DKIM, and DMARC. SPF verifies that the server sending a message was authorized to do so on behalf of that domain. DKIM attaches a cryptographic signature to each message so the receiving server can confirm it hasn’t been altered in transit. DMARC ties those two together and tells receiving servers what to do when a message fails those checks: reject it, quarantine it, or let it through. Together, they’re how your inbox can tell whether a message claiming to come from your bank or your employer really did. Without them, a spoofed message is indistinguishable from a legitimate one. While this is not a new problem, as the way we interact with email changes, it becomes a much bigger one.
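The DMARC decision described above, as an added example that is not Fastmail's code or part of the original article: a message passes if SPF or DKIM passes for a domain aligned with the From domain, and otherwise the published policy applies. It assumes relaxed alignment, approximates the organizational domain as the last two labels, ignores the `sp`, `pct`, `adkim` and `aspf` tags, and uses constructed domains and results throughout.

```python
# Added example: simplified DMARC check (relaxed alignment, the default).
# Ignores the sp=, pct=, adkim= and aspf= tags; all domains are constructed.

def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject' into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    """Assumption: last two labels; real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def evaluate(from_domain, spf, dkim, record):
    """spf = (result, envelope-sender domain); dkim = (result, d= domain).
    Returns (dmarc_result, disposition)."""
    policy = parse_dmarc(record).get("p", "none").lower()
    def ok(check):
        result, domain = check
        return result == "pass" and org_domain(domain) == org_domain(from_domain)
    if ok(spf) or ok(dkim):
        return ("pass", "deliver")
    # Failure: the domain owner's published policy decides what happens.
    return ("fail", policy if policy in ("reject", "quarantine") else "deliver")

# Constructed cases: (From domain, SPF, DKIM, DMARC record of the From domain)
CASES = {
    "legitimate": ("bank.example", ("pass", "mail.bank.example"),
                   ("pass", "bank.example"), "v=DMARC1; p=reject"),
    # SPF passes for the sender's own envelope domain, but it is not aligned.
    "spoofed From": ("bank.example", ("pass", "bulk.other.example"),
                     ("none", ""), "v=DMARC1; p=reject"),
    # Forwarding breaks SPF; the intact DKIM signature still carries DMARC.
    "forwarded": ("bank.example", ("fail", "forwarder.example"),
                  ("pass", "bank.example"), "v=DMARC1; p=quarantine"),
    # A look-alike domain authenticates as itself: identity, not intent.
    "look-alike": ("bannk.example", ("pass", "bannk.example"),
                   ("pass", "bannk.example"), "v=DMARC1; p=reject"),
    "monitor only": ("shop.example", ("fail", "shop.example"),
                     ("fail", "shop.example"), "v=DMARC1; p=none"),
}
if __name__ == "__main__":
    for name, case in CASES.items():
        print(f"{name:13} -> {evaluate(*case)}")
```

The "spoofed From" case shows why SPF alone is not enough: the check passes for the envelope domain, and only DMARC's alignment requirement ties it to the address the reader sees.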
How AI factors into this
Two kinds of AI are now becoming standard features of the email experience. The first is AI filtering: the systems that decide what’s spam, what’s phishing, and what deserves your attention. These have existed for years, but modern versions are significantly more capable, and authentication results are increasingly a core input into how they make decisions. The second is AI assistance: tools that summarize your inbox, surface action items, draft replies, and in some cases take actions on your behalf.
It’s worth being transparent about what that looks like at Fastmail: we haven’t integrated AI into your inbox, and your mail isn’t being processed by a model in the background. Our MCP server is simply an API endpoint available if you want to connect an AI client of your choosing with your explicit authorization, and nothing changes if you don’t. But across the broader email landscape, AI assistants acting autonomously on inboxes are becoming increasingly common. That’s where authentication becomes critical. A person reading a suspicious email might notice that the sender’s domain has an extra character, or that something about the request feels off. An AI assistant scanning your inbox for items that need action may not slow down to check those things. It reads the content, notes the urgency, and acts accordingly. If that message is a convincing spoof, as much AI-generated phishing is now, authentication is the safeguard that should stop it before it ever reaches your mailbox.
Authentication is becoming infrastructure
In early 2024, Google and Yahoo began requiring bulk senders to have DMARC properly configured as a condition of reliable delivery. This shifted authentication from something senders could deprioritize to a basic prerequisite for reaching inboxes. It’s the same trajectory HTTPS followed on the web: starting as a best practice, then an expectation, then infrastructure. Even if you don’t understand what the padlock in your browser bar actually means, you’ve likely come to learn that its absence when viewing a website is a warning sign you can’t ignore.
Email authentication is heading in the same direction. New standards are being built on this foundation. BIMI lets verified senders display their logo directly in supporting inboxes, a small but meaningful visual trust signal at a time when AI-generated phishing is harder than ever to spot by content alone. The design of DKIM is being re-visited with some of the lessons learned from the experimental ARC specification, to track and attribute changes for complex email flows, so the filtering systems can tell where bad content is coming from and avoid hurting the reputation of the wrong parties.
That said, authentication alone is not a complete solution. Authentication confirms domain identity, not intent. A scammer with a convincing look-alike domain and a properly configured DMARC record will still pass sender authentication checks. However, authentication raises the cost and complexity of impersonation significantly, which matters more as the future of email becomes more automated. The inbox of the future will be faster, smarter, and more capable than what most of us use today. Authentication is what keeps that future trustworthy, not just convenient. The standards have been maturing for years, and the work now is to keep building on that foundation as email becomes more automated.
Email is not going anywhere
Everybody needs email. It’s where banks send statements, doctors send appointments, every other site sends password resets. Everybody has email. The best indicator for a technology’s longevity is how long it has already existed, and email has been around for a long time! Fastmail is at the forefront of developing the standards which will underpin the email of the future, and we will continue to evolve with email to make things better for everyone.