Dombox — The Zero Spam Mail System

Viruthagiri Thirumavalavan
Feb 17, 2019

Hello there,

My name is Viruthagiri Thirumavalavan. I’m the creator of Dombox.

I would like to present a new email system that fixes the email spam problem. It’s not a replacement for the existing system but more of an upgrade, i.e. it’s backward compatible with the current email system and fully compatible with the SMTP protocol.

For the sake of this document, I’m gonna call my new email system “Email 2.0”. The current email system (e.g. Gmail) should be considered “Email 1.0”.

What’s so special about your new system? you might ask.

The answer is simple. My system doesn’t have the “spam” folder. And it makes your emails more organised.

If you spend your morning deleting a bunch of unwanted mails from your inbox every day even though you have a good spam filter, then you are the perfect audience for my new email system.

I’m looking forward to hearing your feedback. Without further ado, let’s get started.

The Problem

This is how current email systems deal with spam mails.

This is how it’s supposed to work.

Problem with Mail Rejection

Rejecting spammer mails comes with a big complication. A system must be able to clearly identify the spammers. If you reject mails that are from Genuine Senders, then your system is completely flawed.

You don’t want to lose mails from a handful of Genuine Senders. That’s the whole purpose of having spam filters, right?

Mail Classifications

In our system, we classify the mails into three categories.

Conversational Mails

Conversational mails are all about you versus another human.

If the person who is sending you the mail is a human, then such mails go under conversational mails.

Transactional Mails

Transactional mails are all about you versus the website server.

These mails are automatically triggered when you interact with the website.

Think of it as a transaction between you and the website. The transaction can be money or data. You need to be notified for the transaction.

If you are the only Recipient of a mail sent by a website, then most likely it’s a transactional mail.

e.g. Confirmation Emails, Welcome Emails, Product Shipping Notices, Purchase Receipts

Promotional Mails

Promotional mails are very different from transactional mails. When it comes to promotional mails, you are not the only recipient.

So promotional mails are all about website marketing team versus their users. Since you are one of their users, that includes you too.

The marketing team drafts the mail and then sends it to all users in bulk.

Promotional mails usually contain tracking links.

Small businesses usually depend on third-party newsletter services to send out promotional mails. e.g. Mailchimp

This is because third-party services offer better tracking tools. e.g. how many people opened your emails, how many people clicked the links, how many people unsubscribed etc.

As per law, promotional mails require unsubscribe links. Transactional mails do not.

Both Transactional Mails and Promotional Mails are related to websites. So let’s group them as “website related mails”. Keep in mind, You don’t need a website to send Transactional Mails and Promotional Mails.

e.g. A mobile app can send Transactional Mails with the help of third-party transactional mail services (e.g. AmazonSES) and it can send Promotional Mails via third-party newsletter services (e.g. MailChimp).

For simplification, we use the term “website related mails” to refer to both Transactional Mails and Promotional Mails.

Create an Account

Let’s create an account in our mail system. Nothing fancy here. Let’s pretend that we get the following new email address once we complete the signup process.

Email Address: giri@domboxmail.com

This email address is equivalent to a gmail.com address. i.e. It can accept mails from anyone.

At this stage, our system should be treated as Email 1.0 [And yes, we are gonna have the spam folder at this stage]

This is how our mail system looks right now. i.e. A single system can accept mails from everyone.

Box Groups

The term “box” refers to any mailbox that has the capability of receiving emails.

Normal Mailboxes Aka. Mailboxes

This works exactly like other mail services. e.g. Gmail.

The boxes found in this group can accept mails from anyone including spammers.

Address structure:

local-part@domain

e.g. johndoe@domboxmail.com

The addresses found in this category are called “email address” or “e-mail address”. These addresses are also known as “Mailbox Address”

Isolated Mailboxes Aka. Domboxes

Dombox is the short form for “Domain-based Isolated Mailbox”

Users are gonna create a separate mailbox for each domain. Each of these separate (i.e. isolated) mailboxes is called a Dombox.

Most of us are familiar only with “Normal Mailboxes”. Normal Mailboxes are nothing but “Shared” Mailboxes whereas Domboxes are “Dedicated” Mailboxes.

The boxes found in this group can accept mails only from the “Dombox Domain” and its “SAD domains”. {Note: SAD stands for “Sender Alias Domains” and it will be explained in a later section}

Isolated Mailboxes should be used only for Transactional and Promotional Mails.

The addresses found in this category are called “imail address” or “i-mail address” which stands for “isolated mail address”. These addresses are also known as “Dombox Address”

i-mail address structure:

A user can have unlimited Domboxes

All emails you receive from websites fall under either Transactional or Promotional Mails category.

The internet has 332 million domains as of 2018. But the users are gonna create Domboxes only for the sites where they are about to create or update an account.

Dollar symbol is a perfectly valid character in the local-part. But you are welcome to use our alternate email structure too. Both address structures can accept mails to the same box.

Alternate i-mail address structure:

A Domkey is required to generate a Dombox. A Domkey is a unique string just like a username. It stands for “Dombox Global Keyword”, i.e. all Dombox addresses are gonna use this key to make them unique.

Note: A Dombox is a property of both the “User” and the “Dombox Domain”. Only the “Dombox Domain” and its “SAD Domains” can write emails to the “Isolated Mailbox”. Only the user can read and delete emails from the “Isolated Mailbox”.

All i-mail addresses can be called “e-mail addresses”. But not all e-mail addresses can be called “i-mail addresses”.

The Three Phases

We solve the spam problem in three phases. Isolation, Restriction and Injection

Isolation — Deals with Websites and Apps

Restriction — Deals with Friends, Family, Colleagues and Acquaintances. [Collectively referred to as “Authorized Personnel”]

Injection — Deals with unknown people [i.e. Strangers]

Phase 1: Isolation

In this phase, we are going to isolate the domains. In other words, each domain is gonna have its own email address and inbox.

Just to be clear, you don’t have to go to an individual box to read mails. You can read the mails from the “Unified Mails” page just like you do in Email 1.0.

This is how our unified mails page navigation looks.

Let’s create a Dombox.

Activate Extension — Domboxes

Set Domkey

Domkey is the short form for “Dombox Global Keyword”. {Heads Up! It’s “Dombox Global Keyword”. Not “Domain Global Keyword”}

Domkey will be the same for all user created Domboxes.

Domkey should be a unique string just like a username.

Domkey should be an alphanumeric string.

Domkey must be set before creating your first “Dombox”

Domkey can be set only once for an account and cannot be changed later.

Domkey cannot be one of your “Normal Mailbox” local-part. i.e. If you have an email address like johndoe@domboxmail.com, then you can’t have “johndoe” as value for Domkey

New Dombox

Enter the domain to create a new Dombox

View Dombox

You need to use the Dombox Address “twitter.com@test123.domboxmail.com” on twitter.com when you create or update your account. The Twitter Dombox can accept mails only from twitter.com by default.

Sender Alias Domains

Direct Pass

When the Envelope Domain == Dombox Domain

We created an isolated mailbox for amazon.co.uk and the box address looks like this.

MAIL FROM: <orders@amazon.co.uk>

RCPT TO: <giri123$amazon.co.uk@domboxmail.com>

Envelope Domain: amazon.co.uk

Dombox Domain: amazon.co.uk

This box can accept mails only from amazon.co.uk by default.

We make sure the mail is not spoofed by fetching the SPF record from amazon.co.uk.

After that process, the mail will be accepted without any issues.

Thus, it is a direct pass.

Indirect Pass

When the Envelope Domain ≠ Dombox Domain

MAIL FROM: <jeff@amazon.com>

RCPT TO: <giri123$amazon.co.uk@domboxmail.com>

Envelope Domain: amazon.com

Dombox Domain: amazon.co.uk

To allow mail from jeff@amazon.com to the amazon.co.uk box, amazon.co.uk should have the following SAD record in _sad.amazon.co.uk:

“v=sad1 amazon.com:r+b -all”

Note: Envelope Domain, Message Domain and Signature Domain can be completely different from the Dombox Domain. However, We always check the SAD record in the “Dombox Domain”. Because Dombox Domain is the “owner” of that box.

The “Dombox Domain” can be extracted from the Dombox Address during the RCPT TO command.

giri123$amazon.co.uk@domboxmail.com => amazon.co.uk
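
The direct-pass and indirect-pass decisions above, sketched in Python as an added example (not Dombox's own code). Assumptions: the alternate "domain@domkey.domboxmail.com" form is inferred from the twitter.com address shown earlier, the SAD flags ("r+b") are kept opaque because this page does not define them, the SPF result for the Envelope Domain is supplied by the caller, and SAD_ZONE is constructed data standing in for a DNS lookup.

```python
import re

MAIL_HOST = "domboxmail.com"  # provider domain used in the article's examples

# Constructed stand-in for a DNS TXT lookup of _sad.<Dombox Domain>.
SAD_ZONE = {"_sad.amazon.co.uk": "v=sad1 amazon.com:r+b -all"}


def dombox_domain(rcpt_to):
    """Return (domkey, dombox_domain) for an i-mail address, None otherwise."""
    local, _, host = rcpt_to.strip("<>").lower().rpartition("@")
    if host == MAIL_HOST and "$" in local:
        # domkey$domain@domboxmail.com
        domkey, _, domain = local.partition("$")
    elif host.endswith("." + MAIL_HOST):
        # domain@domkey.domboxmail.com (alternate structure, assumed)
        domkey, domain = host[: -len(MAIL_HOST) - 1], local
    else:
        return None  # a normal mailbox such as giri@domboxmail.com
    # Domkey is alphanumeric; the box owner must look like a domain name.
    if not re.fullmatch(r"[a-z0-9]+", domkey) or "." not in domain:
        return None
    return domkey, domain


def parse_sad(record):
    """Map each Sender Alias Domain in a SAD record to its (opaque) flags."""
    terms = record.split()
    if not terms or terms[0] != "v=sad1":
        raise ValueError("not a SAD record")
    aliases = {}
    for term in terms[1:]:
        if term.lstrip("+-~?") == "all":  # terminator, as in "-all"
            break
        domain, _, flags = term.partition(":")
        aliases[domain.lower()] = flags
    return aliases


def isolation_check(mail_from, rcpt_to, spf_pass, sad_lookup=SAD_ZONE.get):
    """Decide whether a Dombox accepts mail from this envelope sender."""
    parsed = dombox_domain(rcpt_to)
    if parsed is None:
        return "not-a-dombox"
    owner = parsed[1]  # the Dombox Domain owns the box, so its SAD is checked
    envelope = mail_from.strip("<>").lower().rpartition("@")[2]
    if not spf_pass:  # envelope sender failed the spoofing check
        return "reject"
    if envelope == owner:
        return "direct-pass"
    record = sad_lookup("_sad." + owner)
    if record and envelope in parse_sad(record):
        return "indirect-pass"
    return "reject"
```
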

SAD Types

Box SAD — This is the SAD Record collected from user’s imported mails and new incoming mails [aggregated from all users].

Local SAD — This is the SAD Record added by our company staff for the notable domains. e.g. Facebook => “v=sad1 facebookmail.com:r+b -all”

Global SAD — This is the SAD record defined in the “Dombox Domain” DNS by the domain owner in this path.

_sad.domboxdomain.com

Box Features

Boxes come with the following features.

Feature | Description

Make Offline | When a box is offline, it can’t accept any new mails. You can browse only the old mails.

Delete | When a box gets deleted, only the box mail address will be lost. But the mails can still be browsed via the “Unified Mails” page. The mails can be recovered if you recreate the box. And yes, a deleted box can’t accept any new mails.

Format | Bulk deletes all the mails found in a particular box. Applicable only to Domboxes. {Normal Mailboxes usually contain Conversational Mails, which are very important, so the Format option is not available in Normal Mailboxes.} To completely delete a Dombox along with its mails, you must “format” the box first and then use the “delete” option.

Mute | Prevents annoying mail notifications. Mail will be accepted but you won’t be notified when a box is “Muted”.

Subscribe | When a user is “Subscribed” to the box, the user is voluntarily asking the site to send newsletters / promotional mails. This option is associated with our One-Click newsletter subscription service called “Telescribe”. Note: Domboxes are Double Opt-In by default. So no need for confirmation emails.

Unsubscribe | This option helps you with the unsubscription nightmare. When a user is “Unsubscribed” from the box, the user is asking the site not to send any newsletters/promotional mails. When the box status is “Unsubscribed” and our system finds any new mails with a “List-Unsubscribe” header and/or an “Unsubscribe” link at the mail footer, then we automatically try to unsubscribe on behalf of the user and then instantly move the mail to the “Trash” folder. If a domain sends Promotional mails without an “Unsubscribe” link, then they are breaking the law.

End result

This is the end result after completing the Isolation phase.

Note: “Mailboxes” can still accept mails from websites and apps at this stage. That’s why the Mailboxes part contains website and app icons in the last figure.

Phase 2: Restriction

In this phase, we have an option called “Restricted Mode”. This mode is applicable only to the boxes found in the “Mailboxes” group.

If you are gonna use this phase, be sure to offload all website related mails (i.e. Promotional Mails and Transactional Mails) to Domboxes and only keep the Conversational Mails in the Mailboxes.

Pay attention to the Mailboxes part. No website and app icons there. Only human icons available now [Which means Conversational Mails].

You can find most of your “Conversational Mails” contacts in your “Address Book”. So when you enable “Restricted Mode”, you are asking us to allow emails only from the contacts found in your “Address Book”.

Restricted Mode is an optional feature. By default, it’s turned off. You need to enable it to use that feature.

When you enable “Restricted Mode” for the first time, you must agree to our “Restricted Mode” terms.

You can turn on/turn off this mode anytime.

When it’s turned off, it allows emails from everyone. But not from the “Blacklisted” contacts

When it’s turned on, it allows emails only from the “Whitelisted” and “Neutral” contacts. For all others “Injection” rules apply. {Refer to the next section}

If you send an email to a new contact, it will be automatically whitelisted.

If you ever deactivate the Domboxes extension, then the restricted mode will be deactivated too.

This is the end result, once you activate “Restricted Mode”.

Phase 3: Injection

Via “Isolation” you allow only certain “Websites” to mail you and via “Restriction” you allow only certain “Individuals” to mail you.

The Injection phase deals only with “Strangers” and relies on a Challenge/Response mechanism to detect spam mails.

This phase contains a few methods.

Method 1: Intro via a Mutual Contact

Method 2: CAPTCHA

Method 3: Phone Number Validation

Method 4: Proof-of-Work (PoW)

Method 5: Attention Fee

I’m going to explain only the CAPTCHA method here. Please refer to my white paper for a detailed description of the other methods.

This method works exactly like Google reCAPTCHA. The idea is that spammers usually send millions of mails. They don’t have enough time to manually enter the CAPTCHA.

Since we already isolated the website mails, websites don’t have to worry about entering the CAPTCHA.

When you enable “Restricted Mode”, the warning text would look something like this.

Caution:

You are about to enter a sensitive zone.

"Restricted Mode" is intended for the boxes that deal with only conversational mails. So offload all website related mails to the Domboxes before you enable this mode.

When the Restricted Mode is ON, we will send a challenge mail to the Sender if the sender is not found in your "Address Book".

Real users can respond to those challenges. e.g. CAPTCHA. But automated and bulk mailers cannot. So their mails are **never** gonna reach your inbox when the box is Restricted.

Do you understand what you are signing up for?

(a) Yes, I know what I'm doing

(b) No, Get me out of here.

When the Restricted Mode is ON, then our system will be considered as Email 2.0

This is how our challenge mail would look.

From: challenge@dombox.org

To: someuser@gmail.com

Sub: Mail Delivery Pending

Message:

The following recipients enabled Restricted Mode.

user1@domboxmail.com
user2@domboxmail.com
user10@domboxmail.com

And your contact was not found in the recipients’ Address Book.

Please verify that you are human by filling the CAPTCHA in the following link to deliver the mail.

https://www.domboxmail.com/challenge/abcde/fghij

Our apologies for the inconvenience.

Challenge Form

Backscatter Attacks

Email can be easily forged.

If a mail we receive says it’s from “president@whitehouse.gov”, that’s not always gonna be true. If we keep sending our challenge mail to “president@whitehouse.gov”, then we have a far more serious problem.

So we need to make sure mails from “Strangers i.e. unknown senders” are not forged.

Sender Policy Framework

SPF is one of the best mechanisms we have for detecting email spoofing. We compare the “Incoming mail IP address i.e. Client IP” with the whitelisted IP addresses found in the “Envelope Domain” SPF record.

For example this is the SPF record of facebook.com

But there is one bigger problem with SPF. It’s an optional mechanism. i.e. There is no internet standard that says, a domain MUST configure SPF.

The popularity of the SPF record fades away once we get past the Alexa top 1 million domains. So if we rely only on the SPF record, then the solution may work for the 100th domain, but it’s not gonna work for the 100 millionth domain.

Hot Gates Strategy

Everything we did so far was just to set up the content you are gonna see from this point forward. So pay strict attention.

Have you ever watched the movie 300, starring Gerard Butler? If yes, let me ask you a question.

In that movie, King Leonidas and his soldiers battle against 300,000 Persian soldiers, near a narrow pass called “Thermopylae aka. Hot Gates”.

My question is, Why Hot Gates? Why not battle in an open ground?

That’s because the Spartans’ strength lies not only in their superior fighting skills, but also in their tactical advantage. Without “Hot Gates”, the whole battle would have been an instant massacre.

The Challenge/Response mechanism is a weapon that should be used in a narrow battle like “Hot Gates”. But every C/R based spam solution out there is trying to use the C/R mechanism in an open ground battle. That is the main reason why the C/R mechanism is flawed and not popular even though it got patented 20 years back.

Email is ubiquitous. You know what else is ubiquitous?

MX Records. They were introduced in 1986.

Let’s refresh our memories.

  • We classified the mails into three categories. Conversational Mails, Transactional Mails and Promotional Mails.
  • We offloaded Transactional Mails and Promotional Mails to Domboxes.
  • Users agree that they are gonna use the Mailboxes only for “Conversational Mails” when “Restricted Mode” is ON.

So… In “Injection” phase, we are dealing with only “Strangers”. Not just any strangers. We are talking about “Conversational Mail Strangers”. Context really matters here.

We already gave unrestricted access to websites and apps in Domboxes via “Isolation”. So, there is no such thing as “Transactional Mail Strangers” or “Promotional Mail Strangers” in our system.

The term “Conversational Mails” can be termed as MX-to-MX Mails.

e.g. When john@example.com sends an email to jane@gmail.com, the Gmail.com MX record is queried and then the mail will be transferred to one of the Gmail MX servers. When Jane replies to that mail, the example.com MX record is queried and then the mail will be transferred to one of the example.com MX servers. So Conversational Mails require MX records on both sides.

So “MX Records” should be the “Hot Gates” of our Challenge/Response based email system. i.e. We actually diverted the spammers to the injection phase by Isolating and Restricting the genuine senders.

Our primary clue for verifying mail genuineness now is “MX Records”. Let’s verify these stranger mails.

MX Records

MX Records can be classified into two categories. Self-Hosted and Third-Party Hosted

Self-Hosted

When a mail comes from richard@piedpiper.com, we are gonna compare the “Incoming mail IP i.e. Client IP” address with the IP addresses extracted from the following records.

dig MX piedpiper.com (MX Records)

dig TXT piedpiper.com (SPF Record)

dig A piedpiper.com (A Record)

Third-Party Hosted

When the MX server domain does not end with the same domain, then that domain will be considered a third-party hosted domain.

In this case, piedpiper.com is hosting its mail on Google servers.

So we are gonna compare the “Incoming mail IP i.e. Client IP” address with the IP addresses extracted from the following records.

dig MX piedpiper.com (MX Records Points to google.com)

dig TXT piedpiper.com (PiedPiper SPF Record)

dig TXT google.com (Google SPF Record — The base domain of MX host)

dig A piedpiper.com (A Record)

Strangers

We can classify the Strangers into two categories based on the MX Record check we performed in the last section.

Verified Strangers and Unverified Strangers

Verified Strangers

The Challenge/Response mechanism is applicable only to verified strangers.

An incoming mail from the “Verified Stranger” will be accepted, but it will be put in the “Pending” folder. This is a system folder and cannot be accessed by the user.

If we display the “Pending” folder to the user, then it defeats the purpose of the system since the “Pending” folder is a replacement for the “Spam” folder.

If the sender responds to the challenge correctly, then the mail will be moved to the user inbox. If the sender does not complete the challenge within 30 days, then the mail will be discarded.

Unverified Strangers

If the receiving domain is a Self-Hosted system (e.g. @domboxmail.com), then the mails will be rejected with the following error.

550 Restricted Box. Unauthorized and Unverified Sender. Please configure SPF or Send this mail from one of your MX server IP address

99.99% of the “Unverified Stranger” emails are from either spammers or probably the websites you didn’t want to isolate.

Genuine Senders rarely get caught here. If a genuine sender gets caught here, then it’s actually their mistake. Put it this way, they have an address in America for incoming mails, but outgoing mails are originating from Japan. That’s abnormal since we are talking about “Conversational Mails” here.

Small businesses usually don’t go for such an abnormal setup. Anyone who goes for such an abnormal setup is probably doing that for better networking policies. These networking professionals most likely know what an SPF record is.

Besides, we are giving a crystal clear error message when rejecting the mail.

550 Restricted Box. Unauthorized and Unverified Sender. Please configure SPF or Send this mail from one of your MX server IP address

This is how the 550 error message looks on the sender side when the mail gets rejected.

If the mails are third-party hosted (e.g. @gmail.com), then the mails will be moved to Trash directly.
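
The MX-based stranger check and the resulting actions, sketched in Python as an added example (not Dombox's own code). Assumptions: ZONE is constructed data standing in for the dig lookups listed above, only ip4:/ip6: terms of an SPF record are read (include, a and mx mechanisms are not expanded), the base domain of an MX host is taken as its last two labels, and all function names are hypothetical.

```python
import ipaddress

# Constructed DNS data using documentation IP ranges.
ZONE = {
    ("MX", "selfhosted.example"): ["mail.selfhosted.example"],
    ("A", "mail.selfhosted.example"): ["192.0.2.25"],
    ("A", "selfhosted.example"): ["192.0.2.80"],
    ("MX", "hosted.example"): ["mx1.mailhost.example"],
    ("A", "mx1.mailhost.example"): ["198.51.100.5"],
    ("A", "hosted.example"): ["203.0.113.80"],
    ("TXT", "mailhost.example"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}

REJECT = ("550 Restricted Box. Unauthorized and Unverified Sender. Please "
          "configure SPF or Send this mail from one of your MX server IP address")


def spf_networks(domain, zone):
    """Networks listed as ip4:/ip6: terms in the domain's SPF record."""
    nets = []
    for txt in zone.get(("TXT", domain), []):
        if txt.split()[:1] == ["v=spf1"]:
            for term in txt.split()[1:]:
                if term.startswith(("ip4:", "ip6:")):
                    nets.append(ipaddress.ip_network(term[4:], strict=False))
    return nets


def base_domain(host):
    """Last two labels of a host name (simplification, no public suffix list)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def allowed_networks(domain, zone):
    """Every address the sender domain vouches for via MX, SPF and A records."""
    mx_hosts = zone.get(("MX", domain), [])
    nets = spf_networks(domain, zone)
    for host in list(mx_hosts) + [domain]:
        nets += [ipaddress.ip_network(ip) for ip in zone.get(("A", host), [])]
    for mx in mx_hosts:
        if mx != domain and not mx.endswith("." + domain):
            # Third-party hosted: also trust the SPF record of the MX base domain.
            nets += spf_networks(base_domain(mx), zone)
    return nets


def classify_stranger(mail_from, client_ip, zone=ZONE):
    """Return 'verified' when the client IP belongs to the envelope domain."""
    domain = mail_from.strip("<>").lower().rpartition("@")[2]
    ip = ipaddress.ip_address(client_ip)
    nets = allowed_networks(domain, zone)
    return "verified" if any(ip in net for net in nets) else "unverified"


def restricted_box_action(verdict, receiver_self_hosted=True):
    """Map the verdict to the handling described for a Restricted box."""
    if verdict == "verified":
        return "pending"  # held in the Pending folder until the challenge is solved
    return REJECT if receiver_self_hosted else "trash"
```
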

Domain Reputation

In Email 1.0, stranger reputation is tied to the IP address. Emails can be easily forged. If a spam mail says it’s coming from “president@whitehouse.gov”, we can’t just block the whole whitehouse.gov domain. We can only block or rate limit the IP address.

But in Email 2.0, only mails from “Verified Strangers” will be accepted. That means the mail is REALLY coming from the said domain, since the domain has either whitelisted the IP address or the mail was received from one of its MX servers. So, stranger reputation is tied not only to the IP address, but also to the domain.

So if you send spam mails via our “Injection Phase”, you are converting yourself from “Verified Stranger” to “Verified Spammer”. In such cases, we not only block your domain and IP address, but also build a block list similar to “Spamhaus Block List (SBL)” and then publish your domain and IP address there to help others.

Spam Filters

In our Injection Phase, we use Challenge/Response mechanisms like CAPTCHA. If you don’t want to annoy the sender, then you can stick with the typical Spam Filter.

Keep in mind, injection phase is all about “Verified Strangers” mails. So we use Spam Filter only for scanning “Verified Strangers” mails. Most Spammers are “Unverified Strangers”. So Email 2.0 with spam filter is much better than Email 1.0 with spam filter.

Email 2.0 + Spam Filter = Scan only Verified Mails. The sender owns the domain. So no Phishing or Spam since the owner takes full responsibility.

We can also use “Domain Registration Date” to rate limit emails from “Verified Strangers”. i.e. If the domain is fresh, then we can respond with error message like “Your domain is a new domain and you have exceeded the daily limit. Please try again tomorrow or ask the recipient to whitelist your email address”

So Spam Filter based Email 2.0 is a three step process.

Step 1: Is the sender an “Unverified Stranger”? If yes, reject mail. Else proceed to next step.

Step 2: Is the domain a fresh domain and the daily limit exceeded? If yes, reject mail. Else proceed to next step.

Step 3: Scan the mail using Spam Filter.

Final Architecture

This is how the Email 2.0 system architecture looks.

White Paper

Whatever you have read so far is a heavily trimmed version of my 300-page white paper and tries to offer only an overview of my system. My white paper solves many notable problems. Email Spam is one of them. So, there is more to it.

Please take a look at my white paper if you wanna understand my complete system. My white paper can answer the following questions.

What are the Box Types available? What are Dombox Layers? What is Mail Score? What is an Anomaly? What is Parallel Internet? What is a Portal? How Teleport Works? What are the Contract Terms? How Telescribe works? How Dombox works for Mailing Lists? How Dombox can prevent Phishing? How Dombox can help with Data Breach? How Dombox can help with Internet Privacy? What are the benefits of Dombox?

Download full white paper here.

Get Notified

My product is still a work in progress, and I don’t have an ETA for release. But if you are interested, I’m happy to notify you about the BETA once it is ready.

Please leave your email address here.

Notes & Links

Official Website: www.dombox.org

White Paper: Our white paper is a ~300-page document that explains our Email 2.0 system from top to bottom.

For feedback and business enquiries, please send a mail to giri@dombox.org

Viruthagiri Thirumavalavan

I’m an entrepreneur and engineer who works on stuff related to email. Thanks for stopping by.