In 2026, anyone with a terminal can type eight lines of telnet and send mail claiming to be your CEO. No password. No certificate. No proof of identity.
The protocol that carries every email on the public internet was specified in August 1982 for 235 trusting research hosts — and nobody has re-shipped it since.
This is the SMTP Tax: the cumulative cost of running a 44-year-old plaintext mail protocol on a network that now moves roughly 320 billion messages a day between adversaries. Spam filters, BEC wire fraud, midnight SPF flattening, multi-billion-dollar email security industries — all of it is the bill for an architectural default the world stopped questioning around 1995.
The video walks through the full stack of patches that have been bolted onto SMTP since 2003. SPF tells receivers which IPs are allowed to send for a domain — and breaks the moment a message gets forwarded. DKIM signs message bodies with real public-key cryptography — and says nothing about the visible From: header your user actually reads. DMARC ties the two to the visible identity through alignment — and is advisory, with the most common policy being p=none, which rejects nothing. BIMI publishes a logo for domains that already enforce DMARC — a UX sticker on top of three optional patches. MTA-STS, ARC, TLS-RPT, DANE — each one a layer on a layer on a layer.
Then the structural argument: what email looks like if you stop bolting. JMAP (RFC 8620) moves authentication from a TXT record to the request itself. The decentralized identity world — DIDs, the kind of identity model behind Bluesky's AT Protocol — asks what mail looks like if every sender is a key, not a string. The reason that argument is approximately as far away as IPv6 was twenty years ago isn't technical. It's gravitational.
The closing frame: the SMTP Tax is not a bug. It's a default chosen in 1982 for a federation of universities, never re-chosen for the network that exists now.
━━━━━━━━━━━━━━━━━━ CHAPTERS ━━━━━━━━━━━━━━━━━━
- 0:00 The Cold Open: Eight Lines, No Password
- 0:19 By The Numbers: 320B Emails, $50B BEC
- 1:20 RFC 821, August 1982: A Network Of 235 Hosts
- 3:11 SPF (2003): The First Patch
- 3:49 DKIM (2007): Strong Primitive, Wrong Target
- 4:28 DMARC (2012): Why p=none Is Theatre
- 5:20 BIMI And The Patch Pile
- 6:17 The Structural Alternative: JMAP
- 7:01 Cryptographic Sender Identity And DIDs
- 7:59 A Default Nobody Re-Chose
━━━━━━━━━━━━━━━━━━ KEY CONCEPTS MENTIONED ━━━━━━━━━━━━━━━━━━
- SMTP — Simple Mail Transfer Protocol, RFC 821 (1982), Jon Postel
- RFC 793 — TCP specification, source of Postel's Law
- Postel's Law — "Be conservative in what you do, be liberal in what you accept from others"
- SPF — Sender Policy Framework (2003)
- DKIM — DomainKeys Identified Mail (2007)
- DMARC — Domain-based Message Authentication, Reporting and Conformance (2012)
- BIMI — Brand Indicators for Message Identification (2020)
- MTA-STS, ARC, TLS-RPT, DANE — auxiliary patches on the SMTP stack
- JMAP — JSON Meta Application Protocol, RFC 8620 (2019)
- BEC — Business Email Compromise (FBI IC3 category since 2013)
- DID — Decentralized Identifier (used by Bluesky's AT Protocol)
- ARPANET — 235 hosts at the time RFC 821 was written
━━━━━━━━━━━━━━━━━━ FREQUENTLY ASKED QUESTIONS ━━━━━━━━━━━━━━━━━━
What is the SMTP Tax?
The cumulative cost of running a mail protocol designed in 1982 for 235 trusting hosts on a 2026 network of 320 billion daily messages between adversaries. It includes BEC fraud, spam filtering infrastructure, the entire email security vendor industry, and the engineering hours spent maintaining SPF, DKIM, DMARC, and BIMI records that the protocol itself never required.
Why doesn't SMTP have built-in sender verification?
Because RFC 821, written by Jon Postel in August 1982, specified SMTP for ARPANET — roughly 235 hosts where every administrator knew every other administrator by name or institution. The threat model was hardware failure, not a hostile actor. The word "authentication" does not appear once in the 47-page document.
Does DMARC stop email spoofing?
Only when a domain publishes p=reject and the receiver honors it. The most common DMARC policy by an enormous margin is p=none, which is monitoring mode — it rejects nothing. Roughly 30% of Fortune 500 domains enforce p=reject; across the broader Alexa top 1 million, the figure is closer to 12%. Everyone else is running a record that exists so a vendor checkbox lights up green.