
How to tell a real Aster email from a fake one

A small blue badge appears next to our official emails. A fair number of people have asked us what it is for and whether they can rely on it. It carries a specific meaning, and we would like to explain exactly what that meaning is rather than let people assume. The entire point of the badge is to help you find out whether a message is from us or not.

People impersonate email providers all the time, and this will never change. Someone will pose as us, use our logo, and write something urgent to you about your account being at risk. They will ask you to confirm your password before your account is deleted. We built this badge so you have a reliable way of separating those messages from the ones that we send, without having to inspect headers or know anything technical about how email works.

What the badge actually means

The badge shows up only when two separate conditions are both satisfied. If either one of them fails, the badge will not appear at all, which is the behavior we would like from something people are going to trust.

The first condition is that the message originated inside Aster rather than arriving from somewhere outside on the wider internet. This matters more than anything else, because mail that comes in from outside our system is marked as external. External mail is never eligible for a badge under any circumstances.

Aster-to-Aster messages are the only kind that can qualify. Those are messages that are encrypted on our side and cannot be forged by any outside sender. If a message was delivered to you from the open internet while claiming to be us, it will not have the badge, no matter how convincing it looks.

The second condition is that the sending address has to be one of our reserved official accounts on astermail.org or aster.cx. This means the address is one of the following: support, security, billing, privacy, legal, abuse, hello, and updates. These are the email addresses that we own and have locked at the system, account, alias, and username levels all at once. There is no point at which an ordinary user could register security@astermail.org for themselves and have the badge attached to it.

Why it cannot be faked

A spoofed email coming off the open internet is free to write whatever it likes into the From field. That freedom is the entire reason phishing has worked for as long as it has.

What that spoofed message is unable to do is change the fact that it reached us from the outside. That means our client files it as an external address the second it arrives. External mail has no route to displaying the badge, regardless of which address it came from. To produce a message that carries a badge, someone would need to send it inside Aster’s encrypted system using one of our reserved addresses that cannot be registered in the first place. Neither half of that is something an attacker has any way of changing.

In simple terms, the badge is proof that the message came from us and not from an outside source.
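The two-condition rule described above can be sketched as a fail-closed check. This is an added example, not Aster's own code: the `Message` shape, its field names, and the idea that the server records `origin` and `sender` at ingestion are assumptions made for illustration; the domains and reserved names are the ones listed in this post.

```python
from dataclasses import dataclass

OFFICIAL_DOMAINS = {"astermail.org", "aster.cx"}                # from the post
RESERVED_LOCAL_PARTS = {"support", "security", "billing", "privacy",
                        "legal", "abuse", "hello", "updates"}   # from the post

@dataclass(frozen=True)
class Message:                 # hypothetical record, fields are assumptions
    origin: str                # "internal" or "external", assumed set server-side
    sender: str                # sending account as recorded by the server
    display_from: str          # whatever was typed into the From field

def is_reserved_official(address: str) -> bool:
    """Exact match only: no subdomains, plus-tags or lookalike characters."""
    if not address.isascii() or address.count("@") != 1:
        return False
    local, domain = address.lower().split("@")
    return local in RESERVED_LOCAL_PARTS and domain in OFFICIAL_DOMAINS

def shows_badge(msg: Message) -> bool:
    # Condition 1: the message originated inside the system.
    # Any other value, including an unknown one, fails closed.
    if msg.origin != "internal":
        return False
    # Condition 2: reserved official address. display_from is never consulted,
    # so a forged From field cannot influence the result.
    return is_reserved_official(msg.sender)

# Constructed sample messages, not real traffic.
SAMPLES = {
    "real notice": Message("internal", "security@astermail.org", "Aster Security"),
    "spoofed From": Message("external", "security@astermail.org", "Aster Security"),
    "ordinary user": Message("internal", "alice@astermail.org", "security@astermail.org"),
    # The next two exercise the address matcher on its own.
    "lookalike domain": Message("internal", "security@astermail.org.example", "Aster"),
    "homoglyph": Message("internal", "s\u0435curity@astermail.org", "Aster"),  # Cyrillic e
}

if __name__ == "__main__":
    for name, m in SAMPLES.items():
        print(f"{name:18} badge={shows_badge(m)}")
```

Only the first sample gets a badge; every other case fails one of the two conditions regardless of how the visible From text reads.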

What we will never do

The badge does its job by showing you that a message did come from us. The other half of staying safe is knowing the things a real message from us is never going to contain.

We are never going to ask for your password under any circumstances, and we are never going to ask you for your recovery phrase or recovery codes, partly because we have no reason to and partly because we could not make use of them even if you gave them to us.

Given that we do not store any of this, anything asking you to confirm or verify your password by replying or following a link is not from us. The presence or absence of a badge does not change that. Whenever something does not feel right, the safest move is to open Aster yourself and look at your account directly instead of trusting whatever the message says.
