29 February 2016
I experienced something today that’s frustratingly becoming quite common. I emailed the support address of a financial institution I use, and they replied that they can only provide support if I contact them from the email address registered to my account.
The problem here is that as the owner of my own domain, I can receive email sent to [email protected], and I take advantage of that by using unique email addresses for most services I sign up for. (If for nothing else, this makes it easy to determine who’s passing on my email address to spammers.) But I can not easily send emails from all those different addresses, since that would require adding each one manually to Mail.app.
What I find irritating, is the company’s assumption that the “from” address serves as any kind of authentication, since it’s dead easy to spoof the from address on an email!
Any company that wants to provide authenticated support must provide a mechanism to initiate the conversation only from within a logged-in authenticated session at their website (or app). After that, it’s fine to continue the conversation outside the authenticated session—e.g. using ZenDesk, HelpScout or whatever support tool they use—because regardless of the email address I use from that point forward in the conversation, I wouldn’t be in a position to even respond if I hadn’t been the one who securely initiated the conversation in the first place.