ietf-asrg
[Top] [All Lists]

[Asrg] Domain-Authorized SMTP Mail

2003-03-18 08:49:33

I posted this to the namedroppers list 1-Jun-2002. It describes a method
of ensuring that only the owner of a domain can authorize the use of
that domain for email purposes, without restricting those who do not
wish to comply. This is the first step in authenticating email without
the use of digital signatures.

June 1, 2002




                   Domain-Authorized SMTP Mail


Copyright Notice

   Copyright (C) David N. Green (2002).  All Rights Reserved.


Abstract

   This document describes when and how to specify Mail Transmitter (MT)
   resource records (RRs) in the Domain Name System (DNS), how to
   configure SMTP servers to query them effectively, and how to
   configure Mail User Agents (MUAs) to filter based on them.


1. Introduction

   Historically, Internet mail has been plagued by forgeries. This has
   become more problematic as the practice of sending Unsolicited
   Commericial Email (UCE) has gained popularity. The addition of MT
   RRs to DNS will solve the problem of forgery of domain, without
   placing undue burden on any Internet Service Provider. This allows
   the Internet Service Provider to begin the process of prevention
   of forgery of user. The use of MT RRs at any site is RECOMMENDED.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   RFC 2119.


2. Mail Transmitter Resource Records
   
   All hosts which are authorized transmitters of mail for a domain,
   including any authorized forwarders, SHOULD be designated as Mail 
   Transmitters through the use of an MT RR.


3. MT DNS queries and Authorized-By SMTP headers

   SMTP servers SHOULD remove any Authorized-By SMTP headers of
   incoming mail. They MAY be configurable to preserve Authorized-By
   headers on incoming mail from a set of trusted servers.

   SMTP servers SHOULD perform an MT DNS query on the domain of
   the From header. If the incoming mail was sent by a server returned
   in the query, the SMTP server SHOULD attach an Authorized-By
   header to the message, whose value is the hostname of the server
   performing the MT authorization.


4. Mail User Agent handling of Authorized-By headers

   Mail User Agents (MUAs) MAY allow the user to filter incoming
   messages based on the presence of an Authorized-By header.
   MUAs MAY allow the user to further filter authorized messages
   based on the domain of the From header.


5. Security Considerations

   If a user's ISP does not support at least the removal of
   Authorized-By headers as stated in section 3, incoming mail may
   be easily forged.

   Additionally, any host between the sender and recipient, or who
   can otherwise masquerade as the sender, can also masquerade
   as an authorized transmitter for the domain of the sender.


Author's Address

   David N. Green
   563 Bill Rutledge Rd
   Winder, GA 30680 USA

   Phone:   +1-770-868-0754 (w)
            +1-770-868-1572 (h)
   Fax      +1-770-220-1937
   EMail:   green(_at_)couchpotato(_dot_)net


Attachment: signature.asc
Description: This is a digitally signed message part