DC> Please what it means to authenticate something, when
there is no
DC> identity being authenticated.
DC> For starters, what is the authentication tied to?
sigh. re-reading _after_ posting is never pleasant.
I meant: Please explain what it means to...
I want to authenticate the purported originating email address
whether that be envelope or data FROM, Reply-To, Sender or
In terms of bare authentication alone the only link that seems
to me to add real value is authenticating the Data From: address.
Authenticating fake Envelope From can have benefits if you also
do something else:
* If you authenticate Data From then also authenticating the
envelope from may allow you to reject an impersonation spam
* If you combing the envelope from authentication with attributes
that are tied to the authenticated domain, i.e. an accreditation
by a third party.
I don't think we need to set a hard and fast rule about what is
'legitimate' use here. The authentication part of the spec does
not need to be normative so the identity does not need to be
All that gets published in the DNS record is a note to say that
as the owner of the domain phb.com the emails I send may be
authenticated by the fact that they are consistent with the
* The set of IP addresses of the outgoing edge servers
* The use of specific cryptographic authentication
enhancements (e.g. S/MIME signature under specified root)
* That certain cryptographic security enhancements are
always offered (e.g. STARTTLS is always offered)
We can argue about which of these features should be defined in
version 1 of the spec. But we don't have to get into the PKIX
style philosophical arguments over what we mean by identity.