HBP> In terms of bare authentication alone the only link that seems
HBP> to me to add real value is authenticating the Data From: address.
I have not heard of a "Data From" address.
I'm guessing he means "MAIL FROM:" aka: "Bounces-to" which is what it really
means. Authenticating this alone avoids a pile of content screening issues,
never mind saves a pile of bandwidth from never having to see the
unauthenticated message at all, and satisfies RFC 2821 7.1, specifically:

   Efforts to make it more difficult for users to set envelope return
   path and header "From" fields to point to valid addresses other than
   their own are largely misguided: they frustrate legitimate
   applications in which mail is sent by one user on behalf of another
   or in which error (or normal) replies should be directed to a special
   address. (Systems that provide convenient ways for users to alter
   these fields on a per-message basis should attempt to establish a
   primary and permanent mailbox address for the user so that Sender
   fields within the message data can be generated sensibly.)

   This specification does not further address the authentication issues
   associated with SMTP other than to advocate that useful functionality
   not be disabled in the hope of providing some small margin of
   protection against an ignorant user who is trying to fake mail.

I would rather not touch the message itself including headers and body. Deal
with the envelope.
This also partially satisfies "demonstrating accountability" as I was
questioned on earlier. If a domain's prepared to handle bounces and
receiving servers can send bounces "reliably" to a sender domain, I
consider that beginning to demonstrate accountability.
 "reliably" depends on other things too, sure.
PGP key (0x0AFA039E):
What's a PGP Key? See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
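
An added illustration, not part of the original message, of the envelope-only check argued for above: the accept/reject decision is taken at MAIL FROM, before DATA, so headers and body are never transferred or touched. The policy table, addresses and function names are constructed for the example, and how a domain would publish its authorized senders is an assumption the message does not specify.

```python
import ipaddress
import re

# Constructed policy table: networks each domain says may use it in MAIL FROM.
# A stand-in for whatever the sender domain publishes; not a real protocol.
AUTHORIZED = {
    "example.org": ["192.0.2.0/24"],
    "lists.example.net": ["198.51.100.7/32"],
}

MAIL_RE = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def check_mail_from(client_ip, line):
    """Return (code, text) for a MAIL FROM command; the message is never read."""
    m = MAIL_RE.match(line.strip())
    if not m:
        return 501, "syntax error in MAIL FROM"
    path = m.group(1)
    if path == "":
        # Null reverse-path: this is a bounce. There is no domain to check,
        # and refusing it would break the bounce handling the post relies on.
        return 250, "ok (null reverse-path)"
    domain = path.rpartition("@")[2].lower()
    nets = AUTHORIZED.get(domain)
    if nets is None:
        return 250, "ok (domain publishes no policy)"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in nets):
        return 250, "ok (authorized for %s)" % domain
    return 550, "%s not authorized to send for %s" % (client_ip, domain)


def run_session(client_ip, commands):
    """Walk a constructed command list; stop before DATA on a 5xx reply."""
    replies = []
    for cmd in commands:
        if cmd.upper().startswith("MAIL FROM:"):
            reply = check_mail_from(client_ip, cmd)
        elif cmd.upper() == "DATA":
            reply = (354, "send message")
        else:
            reply = (250, "ok")
        replies.append((cmd, reply[0]))
        if reply[0] >= 500:
            break  # headers and body are never transferred
    return replies
```
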