Mark, thanks; great analysis of how this works.
At 02:38 PM 8/11/2004 -0700, Mark Lentczner wrote:
This is more convoluted than the draft requires because it is trying to stave
off as much work as possible. Specifically, if the reputation is high, or is
on a white-list, then the PRA extraction from the headers can be skipped (as
your local mail policy essentially trusts that domain's machines (as
authorized via Sender-ID) to do the right thing.)
Just to emphasize the converse, PRA extraction from the headers will still be
required unless the reputation is high or on a white-list. Some of the
comments I have seen on this list would lead one to believe that extracting the
PRA and checking Submitter against it is optional. In fact, not to do so with
a sender you don't know well would greatly decrease the effectiveness of Sender
ID by spoofing the PRA while using Sender with an authorized domain for the
source address of the SMTP client.