ietf-dkim

[ietf-dkim] Re: over-the-wire (in)compatibility between pre-IETF DKIM and (eventual) IETF DKIM

2005-10-16 16:19:19
Hector Santos wrote:

The SMTP specs have it written in STONE that Validation of the
MAIL FROM is not required, hence the #1 basis for the SMTP
spoofing problems and reason we are trying to find something
to AUGMENT SMTP to secure the transaction.

Well, of course I disagree with this assertion.  It used to be
clear that you should not accept mail if you have no idea how
to report problems later to the originator.  And that worked as
designed (= in theory) in STD 10 SMTP, until STD 3 broke it for
the one special case RfC 1123 5.3.6(a).

The spammers got it right, use any MAIL FROM that survives a
simple "call back test", and stay away from SPF FAIL protected
addresses, if you are sending from a zombie.

With DKIM they will also be limited in their choices for some
2822-identities.  With MTAMARK or similar ideas they will be
limited in their choice of the sending IP.  And then we either
declare victory or give up on SMTP.

It is too late for SMTP. It is not too late for DKIM.

If DKIM offers what Doug apparently envisions, an abuse address
guaranteed to hit no innocent bystander, then that's not wrong.
(Same idea as an SPF PASS as far as I'm concerned)

It only isn't good enough for some of us.  But DKIM could also
offer some hardcore no-nonsense "either it's signed or forged"
policy for those who want it.  Just different POVs, IMHO they
can coexist.
                          Bye, Frank


_______________________________________________
ietf-dkim mailing list
http://dkim.org
