ietf-dkim

Re: [ietf-dkim] DKIM on envelope level

2009-11-03 15:03:36
On 11/2/09 9:14 PM, Eliot Lear wrote:
> On 11/2/09 11:06 PM, Rolf E. Sonneveld wrote:
>> Well, on the envelope level there's not much that carries over
>> from end to end, is there? The only thing that comes to mind is the
>> MAIL FROM itself (with the remark made by Eliot, see above) and the
>> use of DKIM in combination with something like BATV.
>
> It's that MAIL FROM:<> that might be interesting (I still won't say
> for sure).

The general mindset is to consider email being sent along fixed paths,
as if being carried by imaginary Internet Mail Tubes.  Some want to
define these tubes by the Mail From, since that better accommodates
mailing lists.  Others want to see these tubes defined by the From
address as this could better mitigate fraud.  However, there remains the
problem created by mailing lists, which is not easily resolved by
attempts at combining a network of From and Mail From Tubes.

There needs to be a name-based effort started where Hostnames, Mail
From, and DKIM signers are handled on a name basis.  Since email is not
actually carried by email Tubes along specific paths, and name-to-IP
address relationships are actually rather diverse, the problem set
appears rather complex.  However, when viewed at the specific hostname,
there is no diversity, but instead elegant simplicity.  It appears EHLO
offers the _best_ means to control abuse at the envelope level by name.

So what EHLO names can be trusted?  Why not let originating domains
vote?  Why not let senders list in a scalable manner which names they
trust to handle their Mail Tube?  This type of information would make
it easy for anyone to determine which names can be trusted, without
reliance upon a centralized authority.  In other words, no batteries
would be needed.

It seems that some providers are fearful of this approach, as this
places accountability on the entity actually handling the Mail Tube.
Providers need to stop trying to hide. Have their IP address and
hostname listed in Authentication-Results.  Allow originating domains an
ability to list all the other domains they trust to handle their Mail
Tube.  That way, in a manner fairly similar to that used by Google in
ordering search results, it will become obvious which domains are and
can be trusted to handle a mailing list or third-party signing responsibly.

-Doug



_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
