I have been thinking further on the problem of introducing email
authentication. I am starting to think that apart from being complimentary
it is likely to prove essential to deploy both mechanisms.
Both authentication mechanisms have shortcommings due to the fact that we
are attempting to retrofit a legacy infrastructure.
Sender-ID:
Can only provide a definitve 'success', 'not success' can be due to
either forgery or a non compliant forwarding server.
Signature:
Can provide a qualified 'success' that is subject to a replay attack
for certain senders. Failure is most likely to be a forgery but may be due
to transport failure.
Note:
The failure modes of Sender-ID and Signatures are almost entirely
orthogonal, although forwarding is a possible cause of a signature being
corrupted.
So the astute recipient would do the following:
On a sample of email:
Apply Sender-ID and Signature authentication in parallel, apply ALL
modes of Sender ID interpretation (including against HELO). Construct a
table with the following dimensions:
Sender-ID - SPF: Pass | Fail | Indeterminate | Not specified
Sender-ID - PRA: Pass | Fail | Indeterminate | Not specified
Sender-ID - HELO: Pass | Fail | Indeterminate | Not Specified
Signature: Pass | Fail | Not Specified
Spam filter: Pass | Fail (or use score)
Fill in the score for each intersection of the matrix.
Take one MIT grad student, mix thoroughly,
We can now determine the degree to which the various measures are orthogonal
or corellated.
Of course one thing to bear in mind is that unless there is an incentive to
provide authentication that is expected to fail that authentication failures
are almost certain to be due to either misconfiguration or the forwarding
failure.