ietf-mxcomp

Re: Three major areas of concentration

2004-03-10 21:23:28

w>    When
w> you get to the point of identifying a particular author, I'm not sure
w> that it is so important to worry about the MTA that the email was sent
w> from.

My reading of the majority of the MTA Authentication schemes is that
they purport to validate authorship (and, therefore, really are making
statements about the From field) based on having the message transit
authorized MTAs.

I don't see this at all. Most of these proposals provide a way to make
assertions about what IP addresses can use a given domain in one or more fields
of a message. The criteria for picking a particular field or fields for the
validity check are based on an understanding of how those fields are set and
handled by the email infrastructure, not on what those fields "mean".

For example, the proposals that validate MAIL FROM fields don't do it because
they think the field names the author of the message. Rather, they do it mostly
because (0) The field is generally believed to be amenable to this sort of
check, (1) Envelope information is accessible earlier in the SMTP dialogue than
header information, and (2) There's a nice synergy between the way these
schemes work and the way mailing lists override the MAIL FROM. The obvious
downsides are (1) The pesky NULL MAIL FROM used for notifications and (2) Poor
interactions with autoforward.

Similar advantages and disadvantages can be enumerated for using various
header fields for these sorts of checks.

But this isn't an attempt to identify and check the author. And not only is it
well understood that this isn't what MAIL FROM is for, it is far from clear
that a check of this sort based on the author's address would be meaningful.

                                Ned
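
Added example, not part of the original message: a sketch of the kind of check discussed above, where a receiving MTA compares the connecting IP address against the networks a domain has authorized for use in MAIL FROM. The policy table, domains, addresses and function names are all constructed for illustration; no proposal's actual record syntax or DNS lookup is reproduced.

```python
import ipaddress

# Constructed stand-in for per-domain published assertions (assumption: a real
# scheme would fetch these from DNS in its own record format).
AUTHORIZED = {
    "example.org": ["192.0.2.0/24"],
    "lists.example.net": ["198.51.100.10/32"],
}

def mail_from_domain(reverse_path):
    """Domain of an SMTP reverse-path, or None for the null path <>."""
    addr = reverse_path.strip().strip("<>")
    if not addr:
        return None
    _, _, domain = addr.rpartition("@")
    return domain.lower()

def check_mail_from(client_ip, reverse_path):
    """Return 'pass', 'fail', 'unknown' (no assertion) or 'none' (null path)."""
    domain = mail_from_domain(reverse_path)
    if domain is None:
        return "none"      # notification with NULL MAIL FROM: nothing to check
    nets = AUTHORIZED.get(domain)
    if nets is None:
        return "unknown"   # domain has published no assertion
    ip = ipaddress.ip_address(client_ip)
    ok = any(ip in ipaddress.ip_network(n) for n in nets)
    return "pass" if ok else "fail"

# Constructed SMTP sessions: (label, connecting IP, MAIL FROM)
CASES = [
    ("direct submission",    "192.0.2.25",    "<alice@example.org>"),
    # The list overrides MAIL FROM, so the check follows the list's domain
    # even though the author in From: is still alice@example.org.
    ("mailing list",         "198.51.100.10", "<list-bounces@lists.example.net>"),
    ("bounce notification",  "192.0.2.25",    "<>"),
    # An autoforwarder keeps the original MAIL FROM but connects from its own IP.
    ("autoforwarded",        "203.0.113.7",   "<alice@example.org>"),
    ("unauthorized sender",  "203.0.113.99",  "<alice@example.org>"),
]

def run_cases():
    return {label: check_mail_from(ip, path) for label, ip, path in CASES}

if __name__ == "__main__":
    for label, result in run_cases().items():
        print(f"{label:22s} {result}")
```

The autoforwarded and unauthorized cases return the same result, which is the poor interaction with autoforward named above; the check says nothing about the From header in any of the cases.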