In <700EEF5641B7E247AC1C9B82C05D125DA7C5(_at_)srv1(_dot_)fecyk(_dot_)ca>
"Gordon Fecyk" <gordonf(_at_)pan-am(_dot_)ca> writes:
| I think it is likely that there will need to be completely separate
| proposals for:
|
| 1) The "is this IP address authorized to be an MTA?" question.
| (e.g., MTA-Mark, SS, DUL lists, etc.)
|
| 2) The "is this IP address authorized to use a given domain name in
| the MAIL FROM (and HELO) address?" (e.g. RMX, SPF, DMP, etc.)
|
| 3) The "is this From: header from who it claims to be from?" (GPG,
| S/MIME, DomainKeys, Caller-ID, etc.)

You gave consideration to 1) and 2) as they're directly related to the work.
I wanted to know if the third area referred to deserves consideration from
this group. Or if there are others.

I definitely think that 3) (checking the mail headers) deserves
consideration. It is a much harder problem, but it is at least as
important as the other two. Only 3) will really address phishing scams.
I cannot think of any other areas that deserve consideration.

I don't remember if it was decided to consider 3) because of the problem of
using bandwidth to receive the e-mail in the first place, in order to analyze
it. I would prefer not to consider it as all of the approaches to verify the
headers require us to receive the message in its entirety, saving no
bandwidth at all.

The choice of whether to do any of these validations should be left up
to the individual mail admins. I see no particular reason why a mail
admin couldn't use all of them, if they wanted to. Just because an
email passes one of these tests doesn't mean it will pass all of them.
Personally, I use DUL lists for 1), SPF for 2) and I would use
something for 3) if there was something available.
-wayne