Hallam-Baker, Phillip wrote:
The 3 model picture follows from what has been said
about 'use' and
'meaning'; that is, either prescribed by "authority", left to the
recipient, or hinted by the publisher. I would strongly
support the 3rd
way. I guess that I'm coming to where you are from a
different direction.
What I am saying is that the sender is not saying use a
particular type of authentication, the sender is saying
"This address is frequently the target of impersonation
attempts, if you have the capability to perform rfc822
From verification it is important that you do so and great
weight should be placed on any negative finding".
That is not a directive to apply a particular type of
auth, which the group is rightly seeing as an impractical
proposition. But the targets of phishing attacks really
need a means today of saying 'take the sender address really
seriously'. I suspect that this requirement will become
very much more widespread in the future.
I don't see a problem with doing RFC2822 checking in principle, but I
think that it is harder in practice to do such checking since there are
more headers and use cases to deal with.
What I am trying to avoid is a sender listing his email servers via a
MARID mechanism and that mail bouncing because of RFC2822 checking being
done by the sender does not match what the sender thinks it is. This is
why I am arguing for RFC2822 checking to be a normative part of the spec
if we agree on it.
If we make it clear that any "suggestion" that the sender makes requires
him to have his outgoing email conformant to that checking, it can make
things better. For example, if the sender is saying "do from header
checking", then the spec should say how that verification is done so
that the sender will know how to make his email conformant. Otherwise, I
am afraid that people will arbitrary employ such checking where the
sender does not want it applied and as the result of that, the email
will not get through.
I hope I am being clear on this.
Yakov
P.S. I had a side thought on this: in the case of RFC2822 verification
specifically, if the "Return-Path" header is known to be correct via
MAIL FROM verification, than it can be matched against the "from" header
instead of doing a DNS lookup. This might be an alternative way to do
checking at MUA level, without doing any additional IP or DNS checks.