I had a long look at the documents and the comments about them to this point.
I've been asked about this group by my clients and I want to know if I'm on
the right train of thought.
The MARID documents describe how an enterprise sending e-mail can protect
itself from spoofing, by providing information that an enterprise receiving
e-mail can use to check if mail really came from the sending enterprise.
This will help ensure that mail claiming to be from somewhere really came
from there.
The first document, marid-core, describes these things:
1) How a sending domain stores its sender records,
2) How a receiving server queries them, what responses to expect, and
recommended actions
It also introduces (or re-uses?) a new message header (Resent-From:) to allow
forwarding services, mailing lists, and other remailers to be checked. It
has the potential to save storage space by examining and rejecting "spoofed"
mail, or flagging such mail for further scrutiny after it's received.
The second document, marid-submitter, describes:
1) A change to SMTP (SUBMITTER) which provides the same information as the
Resent-From: header above,
2) How the receiving server may perform the same checks as above, before the
message is received instead of after.
By supplying Resent-From: information earlier in the SMTP conversation, it
may potentially save bandwidth in addition to saving storage space by
refusing "spoofed" mail before receiving it.
This is a deliberately over-simplified view of MARID's work so far, from this
view point. I need to dumb it down like this when talking to clients and
other non-geeks. Aside from the details, is this what the MARID group has
done so far?
--
PGP key (0x0AFA039E):
<http://www.pan-am.ca/consulting(_at_)pan-am(_dot_)ca(_dot_)asc>
Sometimes it's hard to tell where the game ends and where reality bites,
er, begins. <http://vmyths.com/resource.cfm?id=50&page=1>