ietf-mxcomp

Re: Sender-ID and last hop validation

2004-08-18 18:57:41

"Nate Leon" <nleon(_at_)mailfrontier(_dot_)com> wrote:
Do I understand correctly that Sender-ID only authenticates the most
recent hop?

  Any recipient looking at SMTP traffic must, by its very design,
look only at the most recent hop (i.e. the information it has, and can
determine for itself).  However, as the message traverses a series of
MTAs to get to a final mailbox, the message must (by definition)
traverse *all* of those MTAs.  It can only do that if, at each hop,
the message passes whatever checks are implemented by that hop.

Or in example form... Some Guy at Yahoo! sends a msg to my Pobox.com
account (assuming I had one :-) which in turn, forwards the message to
MyWork address.  Thus, the MTA at MyWork will see the msg coming from
Pobox.com and validate that the Source IP address of the incoming
message is authorized to send mail for the Pobox.com domain.  The
receiving MTA at MyWork.com does not authenticate anything about the
yahoo.com domain.

  If pobox has claimed responsibility for the message via the fields
used by PRA, then the MyWork MTA can verify that the message passes
the rules published by pobox.com.

  If pobox does not claim responsibility, and just forwards the
message without touching the PRA fields, then the message must pass
the rules published by the responsible domain as determined by PRA.
Odds are, because the message now comes from pobox, that it won't.

  Whether this means that such forwarding is wrong, or Sender-Id is
wrong, is an exercise left for the reader.

  Alan DeKok.
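
The following is an added example, not part of the original message: a Python sketch of the last-hop check discussed above, run on the Yahoo!-to-Pobox forwarding case both with and without the forwarder claiming responsibility. The header precedence follows the PRA algorithm as later published in RFC 4407, simplified to header order only; the addresses, IP ranges and the `POLICY` table are constructed stand-ins for records each domain would publish in DNS.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Header precedence for picking the Purported Responsible Address (PRA).
# Simplified: the positional Received/Return-Path rule is not modelled.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

# Constructed stand-in for each domain's published sender policy.
POLICY = {
    "yahoo.com": ["192.0.2.0/24"],
    "pobox.com": ["198.51.100.0/24"],
}

def pra_domain(raw):
    """Return the domain of the first PRA header that holds an address."""
    msg = message_from_string(raw)
    for name in PRA_HEADERS:
        value = msg.get(name)
        if value:
            addr = parseaddr(value)[1]
            if "@" in addr:
                return addr.rsplit("@", 1)[1].lower()
    return None

def last_hop_check(raw, source_ip):
    """Check the connecting IP against the policy of the PRA domain only."""
    domain = pra_domain(raw)
    nets = POLICY.get(domain)
    if nets is None:
        return domain, "none"
    ip = ipaddress.ip_address(source_ip)
    ok = any(ip in ipaddress.ip_network(n) for n in nets)
    return domain, "pass" if ok else "fail"

# Constructed messages: the original, and the copy a forwarder re-sends
# after claiming responsibility with a Resent-From header.
ORIGINAL = ("From: Some Guy <someguy@yahoo.com>\n"
            "To: me@pobox.com\nSubject: hi\n\nbody\n")
FORWARDED_CLAIMED = "Resent-From: forwarder@pobox.com\n" + ORIGINAL
POBOX_IP = "198.51.100.25"  # constructed address of the forwarding MTA

if __name__ == "__main__":
    print(last_hop_check(ORIGINAL, "192.0.2.10"))        # direct from Yahoo!
    print(last_hop_check(ORIGINAL, POBOX_IP))            # forwarded untouched
    print(last_hop_check(FORWARDED_CLAIMED, POBOX_IP))   # forwarder claims it
```
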

