ietf-mxcomp

RE: (DEPLOY) In Support of Sender ID

2004-09-02 15:06:46

On Thu, 2 Sep 2004, Michael R. Brumm wrote:

> While SPF doesn't prevent forging of 2822 addresses seen by 99% of MUAs, the
> same could be said of SenderID. I don't know of any MUAs which display the
> PRA as described by SenderID.

As I said before, there is a large majority of mail that goes from large
commercial sites (or consumer ISPs) merely one hop to another large
commercial ISP, so the From: header will be successfully authenticated.

Due to the fact that there will be a small number of messages that *will*
take multiple forwarding or other hops, IP-based authentication of headers
won't work for those with existing mail clients, and all IP auth solutions
have the potential of causing false positives if the interim forwarding
hops aren't upgraded.

For this reason, it may end up being the case that Sender ID cannot
reliably prevent spoofing for messages that take complex paths; but there
is some solace in that these complex paths are usually managed by the
*receiver*.

SPF, while authenticating something that does not give you a positive
value for the first case I stated, also has the potential to change a very
fundamental part of the mail channel in trying to work around the problem
of the second case.

(And yes Dave Crocker, I am simplifying the "one hop" idea in my first
paragraph, but from what I've seen so far it looks like that idea holds
for large Enterprise-to-ISP or ISP-to-ISP communication in a majority of
cases :)

-Rand