Ref: http://www.ietf.org/internet-drafts/draft-church-dns-mail-sender-02.txt
Andrew Church wrote:
"In cases where a message is forwarded through one or more MTAs before
reaching its final destination [...], the MTA at the message's
destination will typically reject the message when the forwarding MTA
fails to respond properly to an MS challenge for the sender's domain.
Thus, MTAs which forward messages should modify the sender address of
such messages to one which they can respond to an MS challenge for.
However, depending on circumstances, it may be appropriate for the MTA
to record elsewhere in the message the original sender address."
Ah, I have got the idea. However, you might want to consider to discuss
in your draft:
(1) Section 1 is confusing since it is about "Forged Headers".
(2) How serious is the problem of "Sender Address" compared to
the "Forged Headers"?
(3) Why use a complicated cryptographic challenge mechanism? AFAIK, it is
quiet common for a current receiving MTA to reject emails that come
from a host with no reverse "in-addr.arpa" information. Furthermore,
why not use the MS RR to list the MTAs who are allowed to use the
sender address of the domain?
regards,
--
Rahmat M. Samik-Ibrahim -- vLSM.org -- http://rms46.vLSM.org --
One Debian GNU/Linux,with glibc,and justice for all - Pledge of A