spf-discuss

RE: Security Paper on forgery bounce DDoS

2004-04-20 09:12:31
From: Tony Finch
Sent: Tuesday, April 20, 2004 3:33 AM


On Mon, 19 Apr 2004, Seth Goodman wrote:

> > SPF and SES target only envelope-from forgeries,
>
> I think you are underselling SES, since signed sender addresses are so
> easy to use to protect against 822 header forgery, even when the
> authorship of a message crosses organizational boundaries -- a hard goal
> to achieve with a protocol like SPF.

Very true.  To stop email forgeries, _all_ the RFC2822 "originator" fields
need validation.  SPF and SES, like other LMAP protocols, attempt to verify
the return-path because that is all that is available during an SMTP session
before you have to decide whether to let the SMTP-client proceed to the DATA
phase.  However, SPF does _not_ verify the local part of the MAIL FROM:,
even when the domain owner uses the 'exists' mechanism.  All the message
recipient knows is that the domain owner has stated that the local-part in
question is valid at their domain and designates certain IP addresses as
outgoing MTAs.  SPF _cannot_ validate that the sender of that message was
indeed the claimed sender.  SES _can_ do that, so it provides a higher level
of validation.  If we extend it to the other RFC2822 headers, it can
actually verify that the user who puts an address in Return-Path:,
Reply-To:, From: and Sender: actually had the domain owner's permission to
do so.  Though testing the other RFC2822 originator fields can't occur until
after DATA, if you validated the Return-Path: first via CBV, you are assured
that the sender will accept a DSN, should you find a problem in one of the
other header fields and the SMTP-client doesn't deal with rejection after
data gracefully.

--

Seth Goodman
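As an added illustration (not code from this thread, and not the SES specification's own address format), the following Python sketch shows the property the reply above relies on: the local part of the return-path carries an HMAC over the original address and an issue day, so a bounce or callback aimed at a forged, reused or stale return-path fails a check that a plain SPF lookup, which only sees the domain's published policy, cannot make. The key, the `ses0` prefix and the `=`-separated layout are constructed assumptions.

```python
"""Signed return-path demo: a receiver can verify the local part of MAIL FROM
only if the sending domain put something checkable into it."""
import base64
import hashlib
import hmac
import time

PREFIX = "ses0"   # constructed prefix, not the SES spec's wire format
DAY = 86400


def _tag(key: bytes, local: str, domain: str, day: int) -> str:
    # HMAC over the original address and the issue day, truncated and
    # base32-encoded so it stays short and survives case-folding MTAs.
    msg = f"{local}@{domain}|{day}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b32encode(mac)[:16].decode("ascii").lower()


def sign_sender(address: str, key: bytes, now=None) -> str:
    """Rewrite user@example.org into a time-bounded signed return-path."""
    local, domain = address.rsplit("@", 1)
    day = int(now if now is not None else time.time()) // DAY
    return f"{PREFIX}={_tag(key, local, domain, day)}={day}={local}@{domain}"


def verify_sender(signed: str, key: bytes, now=None,
                  max_age_days: int = 7) -> tuple:
    """Return (accepted, original address or rejection reason)."""
    if "@" not in signed:
        return False, "malformed address"
    local, domain = signed.rsplit("@", 1)
    parts = local.split("=", 3)
    if len(parts) != 4 or parts[0] != PREFIX:
        return False, "unsigned return-path"
    _, tag, day_s, orig_local = parts
    if not day_s.isdigit():
        return False, "malformed timestamp"
    day = int(day_s)
    today = int(now if now is not None else time.time()) // DAY
    if not 0 <= today - day <= max_age_days:
        return False, "outside validity window"
    expected = _tag(key, orig_local, domain, day)
    # constant-time compare; tag is lower-cased in case an MTA upcased it
    if not hmac.compare_digest(tag.lower(), expected):
        return False, "bad signature"
    return True, f"{orig_local}@{domain}"
```

A receiving MTA would run `verify_sender` on the RCPT TO of any incoming DSN (or on MAIL FROM during a callback) and reject on a False result, which is what turns a forged-bounce flood into cheap rejections instead of delivered junk.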