spf-discuss

Re: the philosophy of CBV

2004-05-28 16:19:30


Chris Drake wrote:

My main objection to domainkeys is that it screws* everyone who might
provide value-added mail services just to authenticate the sender, and
my main objection to SPF/CID is that it doesn't authenticate the
sender - so I think it would be a very good idea to add anything into
SPF/CID to authenticate that the stated sender actually sent the
message: be this via a callback to the sender's ISP's mail system, or
something passed UDP to the sender's DNS, or cryptography, I don't
care: so long as it provides whatever "domainkeys" is looking for. If
we can do this properly, we can hopefully get rid of domainkeys
completely, which will solve a load of additional problems for us all.

The "exists:" directive is powerful enough to support this.  Give
every (choose2from verified, genuine, authentic) outgoing message
its own unique envelope return address and load these return addresses
into your DNS server until delivery. We haven't solved man-in-the-middle
attacks but that's not this layer's problem.


--
davidnicol(_at_)pay2send(_dot_)com
"There's a fine line between participation and mockery" -- Scott Adams
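
The scheme described in the reply above, as an added sketch that is not part of the original message: the sender publishes each outstanding envelope return address in DNS, and the receiver's `exists:` check with the SPF `%{l}` (local-part) and `%{d}` (domain) macros passes only while that record is still live. The domain `example.org`, the `_rp` subdomain, the policy string and the in-memory `Zone` standing in for a DNS server are all assumptions made for illustration; the policy is assumed to be the one published by the MAIL FROM domain.

```python
import secrets

# Constructed for this sketch: domain, "_rp" subdomain and policy are hypothetical.
DOMAIN = "example.org"
POLICY = "v=spf1 exists:%{l}._rp.%{d} -all"


class Zone:
    """In-memory stand-in for the sender's authoritative DNS server."""

    def __init__(self):
        self.a_records = set()

    def publish(self, name):
        self.a_records.add(name.lower())

    def withdraw(self, name):
        self.a_records.discard(name.lower())

    def has_a(self, name):
        return name.lower() in self.a_records  # DNS names are case-insensitive


def send(zone):
    """Sender: mint a one-off envelope return address and publish it."""
    local = "m-" + secrets.token_hex(16)  # 34 chars, under the 63-byte label limit
    zone.publish(f"{local}._rp.{DOMAIN}")
    return f"{local}@{DOMAIN}"


def delivered(zone, mail_from):
    """Sender: withdraw the record once the message has been delivered."""
    local, _, domain = mail_from.rpartition("@")
    zone.withdraw(f"{local}._rp.{domain}")


def check(zone, mail_from, policy=POLICY):
    """Receiver: evaluate only the exists: mechanism against MAIL FROM."""
    local, _, domain = mail_from.rpartition("@")
    if not local or len(local) > 63 or "." in local:
        return "fail"  # cannot be one of the single-label tokens minted above
    for term in policy.split()[1:]:
        if term.startswith("exists:"):
            name = term[len("exists:"):].replace("%{l}", local).replace("%{d}", domain)
            if zone.has_a(name):
                return "pass"
    return "fail"  # falls through to "-all"
```

A copied return address keeps passing until `delivered()` withdraws it, which is the window the reply leaves to another layer.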

