spf-discuss

RE: a "never relays" parameter

2004-06-11 10:37:08
On Fri, 11 Jun 2004, Seth Goodman wrote:

> Since you propose that recipient MTA's should all maintain trusted forwarder
> lists, is there really any need for originator tests?  Playing the devil's
> advocate here, if all recipients maintained trusted forwarder lists, there
> really isn't any need for SRS, either.  If we need SRS because not all sites
> have forwarder whitelists, we also need originator tests, since those
> recipients can't distinguish a trusted forwarder from a forger.  How do we
> reconcile this?

Simple.  All of the above.  

Let forwarders choose between DBBF, SRS, RSR (even SUBMITTER).

Let recipients do SPF checking, plus one of forwarder whitelisting,
CBV (pref via DNS) validation.

Senders should publish SPF.  They can also do SES to screen forged bounces.
They can also publish SES validation via DNS to allow efficient validation
(without SMTP).

"Legitimate" sender forgers should stop lying.

Everything mostly plays together nicely.  Exception, DBBF forwarders must 
be whitelisted. 

Having an assurance of the domain sending you the email, and possibly
even of the originating domain, the foundation is laid for layer 2:
giving the user assurance that the 2822 headers are authentic.

Everyone's email needs are so diverse, it would be a mistake to try
and make "one size fits all".  We are providing a set of tools that
are compatible with one another.  Specific configurations of these tools
are more appropriate for giant providers like AOL or small businesses
like where I work.

The one tool that has not been specified very well is the SES validation
via DNS.  The recipient needs to know when MAIL FROM has SES (checking
whether it starts with SRS0 or SES0 is reasonable).  There is no standard
that I am aware of for the DNS query.  CBV via SMTP works well enough, but
is expensive for both sender and recipient (including all the recipients
using it to ignore forgeries).

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
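
Added example, not part of the original message or of any SPF/SES implementation: one way a recipient could combine the checks described above (SPF result, forwarder whitelist, and the SRS0/SES0 prefix test on MAIL FROM). The whitelist range, the separator set, the sample addresses and the returned action names are constructed assumptions; the SPF result is assumed to be computed elsewhere, and the signature validation itself is left out because the message notes no standard exists for it.

```python
import ipaddress

# Constructed whitelist of forwarders this recipient trusts (documentation range).
TRUSTED_FORWARDERS = [ipaddress.ip_network("192.0.2.0/28")]
SIGNED_PREFIXES = ("SRS0", "SES0")  # the two prefixes named in the message
SEPARATORS = "=+-"                  # assumption: tag is followed by one of these


def signed_scheme(mail_from):
    """Return 'SRS0' or 'SES0' if the MAIL FROM local part carries that tag."""
    local, at, _domain = mail_from.strip("<>").rpartition("@")
    if not at:
        return None  # null sender "<>" or malformed address
    tag = local[:4].upper()
    # Require a separator so ordinary mailboxes like "srs0fan" do not match.
    if tag in SIGNED_PREFIXES and len(local) > 4 and local[4] in SEPARATORS:
        return tag
    return None


def is_trusted_forwarder(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_FORWARDERS)


def recipient_policy(client_ip, mail_from, spf_result):
    """Pick an action from SPF result, forwarder whitelist and MAIL FROM tag."""
    if spf_result == "pass":
        return "accept"
    # A forwarder that does not rewrite MAIL FROM fails SPF for the original
    # domain, so the whitelist is consulted before acting on the failure.
    if is_trusted_forwarder(client_ip):
        return "accept-forwarder"
    if spf_result == "fail":
        return "reject"
    # No usable SPF verdict: fall back to validating the sender address.
    if signed_scheme(mail_from):
        return "validate-signature"  # mechanism unspecified, see the message
    return "cbv"                     # callback verification over SMTP


if __name__ == "__main__":
    for args in [("192.0.2.5", "alice@example.org", "fail"),
                 ("198.51.100.7", "alice@example.org", "fail"),
                 ("198.51.100.7", "SES0=abc=alice@example.org", "none")]:
        print(args, "->", recipient_policy(*args))
```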