spf-discuss

Simple method to prevent cross-customer forgery on shared MTAs

2005-05-16 21:01:52
This proposal seems to have been widely misunderstood as something
else.  I have improved the title, I think, and will float it again.

Suppose an SMTP service has domain 'service.com' and wants to
prevent cross-customer forgery.  A client logs in to SMTP AUTH as 'curly' and
gives a MAIL FROM of 'moe@example.com'.  The service then looks for
a DNS A record at:

        moe._using_.paul._at_.service.com._smtpauth_.example.com

This allows the domain owner to specify exactly which SMTP AUTH logins
are allowed to use the domain.  The SPF exists mechanism can't do this because
there is no macro expansion for the SMTP AUTH login name.  The simple
DNS lookup is highly cacheable.
 
If the client is using SRS/SES/VERP/whatever, or wishes to allow the
SMTP AUTH account to use any localpart, then he can use a wildcard:

        *._using_.paul._at_.service.com._smtpauth_.example.com

If he wants to match the user in a signed localpart, however, he can't use a
wildcard in any standard DNS server, but he can use a custom "stunt" DNS server
to strip the SES/SRS sig, creating the equivalent of:

        ; NOT LEGAL BIND SYNTAX - means match any name ending with '=moe'.
        *=moe._using_.paul._at_.service.com._smtpauth_.example.com

Alternatively, the SMTP service can check

        paul._at_.service.com._smtpauth_.example.com

if the lookup with localpart fails.  
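As an added example, not part of the post above, here is how an MTA could run
the check just described against a small in-memory zone.  It builds the
`<localpart>._using_.<login>._at_.<service>._smtpauth_.<domain>` name, tries
the A lookup, honours a `*` wildcard with the standard closest-encloser rule,
and falls back to the login-only name when the localpart lookup fails.  The
function names, the sample zone and the `make_resolver` emulation are all
assumptions of this example; the "stunt" server that strips an SRS/SES
signature is not modelled, only the plain wildcard a standard server supports.

```python
# Added example: SMTP AUTH / MAIL FROM authorisation via DNS A-record lookups,
# as described in the spf-discuss post.  Function names, the in-memory zone and
# the resolver emulation are constructed for this example (hypothetical).
from typing import Callable, Set

Resolver = Callable[[str], bool]   # returns True when an A record exists for the name


def auth_name(localpart: str, login: str, service: str, sender_domain: str) -> str:
    """Name whose A record authorises <localpart>@<sender_domain> for SMTP AUTH
    login <login> on service <service>.  Label layout is the one in the post."""
    return f"{localpart}._using_.{login}._at_.{service}._smtpauth_.{sender_domain}"


def login_name(login: str, service: str, sender_domain: str) -> str:
    """Fallback name (no localpart): authorises the login for any localpart."""
    return f"{login}._at_.{service}._smtpauth_.{sender_domain}"


def make_resolver(zone: Set[str]) -> Resolver:
    """Emulate a standard DNS server that holds A records only for the names in
    `zone`.  Exact matches win; otherwise the standard wildcard rule applies:
    find the closest encloser (longest suffix under which some record exists)
    and match only if '*' exists directly beneath it.  DNS names are
    case-insensitive, so everything is lower-cased; a dotted localpart is
    therefore several labels, which the wildcard still covers."""
    zone = {n.lower().rstrip(".") for n in zone}

    def exists(name: str) -> bool:
        labels = name.lower().rstrip(".").split(".")
        if ".".join(labels) in zone:
            return True
        for i in range(1, len(labels)):
            suffix = ".".join(labels[i:])
            if any(n == suffix or n.endswith("." + suffix) for n in zone):
                return f"*.{suffix}" in zone    # wildcard only at the closest encloser
        return False

    return exists


def authorised(mail_from: str, login: str, service: str,
               exists: Resolver, login_only_fallback: bool = True) -> bool:
    """Return True if the authenticated login may use this MAIL FROM address.
    Tries the localpart-specific name first, then (optionally) the post's
    alternative login-only name."""
    localpart, sep, domain = mail_from.rpartition("@")
    if not sep or not localpart or not domain:
        return False                        # malformed address: never authorised
    if exists(auth_name(localpart, login, service, domain)):
        return True
    return login_only_fallback and exists(login_name(login, service, domain))


# Constructed sample zone for the domain example.com (hypothetical records):
#  - paul may send exactly moe@example.com
#  - larry may send any localpart (wildcard, e.g. for VERP/SRS bounces)
#  - curly is authorised via the login-only fallback name
ZONE = {
    "moe._using_.paul._at_.service.com._smtpauth_.example.com",
    "*._using_.larry._at_.service.com._smtpauth_.example.com",
    "curly._at_.service.com._smtpauth_.example.com",
}
RESOLVER = make_resolver(ZONE)


if __name__ == "__main__":
    # Decision the MTA would take at MAIL FROM time for a few sessions.
    for login, sender in [("paul", "moe@example.com"),
                          ("paul", "shemp@example.com"),
                          ("larry", "bounce+abc@example.com"),
                          ("curly", "SRS0=h4sh=tt=moe@example.com"),
                          ("paul", "moe@other.org")]:
        verdict = "accept" if authorised(sender, login, "service.com", RESOLVER) else "reject"
        print(f"login={login:6} MAIL FROM <{sender}> -> {verdict}")
```

In a real MTA the resolver would be a single A query against the site's caching
resolver, which is what makes the scheme cheap: every name is fully determined
by the session, so repeated lookups for the same customer hit the cache.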

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.