-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Stuart D. Gathman wrote:
Suppose an SMTP service has domain 'service.com' and wants to
prevent cross-customer forgery. A client logs in to SMTP AUTH as
'curly' and gives a MAIL FROM of 'moe(_at_)example(_dot_)com'. The service
then
looks for a DNS A record at:
moe._using_.paul._at_.service.com._smtpauth_.example.com
This allows the domain owner to specify exactly which SMTP AUTH logins
are allowed to use the domain.
(s/moe._using_.paul/paul._using_.moe/, plus s/curly/paul/ or vice versa, I
guess.)
Your point seems to be for the relay (service.com) to check with the domain
owner (example.com) for whether user "paul" is allowed to use a MAIL FROM
of <moe(_at_)example(_dot_)com>.
This is not necessary when example.com is also owned by service.com (which
is the case for most vanity domain forwarding services). For the cases
where users can bring their own domain and use it with a shared MTA, your
proposal is an interesting idea.
The SPF exists mechanism can't do this because there is no macro
expansion for the SMTP AUTH login name.
Doing this through SPF would only work with _outbound_ SPF checking, which
is rarely done. But perhaps adding a new macro for the SMTP AUTH identity
in outbound SPF checking is worthwhile? Would it break compatibility?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCieYfwL7PKlBZWjsRAt1UAJ4iAHm58mlp4mWirnL4+w4pXEgt9wCfeBqy
YNTnc5t8ommlJi26bCpwFPA=
=xklG
-----END PGP SIGNATURE-----