spf-discuss

Re: Declaring an Identity

2005-05-20 10:07:55
In 
<5(_dot_)2(_dot_)1(_dot_)1(_dot_)0(_dot_)20050519171542(_dot_)00c03c28(_at_)pop(_dot_)mail(_dot_)yahoo(_dot_)com>
 David MacQuigg <david_macquigg(_at_)yahoo(_dot_)com> writes:

OK, let's nail this down.  Here is the example incoming email, with
the proposed ID command.  Assume you have no prior relationship with
the sender, so you don't know what authentication method he uses.

    EHLO  mailserver7.bigforwarder.com
    ID  bigforwarder.com
    MAIL FROM:<bob(_at_)sales(_dot_)some-company(_dot_)com>

Without the ID command, you will waste a bunch of DNS queries and
possibly conclude this sender offers no authentication.

The problems with trusting the sender to tell you what you should
check were just discussed by you and me on the ietf-822 list a few days
ago.  It was a bad idea there and then, it is still a bad idea here
and now.  I will not repeat on spf-discuss what has already been said
on ietf-822.

The idea of creating a new identity for the sole purpose of
authentication has been discussed before.  In particular, Meng
proposed that the "submitter" identity should be turned around.
Instead of the identity given by the submitter parameter having to
match the PRA as determined by the headers, the MTA should make sure
that the appropriate headers are added so that it matches.

This idea didn't get a lot of support, but I encourage you to read the
MARID list archives to learn what was discussed previously.


-wayne
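The exchange quoted above, worked through from the receiver's side as an added example (this is not code from the thread or from any SPF implementation). It parses a constructed SMTP envelope in the shape of the one David posted, records the proposed `ID` command for logging only, and derives the identities an SPF-checking receiver verifies on its own: the HELO identity from EHLO/HELO and the MAIL FROM identity from the envelope sender, falling back to postmaster@<HELO domain> for the null sender `<>` as RFC 4408 specifies. The `ID` verb is the hypothetical command from the thread, not a real SMTP extension; no DNS lookups are performed.

```python
"""Derive the SPF identities a receiver checks from the SMTP envelope it saw,
never from a sender-asserted identity.  Added example, not from the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample session mirroring the one quoted in the thread.
# The "ID" verb is the hypothetical command under discussion, not real SMTP.
SAMPLE_SESSION: List[str] = [
    "EHLO  mailserver7.bigforwarder.com",
    "ID  bigforwarder.com",
    "MAIL FROM:<bob@sales.some-company.com>",
]

_MAIL_FROM_RE = re.compile(r"FROM:\s*<([^>]*)>", re.IGNORECASE)


@dataclass
class Envelope:
    helo: Optional[str] = None         # EHLO/HELO argument
    mail_from: Optional[str] = None    # None = not seen yet; "" = null sender <>
    asserted_id: Optional[str] = None  # hypothetical ID command; logged, never trusted


def parse_session(lines: List[str]) -> Envelope:
    """Walk the client commands of one SMTP session and record the envelope."""
    env = Envelope()
    for line in lines:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("EHLO", "HELO"):
            env.helo = arg.lower()
        elif verb == "ID":
            # Sender-chosen value: keep it for the log line, nothing else.
            env.asserted_id = arg.lower()
        elif verb == "MAIL":
            m = _MAIL_FROM_RE.match(arg)
            if not m:
                raise ValueError(f"malformed MAIL command: {line!r}")
            env.mail_from = m.group(1).strip().lower()
    return env


def spf_identities(env: Envelope) -> Dict[str, str]:
    """Return the domains to evaluate SPF against, derived from the envelope.

    helo     -> the EHLO/HELO domain
    mailfrom -> the domain of the envelope sender, or the HELO domain when the
                envelope sender is the null sender (postmaster@<HELO domain>)
    The asserted ID is deliberately ignored: the sender picks it, so it cannot
    tell the receiver which domain's policy governs this message.
    """
    if env.helo is None:
        raise ValueError("no EHLO/HELO seen before MAIL FROM")
    if env.mail_from is None:
        raise ValueError("no MAIL FROM seen")
    if env.mail_from == "":
        mailfrom_domain = env.helo  # null sender: check postmaster@<HELO domain>
    else:
        mailfrom_domain = env.mail_from.rpartition("@")[2]
        if not mailfrom_domain:
            raise ValueError(f"envelope sender has no domain: {env.mail_from!r}")
    return {"helo": env.helo, "mailfrom": mailfrom_domain}


def describe(lines: List[str]) -> str:
    """One log line per session: what was asserted vs. what gets checked."""
    env = parse_session(lines)
    ids = spf_identities(env)
    return (f"asserted_id={env.asserted_id or '-'} "
            f"check_helo={ids['helo']} check_mailfrom={ids['mailfrom']}")


if __name__ == "__main__":
    print(describe(SAMPLE_SESSION))
    print(describe(["HELO relay.example", "MAIL FROM:<>"]))
```

The point the log line makes is the one Wayne raises: whatever `ID` claims, the receiver still has exactly the HELO and MAIL FROM domains to evaluate, so the asserted value saves no query that the receiver would be right to skip.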