I posted this to the namedroppers list 1-Jun-2002. It describes a method
of ensuring that only the owner of a domain can authorize the use of
that domain for email purposes, without restricting those who do not
wish to comply. This is the first step in authenticating email without
the use of digital signatures.
June 1, 2002
Domain-Authorized SMTP Mail
Copyright Notice
Copyright (C) David N. Green (2002). All Rights Reserved.
Abstract
This document describes when and how to specify Mail Transmitter (MT)
resource records (RRs) in the Domain Name System (DNS), how to
configure SMTP servers to query them effectively, and how to
configure Mail User Agents (MUAs) to filter based on them.
1. Introduction
Historically, Internet mail has been plagued by forgeries. This has
become more problematic as the practice of sending Unsolicited
Commericial Email (UCE) has gained popularity. The addition of MT
RRs to DNS will solve the problem of forgery of domain, without
placing undue burden on any Internet Service Provider. This allows
the Internet Service Provider to begin the process of prevention
of forgery of user. The use of MT RRs at any site is RECOMMENDED.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
RFC 2119.
2. Mail Transmitter Resource Records
All hosts which are authorized transmitters of mail for a domain,
including any authorized forwarders, SHOULD be designated as Mail
Transmitters through the use of an MT RR.
3. MT DNS queries and Authorized-By SMTP headers
SMTP servers SHOULD remove any Authorized-By SMTP headers of
incoming mail. They MAY be configurable to preserve Authorized-By
headers on incoming mail from a set of trusted servers.
SMTP servers SHOULD perform an MT DNS query on the domain of
the From header. If the incoming mail was sent by a server returned
in the query, the SMTP server SHOULD attach an Authorized-By
header to the message, whose value is the hostname of the server
performing the MT authorization.
4. Mail User Agent handling of Authorized-By headers
Mail User Agents (MUAs) MAY allow the user to filter incoming
messages based on the presence of an Authorized-By header.
MUAs MAY allow the user to further filter authorized messages
based on the domain of the From header.
5. Security Considerations
If a user's ISP does not support at least the removal of
Authorized-By headers as stated in section 3, incoming mail may
be easily forged.
Additionally, any host between the sender and recipient, or who
can otherwise masquerade as the sender, can also masquerade
as an authorized transmitter for the domain of the sender.
Author's Address
David N. Green
563 Bill Rutledge Rd
Winder, GA 30680 USA
Phone: +1-770-868-0754 (w)
+1-770-868-1572 (h)
Fax +1-770-220-1937
EMail: green(_at_)couchpotato(_dot_)net
signature.asc
Description: This is a digitally signed message part