Mail From path registration was aimed at reducing a "backscatter" spoofing. This problem had grown to where now most adopt strategies that keep abusive messages from being issued by their servers in the form of DSNs and where MTAs now normally verify valid recipients prior to acceptance. The levels of abuse often required valid recipient checks to conserve server resources. Secondly, most automated sources of DSNs are now better at removing much of the body to keep abuse out. IMHO, a "report" mime subtype for auto responses could also reduce false positives.
Nevertheless, some now hope to base email acceptance upon Mail From path registration or upon valid Author Domain Signatures. Some expect either technique can be used to white-list their domain, and to limit the issuance of DSNs. Unfortunately, determining whether a message is within a registered Mail From path can expend many transactions, and may fail for forwarded messages. Some have proclaimed DKIM can amend Mail From path registration to include valid Author Domain Signatures as alternative acceptance criteria. While that might sound good, neither Mail From or PRA path registration prevent deceptive use of From email addresses. The general goal behind ADSP was to prevent From email address deception. So the other question that might be asked, should ADSP practices be amended to include Mail From path registration as an optional acceptance criteria for mailing-lists or other third-party signers? Those wanting to cross-the-beams, or to splice together the different kinds of Mail Tubes are likely to expose users to fraudulent messages that are indistinguishable from those of genuine mail. For SMTP to survive, it needs to deal with abuse early within the process, which entails acceptance at connections likely based upon consistent use of hostnames. Receivers need to pay attention to hostnames reported by any particular IP address, and not dismiss it because some path registration had been found. This should not be hard, since normally only a few hostnames used by each over long periods. Exceptions can be handled separately. Sources that appear genuine then need to be monitored individually, where this too is not hard when limited to trusted sources. DNS based self references are easily manipulated, and often DNS servers are also compromised systems. As such, finding a matching address record in the forward direction says little unless published by a trusted domain. The question of trust becomes more difficult as a slew of new TLDs are added. It would be nice to have a protocol that offered an easier way to determine answers to question of who can be trusted without needing a massive database or a centralized service. So which are the trustworthy domains? DKIM/ADSP is really about mitigating ongoing fraud. Connecting the Mail From Tube together with the From Tube defeats the From Tube's otherwise good protection. The TPA-Label scheme offers a safe way to combine Tubes via an authorization strategy. By not depending upon path registration, a receiver is more likely to monitor for connection abuse that can be determined without any additional transactions. A trusted name list can be developed based upon those domains being authorized-by-name. Third-party handlers would receive "votes of trust" from domains who are attempting to protect against fraud in disguise. Lately, I have received several mailing-list like messages designed to appear as if from a mailing list or a social network with whom I have subscribed. It is not hard to establish reasonable thresholds of genuine traffic that would be needed to keep this type of assessment from being easily gamed. Unless your domain is a likely phishing target or perhaps a Fortune 500 company, ADSP is unlikely to offer the type of handling that may be desired. However, the web today has become a massive voting scheme, which is a fairly democratic trend. Admittedly, many have learned how to game the system, but the gaming can be mitigated through greater participation. Delegating domains can be detrimental, and exchanging keys and synchronously setting up DNS references is error prone and expensive, which together reduces the needed participation. The TPA-Label scheme should make it easy for domains to vote for the services being trusted by-name. Trust-by-name, the only scheme that scales. :^) -Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
