On May 4, 1:26 pm, John Adams <j...@twitter.com> wrote:
> On May 4, 2009, at 12:02 AM, Dale Cook wrote:
>
> > So my question is, is there any way to authenticate that the email is
> > actually coming from twitter and not someone else?
>
> It's pretty easy to prove the mail was sent from us. We use  
> DomainKeys. Validate our domainkey signature at the top of the email,  
> and if it doesn't validate, it's not from us.

Another (simpler) trick you can do:
The from address is always of the form:
twitter-dm-[name]=[domain]@postmaster.twitter.com, so if your email
address is u...@example.com the from address will be:
twitter-dm-user=example....@postmaster.twitter.com. If you set the
address to be something random and non-public, like
MD5(time)@yourdomain.com, it will make it hard to guess/fake. And then
all you have to verify when receiving the email is the from address.

Maybe using both methods will give you maximum security.

@netik - would love to hear your opinion on that.

Arik (@arikfr)
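
The From-address check suggested in the message above, sketched in Python as an added example that is not part of the original thread and is not Twitter's code. The function names and sample messages are constructed for illustration, and a CSPRNG token is used in place of MD5(time) for the private address. It checks only the From header; DomainKeys signature validation, mentioned in the quoted reply, is a separate step not shown here.

```python
import hmac
import secrets
from email import message_from_string
from email.utils import parseaddr

SENDER_DOMAIN = "postmaster.twitter.com"  # sender domain named in the thread
PREFIX = "twitter-dm-"                    # local-part prefix named in the thread


def new_private_address(domain: str) -> str:
    """Create an unguessable receiving address (CSPRNG token, not MD5(time))."""
    return f"{secrets.token_hex(16)}@{domain}"


def expected_sender(registered: str) -> str:
    """Encode user@domain as twitter-dm-user=domain@postmaster.twitter.com."""
    local, _, domain = registered.partition("@")
    return f"{PREFIX}{local}={domain}@{SENDER_DOMAIN}".lower()


def sender_matches(raw_message: str, registered: str) -> bool:
    """True only if the single From address encodes our private address."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:  # missing or duplicated From header: reject
        return False
    _, addr = parseaddr(from_headers[0])
    # Constant-time compare so the secret part is not leaked through timing.
    return hmac.compare_digest(addr.lower().encode(),
                               expected_sender(registered).encode())


if __name__ == "__main__":
    # Constructed sample data: a private address and two test messages.
    private = "0123456789abcdef0123456789abcdef@example.com"
    genuine = (f"From: Twitter <{expected_sender(private)}>\n"
               "Subject: Direct message\n\nhello\n")
    # A forger who only knows a public address cannot build the right sender.
    forged = ("From: Twitter <twitter-dm-user=example.com@postmaster.twitter.com>\n"
              "Subject: Direct message\n\nhello\n")
    print("genuine accepted:", sender_matches(genuine, private))
    print("forged accepted: ", sender_matches(forged, private))
```
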
