Great, I knew I was probably wrong on this. Thanks to both of you guys for the feedback and suggestions, really appreciate it.
Dale

On May 4, 9:58 am, John Adams <j...@twitter.com> wrote:
> On May 4, 2009, at 5:15 AM, Arik Fraimovich wrote:
>
> > The from address is always of the form:
> > twitter-dm-[name]=[domain]@postmaster.twitter.com, so if your email
> > address is u...@example.com the from address will be:
> > twitter-dm-user=example....@postmaster.twitter.com. If you set the
> > address to be something random and non public, like
> > MD5(time)@yourdomain.com, it will make it hard to guess/fake. And then
> > all you have to verify when receiving the email is the from address.
>
> Ah, but then your email address wouldn't be very human readable and
> you'd have to change your email address all the time (if you were
> using the current time as your MD5 seed.)
>
> > Maybe using both methods will give you maximum security.
> > @netik - would love to hear your opinion on that.
>
> Domain Keys is very secure, and easier than the address hack method
> you describe. You could also validate received: headers, or the
> originating message path if you don't want to implement domain keys.
> There exist many standard libraries to do so, though.
>
> -j
>
> ---
> John Adams
> Twitter Operations
> j...@twitter.com
> http://twitter.com/netik
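The two checks discussed in this thread, combined in one receiver-side function. This is an added example, not code from any of the posters or from Twitter. It assumes that your own MTA verifies the signature and records the result in an `Authentication-Results` header, that the signing domain is twitter.com or a subdomain, and that the check applies to the `From` header; the addresses, hostnames and sample message are constructed.

```python
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example (assumptions, not from the thread).
SECRET_RCPT = "9e107d9d372bb6826bd81d3542a419d6@example.com"  # non-public address given to Twitter
TRUSTED_AUTHSERV = "mx.example.com"  # authserv-id stamped by our own MTA

SENDER_RE = re.compile(
    r"^twitter-dm-(?P<name>[^=@]+)=(?P<domain>[^=@]+)@postmaster\.twitter\.com$")
DKIM_RE = re.compile(
    r"\bdkim=pass\b[^;]*\bheader\.d=(?:[\w-]+\.)*twitter\.com(?![\w.-])", re.I)

def encoded_recipient(from_header):
    """Decode twitter-dm-[name]=[domain]@postmaster.twitter.com to name@domain, else None."""
    _, addr = parseaddr(from_header or "")
    m = SENDER_RE.match(addr.lower())
    return f"{m['name']}@{m['domain']}" if m else None

def dkim_pass(msg):
    """True if the first Authentication-Results header written by our MTA reports
    dkim=pass for twitter.com (or a subdomain). Headers from other hosts are ignored."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() == TRUSTED_AUTHSERV:
            return bool(DKIM_RE.search(results))
    return False

def accept(raw):
    """Accept only if the From address encodes our secret recipient AND DKIM passed."""
    msg = message_from_string(raw)
    rcpt = encoded_recipient(msg["From"])
    addr_ok = rcpt is not None and hmac.compare_digest(rcpt.encode(), SECRET_RCPT.encode())
    return addr_ok and dkim_pass(msg)

# Constructed sample message.
SAMPLE = (
    "Authentication-Results: mx.example.com; dkim=pass header.d=twitter.com\n"
    "From: Twitter <twitter-dm-9e107d9d372bb6826bd81d3542a419d6=example.com"
    "@postmaster.twitter.com>\n"
    "Subject: Direct message\n\nconstructed body\n"
)

if __name__ == "__main__":
    print(accept(SAMPLE))                                    # both checks pass
    print(accept(SAMPLE.replace("dkim=pass", "dkim=fail")))  # address matches, signature does not
```

The address check on its own only shows that the sender knows the registered address; the signature result is what ties the message to the sending domain, which is why the function requires both.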