> > > proposal of mailfrom dns record - http://www.vix.com/~vixie/mailfrom.txt or > > > > I've had a look at vixies proposal and it's a good one. I certainly would > > welcome something like the mailfrom dns record. > actually I'd call it a nonstarter in its current form. I would have to agree. > given that > - mail from is used for nondelivery reports and other notifications; > users need to make sure it gets set to an address that they'll read > - nomadic users have valid reasons to post from random places on the net > (including multiple ISPs) and keep the same mail from address. > - many ISPs won't let you forward or submit mail through someone else's > SMTP server, even if you have permission to do so. so you can't > forward your mail through your "home" ISP's mail server to allow the > "mail from" check to work. In addition to these valid concerns I'd add that various sorts of autoforwarding exist that don't change the MAIL FROM. These would also tend to break if such a scheme were implemented. I'm also concerned about the management aspects of having lists of authorized "multistage relays" and all that implies. > trying to reuse any of the existing return addresses in email as a > spam identifier just won't fly. a separate identifier might work. But there's also a problem with NOT using the MAIL FROM -- one of the things that's being counted on here is that mailing list expanders will (optionally) check the MAIL FROM against this new DNS record, but then change it unconditionally to an address associated with the list expander rather than with the originator. > (actually Sender is the closest thing to what is needed here, > unfortunately it's routinely munged by mailing lists) To the extent that sender is munged by mailing lists to refer to the list expander it would actually be a feature here, not a bug. But just as you cannot count on it being left alone, you also cannot count on it being changed. Perhaps the real problem here isn't the use of MAIL FROM but rather the assumption that binding ipsource to the MAIL FROM domain is a useful validation check. A specific ipsource is just not a property a legitimate user of a given domain can be expected to have. Although I am reluctant to suggest anything involving public key crypto, another approach would be to put a public key in the MAIL-FROM DNS record and add a new header field containing a signature covering the message's MAIL FROM and the current date. Ned