User:David MacQuigg/Sender ID: Difference between revisions

From Citizendium
Jump to navigation Jump to search
imported>David MacQuigg
No edit summary
imported>David MacQuigg
 
(One intermediate revision by the same user not shown)
Line 2: Line 2:
{{TOC|right}}
{{TOC|right}}
'''Definition:''' Email authentication method that verifies the domain name in a "purported" sender address.
'''Definition:''' Email authentication method that verifies the domain name in a "purported" sender address.
'''Sender ID''' is an email authentication method that seeks to correlate the domain name in a "purported" sender address with the IP address of an SMTP client currently connected and waiting for confirmation that a message was received.  The purported address is determined by looking at the headers on the message data.  After receiving the message data, but before the client is disconnected, the server does a DNS query for a Sender ID record on the domain name.
If the IP address is listed in the Sender ID record, the authentication result is PASS, and the message may be processed in accordance with the reputation assigned to the domain.  If the authentication result is FAIL, the message may be immediately rejected.  Often, however, the result is neither PASS nor FAIL, but unclear.  This is a result of the many domains that don't publish Sender ID records, or that have records giving unclear results.


'''Sender ID''' is an email authentication method that uses the [[IP address|source IP address]] in a [[TCP]] connection to verify the domain name in a Purported Responsible Address (PRA). A Pass result provides strong assurance that the message came from a transmitter authorized by the domain owner.  A Fail result allows immediate rejection of the message, while the transmitter is still connected, and before transferring any data.
'''Sender ID''' is an email authentication method that uses the [[IP address|source IP address]] in a [[TCP]] connection to verify the domain name in a Purported Responsible Address (PRA). A Pass result provides strong assurance that the message came from a transmitter authorized by the domain owner.  A Fail result allows immediate rejection of the message, while the transmitter is still connected, and before transferring any data.
Line 17: Line 12:


=== Limitations ===
=== Limitations ===
 
Sender seeks to avoid the [[Email forwarding problem|forwarding problem]] by using the Forwarder's domain instead of the original domain


  |--- Sender's Network ---|          |--------- Recipient's Network --------|
  |--- Sender's Network ---|          |--------- Recipient's Network --------|
Line 25: Line 20:
                     /      Border    /
                     /      Border    /
                   /                  /
                   /                  /
                   ------ DNS -------
                   ------ DNS -------
 


=== How it works ===
=== How it works ===

Latest revision as of 20:42, 23 October 2009

See also: Email authentication for a general overview and terminology.

Definition: Email authentication method that verifies the domain name in a "purported" sender address.

Sender ID is an email authentication method that uses the source IP address in a TCP connection to verify the domain name in a Purported Responsible Address (PRA). A Pass result provides strong assurance that the message came from a transmitter authorized by the domain owner. A Fail result allows immediate rejection of the message, while the transmitter is still connected, and before transferring any data.

This method is very similar to SPF, except that the PRA is used instead of the envelope Return Address. In simple cases, the PRA is the address that appears in the "From" header of the message. In cases where forwarding has occurred, there may be various "Resent" and "Sender" headers. Sender ID uses a complex patented algorithm to determine which of these headers to use in selecting the PRA.

Like SPF, the domain in the PRA is verified by doing a DNS query for an SPF record under the domain name. If the IP address is listed in that record, the result is Pass. Thus Sender ID security depends on the security of Internet IP addresses and of the Domain Name System.

Like SPF, Sender ID prevents the "replay" abuse possible with signature methods like DKIM, because the verified domain owner can be held responsible for high-volume replication of a message.

Limitations

Sender seeks to avoid the forwarding problem by using the Forwarder's domain instead of the original domain

|--- Sender's Network ---|           |--------- Recipient's Network --------|
                                /
Author ==> MSA/Transmitter --> / --> Receiver/Forwarder ~~> MDA ==> Recipient
                    /         /        /
                   /       Border     /
                  /                  /
                  ------ DNS -------

How it works

Explanatory notes

Bibliography

RFC-4406 (2006), "Sender ID: Authenticating E-Mail", J. Lyon, M. Wong, http://tools.ietf.org/html/rfc4406. Microsoft's variation on SPF.
RFC-4405 (2006), "SMTP Service Extension for Indicating the Responsible Submitter of an E-Mail Message", E. Allman, H. Katz, http://tools.ietf.org/html/rfc4405. Solution to forwarding problem.
RFC-4407 (2006), "Purported Responsible Address in E-Mail Messages", J. Lyon, http://tools.ietf.org/html/rfc4407. Key difference with SPF.