How does SPF work?
SPF adds information to a domain's DNS record indicating which machines may legitimately send email for that domain. The domain must identify the machines that are authorized to send email on its behalf.
When a mail server receives email, it can check which computers are authorized to send mail for the domain of the email address in the From: field, and see whether the message actually came from one of those authorized computers. If it did, the message is assumed to be legitimate and allowed through. If it did not, or if the result is questionable, the receiving mail server can accept the message, mark it and accept it, or refuse to receive it.
For example: Suppose xyzzx.com receives mail at 198.0.2.1 and 198.0.2.2. When it sends mail, it uses those two servers, as well as 198.0.2.3. xyzzx.com would publish an SPF record that says: "v=spf1 ip4:198.0.2.1 ip4:198.0.2.2 ip4:198.0.2.3 -all".
When a mail server gets mail that claims to be from someone at xyzzx.com, that server can fetch xyzzx.com's SPF record and see if the connecting SMTP client is designated.
Limitations
- It does little to prevent the growing trend of spam sent from hijacked computers and from spammers' own domains: spammers can still send email from domains they control.
- SPF is incompatible with some email forwarding services and websites that use mail-forwarding features.
- SPF may be hacked by spammers before it is fully implemented.
At present the domains that have published records include AOL, Amazon, Google, O'Reilly, SAP, TicketMaster, Mail.com, w3.org, Earthlink and Verizon.
Sender ID Framework
The Sender ID Framework is the result of Microsoft's Caller ID for E-Mail proposal, Meng Wong's Sender Policy Framework (SPF), and a third specification called the Submitter Optimization. However, the Internet Engineering Task Force (IETF) has provisionally rejected Sender ID.
The Sender ID Framework is tasked with verifying that each e-mail message originates from the Internet domain from which it claims to come, based on the sender's server IP address. Only authenticated messages are allowed to reach the Receiver.
The steps in the process are:
- The Sender sends an e-mail message to the Receiver.
- The Receiver's inbound mail server receives the mail.
- The Receiver's server checks for the SPF record of the sending domain published in the Domain Name System (DNS) record.
- The inbound e-mail server determines if the sending e-mail server's IP address matches the IP address that is published in the DNS record.
However, the Internet Engineering Task Force (IETF) has provisionally rejected Sender ID because of a possible intellectual property rights conflict. It was said that it should not be made a mandatory part of the eventual MARID (MTA Authorization Records in DNS) standard.
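The IP-match check that both the xyzzx.com SPF example and the Sender ID steps above describe, as an added example that is not part of the original text: a receiving server's evaluation of the ip4/ip6/all mechanisms of a published SPF record against the connecting client's IP. DNS is replaced by a constructed lookup table (FAKE_DNS) holding the page's xyzzx.com record plus a constructed softfail.example record; include/a/mx mechanisms, which need further DNS lookups, are deliberately skipped.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (no network access): the page's
# xyzzx.com record plus a made-up record using the ~all (softfail) qualifier.
FAKE_DNS = {
    "xyzzx.com": "v=spf1 ip4:198.0.2.1 ip4:198.0.2.2 ip4:198.0.2.3 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, dns=FAKE_DNS):
    """Evaluate a domain's SPF record for the IP of the connecting SMTP client.

    Returns "pass", "fail", "softfail", "neutral", or "none" (no usable record).
    Only ip4, ip6 and all are handled; other mechanisms are skipped.
    """
    record = dns.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all: decides every other client
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        # include/a/mx/exists would require more DNS queries; skipped here
    return "neutral"  # record ended without an "all" term


if __name__ == "__main__":
    print(check_spf("xyzzx.com", "198.0.2.3"))   # pass: a designated sender
    print(check_spf("xyzzx.com", "192.0.2.99"))  # fail: e.g. a forwarding host (the page's limitation)
```

The second call shows the forwarding limitation the page lists: a forwarder relaying a genuine xyzzx.com message from an undesignated IP gets "fail" under -all.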
Caller ID
Microsoft's Caller ID allows Internet domain owners to publish the IP addresses of their outgoing e-mail servers in an XML (Extensible Markup Language) format e-mail "policy" in the DNS record for their domain. E-mail servers can query the DNS record and match the source IP address of incoming e-mail messages to the addresses of the approved sending servers.
Caller ID involves two key steps:
One, the sender of e-mail publishes the IP (Internet Protocol) addresses of their outgoing mail servers in DNS (Domain Name System) in an e-mail policy document.
Two, the e-mail software at the receiving end of a message queries DNS for the e-mail policy and determines the "purported responsible domain" of the message. This is done by comparing the information in DNS to ensure it matches the information on the originating mail.
Caller ID claims to confirm legitimate senders.