North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Paper on Email Authentication (Authorization really) (was - Re:Micorsoft's Sender ID Authentication......?)

  • From: william(at)
  • Date: Mon Jun 13 16:27:24 2005

On Tue, 7 Jun 2005, Fergie (Paul Ferguson) wrote:

> -- "william(at)" <[email protected]> wrote:
> Since it appears NANOG continues to be used for mail-related discussions
> and a some of what goes here is based on not understanding technologies
> and issues involved, I'll make a link to a paper that I'm working on
> available (when its ready) and it will hopefully be good information
> to understand what's up in email authentication front and what each
> technology can and can not do.

That would be much appreciated. :-)
My paper on Email Security Anti-Spoofing Protection with Path and Cryptographic Authentication Methods is now available at

Printable PDF version of the paper (21 pages) is also available -

First parts (part 1-4) are an overview of the various email anti-spoofing technology proposals that were proposed (in IETF or IRTF ASRG) in the last 2-3 years, what email identities they focus on, their interactions and differences in proposals because of that. It should be easy enough for NANOG readers to read and understand even if you're not mail expert.

In part 5, I also go through why none of the proposals are really "anti-spam" and promotion of the methods as such is misleading. There are also chapters
on Accreditation and Reputation (including section on spamhaus .MAIL) and "authorization vs authenticity" question that has been raised by some when criticizing path authentication technologies like SPF - I explain that is really problem for both path and cryptographic proposals and its tied to question on if mail servers are "enforcing submission rights" at mail origin.

Part 6 may or may not be of interest here and is result of my research
presenting proposal on how to use cryptographic signatures to correct
for SPF failures after forwarding and allow for safe rejection based on SPF records.

Some people reported that PDF version is not readable in all circumstances,
in that case send me note privately when that happens with specs for your system, PDF reader version & OS and I'll try to get an idea of what needs to be corrected. Note that PDF is really just printout of html version
so if it does not work, read the original. In general if you know good
way to create PDF out of HTML for documents such as mine (perfect if it could insert page numbers into table of contents), let me know privately.

William Leibzon
Elan Networks
[email protected]