summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc4406.txt
blob: 41dbdff97d0addc405bb84e4e0716c48e9ce6f4d (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
Network Working Group                                            J. Lyon
Request for Comments: 4406                               Microsoft Corp.
Category: Experimental                                           M. Wong
                                                               pobox.com
                                                              April 2006


                    Sender ID: Authenticating E-Mail

Status of This Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

IESG Note

   The following documents  (RFC 4405, RFC 4406, RFC 4407, and RFC 4408)
   are published simultaneously as Experimental RFCs, although there is
   no general technical consensus and efforts to reconcile the two
   approaches have failed.  As such, these documents have not received
   full IETF review and are published "AS-IS" to document the different
   approaches as they were considered in the MARID working group.

   The IESG takes no position about which approach is to be preferred
   and cautions the reader that there are serious open issues for each
   approach and concerns about using them in tandem.  The IESG believes
   that documenting the different approaches does less harm than not
   documenting them.

   Note that the Sender ID experiment may use DNS records that may have
   been created for the current SPF experiment or earlier versions in
   this set of experiments.  Depending on the content of the record,
   this may mean that Sender-ID heuristics would be applied incorrectly
   to a message.  Depending on the actions associated by the recipient
   with those heuristics, the message may not be delivered or may be
   discarded on receipt.

   Participants relying on Sender ID experiment DNS records are warned
   that they may lose valid messages in this set of circumstances.
   Participants publishing SPF experiment DNS records should consider





Lyon & Wong                   Experimental                      [Page 1]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


   the advice given in section 3.4 of RFC 4406 and may wish to publish
   both v=spf1 and spf2.0 records to avoid the conflict.

   Participants in the Sender-ID experiment need to be aware that the
   way Resent-* header fields are used will result in failure to receive
   legitimate email when interacting with standards-compliant systems
   (specifically automatic forwarders which comply with the standards by
   not adding Resent-* headers, and systems which comply with RFC 822
   but have not yet implemented RFC 2822 Resent-* semantics).  It would
   be inappropriate to advance Sender-ID on the standards track without
   resolving this interoperability problem.

   The community is invited to observe the success or failure of the two
   approaches during the two years following publication, in order that
   a community consensus can be reached in the future.

Abstract

   Internet mail suffers from the fact that much unwanted mail is sent
   using spoofed addresses -- "spoofed" in this case means that the
   address is used without the permission of the domain owner.  This
   document describes a family of tests by which SMTP servers can
   determine whether an e-mail address in a received message was used
   with the permission of the owner of the domain contained in that
   e-mail address.


























Lyon & Wong                   Experimental                      [Page 2]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


Table of Contents

   1. Introduction ....................................................3
      1.1. Conventions Used in This Document ..........................4
   2. Problem Statement ...............................................4
   3. SPF 2.0 Records .................................................5
      3.1. Version and Scope ..........................................5
           3.1.1. Minor Version .......................................6
      3.2. Multiple Records ...........................................6
      3.3. Positional Modifiers .......................................7
      3.4. Compatibility ..............................................8
   4. Decision Model ..................................................8
      4.1. Arguments ..................................................9
      4.2. Results ....................................................9
      4.3. Record Lookup ..............................................9
      4.4. Record Selection ...........................................9
   5. Actions Based on the Decision ..................................10
      5.1. Neutral, None, SoftFail, or PermError .....................11
      5.2. Pass ......................................................11
      5.3. Fail ......................................................11
      5.4. TempError .................................................11
   6. Security Considerations ........................................11
      6.1. DNS Attacks ...............................................12
      6.2. TCP Attacks ...............................................12
      6.3. Forged Sender Attacks .....................................12
      6.4. Address Space Hijacking ...................................12
      6.5. Malicious DNS Attacks on Third Parties ....................13
   7. Implementation Guidance ........................................13
      7.1. Simple E-Mailers ..........................................14
      7.2. E-Mail Forwarders .........................................14
      7.3. Mailing List Servers ......................................15
      7.4. Third-Party Mailers .......................................15
      7.5. MUA Implementers ..........................................15
   8. Acknowledgements ...............................................16
   9. References .....................................................17
      9.1. Normative References ......................................17
      9.2. Informative References ....................................17

1.  Introduction

   Today, a huge majority of unwanted e-mail contains headers that lie
   about the origin of the mail.  This is true of most spam and
   substantially all of the virus e-mail that is sent.

   This document describes a mechanism such that receiving Mail Transfer
   Agents (MTAs), Mail Delivery Agents (MDAs), and/or Mail User Agents
   (MUAs) can recognize mail in the above category and take appropriate
   action.  For example, an MTA might refuse to accept a message, an MDA



Lyon & Wong                   Experimental                      [Page 3]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


   might discard a message rather than placing it into a mailbox, and an
   MUA might render that message in some distinctive fashion.

   In order to avoid further fragmentation of the Internet e-mail
   system, it is desirable that the Internet community as a whole come
   to a consensus as to what mail senders should do to make their mail
   appear non-spoofed, and how mail receivers should determine whether
   mail is spoofed.  On the other hand, it is not necessary to reach a
   consensus regarding the actions that various parties take once a
   message has been determined to be spoofed.  This can be done
   unilaterally -- one agent might decide to discard a spoofed message
   whereas another decides to add a disclaimer.

   This document defines a pair of closely-related tests.  One validates
   a message's Purported Responsible Address (PRA) as defined in
   [RFC4407].  The other validates a message's Reverse-Path (also known
   as MAIL-FROM address) as defined in [RFC4408].

   An e-mail sender complying with this specification SHOULD publish
   information for both tests, and SHOULD arrange that any mail that is
   sent will pass both tests.  An e-mail receiver complying with this
   specification SHOULD perform at least one of these tests.

1.1.  Conventions Used in This Document

   In this document, the key words "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
   and "OPTIONAL" are to be interpreted as described in [RFC2119].

2.  Problem Statement

   Briefly stated, the mechanisms of this document allow one to answer
   the following question:

      When a message is transferred via SMTP between two unrelated
      parties, does the SMTP client host have permission to send mail on
      behalf of a mailbox referenced by the message?

   As seen from the question, this mechanism applies to unrelated
   parties:  It is useful at the point where a message passes across the
   Internet from one organization to another.  It is beyond the scope of
   this document to describe authentication mechanisms that can be
   deployed within an organization.

   The PRA version of the test seeks to authenticate the mailbox
   associated with the most recent introduction of a message into the
   mail delivery system.  In simple cases, this is who the mail is from.
   However, in the case of a third-party mailer, a forwarder, or a



Lyon & Wong                   Experimental                      [Page 4]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


   mailing list server, the address being authenticated is that of the
   third party, the forwarder, or the mailing list.

   On the other hand, the MAIL-FROM version of the test seeks to
   authenticate the mailbox that would receive Delivery Status
   Notifications (DSNs, or bounces) for the message.  In simple cases,
   this too is who the mail is from.  However, third-party mailers,
   forwarders, and mailing list servers MUST specify an address under
   their control, and SHOULD arrange that DSNs received at this address
   are forwarded to the original bounce address.

   In both cases, the domain associated with an e-mail address is what
   is authenticated; no attempt is made to authenticate the local-part.
   A domain owner gets to determine which SMTP clients speak on behalf
   of addresses within the domain; a responsible domain owner should not
   authorize SMTP clients that will lie about local parts.

   In the long run, once the domain of the sender is authenticated, it
   will be possible to use that domain as part of a mechanism to
   determine the likelihood that a given message is spam, using, for
   example, reputation and accreditation services. (These services are
   not the subject of the present mechanism, but it should enable them.)

3.  SPF 2.0 Records

   Domains declare which hosts are and are not authorized to transmit
   e-mail messages on their behalf by publishing Sender Policy Framework
   (SPF) records in the Domain Name System.  [RFC4408] defines a format
   for these records identified by the version prefix "v=spf1".  This
   section defines an amended format, identified by the version prefix
   "spf2.0", that allows sending domains to explicitly specify how their
   records should be interpreted, and provides for additional
   extensibility.  Sending domains MAY publish either or both formats.

   Since the two formats are identical in most respects, the following
   subsections define the "spf2.0" format relative to [RFC4408].

3.1.  Version and Scope

   Under Sender ID, receiving domains may perform a check of either the
   PRA identity or the MAIL-FROM identity.  Sending domains therefore
   require a method for declaring whether their published list of
   authorized outbound e-mail servers can be used for the PRA check, the
   MAIL-FROM check, or both.

   This section replaces the definition of the version identifier in
   Section 4.5 of [RFC4408] and adds the concept of SPF record scopes.




Lyon & Wong                   Experimental                      [Page 5]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


   SPF records begin with a version identifier and may also include a
   scope:

      record      = version terms *SP
      version     = "v=spf1" | ( "spf2." ver-minor scope)
      ver-minor   = 1*DIGIT
      scope       = "/" scope-id *( "," scope-id )
      scope-id    = "mfrom" / "pra" / name

   For example, the SPF record

          spf2.0/mfrom,pra +mx +ip4:192.168.0.100 -all

   defines an SPF record that can be used for either MAIL FROM or PRA
   checks.

   This document only defines the existence of two scopes: "mfrom" and
   "pra".  The details of these two scopes are defined in other
   documents: "mfrom" is defined in [RFC4408]; "pra" is defined in
   [RFC4407].

   Other scopes may be defined by future documents only.  There is no
   registry for scopes.  A scope definition must define what it
   identifies as the sending mailbox for a message, how to extract that
   information from a message, how to determine the initial arguments
   for the check_host() function, and what the compliant responses to
   the result are.  This ensures that domains with published records and
   mail receiver agree on the semantics of the scope.

   A compliant domain SHOULD publish authorizations for every defined
   scope.

3.1.1.  Minor Version

   All published records that use the "spf2" version identifier MUST
   start with "spf2.0".  This document only specifies records with a
   minor version of "0".

   Future versions of this document may define other minor versions to
   be used.

3.2.  Multiple Records

   A domain MAY publish multiple SPF 2.0 records, provided that each
   scope appears in at most one SPF 2.0 record.  In addition, a domain
   MAY also publish an SPF record that uses the "v=spf1" version
   identifier defined in [RFC4408].  The selection rules in Section 4.4
   define the precedence of these records.



Lyon & Wong                   Experimental                      [Page 6]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


3.3.  Positional Modifiers

   This section replaces Section 4.6.3 of [RFC4408] and adds the concept
   of positional modifiers.

   Modifiers are key/value pairs that affect the evaluation of the
   check_host() function.

   Modifiers are either global or positional:

      Global modifiers MAY appear anywhere in the record, but SHOULD
      appear at the end, after all mechanisms and positional modifiers.

      Positional modifiers apply only to the mechanism they follow.  It
      is a syntax error for a positional modifier to appear before the
      first mechanism.

   Modifiers of either type are also either singular or multiple:

      Singular modifiers may appear only once in the record if they are
      global, or once after each mechanism if they are positional.

      Multiple modifiers may appear multiple times in the record if they
      are global, or multiple times after each mechanism if they are
      positional.

   A modifier is not allowed to be defined as both global and
   positional.

   The modifiers "redirect" and "exp" described in Section 6 of
   [RFC4408] are global and singular.

   Ordering of modifiers does not matter, except that:

   1. positional modifiers must appear after the mechanism they affect
      and before any subsequent mechanisms; and

   2. when a multiple modifier appears more than one time, the ordering
      of the appearances may be significant to the modifier.

   Other than these constraints, implementations MUST treat different
   orders of modifiers the same.  An intended side effect of these rules
   is that modifiers cannot be defined that modify other modifiers.

   These rules allow an implementation to correctly pre-parse a record.
   Furthermore, they are crafted to allow the parsing algorithm to be
   stable, even when new modifiers are introduced.




Lyon & Wong                   Experimental                      [Page 7]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


   Modifiers that are unrecognized MUST be ignored.  This allows older
   implementations to handle records with modifiers that were defined
   after they were written.

3.4.  Compatibility

   Domain administrators complying with this specification are required
   to publish information in DNS regarding their authorized outbound
   e-mail servers.  [RFC4408] describes a format for this information
   identified by the version prefix "v=spf1".  Many domains have
   published information in DNS using this format.  In order to provide
   compatibility for these domains, Sender ID implementations SHOULD
   interpret the version prefix "v=spf1" as equivalent to
   "spf2.0/mfrom,pra", provided no record starting with "spf2.0" exists.

   Administrators who have already published "v=spf1" records SHOULD
   review these records to determine whether they are also valid for use
   with PRA checks.  If the information in a "v=spf1" record is not
   correct for a PRA check, administrators SHOULD publish either an
   "spf2.0/pra" record with correct information or an "spf2.0/pra ?all"
   record indicating that the result of a PRA check is explicitly
   inconclusive.

4.  Decision Model

   Sender ID enables receiving e-mail systems to answer the following
   question:

   Given an e-mail message, and given an IP address from which it has
   been (or will be) received, is the SMTP client at that IP address
   authorized to send that e-mail message?

   This question will usually be asked by an SMTP server as part of
   deciding whether to accept an incoming mail message.  However, this
   question could also be asked later by a different party.  An MUA, for
   example, could use the result of this question to determine how to
   file or present a message.

   There are three steps to answering this question:

   1. From an e-mail message, extract the address to verify.  The PRA
      variant of this test does so as specified in [RFC4407], or
      alternatively, using the submitter address as specified in
      [RFC4405].  The MAIL FROM variant of this test does so as
      specified in [RFC4408].

   2. Extract the domain part of the address determined in step 1.




Lyon & Wong                   Experimental                      [Page 8]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


   3. Call the check_host() function defined in [RFC4408] and modified
      by the following subsections.

   If the Sender ID check is being performed by an MTA as part of
   receiving an e-mail message, and it cannot determine an address in
   step 1 above (because the message or address is malformed), then the
   message SHOULD be rejected with error "550 5.7.1 Missing Purported
   Responsible Address" or error "550 5.7.1 Missing Reverse-Path
   address".

4.1.  Arguments

   Sender ID modifies the check_host() function by the addition of a
   scope parameter.  Thus, for Sender ID the check_host() function is
   called passing the following parameters:

      a. A scope of "pra" (for the PRA variant of the test), or "mfrom"
         (for the MAIL FROM variant of the test).
      b. The IP address (either IPv4 or IPv6) from which the message is
         being or has been received.
      c. The domain from step 2 above.
      d. The address from step 1 above.

4.2.  Results

   The result of the check_host() function is one of the values
   "Neutral", "Pass", "Fail", "SoftFail", "None", "TempError", or
   "PermError".  Section 5 describes how these results are used by MTAs
   receiving messages.  This specification imposes no requirements on
   parties performing this test in other environments.

4.3.  Record Lookup

   SPF records are looked up in DNS in accordance with Section 4.4 of
   [RFC4408].

   When performing the PRA version of the test, if the DNS query returns
   "non-existent domain" (RCODE 3), then check_host() exits immediately
   with the result "Fail".

4.4.  Record Selection

   This section replaces the record selection steps described in Section
   4.5 of [RFC4408].

   Starting with the set of records that were returned by the lookup,
   record selection proceeds in these steps:




Lyon & Wong                   Experimental                      [Page 9]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


   1. If any records of type SPF are in the set, then all records of
      type TXT are discarded.

   2. Records that do not begin with proper version and scope sections
      are discarded.  The version section for "spf2" records contains a
      ver-minor field that is for backward-compatible future extensions.
      This field must be well formed for a record to be retained, but is
      otherwise ignored.

   3. Records that use the "spf2" version identifier and do not have a
      scope-id that matches <scope> are discarded.  Note that this is a
      complete string match on the scope-id tokens: If <scope> is "pra",
      then the record starting "spf2.0/mfrom,prattle,fubar" would be
      discarded, but a record starting "spf2.0/mfrom,pra,fubar" would be
      retained.

   4. If the lookup returned two records, one containing the "v=spf1"
      version identifier and the other containing the "spf2" version
      identifier, the "spf2" version takes precedence for the desired
      scope-id.  If the "spf2" record does not contain the desired
      scope-id, then the "v=spf1" record is selected.

   5. If an "spf2" record does not contain the desired scope-id and
      there is no "v=spf1" record for the domain, then no record is
      selected.

   After the above steps, there should be one record remaining and
   evaluation can proceed.  If there are two or more records remaining,
   then check_host() exits immediately with the error "PermError".

   If there are no matching records remaining after the initial DNS
   query or any subsequent optional DNS queries, then check_host() exits
   immediately with the result "None".

5.  Actions Based on the Decision

   When the Sender ID test is used by an SMTP server as part of
   receiving a message, the server should take the actions described by
   this section.

   The check_host() function returns one of the following results.  See
   [RFC4408] for the meaning of these results.









Lyon & Wong                   Experimental                     [Page 10]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


5.1.  Neutral, None, SoftFail, or PermError

   An SMTP server receiving one of these results SHOULD NOT reject the
   message for this reason alone, but MAY subject the message to
   heightened scrutiny by other measures, and MAY reject the message as
   a result of this heightened scrutiny.

   Such additional security measures MAY take into account that a
   message for which the result is "SoftFail" is less likely to be
   authentic than a message for which the result is "Neutral".

5.2.  Pass

   An SMTP server receiving this result SHOULD treat the message as
   authentic.  It may accept or reject the message depending on other
   policies.

5.3.  Fail

   When performing the Sender ID test during an SMTP transaction, an MTA
   that chooses to reject a message receiving this result SHOULD reject
   the message with a "550 5.7.1 Sender ID (xxx) yyy - zzz" SMTP error,
   where "xxx" is replaced with "PRA" or "MAIL FROM", "yyy" is replaced
   with the additional reason returned by the check_host() function, and
   "zzz" is replaced with the explanation string returned by the
   check_host() function.

   When performing the Sender ID test after accepting an e-mail message
   for delivery, an MTA that chooses to reject a message receiving this
   result SHOULD NOT deliver the message.  Instead, it should create a
   DSN message, consistent with the usual rules for DSN messages.

5.4.  TempError

   An SMTP server receiving this result MAY reject the message with a
   "450 4.4.3 Sender ID check is temporarily unavailable" error code.
   Alternatively, an SMTP server receiving this result MAY accept a
   message and optionally subject it to heightened scrutiny by other
   anti-spam measures.

6.  Security Considerations

   This entire document describes a new mechanism for mitigating spoofed
   e-mail, which is today a pervasive security problem in the Internet.

   Assuming that this mechanism is widely deployed, the following
   sections describe counter attacks that could be used to defeat this
   mechanism.



Lyon & Wong                   Experimental                     [Page 11]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


6.1.  DNS Attacks

   The new mechanism is entirely dependent on DNS lookups, and is
   therefore only as secure as DNS.  An attacker bent on spoofing
   messages could attempt to get his messages accepted by sending forged
   answers to DNS queries.

   An MTA could largely defeat such an attack by using a properly
   paranoid DNS resolver.  DNS Security (DNSSEC) may ultimately provide
   a way to completely neutralize this class of attacks.

6.2.  TCP Attacks

   This mechanism is designed to be used in conjunction with SMTP over
   TCP.  A sufficiently resourceful attacker might be able to send TCP
   packets with forged from-addresses, and thus execute an entire SMTP
   session that appears to come from somewhere other than its true
   origin.

   Such an attack requires guessing what TCP sequence numbers an SMTP
   server will use.  It also requires transmitting completely in the
   blind -- the attack will be unable to hear any of the server's side
   of the conversation.

   Attacks of this sort can be ameliorated if IP gateways refuse to
   forward packets when the source address is clearly bogus.

6.3.  Forged Sender Attacks

   This mechanism chooses an address to validate either from one of a
   number of message headers or from the RFC 2821 MAIL command, and then
   uses that address for validation.  A message with a true Resent-From
   header or Return-Path, but a forged From header, will be accepted.
   Since many MUAs do not display all of the headers of received
   messages, the message will appear to be forged when displayed.

   In order to neutralize this attack, MUAs will need to start
   displaying at least the address that was verified.  In addition, MTAs
   could subject messages to heightened scrutiny when the validated
   address differs from the From header.

6.4.  Address Space Hijacking

   This mechanism assumes the integrity of IP address space for
   determining whether a given client is authorized to send messages
   from a given PRA.  In addition to the TCP attack given in Section
   6.2, a sufficiently resourceful attacker might be able to alter the
   IP routing structure to permit two-way communication using a



Lyon & Wong                   Experimental                     [Page 12]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


   specified IP address.  It would then be possible to execute an SMTP
   session that appears to come from an authorized address, without the
   need to guess TCP sequence numbers or transmit in the blind.

   Such an attack might occur if the attacker obtained access to a
   router that participates in external BGP routing.  Such a router
   could advertise a more specific route to a rogue SMTP client,
   temporarily overriding the legitimate owner of the address.

6.5.  Malicious DNS Attacks on Third Parties

   There is class of attacks in which an attacker A can entice a
   participant P to send a malicious message to a victim V.

   These attacks are undertaken by A citing the address of V in the SMTP
   MAIL FROM request and then by causing P to generate (or invoke the
   generation of) a Delivery Status Notification 'bounce' message
   (RFC3464), which is sent to the victim V.

   The attacker relies upon it being common practice to copy the
   original message into the 'bounce' report, thereby causing the malice
   to be sent onward to V.

   This mode of attack has the advantages (to the attacker) of
   obfuscating the location of the host from which the attack was
   mounted, and of possibly damaging the reputation of P by making it
   appear that P originated or was an active participant in the sending
   of the malicious message.

   In current practice, A causes P to cause the 'bounce' by addressing
   the original message to a nonexistent recipient.

   Sender ID enables a new variant of this attack.

   In this variant, the attacker A sends a message whose PRA (Section 4)
   is selected by the attacker to be such that, when P undertakes the
   Sender ID test, a Fail will result (Section 5.3).

   The message will be rejected (as the attacker intended) and a
   malicious 'bounce' message may be generated and sent to the victim V.

7.  Implementation Guidance

   This section describes the actions that certain members of the
   Internet e-mail ecosystem must take to be compliant with this
   specification.





Lyon & Wong                   Experimental                     [Page 13]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


7.1.  Simple E-Mailers

   A domain that injects original e-mail into the Internet, using its
   own name in From headers, need do nothing to be compliant.  However,
   such domains SHOULD publish records in DNS as defined by [RFC4408]
   and this specification.

   In the majority of cases, the domain's published information will be
   the same for both the PRA and MAIL FROM variants of this test.  In
   this case, domains SHOULD publish their information using an SPF
   record with the prefix "v=spf1".  Doing so will render their
   published information usable by the older SPF protocol, too.  (See
   [RFC4408] for information on the SPF protocol.)

7.2.  E-Mail Forwarders

   In order to pass the PRA variant of the test, a program that forwards
   received mail to other addresses MUST add an appropriate header that
   contains an e-mail address that it is authorized to use.  Such
   programs SHOULD use the Resent-From header for this purpose.

   In order to pass the MAIL FROM variant of the test, a program that
   forwards received mail to other addresses MUST alter the MAIL FROM
   address to an address under its control.  Should that address
   eventually receive a DSN relating to the original message, that DSN
   SHOULD be forwarded to the original MAIL FROM address.  However, if
   this altered address receives any messages other than DSNs related to
   the original message, these messages MUST NOT be forwarded to the
   original MAIL FROM address; they SHOULD be refused during an SMTP
   transaction.

   In addition, e-mail forwarders SHOULD publish Sender ID records for
   their domains, and SHOULD use MTAs for which the Sender ID check
   yields a "pass" result.

   Some of today's forwarders already add an appropriate header
   (although many of them use Sender rather than Resent-From.) Most of
   them do not perform the address-rewriting specified above.

   Note that an e-mail forwarder might receive a single message for two
   or more recipients, each of whom requests forwarding to a new
   address.  In this case, the forwarder's MTA SHOULD transmit the
   message to each new recipient individually, with each copy of the
   message containing a different newly inserted Resent-From header
   field.






Lyon & Wong                   Experimental                     [Page 14]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


7.3.  Mailing List Servers

   In order to pass the PRA variant of the test, a mailing list server
   MUST add an appropriate header that contains an e-mail address that
   it is authorized to use.  Such programs SHOULD use the Resent-From
   header for this purpose.

   In order to pass the MAIL FROM variant of the test, a mailing list
   server MUST alter the MAIL FROM address to an address under its
   control.

   In addition, mailing list servers SHOULD publish Sender ID records
   for their domains, and SHOULD use MTAs for which the Sender ID check
   yields a "pass" result.

   Most of today's mailing list software already adds an appropriate
   header (although most of them use Sender rather than Resent-From),
   and most of them already alter the MAIL FROM address.

7.4.  Third-Party Mailers

   In order to pass the PRA variant of this test, a program that sends
   mail on behalf of another user MUST add an appropriate header that
   contains an e-mail address that it is authorized to use.  Such
   programs SHOULD use the Sender header for this purpose.

   In order to pass the MAIL FROM variant of this test, a program that
   sends mail on behalf of another user MUST use a MAIL FROM address
   that is under its control.  Defining what the program does with any
   mail received at that address is beyond the scope of this document.

   In addition, third-party mailers, servers SHOULD publish Sender ID
   records for their domains, and SHOULD use MTAs for which the Sender
   ID check yields a "pass" result.

   Many, but not all, of today's third-party mailers are already
   compliant with the PRA variant of the test.  The extent to which
   mailers are already compliant with the MAIL FROM variant of this test
   is unknown.

7.5.  MUA Implementers

   When displaying a received message, an MUA SHOULD display the
   purported responsible address as defined by this document whenever
   that address differs from the RFC 2822 From address.  This display
   SHOULD be in addition to the RFC 2822 From address.





Lyon & Wong                   Experimental                     [Page 15]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


   When a received message contains multiple headers that might be used
   for the purported responsible address determination, an MUA should
   consider displaying all of them.  That is, if a message contains
   several Resent-From's, a Sender, and a From, an MUA should consider
   displaying all of them.

   Sender ID also does not validate the display name that may be
   transmitted along with an e-mail address.  The display name is also
   vulnerable to spoofing and other forms of attacks.  In order to
   reduce the occurrence and effectiveness of such attacks, MUA
   implementers should consider methods to safeguard the display name.
   This could include the following:

   * Not presenting the display name to the user at all, or not
     presenting the display name unless the corresponding e-mail address
     is listed in the user's address book.

   * Treating as suspicious any e-mail where the display name is itself
     in the form of an e-mail address, especially when it differs from
     the actual e-mail address in the header.

   * Making it clear to users that the e-mail address has been checked
     rather than the display name.

8.  Acknowledgements

   This design is based on earlier work published in 2003 in [RMX] and
   [DMP] drafts (by Hadmut Danisch and Gordon Fecyk, respectively).  The
   idea of using a DNS record to check the legitimacy of an e-mail
   address traces its ancestry to "Repudiating Mail From" draft by Paul
   Vixie [Vixie] (based on suggestion by Jim Miller) and to "Domain-
   Authorized SMTP Mail" draft by David Green [Green], who first
   introduced this idea on the namedroppers mailing list in 2002.

   The current document borrows heavily from each of the above, as well
   as earlier versions of [RFC4408] and [CallerID], and incorporates
   ideas proposed by many members of the MARID working group.  The
   contributions of each of the above are gratefully acknowledged.













Lyon & Wong                   Experimental                     [Page 16]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


9.  References

9.1.  Normative References

   [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4405]   Allman E. and H. Katz, "SMTP Service Extension for
               Indicating the Responsible Submitter of an E-Mail
               Message", RFC 4405, April 2006.

   [RFC4407]   Lyon, J., "Purported Responsible Address in E-Mail
               Messages", RFC 4407, April 2006.

   [RFC4408]   Wong, M. and W. Schlitt, "Sender Policy Framework (SPF)
               for Authorizing Use of Domains in E-Mail", RFC 4408,
               April 2006.

9.2.  Informative References

   [CallerID]  Microsoft Corporation, Caller ID for E-Mail Technical
               Specification, http://www.microsoft.com/mscorp/safety/
               technologies/senderid/resources.mspx

   [DMP]       Fecyk, G., "Designated Mailers Protocol",
               http://www.pan-am.ca/dmp/draft-fecyk-dmp-01.txt, December
               2003.

   [Green]     David Green, "Mail-Transmitter RR",
               http://ops.ietf.org/lists/namedroppers/namedroppers.2002/
               msg00656.html, June 2002.

   [RMX]       H. Danisch, "The RMX DNS RR and method for lightweight
               SMTP sender authorization",
               http://www.danisch.de/work/security/txt/
               draft-danisch-dns-rr-smtp-04.txt

   [Vixie]     Paul Vixie, "Repudiating Mail From",
               http://ops.ietf.org/lists/namedroppers/namedroppers.2002/
               msg00658.html, June 2002.











Lyon & Wong                   Experimental                     [Page 17]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


Authors' Addresses

   Jim Lyon
   Microsoft Corporation
   One Microsoft Way
   Redmond, WA 98052
   USA

   EMail: jimlyon@microsoft.com


   Meng Weng Wong
   Singapore

   EMail: mengwong@dumbo.pobox.com




































Lyon & Wong                   Experimental                     [Page 18]
^L
RFC 4406            Sender ID: Authenticating E-Mail          April 2006


Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).







Lyon & Wong                   Experimental                     [Page 19]
^L