Geoff Shang writes:

> 2. One idea I came up with for rejecting spoofed mail is for the
> receiving SMTP server to somehow check if the sending one is an MX for the
> domain given in the From header. Are there any obvious problems with this
> approach? Is anyone actually doing this? It seems so simple that there
> surely must be some reason why it's not done.

It is being done, although not via the MX for the reasons Larry Stone gives. What you're looking for is called "SPF" or "DKIM" (these are actually two different protocols, and I think with the standardization of DKIM, SPF is probably dead). The way DKIM works is that hosts authorized to send mail from a domain are given special resource records in their DNS which provide a public key, and then some portion of the mail and/or headers is signed with an appropriate private key. The problem is that setup is quite finicky, so most hosts not run by well-paid professionals don't do it. If all of your users are on Google or Yahoo, you'll be OK, I guess.
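
Added example, not part of the original message and not Mailman code: a Python sketch of the receiver-side steps of the DKIM mechanism described above. It parses a `DKIM-Signature` value, derives the DNS name where the public key is published, and checks the body hash. The message, domain `example.org` and selector `sel2024` are constructed, and the RSA check of `b=` over the headers (which needs the DNS lookup and a crypto library) is not performed.

```python
import base64
import hashlib
import re


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags


def key_query_name(tags: dict) -> str:
    """DNS name whose TXT record carries the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def simple_body_hash(body: bytes) -> str:
    """bh= value for 'simple' body canonicalization with SHA-256."""
    while body.endswith(b"\r\n"):  # trailing empty lines are ignored
        body = body[:-2]
    return base64.b64encode(hashlib.sha256(body + b"\r\n").digest()).decode()


def body_matches(signature_value: str, body: bytes) -> bool:
    """True if the received body still hashes to the signed bh= value."""
    tags = parse_tags(signature_value)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"
    if tags.get("a") != "rsa-sha256" or body_canon != "simple":
        raise ValueError("example covers rsa-sha256 with simple body canonicalization only")
    return tags["bh"] == simple_body_hash(body)


# Constructed sample: the body and signature header a signing host might emit.
BODY = b"Hello list,\r\n\r\nThis is a test.\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=sel2024;\r\n"
       "\th=from:to:subject; bh=" + simple_body_hash(BODY) + "; b=PLACEHOLDER")

if __name__ == "__main__":
    print("key record:", key_query_name(parse_tags(SIG)))
    print("body intact:", body_matches(SIG, BODY))
    print("body altered:", body_matches(SIG, BODY.replace(b"test", b"scam")))
```

Note that the key lookup is tied to the `d=` domain in the signature, not to the host that delivered the message.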