Authentication-Results Header Field Appeal
Trend Micro
Trend Micro
The proposed [I-D.kucherawy-sender-auth-header] defines a header field used to capture email verification results obtained at border receptions has been approved for publication. However, serious deficiencies remain in its secure use and has prompted an appeal of the publication decision. This new header field is to convey to Mail User Agents (MUA) and downstream processes the verification results that are intended to augment handling decisions and message annotations that might be made visible to recipients. For such use, it is crucial to include within an "authenticated-results" header, a truly authenticated identity. The draft acknowledges that it confuses authorization with authentication in section 1.5.2. This confusion has lead the draft to incorrectly elevate the authorization of an SMTP client into the authentication of an email-address domain. Elevating the *authorization* of the SMTP client into the *authentication* of an email-address domain incorrectly assumes current email practices adequately restrict the use of an email-address domain based upon the originating IP address of the SMTP client. In an era of carrier grade NATs, virtual servers, aggregated services, and other techniques that overload the IP address, this assumption is neither safe nor practical. Although the draft explicitly declares Sender-ID and SPF as the authorization of the transmitting SMTP client, it fails to offer the authenticated identity being trusted. A truly authenticated identity is essential for reputation assessments which section 4.1 indicates should be made prior to results being revealed. A reputation check of a truly authenticated identifier is often a necessary step needed to mitigate fraud and abuse. In addition, it is unfair to attribute fraud or abuse to the unauthenticated identifiers. Even so, the header offers no assurance that any reputation check has been made, nor does it ensure that an authenticated identity, the IP address of the SMTP client, can be determined by the MUA or downstream process. The goal of the appeal is to ensure adequate information is available when annotating email.