Authentication-Results Header Field Security Issues
draft-otis-auth-header-sec-issues-00

Abstract

The proposed [I-D.kucherawy-sender-auth-header] defines a header field used to capture email verification results of border receptions. These results are then conveyed to Mail User Agents (MUA) and downstream filters. This header field is to augment filtering decisions and message annotations that can be made visible to recipients. The annotations could affirm originating domains or content integrity when based upon Domainkeys or DKIM results, or a domain's authorization of a publicly transmitting SMTP client IP address when based upon Sender-ID or SPF results, or that the SMTP client IP address maps to a matching domain within the DNS reverse namespace. Although the draft acknowledges the conflation of authorization with authentication in section 1.5.2, and explicitly declares Sender-ID and SPF as the authorization of the transmitting SMTP client, it still fails to offer the authenticated entity being trusted in the exchange, the IP address of the SMTP client. An authenticated entity is essential for reputation assessments which section 4.1 indicates should be made prior to results being revealed. A reputation check is often a necessary step to mitigate abuse and fraud. Even so, the header offers no assurance that any reputation check has been made, nor does it ensure that the trusted entity, the IP address of the SMTP client, can be determined by the MUA or downstream filter.

Authors

Douglas Otis

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)