Yeah, I know, I know, everyone has come up with their own FUSSP (Final Ultimate Solution to Spam Problem). Well, here is an idea I had that is loosely based on SPF. It is called “DNS Mail”; see what you think.
————————————–
DNS Mail (stands for “Do Not Spam”).
DNS Mail is somewhat like SPF (Sender Policy Framework) in that it uses DNS TXT
resource records to assist in message verification. Where it differs is
how it uses TXT records (and how it allows you to forward email without
any issues).
Here is how it works.
martha@domain.com wants to send an email to claire@nonprofit.org.
When she sends her message to her outbound SMTP server, the SMTP server dynamically updates DNS with a special TXT record for this message. It would look something like this:
1wsed45rtgyh5678.domain.com. TXT “To:claire@nonprofit.org*From:martha@domain.com*date=Thu, 03 Aug 2006 09:10:49 -0400”
Once DNS is updated with this temporary record, the SMTP server adds a header to the email message that looks something like this:
DNS-Mail-ID: 1wsed45rtgyh5678.domain.com
The outbound SMTP server then does a DNS MX lookup for nonprofit.org and once
it finds the server (ex: mx.nonprofit.org) it attempts to deliver
the message to that server.
If the server mx.nonprofit.org is set to use the DNS Mail protocol, it will look for a TXT record in domain.com's DNS called dnsmail.domain.com that lists the DNS server(s) that can be queried to find the TXT record that corresponds to the message. Here is an example:
dnsmail.domain.com. TXT “155.47.64.164,155.47.64.165”
NOTE: My guess is that most sites would have only one server listed (for
a couple of reasons).
1. They would most likely want to designate a separate DNS server. This
could be for performance reasons, security reasons, or to keep their
main DNS server zone files down to a manageable size.
2. Having one server eliminates a zone transfer timing issue.
If you have multiple DNS servers for DNS Mail, all the servers
would have to be updated pretty quickly via zone transfers
when the Outbound SMTP server updates one server with a new TXT
entry. If you have more than one DNS Mail server listed and
one of the servers is not up to date when an outside MX server
queries it, that server would have to wait to try again (causing
delays) or it might reject the message.
Once the receiving MX server finds the DNS server to query, it
does a lookup of the TXT record for that message ID (ex: 1wsed45rtgyh5678.domain.com).
If it can find the TXT record and match the “To:” and “From:” headers it
will know that the message was sent using an SMTP server that is “allowed”
by the sender.
As far as cleanup goes, either the Outbound SMTP server or the DNS server
can look for message ID TXT records that are older than “x” days or hours
and can delete them.
What if the recipient, claire@nonprofit.org, has her email forwarded
to her home address claire@my_isp.net? When the @nonprofit.org mail server
receives the message and goes to forward it, it should first make
a Dynamic DNS entry in its own DNS Mail DNS server(s) for this message
and append a new DNS-Mail-ID: header to the message. It will also include
the original DNS-Mail-ID: header in the message. When the @nonprofit.org
Outbound SMTP server connects to the MX server for @my_isp.net, the @my_isp.net
MX server will inspect the headers and verify both DNS-Mail-ID: headers.
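As an added example (not the post's own code), here is a Python model of the whole flow described above, covering both the direct delivery and the forwarding case: the sending server publishes the per-message TXT record and stamps DNS-Mail-ID, the receiving MX looks up dnsmail.<domain>, fetches the record and compares To/From, the forwarding server publishes its own record and appends a second DNS-Mail-ID while keeping the first, and a cleanup routine expires records older than a given number of hours. The in-memory DNS_TXT dict standing in for DNS, the random message-ID format, the ordering of DNS-Mail-ID headers (oldest first), the check that the first ID lives in the From address's domain, the check that the last record's To equals the address the MX is delivering to, and every address not taken from the post are assumptions made here.

```python
import secrets
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed stand-in for DNS (owner name -> TXT string); nothing touches
# the network. dnsmail.<domain> lists the servers to query, as in the post;
# the addresses are sample values.
DNS_TXT = {
    "dnsmail.domain.com": "155.47.64.164,155.47.64.165",
    "dnsmail.nonprofit.org": "192.0.2.53",
}

def dns_txt(name):
    """TXT lookup; None stands for NXDOMAIN."""
    return DNS_TXT.get(name)

def publish_message_record(domain, to_addr, from_addr, date):
    """Outbound SMTP step: add the temporary record for one message and
    return the DNS-Mail-ID value. The post shows the ID 1wsed45rtgyh5678;
    using a random hex token is an assumption made here."""
    msg_id = f"{secrets.token_hex(8)}.{domain}"
    DNS_TXT[msg_id] = f"To:{to_addr}*From:{from_addr}*date={date}"
    return msg_id

def parse_record(txt):
    """Split the post's 'To:..*From:..*date=..' value into a dict."""
    fields = {}
    for part in txt.split("*"):
        for prefix in ("To:", "From:", "date="):
            if part.startswith(prefix):
                fields[prefix.rstrip(":=").lower()] = part[len(prefix):]
    return fields

def verify(headers, envelope_rcpt):
    """Receiving MX step over every DNS-Mail-ID header, oldest first.
    Returns (verdict, detail). Checks from the post: the sending domain
    publishes dnsmail.<domain>, the per-message record exists, and its
    To/From match the message. Assumptions added here: the first ID must
    sit in the From address's domain (otherwise any domain could publish
    a record vouching for someone else's From), and the last record's To
    must be the address this MX is delivering to."""
    ids = headers.get("DNS-Mail-ID", [])
    if not ids:
        return "none", "no DNS-Mail-ID header"
    from_domain = headers["From"].rsplit("@", 1)[1]
    for hop, msg_id in enumerate(ids):
        rec_domain = msg_id.split(".", 1)[1]
        if hop == 0 and rec_domain != from_domain:
            return "fail", f"{msg_id} is not in the From domain {from_domain}"
        if dns_txt(f"dnsmail.{rec_domain}") is None:
            return "none", f"{rec_domain} does not publish dnsmail.{rec_domain}"
        txt = dns_txt(msg_id)
        if txt is None:
            return "fail", f"no TXT record for {msg_id}"
        rec = parse_record(txt)
        if rec.get("from") != headers["From"]:
            return "fail", f"From mismatch at hop {hop}"
        if hop == 0 and rec.get("to") != headers["To"]:
            return "fail", f"To mismatch at hop {hop}"
        if hop == len(ids) - 1 and rec.get("to") != envelope_rcpt:
            return "fail", f"last record names {rec.get('to')}, not {envelope_rcpt}"
    return "pass", f"{len(ids)} hop(s) verified"

def expire_records(now_rfc2822, max_age_hours):
    """Cleanup step from the post: delete per-message records older than
    max_age_hours, judged by the record's own date field. Returns the count."""
    cutoff = parsedate_to_datetime(now_rfc2822) - timedelta(hours=max_age_hours)
    stale = [n for n, t in DNS_TXT.items()
             if "date" in parse_record(t)
             and parsedate_to_datetime(parse_record(t)["date"]) < cutoff]
    for name in stale:
        del DNS_TXT[name]
    return len(stale)

def demo():
    """The post's scenario plus two failure cases; returns four verdicts."""
    date = "Thu, 03 Aug 2006 09:10:49 -0400"
    martha, claire, home = "martha@domain.com", "claire@nonprofit.org", "claire@my_isp.net"
    # 1. Direct delivery: domain.com publishes the record and stamps the header.
    msg = {"To": claire, "From": martha,
           "DNS-Mail-ID": [publish_message_record("domain.com", claire, martha, date)]}
    direct = verify(msg, claire)[0]
    # 2. nonprofit.org forwards to claire's home address: it publishes its own
    #    record and appends a second DNS-Mail-ID while keeping the original.
    fwd = dict(msg, **{"DNS-Mail-ID": msg["DNS-Mail-ID"]
                       + [publish_message_record("nonprofit.org", home, martha, date)]})
    forwarded = verify(fwd, home)[0]
    # 3. Same From, but this ID was never published: no record, so it fails.
    missing = verify(dict(msg, **{"DNS-Mail-ID": ["0000000000000000.domain.com"]}), claire)[0]
    # 4. A record published by an unrelated (constructed) domain naming martha
    #    as From: the added first-hop domain check rejects it.
    DNS_TXT["dnsmail.other.example"] = "192.0.2.99"
    rogue_id = publish_message_record("other.example", claire, martha, date)
    rogue = verify(dict(msg, **{"DNS-Mail-ID": [rogue_id]}), claire)[0]
    return direct, forwarded, missing, rogue

if __name__ == "__main__":
    print(demo())
```

Running it prints ('pass', 'pass', 'fail', 'fail'). The first-hop domain check is worth keeping in a real implementation: the post's verifier only compares the To and From strings against whatever record the ID points at, so unless the record's zone is tied to the From domain, any zone that runs DNS Mail could publish a record that matches.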
Once you have something like this in place, it makes reputation-based subscription services for spam a lot more effective.