Principles of Operation
Sender ID is heavily based on SPF, with only a few additions. These differences are discussed here.
Sender ID tries to improve on a principal deficiency in SPF: that SPF does not verify the header addresses that indicate the sending party. Such header addresses are typically displayed to the user and are used to reply to emails. Indeed, such header addresses can be different from the address that SPF tries to verify; that is, SPF verifies only the "MAIL FROM" address, also called the envelope sender.
However there are many similar email header fields that all contain sending party information; therefore Sender ID defines in RFC 4407 a Purported Responsible Address (PRA) as well as a set of heuristic rules to establish this address from the many typical headers in an email.
Syntactically, Sender ID is almost identical to SPF except that v=spf1 is replaced with one of:
- spf2.0/mfrom - meaning to verify the envelope sender address just like SPF.
- spf2.0/mfrom,pra or spf2.0/pra,mfrom - meaning to verify both the envelope sender and the PRA.
- spf2.0/pra - meaning to verify only the PRA.
The only other syntactical difference is that Sender ID offers the feature of positional modifiers not supported in SPF. In practice, so far no positional modifier has been specified in any Sender ID implementation.
In practice, the pra scheme usually only offers protection when the email is legitimate, while offering no real protection in the case of spam or phishing. The pra for most legitimate email will be either the familiar From: header field, or, in the case of mailing lists, the Sender: header field. In the case of phishing or spam, however, the pra may be based on Resent-* header fields that are often not displayed to the user. To be an effective anti-phishing tool, the MUA (Mail User Agent or Mail Client) will need to be modified to display either the pra for Sender ID, or the Return-Path: header field for SPF.
The pra tries to counter the problem of phishing, while SPF or mfrom tries to counter the problem of spam bounces and other auto-replies to forged Return-Paths. Two different problems with two different proposed solutions.
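As an added example (not code from the page or from any Sender ID implementation), the following Python walks the RFC 4407 PRA selection steps over an ordered header list and reads the scope tag of an spf2.0 record; the sample headers are constructed, and the choice of the closest preceding Resent-From in step 1 is our reading of the RFC's wording.

```python
from email.utils import getaddresses
TRACE = ("received", "return-path")

def select_pra(headers):
    """RFC 4407 PRA selection over an ordered list of (name, value) header
    pairs; returns the PRA mailbox, or None if the message is ill-formed."""
    hdrs = [(n.lower(), v) for n, v in headers]
    def nonempty(name):
        return [(i, v) for i, (n, v) in enumerate(hdrs) if n == name and v.strip()]
    chosen = None
    # Step 1: first non-empty Resent-Sender, unless a trace header sits between
    # it and the closest preceding Resent-From (our reading of "said" header).
    rs = nonempty("resent-sender")
    if rs:
        i, v = rs[0]
        before = [j for j, _ in nonempty("resent-from") if j < i]
        if not (before and any(n in TRACE for n, _ in hdrs[before[-1] + 1:i])):
            chosen = v
    # Step 2: first non-empty Resent-From.
    if chosen is None and nonempty("resent-from"):
        chosen = nonempty("resent-from")[0][1]
    # Step 3: exactly one non-empty Sender; more than one is ill-formed.
    if chosen is None:
        senders = nonempty("sender")
        if len(senders) > 1:
            return None
        chosen = senders[0][1] if senders else None
    # Step 4: exactly one non-empty From.
    if chosen is None:
        froms = nonempty("from")
        if len(froms) != 1:
            return None
        chosen = froms[0][1]
    # Step 5: the chosen header must hold exactly one well-formed mailbox.
    boxes = [a for _, a in getaddresses([chosen]) if "@" in a]
    return boxes[0] if len(boxes) == 1 else None

def sender_id_scopes(record):
    """Scopes declared by an spf2.0 record; None if it is not a Sender ID record."""
    version = record.strip().split(" ", 1)[0]
    if not version.startswith("spf2.0/"):
        return None
    scopes = set(version[len("spf2.0/"):].split(","))
    return scopes if scopes and scopes <= {"mfrom", "pra"} else None

# Constructed headers: the displayed From: names one domain, but the undisplayed
# Resent-From header is what the pra scope actually checks.
CONSTRUCTED_HEADERS = [("Received", "from mx.example.net by mx.example.org"),
                       ("Resent-From", "forwarder@example.net"),
                       ("From", "Example Bank <alerts@bank.example>")]
```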