More on Safe Senders

Following up from my previous post, how do we do safe senders?  On the MAIL FROM in the SMTP conversation?  Or on the From address in the message headers?  Using the message headers is more intuitive, but there are drawbacks.

Consider the SMTP protocol.  Some senders want the name that appears in the message headers to be different from the name in the MAIL FROM.  The most common occurrence of this is a newsletter.  Many organizations, such as airlines, outsource their newsletters to email marketing firms.  So, when Email Marketing Inc. sends the message on behalf of Krazy Klown Airlines, the message is "from" Krazy Klown Airlines, updates@krazyklownairlines.com, and that is what the user sees in their email client.  However, the MAIL FROM is an address belonging to Email Marketing Inc.

Suppose Joe User wants to safelist Krazy Klown Airlines, updates@krazyklownairlines.com.  How do we apply the safe sender?  Do we apply it to the MAIL FROM? Or the message headers?

This question matters.  If we apply it to both, all a spammer would have to do is spoof Krazy Klown Airlines in the message headers (the P2 From) and put a different return path in the P1 (the SMTP envelope MAIL FROM).  The receiving email server sees the safe sender in the P2 and lets the message through.  But since this header is spoofable, Joe User gets a side effect he didn't intend: spam that arrives precisely because he safelisted the address.

The strength of using the P2 is that it is more intuitive to the user.  The drawback is that there are plenty of cases where the P2 is not who the message is actually from.  While the P1 and P2 frequently match, there are enough cases where they don't to cause problems.  This problem is not unresolvable: combining safe senders with authentication technologies can fix it.  However, using the P2 does make it more complex.
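To make the trade-off concrete, here is an added example (not code from the original post or any particular mail product) that evaluates a safelist two ways: the naive policy the post warns about, which honours a safelist match on either the P1 MAIL FROM or the P2 From with no further checks, and a policy that only honours the match when the matched address's domain was authenticated, reading a simplified Authentication-Results header (SPF for the P1 domain, DKIM d= for the P2 domain). The two messages, the Authentication-Results values, the `SAFELIST` contents and the minimal header parser are all constructed for the example; the parser is deliberately not a full RFC 8601 implementation.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed safelist: what Joe User typed into his client.
SAFELIST = {"updates@krazyklownairlines.com"}

# Constructed sample 1: the legitimate outsourced newsletter. The P1 (envelope)
# sender belongs to the marketing firm; the P2 From is the airline, and the
# airline's domain DKIM-signed the message.
LEGIT_MAIL_FROM = "bounce-123@mail.emailmarketinginc.example"
LEGIT_MESSAGE = """\
Authentication-Results: mx.example; spf=pass smtp.mailfrom=mail.emailmarketinginc.example; dkim=pass header.d=krazyklownairlines.com
From: Krazy Klown Airlines <updates@krazyklownairlines.com>
To: joe.user@example
Subject: This week's fares

Fly with us.
"""

# Constructed sample 2: the spoof from the post. Same P2 From, a different P1
# return path, and SPF only passes for the spammer's own (unaligned) domain.
SPOOF_MAIL_FROM = "x9@spammer.example"
SPOOF_MESSAGE = """\
Authentication-Results: mx.example; spf=pass smtp.mailfrom=spammer.example; dkim=none
From: Krazy Klown Airlines <updates@krazyklownairlines.com>
To: joe.user@example
Subject: Free tickets!!!

Click here.
"""


def parse_message(raw):
    """Parse raw RFC 5322 text into a message object."""
    return message_from_string(raw, policy=default)


def addr_domain(addr):
    """Lower-cased domain part of an address like 'user@example'."""
    return addr.rsplit("@", 1)[-1].lower()


def parse_auth_results(msg):
    """Simplified (constructed) Authentication-Results reader.

    Returns {method: (result, authenticated_domain)} for spf and dkim, e.g.
    {'spf': ('pass', 'mail.emailmarketinginc.example'), 'dkim': ('none', '')}.
    """
    header = str(msg.get("Authentication-Results", ""))
    found = {}
    pattern = r"(spf|dkim)=(\w+)(?:\s+(?:smtp\.mailfrom|header\.d)=([^\s;]+))?"
    for m in re.finditer(pattern, header):
        found[m.group(1)] = (m.group(2).lower(), (m.group(3) or "").lower())
    return found


def aligned(auth_domain, addr_domain_):
    """True if the authenticated domain is the address's domain or a parent/child of it."""
    return (auth_domain == addr_domain_
            or addr_domain_.endswith("." + auth_domain)
            or auth_domain.endswith("." + addr_domain_))


def naive_safe_sender(mail_from, msg, safelist=SAFELIST):
    """The policy the post warns about: a safelist hit on P1 or P2 is enough."""
    p1 = parseaddr(mail_from)[1].lower()
    p2 = parseaddr(str(msg["From"]))[1].lower()
    return p1 in safelist or p2 in safelist


def authenticated_safe_sender(mail_from, msg, safelist=SAFELIST):
    """Safelist hit counts only when the matched address's domain authenticated.

    P1 match: needs spf=pass on that MAIL FROM domain.
    P2 match: needs dkim=pass with a d= domain aligned to the From domain.
    An unaligned SPF pass (spammer authenticating his own domain) does not help.
    """
    auth = parse_auth_results(msg)
    p1 = parseaddr(mail_from)[1].lower()
    p2 = parseaddr(str(msg["From"]))[1].lower()
    if p1 in safelist:
        result, domain = auth.get("spf", ("none", ""))
        if result == "pass" and aligned(domain, addr_domain(p1)):
            return True
    if p2 in safelist:
        result, domain = auth.get("dkim", ("none", ""))
        if result == "pass" and aligned(domain, addr_domain(p2)):
            return True
    return False


if __name__ == "__main__":
    for label, mail_from, raw in (("newsletter", LEGIT_MAIL_FROM, LEGIT_MESSAGE),
                                  ("spoof", SPOOF_MAIL_FROM, SPOOF_MESSAGE)):
        msg = parse_message(raw)
        print(f"{label}: naive={naive_safe_sender(mail_from, msg)} "
              f"authenticated={authenticated_safe_sender(mail_from, msg)}")
```

Run as a script, the newsletter is safelisted under both policies, while the spoof is safelisted only by the naive policy: the P2 match is honoured only when the From domain itself signed the message, so a forged header with a different P1 gains nothing.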