Q and A for Operators of Internet Transmitters
Q1: What exactly do you mean by "Internet transmitter", and why do we need this new terminology?
Internet "transmitters" are computers that initiate communications and "push" information over the public Internet. This includes public email servers, but not most other servers. Web servers, for example, do not initiate communications, but only respond to requests from a client. The definition above also excludes mail servers within an organization that do not send to external receivers. Internet transmitters are a small, well-defined class of machines, that are of great concern due to their impact on the security and reliability of the Internet. Unauthorized transmitters ("zombies") have been organized into huge criminal networks. and some of these "botnets" are now large enough to threaten our critical infrastructure.
The word "transmitter" has all the right connotations for readers who might not be familiar with our definition. It is also free of the the conflicting meanings that have accumulated around words like "server" and "sender". The more common association of this word with radio and TV does not conflict with our usage.
A closely related term is "Border MTA". These are the Mail Transfer Agents (computers) that connect with unrelated MTA's on the public Internet. A Border MTA can be a transmitter or a receiver.
Q2: What are the similarities and differences between a radio transmitter and an Internet transmitter?
Both provide a means to send advertisements to large numbers of receivers. Radio and TV commercials are expensive. Unsolicited bulk email (spam) is cheap, but illegal in most countries. Illegal radio transmitters are rare. Illegal Internet transmitters generate the vast majority of messages on the Internet.
Radio stations identify themselves with "call letters" assigned by government agencies to specific stations operated by trained and licensed personnel. Identities on the Internet are "domain names" available to anyone who pays a small fee. There is no requirement for training or licensing, or even making the owner's name public. There is no connection between domain name ownership and station or network ownership.
Legitimate transmitters, both radio and Internet, proudly declare their identities. Illegal transmitters try to hide the identity of their operator, using fictitious or forged domain names, or no identity at all. Unidentified transmitters sending legitimate mail are "broken" according to Internet standards, but are still not rare enough that receivers can simply refuse to accept their mail.
Radio signals are broadcast to all receivers in a small area. Internet data packets are routed over linked networks to designated receivers anywhere in the world. The number of radio stations in one area is limited by the available bandwidth. The number of Internet transmitters is unlimited.
Control of radio transmissions is entirely in the hands of station owners, who are fully responsible for content. Responsibility for email transmissions is confusingly split among network owners, station owners, and domain name owners. Network owners can block unauthorized stations within their networks, but there is little incentive to do so. Their role is to provide "bandwidth", and they do not want to get involved in regulating their customers' behavior. Station owners can ensure that their equipment is not used by unauthorized senders, but many Internet "stations" are nothing but home computers that have been hijacked by criminals without the owner's knowledge or consent.
Q3: What are the various identities associated with transmitting email, and who controls each?
The hardest to forge identity is the IP address of the transmitter. Without a correct source address, an email session cannot be established. The IP address is a 32-bit number assigned by a semi-governmental Regional Registry to a network owner, and by the network owner to a particular transmitter. The name and address of the network owner is publicly available through an IPwhois query.
OrgName: AltaVista Company
Address: 701 First Ave
City: Sunnyvale CA 94089
NetRange: 188.8.131.52 - 184.108.40.206
According to Internet Standards, every IP address assigned to a transmitter should have a name assigned by the network owner. These "IP names" are controlled by network owners via their exclusive access to the ARPA database. IP names typically provide the name of the network and of the specific machine to which an IP address is assigned, e.g. "web84013.mail.dcn.yahoo.com".
220.127.116.11 PTR record: web84013.mail.dcn.yahoo.com. [TTL 1200s] [A=18.104.22.168]
At the start of every email session, the transmitting station is supposed to identify itself with a HELO command. The "HELO identity" in this command is controlled by the station operator via configuration of his MTA. HELO names often differ from IP names, but they are both supposed to name the specific machine and identify the responsible organization.
 CONNECT 22.214.171.124 web84013.mail.dcn.yahoo.com 2006Jun30 11:56:42
 HELO web84013.mail.dcn.yahoo.com
Received: from web84013.mail.dcn.yahoo.com (web84013.mail.dcn.yahoo.com
[126.96.36.199]) by open-mail.org (8.13.1/8.13.1) with SMTP id
k5UFugVp020324 for <email@example.com>; Fri, 30 Jun 2006 11:56:43 -0400
After the email session is established, various other identities are associated with individual messages, recipients, and addresses in the header lines of the message (From: Reply To: etc.). Authentication methods are available to verify many of these other identities.
All of these identities make use of the Domain Name System (DNS) to provide unique names for each organization. The DNS is completely separate from network ownership, however. You don't need an IP address to register a domain name, and nothing prevents network owners and station operators from using your name in their ARPA records and HELO commands.
Domain name owners control only the DNS records under their name, but that is the key to building an email system based on identity and reputation. A domain owner can publish a list of authorized transmitter addresses, and any receiver that cares to check that list can reject all mail from transmitters attempting to forge that name.
To summarize: There are three players involved in transmitting email - the network owner, the station operator, and the domain-name owner. The network owner controls the "IP name" which appears in the ARPA database. The station operator controls the "HELO name" at the start of each session. The domain owner controls the DNS records under his name, and through those records, can control who is allowed to use that name.
Q4: Why is it not sufficient to publish just an A or MX record for my domain? Why do I need special authentication records?
If you publish only A and MX records, the Border Patrol™ will accept your mail, but might not reject forgeries, especially if the transmitter's address is "close" to one in your published records. Abuse that cannot be rejected will count against your reputation, even if your name was forged. By publishing an authentication record, you avoid responsibility for any forgeries that should be rejected.
Why do we accept addresses that are only close to yours? Many large domains transmit from addresses other than those listed in their A and MX records. There really should have been something like an "MZ" record to list these addresses, but the need for it wasn't recognized until recently, and now we have various authentication methods to perform that function and a lot more.
The bottom line is, we cannot tell if a transmitter using your name is unauthorized by simply looking at A and MX records. We need an explicit statement from you saying "ONLY these addresses are allowed to transmit under my name." If you are a small domain with a simple setup, you can say this by publishing _auth.<your domain name> TXT "helo=A,MX" See Notes for Senders.