Email Nutshells

Simple Email System with Four Actors

|--- Sender's Network ---|           |-- Recipient's Network -|
                                /
Author ==> MSA/Transmitter --> / --> Receiver/MDA ==> Recipient
                              /
                           Border


See MHS Models for more models and terminology.

Email Identities
    Helo Name
    Envelope Addresses:       (used by mail system)
        Return Address
        Recipient Addresses
    Header Addresses:         (for users' convenience)
        From Address
        Reply-To Address

The Helo Name identifies an MTA requesting a mail session.  The identity of the Agent responsible for this session is usually the last few parts of the Helo Name.  This should be a registered domain name.
    HELO this is server7.dallas.texas.mailsystem.us
The Return Address identifies the Author of each message in the session.
    I have mail from richard@example.com
The From Address is how the author would like his address to be seen by the Recipient.
The Reply-To Address allows the author to designate a different address for replies.
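The four identities above appear at different points of one SMTP session: the Helo Name and the envelope addresses are given as commands, the header addresses arrive inside DATA. The following Python script, added here as an example and not part of the original page, parses a constructed transcript (all names and addresses are invented) and pulls each identity out of the place it lives, so the envelope Return Address and the header From Address can be compared side by side; `registered_domain` takes the last two labels of the Helo Name, which is an assumption for this example only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed SMTP transcript (not a captured session). "S:" lines come from
# the Receiver, "C:" lines from the Transmitter. All names are example values.
SESSION = """\
S: 220 mx.example.net ESMTP
C: HELO server7.dallas.texas.mailsystem.us
S: 250 mx.example.net
C: MAIL FROM:<richard@example.com>
S: 250 OK
C: RCPT TO:<alice@example.net>
S: 250 OK
C: RCPT TO:<bob@example.net>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Richard Smith" <richard.smith@example.com>
C: Reply-To: "Richard Smith" <replies@example.org>
C: To: alice@example.net, bob@example.net
C: Subject: Nutshell
C:
C: Hello from Dallas.
C: .
S: 250 OK queued
C: QUIT
S: 221 Bye
"""

ANGLE_ADDR = re.compile(r"<([^>]*)>")


def registered_domain(helo_name, labels=2):
    """The identity responsible for the session: the last few labels of the
    Helo Name. Two labels is an assumption made for this example; real
    software consults the public suffix list, since some registries use more."""
    return ".".join(helo_name.lower().split(".")[-labels:])


def parse_session(transcript):
    """Envelope identities come from the SMTP commands, header identities
    from the message inside DATA."""
    ids = {"helo": None, "return_address": None, "recipients": [],
           "from": None, "reply_to": None}
    data_lines, in_data = [], False
    for raw in transcript.splitlines():
        if not raw.startswith("C:"):
            continue  # server replies carry no sender identity
        line = raw[3:] if raw.startswith("C: ") else ""
        if in_data:
            if line == ".":
                in_data = False  # end of message
            else:
                # undo SMTP dot-stuffing on body lines that began with "."
                data_lines.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, rest = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            ids["helo"] = rest.strip()
        elif verb == "MAIL":
            ids["return_address"] = ANGLE_ADDR.search(rest).group(1)
        elif verb == "RCPT":
            ids["recipients"].append(ANGLE_ADDR.search(rest).group(1))
        elif verb == "DATA":
            in_data = True
    msg = message_from_string("\n".join(data_lines))
    ids["from"] = parseaddr(msg.get("From", ""))[1] or None
    ids["reply_to"] = parseaddr(msg.get("Reply-To", ""))[1] or None
    ids["responsible_domain"] = (registered_domain(ids["helo"])
                                 if ids["helo"] else None)
    return ids


if __name__ == "__main__":
    for name, value in parse_session(SESSION).items():
        print(f"{name:20} {value}")
```

In the constructed transcript the Return Address (richard@example.com) and the From Address (richard.smith@example.com) differ, which is legitimate: the first is what the mail system uses for bounces, the second is what the Recipient sees, and the Reply-To points replies somewhere else again. A receiver that wants to evaluate "who sent this" has to decide which of these identities it is checking.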

Authentication Methods
  IP-based  (SPF, SenderID, CSV, PTR)
    - check the IP address of the transmitter
    - fast, minimum mail-transfer overhead
  Digital-signature-based  (DKIM)
    - cryptographically verify the entire message including headers and body
    - end-to-end protocol allows arbitrary forwarding
    - high security


Barriers to adoption of authentication methods
Hurdles that authentication methods must avoid or overcome, in order of decreasing severity:
1) Required simultaneous upgrades in software or setup. (Flag Day)
2) Required widespread adoption by Agents before any benefit is realized by Recipients.
    (The "chicken-and-egg" problem)
3) Required widespread adoption of one company's method or service.
4) Changes that cause a temporary degradation in service.
   (Don't worry, things will get better when deployment is complete.)
5) Changes in current practices.
    a) A well-established and standards-compliant practice.
    b) A widespread but non-standardized practice. ("Misuse" of Return Address)
    c) A widespread but non-compliant practice. (bad HELO name)
    d) An already unacceptable practice. (open relays)
6) Costs to senders.
    a) Loss of mail due to mistakes by others. (SPF "forwarding problem")
    b) Registration fees or administrative costs.
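The contrast drawn under "Authentication Methods" (IP-based checks versus a signature over headers and body) and the SPF "forwarding problem" listed under 6a are two sides of the same property. The Python script below is an added example, not code from the page: it models a simplified IP-based check against a constructed table of authorized transmitter IPs (the role an SPF record plays) and a simplified signature check, then runs both on a message delivered directly, the same message re-sent by a forwarder, and a forwarded copy whose body was altered. The keyed MAC stands in for DKIM's public-key signature so the example needs only the standard library; the IP table, keys and addresses are all invented.

```python
import hashlib
import hmac

# Constructed: transmitter IPs each sending domain has published as authorized.
AUTHORIZED_TRANSMITTERS = {"example.com": {"192.0.2.10"}}

# Constructed per-domain signing keys. A keyed MAC stands in for DKIM's
# public-key signature; what survives forwarding is the point being shown.
SIGNING_KEYS = {"example.com": b"constructed-demo-key"}

SIGNED_HEADERS = ("from", "to", "subject")  # headers covered by the signature


def ip_based_check(message):
    """Is the transmitter's IP authorized for the Return Address domain?"""
    domain = message["return_address"].rsplit("@", 1)[1].lower()
    return message["transmitter_ip"] in AUTHORIZED_TRANSMITTERS.get(domain, set())


def _signed_input(headers, body):
    # Only the listed headers are covered; anything a later hop prepends
    # (such as Received) is outside the signed material.
    covered = [f"{n.lower()}:{v.strip()}" for n, v in headers
               if n.lower() in SIGNED_HEADERS]
    return ("\n".join(covered) + "\n\n" + body).encode()


def sign_message(message, domain):
    """Author's side: sign selected headers plus the body and prepend the tag."""
    tag = hmac.new(SIGNING_KEYS[domain],
                   _signed_input(message["headers"], message["body"]),
                   hashlib.sha256).hexdigest()
    signed = dict(message)
    signed["headers"] = [("Demo-Signature", f"d={domain}; b={tag}")] + list(message["headers"])
    return signed


def signature_check(message):
    """Receiver's side: recompute the tag for the domain named in the signature."""
    sig = next((v for n, v in message["headers"] if n == "Demo-Signature"), None)
    if sig is None:
        return False
    fields = dict(part.strip().split("=", 1) for part in sig.split(";"))
    key = SIGNING_KEYS.get(fields.get("d"))
    if key is None:
        return False
    expected = hmac.new(key, _signed_input(message["headers"], message["body"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields.get("b", ""))


def forward(message, forwarder_ip):
    """A forwarder re-sends the message from its own IP, keeping the original
    Return Address and adding a Received header, as a plain forwarder does."""
    fwd = dict(message)
    fwd["transmitter_ip"] = forwarder_ip
    fwd["headers"] = [("Received", f"from {message['transmitter_ip']} by forwarder")] \
        + list(message["headers"])
    return fwd


def evaluate(message):
    return {"ip_based": ip_based_check(message), "signature": signature_check(message)}


ORIGINAL = sign_message({
    "return_address": "richard@example.com",
    "transmitter_ip": "192.0.2.10",
    "headers": [("From", "richard@example.com"), ("To", "alice@example.net"),
                ("Subject", "Nutshell")],
    "body": "Hello from Dallas.\n",
}, "example.com")

DIRECT = evaluate(ORIGINAL)
FORWARDED = evaluate(forward(ORIGINAL, "198.51.100.7"))
TAMPERED = evaluate(dict(forward(ORIGINAL, "198.51.100.7"),
                         body="Hello from elsewhere.\n"))

if __name__ == "__main__":
    print("direct   ", DIRECT)
    print("forwarded", FORWARDED)
    print("tampered ", TAMPERED)
```

Direct delivery passes both checks. After forwarding, the IP-based check fails because the forwarder's IP is not in the sender's authorized set, even though the message is genuine; this is the mail loss "due to mistakes by others" in 6a. The signature check still passes because the forwarder touched nothing it covers, and it fails only once the body is altered, which is what "end-to-end protocol allows arbitrary forwarding" buys at the price of the extra cryptographic work.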


Economics of email abuse
  $200B   annual benefit of email
   $20B   cost of abuse
          100M users x ($.25/day deleting spam + $100/yr false rejects)
    $2B   benefit to anti-spam industry
          100 companies x $20M/yr
  $0.2B   benefit to spammers
          10K spammers x $20K/yr
  $0.02B  cost of an effective authentication/reputation system
          10M users x $2/yr
          100K companies x $200/yr (90% internal, 10% external services)

It is difficult to get a man to understand something when his salary depends on his not understanding it.  -- Upton Sinclair