Certified Server Validation
Certified Server Validation (CSV) is a technical method of email authentication intended to fight spam. Its focus is the SMTP HELO identity of mail transfer agents.

CSV was designed to address the problems of MARID and the ASRG, as defined in detail as the intent of Lightweight MTA Authentication Protocol (LMAP) in an expired ASRG draft.

As of January 3, 2007, all Internet Drafts have expired and the mailing list has been closed down since there had been no traffic for 6 months.

Principles of Operation

CSV considers two questions at the start of each SMTP session:
  • Does a domain's management authorize this MTA to be sending email?
  • Do reputable independent accreditation services consider that domain's policies and practices sufficient for controlling email abuse?


CSV answers these questions as follows: to validate an SMTP session from an unknown sending SMTP client using CSV, the receiving SMTP server:
  1. Obtains the remote IP address of the TCP connection.
  2. Extracts the domain name from the HELO command sent by the SMTP client.
  3. Queries DNS to confirm the domain name is authorized for use by the IP (CSA).
  4. Asks a reputable Accreditation Service if it has a good reputation (DNA).
  5. Determines the level of trust to give to the sending SMTP client, based on the results of (3) and (4).


If the level of trust is high enough, process all
email from that session in the traditional manner,
delivering or forwarding without the need for
further validation. If the level of trust is too
low, return an error showing the reason for not
trusting the sending SMTP client. If the level of
trust is in between, document the result in a
header in each email delivered or forwarded,
and/or perform additional checks.
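
The five steps and the three outcomes above, as an added example that is not code from the CSV drafts or from this article. The two dictionaries are constructed stand-ins for the DNS (CSA) and accreditation-service (DNA) queries, and the way the two results are combined into accept, reject or tag is an assumed policy, since the text leaves that choice to the receiver.

```python
# Added example: CSV session decision. The dicts stand in for the DNS (CSA)
# and accreditation-service (DNA) queries; the trust mapping is an assumption.
import ipaddress

# Constructed sample data: HELO domain -> IPs its management authorizes.
CSA_RECORDS = {
    "mail.example.com": {"192.0.2.10"},
    "bulk.example.net": {"198.51.100.7"},
    "new.example.org": {"203.0.113.5"},
}
# Constructed sample data: accreditation service's rating per domain.
DNA_RATINGS = {"mail.example.com": "good", "bulk.example.net": "bad"}

def helo_domain(command_line):
    """Step 2: return the lower-cased domain from a HELO/EHLO line, else None."""
    verb, _, arg = command_line.strip().partition(" ")
    name = arg.strip().rstrip(".").lower()
    if verb.upper() not in ("HELO", "EHLO") or not name or name.startswith("["):
        return None                     # wrong verb, empty name, or address literal
    try:
        ipaddress.ip_address(name)      # bare IP used as the HELO name
        return None
    except ValueError:
        return name if "." in name else None

def csa_check(domain, ip):
    """Step 3: 'authorized', 'unauthorized', or 'unknown' (nothing published)."""
    ips = CSA_RECORDS.get(domain)
    if ips is None:
        return "unknown"
    return "authorized" if ip in ips else "unauthorized"

def validate_session(remote_ip, command_line):
    """Steps 1-5: return (action, reason); action is accept, reject or tag."""
    ip = str(ipaddress.ip_address(remote_ip))   # step 1, normalized
    domain = helo_domain(command_line)
    if domain is None:
        return ("tag", "no usable HELO domain")
    csa = csa_check(domain, ip)
    if csa == "unauthorized":
        return ("reject", f"{ip} not authorized for {domain}")
    dna = DNA_RATINGS.get(domain, "unknown")    # step 4
    if dna == "bad":
        return ("reject", f"{domain} has a poor reputation")
    if csa == "authorized" and dna == "good":
        return ("accept", f"{domain} authorized and accredited")
    return ("tag", f"csa={csa} dna={dna}")      # in between: record the result
```

A forged HELO name is caught at step 3 because the connecting IP is not among those the domain's management published, while an authorized but unaccredited domain lands in the "in between" case.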

If the answers to both of the questions at the top
of this article are 'Yes', then receivers can
expect the email received to be email they want.
Mail sources are motivated to make the answers
yes, and it's easy for them to do so (unless their
email flow is so toxic that no reputable
independent accreditation service will vouch for
them).
CSV is designed to be efficient and elegant, and
in this respect it certainly beats SPF's
coverage of HELO identities.

Client SMTP Authorization (CSA) was a proposed mechanism whereby a domain admin can advertise which mail servers are legitimate originators of mail from his/her domain.

This is done by providing appropriate SRV RRs in the DNS infrastructure.

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 