--------------------------
Message-Body-Authenticator
--------------------------

Message-Body-Authenticator (MBA) is a tentative addition to SPF (http://spf.pobox.com).

Revisions:
  0.01  2004-03-26  evertonsm@yahoo.com.br

Summary:
- MBA fights email address forgery and
- makes it easier to identify spam, worms, and viruses
- when domain owners publish message body authenticators in DNS, so that
- SMTP receivers can distinguish legitimate mail from spam
- by verifying a hash of the message body
- against the authenticator published by the envelope sender domain.

Notes:
- It does not break forwarding: the check is made against a published digest of
  the body, not against the IP address of the delivering host.
- The record expiration date is used for database space management: the sender
  removes the per-message record from DNS once its valid-until time has passed.
- The message digest is required to prevent replay of a captured authenticator
  for other messages: a message carrying someone else's authenticator value
  fails the digest comparison.
- Only the body is covered by the digest; the header fields (From:, Subject:,
  ...) are not.
- The example below uses MD5. MD5 is no longer collision-resistant, so a
  deployment should use a stronger digest such as SHA-256.
- The message might be rejected after SMTP DATA, because the authenticator
  header and the body only arrive with DATA.

EXAMPLE for Message-Body-Authenticator
======================================

BEGIN

bobsite.tld is publishing:

  _mba.bobsite.tld. IN TXT "policy=mba-header-required"
  _mba.bobsite.tld. IN PTR mba.bobsite.hosting.tld.

  ('_mba' stands for 'message body authenticator')

Bob's MUA issues the message:

-- original RFC2822 message -- begin --
Subject: Party
From: "Bob"
To: "Alice"

Hello Alice,
Are you coming next week?
Cheers,
Bob
-- original RFC2822 message -- end --

bobsite.tld MTA stores in a publicly-readable database (DNS):

  key:    message-id  = 0123456789   (the value carried in the Message-Body-Authenticator: header)
  value:  md5         = 415f3c454c31fb7dbcf4d861a66adbe5
  expire: valid-until = 2004-04-30 14:50:22 GMT

bobsite.tld publishes in the DNS:

  0123456789.mba.bobsite.hosting.tld. IN TXT "md5=415f3c454c31fb7dbcf4d861a66adbe5"

bobsite.tld MTA sends to alicehome.tld:

-- sending authenticated message -- begin --
EHLO mail.bobsite.tld
MAIL FROM:
RCPT TO:
DATA
Subject: Party
From: "Bob"
To: "Alice"
Message-Body-Authenticator: 0123456789

Hello Alice,
Are you coming next week?
Cheers,
Bob
.
QUIT
-- sending authenticated message -- end --

After MAIL FROM, the alicehome.tld MTA extracts the domain bobsite.tld from the
envelope sender address. It then finds:

  _mba.bobsite.tld. IN TXT "policy=mba-header-required"
  _mba.bobsite.tld. IN PTR mba.bobsite.hosting.tld.

If the alicehome.tld MTA chooses to enforce the published policy, it rejects the
message unless a "Message-Body-Authenticator:" header is present. Since that
header only arrives with DATA, the rejection happens after DATA.

Using the header value (0123456789) prefixed to the PTR target, the alicehome.tld
MTA looks up and finds:

  0123456789.mba.bobsite.hosting.tld. IN TXT "md5=415f3c454c31fb7dbcf4d861a66adbe5"

After DATA, the alicehome.tld MTA computes the MD5 of the received message body,
finds that it matches the published MD5, and accepts the message.

On 2004-04-30 14:50:22 GMT, bobsite.tld removes from DNS:

  0123456789.mba.bobsite.hosting.tld. IN TXT "md5=415f3c454c31fb7dbcf4d861a66adbe5"

END
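The exchange above, sender side and receiver side, as an added Python example that is not part of the original proposal. It simulates DNS with a dictionary so it runs offline, assumes the mailbox addresses bob@bobsite.tld and alice@alicehome.tld (the page does not spell them out), and keeps MD5 only to match the "md5=" record format; the receiver also exercises the cases the notes describe: a missing header under "policy=mba-header-required", a replayed authenticator on an altered body, a domain with no policy, and a record removed at valid-until.

```python
"""Simulated Message-Body-Authenticator (MBA) exchange, sender and receiver.
Added example, not code from the MBA proposal. DNS is a dict and the messages
are constructed inline. MD5 is kept only to match the page's 'md5=' records."""
import hashlib
import hmac
from datetime import datetime, timezone
from email import message_from_bytes

# Simulated DNS: owner name -> {rrtype: rdata}. Only bobsite.tld's policy
# records exist up front; per-message records are added by publish().
ZONE = {
    "_mba.bobsite.tld.": {
        "TXT": "policy=mba-header-required",
        "PTR": "mba.bobsite.hosting.tld.",
    },
}
# Sender-side table driving record expiry: authenticator -> (dns name, valid-until)
PUBLISHED = {}


def body_digest(body: bytes) -> str:
    """Digest of the body as sent on the wire (CRLF line endings).
    Canonicalising keeps the digest stable if an MTA rewrites LF/CRLF in transit.
    Headers are deliberately not included: MBA only covers the body."""
    canon = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    return hashlib.md5(canon).hexdigest()


def publish(authenticator: str, body: bytes, hosting: str, valid_until: datetime) -> str:
    """Sender MTA: publish md5=<digest> under <authenticator>.<hosting zone>."""
    name = f"{authenticator}.{hosting}"
    ZONE[name] = {"TXT": f"md5={body_digest(body)}"}
    PUBLISHED[authenticator] = (name, valid_until)
    return name


def expire_records(now: datetime) -> list:
    """Sender-side space management: drop records whose valid-until has passed."""
    removed = []
    for auth, (name, until) in list(PUBLISHED.items()):
        if now >= until:
            ZONE.pop(name, None)
            del PUBLISHED[auth]
            removed.append(name)
    return removed


def verify(mail_from: str, raw: bytes) -> tuple:
    """Receiver MTA: returns (accept, reason). Runs after DATA, since the
    Message-Body-Authenticator header only arrives with the message."""
    domain = mail_from.strip("<>").rsplit("@", 1)[-1].lower()
    policy_rr = ZONE.get(f"_mba.{domain}.")
    if policy_rr is None:
        return True, "sender domain publishes no MBA policy; not checked"
    head, _, body = raw.partition(b"\r\n\r\n")  # headers / first blank line / body
    auth = message_from_bytes(head).get("Message-Body-Authenticator")
    if auth is None:
        if policy_rr.get("TXT") == "policy=mba-header-required":
            return False, "policy requires a Message-Body-Authenticator header"
        return True, "header optional for this domain; not checked"
    auth = auth.strip()
    if not auth.isalnum():  # header value is untrusted input; keep it a plain DNS label
        return False, "malformed authenticator"
    rr = ZONE.get(f"{auth}.{policy_rr['PTR']}")
    if rr is None or not rr.get("TXT", "").startswith("md5="):
        return False, "no authenticator record published (unknown or expired)"
    if hmac.compare_digest(rr["TXT"][len("md5="):], body_digest(body)):
        return True, "body digest matches the published authenticator"
    return False, "body digest mismatch: altered body or replayed authenticator"


def demo() -> dict:
    """The page's exchange plus failure cases; returns the verdict for each."""
    # Constructed sample message; the mailbox local parts are assumptions.
    body = b"Hello Alice,\r\nAre you coming next week?\r\nCheers,\r\nBob\r\n"
    headers = (b'Subject: Party\r\nFrom: "Bob" <bob@bobsite.tld>\r\n'
               b'To: "Alice" <alice@alicehome.tld>\r\n')
    auth = "0123456789"
    signed = headers + f"Message-Body-Authenticator: {auth}\r\n\r\n".encode() + body
    unsigned = headers + b"\r\n" + body
    tampered = signed.replace(b"next week", b"tomorrow")  # same authenticator, new body
    valid_until = datetime(2004, 4, 30, 14, 50, 22, tzinfo=timezone.utc)
    publish(auth, body, ZONE["_mba.bobsite.tld."]["PTR"], valid_until)
    mail_from = "<bob@bobsite.tld>"
    results = {
        "legitimate": verify(mail_from, signed),
        "no_header": verify(mail_from, unsigned),
        "tampered": verify(mail_from, tampered),
        "other_domain": verify("<carol@carolmail.tld>", signed),
    }
    expire_records(valid_until)  # bobsite.tld removes the record on valid-until
    results["after_expiry"] = verify(mail_from, signed)
    return results


if __name__ == "__main__":
    for case, (accept, reason) in demo().items():
        print(f"{case:13} {'ACCEPT' if accept else 'REJECT'}  {reason}")
```

Running the module prints one verdict per case. The digest comparison uses hmac.compare_digest rather than == so that a mismatch is not detectable by timing, and the authenticator value is restricted to an alphanumeric label before it is spliced into a DNS name, because that header is supplied by whoever submitted the message.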