Authentication Standards

One of the major sources of headaches with Internet email is the lack of sender authentication in SMTP. SMTP provides no mechanism to verify that the sender address, specified in the SMTP MAIL FROM command or in the visible From header, is being legitimately used. In fact, SMTP specifically provides for a number of cases where these addresses can be “spoofed” for legitimate purposes. The reality is that you cannot always trust, or always mistrust, the sender address.

With the wide adoption of email and SMTP to transfer it, it’s extremely unlikely that a change in the protocol itself would be welcomed. It would be difficult to justify—despite its problems, SMTP has been scaling to meet the global Internet email volumes for almost 30 years.