Faking from address
As I was setting up my user account at Apache, I ran into a seemingly easy problem. Apache gives us a forwarding account, not a POP/IMAP account. Which is perfectly fine as far as receiving email is concerned. But now I would also like to send email using the apache.org email address as well.
A few years back, this wasn’t a problem at all. SMTP by itself didn’t have (still doesn’t) any notion of security. So you could fake any email address you want in the envelope, and SMTP would happily deliver it for you. However, with the proliferation of spam on the Internet, ISPs and SMTP servers have become very wary of faked from addresses.
What does a fake from address really mean? For most purposes, it simply means that the domain of the from address and the domain that the mail originated in don’t match up. A lot of ISPs only relay mails through their own mail servers (and block port 25 for any other mail servers). Their own mail servers frequently restrict from addresses to be the one that the ISP gave you. A large number of organizations have started using [[http://antispam.yahoo.com/domainkeys|DomainKeys]] or [[http://spf.pobox.com/|SPF]], which makes faking a sender address even harder.
Gmail allows sending messages through their SMTP servers using your Gmail account, but no matter what sender address you put in there, it gets substituted by your Gmail address. So that's no good, is it?
Ideally, I think there should be a decoupling between ownership and authentication. Each email address has a unique owner, multiple email addresses can have the same owner. Then SMTP should authenticate the owner, not the email address. Of course it's easier said than done. I’ll think about it a bit more and write something more thought out later on.