Each Domain has its own Authentication Server (Dedicated or Shared) that is defined by the Domain DNS TXT Record. It can be maintained by the Domain Holder or it can be outsourced. The Authentication Server is in the control of the Domain Holder.
The purpose of the Authentication Server is to provide the following functionalities:
- Generate new AuthKey periodically for each email address within the Domain that is used to send mail
- Send the new AuthKey to the email address
- Accept VERIFY requests from SMTP Servers and send back VERIFY_REPLY with the results
- Remove expired AuthKeys
In an environment where the same administrator maintains the SMTP Servers and the Authentication Server, the SMTP Servers can retrieve the newest AuthKey for the email address directly from the Authentication Server. This will eliminate step 2 mentioned above.
Generation of New Authentication Keys
Each Email Address in the Authentication Server has two types of records:
- Email Address Settings Record
- AuthKey Record
Here is a sample Email Address Settings Record:
| Email Address | AGI | AVT |
| my@domain.com | 7200 (min) | 2880 (min) |
Using the Email Address AGI Value (Address Authentication Key Generation Interval), a new AuthKey is generated every AGI, recorded into the Authentication Server Database and sent to the email address.
Below is a sample AuthKey Record on the Authentication Server:
| Email Address | Expiration Time | AuthKey |
| my@domain.com | 2005-01-01 22:08:15 | my64charbyteskey-01 |
Expiration time is calculated at the time of new AuthKey Generation as follows:
Expiration Time = Current Time + AGI + AVT
After the Expiration Time the AuthKey is deleted.
So in the example above, after 2005-01-01 22:08:05, the AuthKey my64charbyteskey-01 for my@mydomain.com will be deleted.
As a matter of implementation, to avoid overloading the systems, the process that generates the keys should initially distribute key generation evenly over the span of the AGI Time.
The process and management of Email Address Settings Records is implementation specific.
Clearly, it is most beneficial, but not required, that the Email Hosting Provider that has the capabilities to manage creation and deletion of mail accounts also manages the Authentication Server. At the least, there should be a mechanism to integrate both services.
Sending New AuthKey
When a new AuthKey is generated, it is sent to the email address as a regular email message with specific header information. The content, subject and body of the message are not important.
The header should include the new AuthKey in the following format:
X-New-Auth-Key: string-of-your-new-key-from-now-on.
Obviously, a company like AOL will not require a new AuthKey; their SMTP Server can retrieve the current AuthKey directly from their own Authentication Server.
Handling VERIFY Requests
The Authentication Server listens to TCP and UDP Ports and can accept VERIFY requests.
When the Authentication Server gets the VERIFY Request (see Protocol), it validates the email address and the AuthKey against its Authentication Key Database. If there is a match, it replies with VALIDKEY; if there is no match, it replies with INVALIDKEY.
As a matter of implementation, the Authentication Server can collect the requests for later reporting.
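The key lifecycle and VERIFY handling described above, as an added Python sketch that is not part of the original specification: it shows that, because Expiration Time = Current Time + AGI + AVT, the previous AuthKey remains valid alongside the new one until its own Expiration Time passes. The class AuthKeyStore, its method names, the in-memory storage, the 64-character random key format and the constant-time comparison are assumptions made for illustration.

```python
import hmac
import secrets
from datetime import datetime, timedelta

class AuthKeyStore:
    """In-memory stand-in for the Authentication Key Database (hypothetical)."""

    def __init__(self):
        self.settings = {}  # email -> (AGI, AVT) as timedeltas
        self.keys = {}      # email -> list of (expiration_time, authkey)

    def add_address(self, email, agi_min, avt_min):
        self.settings[email] = (timedelta(minutes=agi_min), timedelta(minutes=avt_min))
        self.keys.setdefault(email, [])

    def generate(self, email, now):
        """Run once per AGI. Expiration Time = Current Time + AGI + AVT."""
        agi, avt = self.settings[email]
        key = secrets.token_urlsafe(48)  # assumption: 64 random URL-safe chars
        self.keys[email].append((now + agi + avt, key))
        return key

    def purge(self, now):
        """Delete AuthKeys whose Expiration Time has passed."""
        for email, records in self.keys.items():
            self.keys[email] = [(exp, k) for exp, k in records if exp >= now]

    def verify(self, email, authkey, now):
        """Answer a VERIFY request with VALIDKEY or INVALIDKEY."""
        valid = False
        for exp, k in self.keys.get(email, []):
            # Constant-time compare; a key past expiry fails even if not yet purged.
            if hmac.compare_digest(k.encode(), authkey.encode()) and exp >= now:
                valid = True
        return "VALIDKEY" if valid else "INVALIDKEY"

def demo():
    """Constructed timeline using the sample settings (AGI 7200, AVT 2880 min)."""
    addr, store = "my@domain.com", AuthKeyStore()
    store.add_address(addr, agi_min=7200, avt_min=2880)
    t0 = datetime(2005, 1, 1)                    # constructed start time
    k1 = store.generate(addr, t0)                # expires t0 + 10080 min
    t1 = t0 + timedelta(minutes=7200)            # one AGI later: key rotation
    k2 = store.generate(addr, t1)
    overlap = (store.verify(addr, k1, t1), store.verify(addr, k2, t1))
    t2 = t0 + timedelta(minutes=10081)           # just past k1's Expiration Time
    store.purge(t2)
    after = (store.verify(addr, k1, t2), store.verify(addr, k2, t2))
    return overlap, after
```

Calling demo() returns the VERIFY results during the overlap window and after the first key has expired.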