But unfortunately, once the UI recognizes this case, would we not be
imposing harm vis-a-vis phishing in particular? And then DMARC Mark
II (as it were) would have to prohibit the wrapping and require a wrap
of a wrap, etc.
DMARC is only useful because many crooks are remarkably lazy or
stupid. I've seen numbers showing that it blocks vast amounts of spam
with From: addresses like <security(_at_)paypal(_dot_)com>, which means that a
lot of crooks just use the exact address they're attacking. But it's not
effective against stuff like this, which they also use:
From: <security(_at_)paypaI(_dot_)com>
From: security at paypal.com <boris(_at_)rbn(_dot_)ru>
For that second one, remember that a lot of MUAs only show the
comment on the From: line, not the address.
While I believe that it does block considerable phish now, I also
believe it's a lot of long term pain for only short term benefits. I
also agree that if we invent ways to circumvent DMARC issues, the bad
guys will quickly adapt unless those ways have a different, ideally
better, threat model. See the appsawg archives and the new dmarc list
for further discussion on this point.
R's,
John
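
The three From: shapes discussed in the message above, as an added receiver-side triage sketch (not part of the original message or of any DMARC implementation). The protected-domain list, the small confusables map and the sample headers are constructed assumptions; the samples mirror the message's examples with the archive's address obfuscation undone.

```python
from email.utils import parseaddr

# Assumption: the brand domains this receiver wants to watch for.
PROTECTED = {"paypal.com"}

# Constructed, deliberately small confusables map (not the full Unicode table).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

def skeleton(text):
    """Fold visually confusable characters so lookalikes compare equal."""
    return text.translate(CONFUSABLES).lower().replace("rn", "m")

def classify_from(header_value):
    """Classify a From: header value relative to the protected domains.

    'exact-domain'       - address really uses a protected domain; this is
                           the only case a DMARC policy on that domain covers
    'lookalike-domain'   - different domain that renders like a protected one
    'display-name-spoof' - protected domain appears only in the display name
    'unrelated'          - none of the above
    """
    display, addr = parseaddr(header_value)
    domain = addr.rpartition("@")[2]
    if domain.lower() in PROTECTED:
        return "exact-domain"
    if any(skeleton(domain) == skeleton(p) for p in PROTECTED):
        return "lookalike-domain"
    # Many MUAs show only the display name, so inspect it separately.
    if any(skeleton(p) in skeleton(display) for p in PROTECTED):
        return "display-name-spoof"
    return "unrelated"

# Constructed sample headers based on the examples in the message.
SAMPLES = [
    "<security@paypal.com>",
    "<security@paypaI.com>",                  # capital I in place of l
    "security at paypal.com <boris@rbn.ru>",
    "Boris <boris@rbn.ru>",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{classify_from(value):20} {value}")
```

Only the first sample would be evaluated against paypal.com's DMARC policy; the other two are evaluated against whatever policy their own domains publish, which is why they need a separate check such as this one.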