Hector Santos wrote:
Earl Hood wrote:
IMHO, if robust anti-spoofing is desired, MUA support is needed.
MUAs have much greater capabilities of displaying verification results
to the end-user versus anything an MTA can do.
MUA support would be nice to have, but I think there's a fair
amount that can be done within the existing confines... enough
that we're not requiring any sort of flag day.
I'm not sure I agree with this, simply because there are many forms of a
MUA. I think what is needed are new 822 header standards to offer
"material" to better train the MUA presentation of information.
Something that we need to keep in mind here is that the 80/20
rule almost certainly applies: the object here is to get miscreants
to find something else to do rather than spoofing a legitimate
domain's email addresses. It does not require 100% coverage on
MUA's to make the practice unappealing for the bad guys. I'd
venture to say that a few strategic MUA/webclients (like, oh
say, Mark's Y! client, and few other strategic ones) could make
a very large impact.
Mike
_______________________________________________
ietf-dkim mailing list
http://dkim.org