[I hesitated a lot about the subject, feel free to flame this first
Last Call message.]
The whole purpose of Sender-ID is to disclose the real email address
used for the last introduction of the message. This can conflict with
privacy expectations (think of the example in
draft-ietf-marid-submitter-03.txt, where Alice (unknowingly?) reveals
that she is at such or such hotel).
The problem already exists with the Received headers but the advice in
-core (7.5 "MUA implementers") to display the addresses used in the
PRA makes it stronger, IMHO.
I do not find an easy solution (it is an inherent conflict) but I
suggest to add to "Security considerations" in -core:
Automatically adding headers like Resent-From and Sender, as mandated
here, may have privacy consequences for the users. MUA implementors
may make this header addition optional, at the risk of seeing the mail
rejected later. Alternatively, users and administrators should be
aware of other solutions like [RFC 2476] or various tunnels.