ietf

Re: Google threatens to break Gmail

2015-10-23 13:36:53
Christian Huitema wrote:
> Brian E Carpenter wrote:
>>
>> On 23/10/2015 02:57, Russ Housley wrote:
>> ...
>>> It seems to me that DMARC re-writing is a more important feature for this
>>> community.  I think we should drop support for the password messages and
>>> move to a newer version.  I'd like the tools team to check this out, and then
>>> if the newer version will not introduce other surprises, move to the newer
>>> version.
>>
>> The primitive rewriting of the From is a bug in itself, because it destroys
>> important information (who sent the message, even if they are a non-
>> subscriber).
>
> +1.
>
> Rewriting the "From:" header trains users to only look at the user
> friendly name, and to overlook the rewritten address.
> The potential for phishing is interesting.

I do not see any increased potential for phishing.
Rather the opposite -- DMARC could be abused to give users a false
sense of security and fall to the flawed assumption that it would
authenticate the EMail author (which it doesn't).


Interestingly, there essentially is a legal requirement for rewriting
the From: header field for addresses that publish DMARC records when
delivering EMail to places where DMARC processing isn't outright illegal
(DMARC processing is clearly illegal in the EU), because handing an
EMail to an MTA that might be processing DMARC will be illegal in the EU
just as processing DMARC oneself.  So one of the alternatives to
unconditionally bouncing a DMARC-impaired EMail will be rewriting the From:.


-Martin