I think technical fans of email perhaps attach more import to the
rfc5322.from field than
does the average user. Certainly, downsides exist. That said, facebook
notifications
today all come from the same per-user address, with the actual commenter as
just the
display name. Various forum software, email ticketing software, the email
notifications
from various web based messaging systems, they all fail to apply authorship
in how you say.
I think of myself as a technical email guy, but I’m surprised at how much of an
average user I am. If I were to get an email from someone (or I guess myself)
on this list like this:
From: Terry Zink via IETF-DMARC <dmarc(_at_)ietf(_dot_)org>
This already happens from other lists I am on, I don’t think twice about it. I
sort of even think “Hey, that works better for me!”
And if there were something like this in other headers that retains the
original senders:
Reply-To: originalSender(_at_)example(_dot_)com
Sender: dmarc <dmarc-bounces(_at_)ietf(_dot_)org>
Then so much the better, I don’t even notice them unless I hit Reply. As
Brandon says, I’ve already been conditioned to look for the same email address,
for example I get this from LinkedIn:
From: Example Person (via LinkedIn) <messages-noreply(_at_)linkedin(_dot_)com>
I get that some people don’t like how the From: address no longer reflects the
“real” sender, but I don’t just use the email address to identify a sender. I
use the Display Name, too, and putting someone’s name and the source into the
Display Name is helpful.
That doesn’t mean there aren’t better options. But this workaround – at least
for me – is not that painful.
--Terry
From: dmarc [mailto:dmarc-bounces(_at_)ietf(_dot_)org] On Behalf Of Brandon Long
Sent: Thursday, November 3, 2016 4:04 PM
To: Dave Crocker <dcrocker(_at_)bbiw(_dot_)net>
Cc: dmarc(_at_)ietf(_dot_)org; IETF <ietf(_at_)ietf(_dot_)org>
Subject: Re: [dmarc-ietf] Identification of an email author (was - Re: IETF
Mailing Lists and DMARC)
On Wed, Nov 2, 2016 at 3:51 PM, Dave Crocker
<dcrocker(_at_)gmail(_dot_)com<mailto:dcrocker(_at_)gmail(_dot_)com>> wrote:
On 11/2/2016 2:58 PM, Brandon Long wrote:
The difference is mostly cosmetic, though depending on your mail client,
there may be other downsides. And it may violate RFC 5322.
Brandon,
You know that I know that the attacks that generated the use of DMARC, which is
causing the current situation, are serious. I'm mentioning that here to make
sure the context for what follows is clear...
Email is communication between an author and one or more recipients.
Everything in between them is 'overhead'. The overhead functions need to be
careful to avoid cavalierly reducing the utility of email, even as the changes
are meant to aid in the use of email.
Identification of the author and recipients is meaningful to them. That's not
'cosmetic'.
And software tools employed by users take advantage of this identification, for
searching and for organizing.
Including Gmail, which doesn't handle this workaround well, either.
In a highly diverse world, one of the problems of being a very major player is
that it becomes far too easy not to see all the diversity or to appreciate its
import to others. After all, most of that diversity is seen as such a tiny
percentage of the activity. This is the essence of ethnocentrism.
Changing the contents of the rfc5322.From field is changing basic statements
about authorship.
Perhaps there's no practical choice right now, but please let's not be cavalier
about its import.
I think technical fans of email perhaps attach more import to the rfc5322.from
field than does the average user. Certainly, downsides exist. That said,
facebook notifications today all come from the same per-user address, with the
actual commenter as just the display name. Various forum software, email
ticketing software, the email notifications from various web based messaging
systems, they all fail to apply authorship in how you say.
Yes, mailing lists have existed in this form for some time, and they are a good
and vital system, and the downsides are real.
Note also that I imagine that mailing list software which supports EAI messages
might also need to munge the From header to downgrade the message for delivery
to non-EAI enabled receivers.
I'm not sure if my comment was heard in the recent ARC round table, where folks
were questioning the overall complexity of ARC, but I'm fairly serious in
saying that all of our discussions on work arounds and technical methods for
trying to make DMARC work with mailing lists, and from header munging is by far
the simplest. No trust/reputation systems, no manual whitelisting, no "magic
sauce", no new software to be installed by receivers.
ARC will add greatly to the size of mail headers, which some folks on mailop
still think should be tiny and talk about automatically marking large headers
as spam.
ARC will add greatly to the privacy concerns which were raised last week on the
DKIM IETF list, where now not only is a message have attestation of origin, but
that attestation will survive some amount of forwarding/modification, and the
path it took will also be attested to.
ARC will require new software to be installed by mailing list providers and any
receivers who implement DMARC. Even after being installed, there is still more
work in order to allow the mailing list messages through.
Brandon