On Mon, Dec 26, 2016 at 01:31:28PM -0500, Viktor Dukhovni wrote:
On Dec 26, 2016, at 9:49 AM, Theodore Ts'o <tytso(_at_)mit(_dot_)edu> wrote:
The need for email origin authentication to specify that "Sender" preempts
"From" has been well understood for a long time before there there was
DMARC.
If there is to be a non-broken replacement, it must correct this design
error
and place the "burden" of dealing with that on any MUAs that fail to
display
Sender (as e.g. from <sender> on behalf of <author>).
But if MUA's do this, then it becomes trivial to phish consumers,
which was the original excuse for DMARC. So if MUA's do this,
eventually Yahoo and the other big mail providers will promulgate a
non-standard "fix" that will bounce message with Sender lines that
aren't equal to the From field. And then what will you do?
You're still operating under the false assumption that DMARC's purpose
is to solve phishing. It's real purpose (at Yahoo et. al.) is to reduce
support desk workload at the sending domain. Any minimal efficacy at
reducing phishing is entirely incidental.
Anyway, there's no additional phishing risk. One of the few things
that Outlook does right is display both Sender and From, as
<sender> on behalf of <author>.
If the DMARC replacement authentication (via DKIM's d= or similar
is then applied to <sender>, there's no new phishing risk.
By that argument, there's no excuse for the big mailer providers for
bouncing List mail because of DMARC. They could just reference the
List-ID field, and display something like this:
<From> via mailing list <list-id header contents>
But they don't do this. Why, pray tell? And is this a reason for
them not prusueing your suggestion? Why aren't they doing this
instead of waiting and hoping ARC will solve the problem? Maybe
because users are clueless enough that they would still be getting
confused?
- Ted