Re: [IETF] DMARC methods in mailman

2016-12-27 13:02:52

On Dec 27, 2016, at 1:46 PM, Dave Crocker <dhc(_at_)dcrocker(_dot_)net> wrote:

> Worse, Viktor's line of logic presumes the modified From field somehow gets
> the message past filters better, and that is just plain wrong.

I was not suggesting any modification of the message From: line.  Rather
I was applauding the fact that Outlook (for one) presents a more detailed
view of the message headers than is common practice.  In particular, it
augments the displayed origin information with Sender context when present.

If "Sender + From" are displayed as in Outlook, then it becomes reasonable
to authenticate Sender when present, and not apply authentication policy
to "From", since the message is not in fact *from* the author.  It is from
the sender, (purportedly) on behalf of the author.

It is rather implausible that phishers will want to present their messages
this way (on behalf of); most users don't receive such email, and it will
stand out as unexpected.  And users who still believe such messages to be
legitimately *from* the purported author and fall victim to scams will fall
for a myriad other misdirections.

Breaking legitimate use-cases (lists) in order to fail to "solve phishing"
is counterproductive in my view.  Yahoo's DMARC cost reduction would also
be equally effective if they displayed "on behalf of" given "Sender:"
as in Outlook, and authenticated the Sender domain instead.  This would do
no damage to mailing lists.

-- 
        Viktor.
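
The two policies contrasted in this message, as an added example that is not part of the original post: it compares keying the authentication check on From: with keying it on Sender: when present, for a list-relayed message. The addresses, the `evaluate` and `displayed_origin` helpers, and the exact-match alignment rule are assumptions made for illustration; SPF/DKIM results are supplied by the caller rather than verified.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a list post whose author DKIM signature no longer
# verifies after list modification; only the list's own signature passes.
LIST_POST = """\
From: Alice Author <alice@author.example>
Sender: discuss-bounces@lists.example
Subject: [discuss] hello

body
"""
# Constructed sample: the same author mailing a recipient directly.
DIRECT_POST = "From: Alice Author <alice@author.example>\n\nbody\n"


def domain_of(header_value):
    """Lowercased domain of the first address in a header, or None."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else None


def evaluate(raw, authenticated_domains, prefer_sender):
    """Return (header used, its domain, aligned?) for one message.

    authenticated_domains: domains that passed SPF or DKIM, supplied by the
    caller (assumption: those checks ran elsewhere). Alignment here is an
    exact match, a simplification of DMARC's relaxed mode.
    """
    msg = message_from_string(raw)
    header = "Sender" if prefer_sender and msg["Sender"] else "From"
    dom = domain_of(msg[header])
    return header, dom, dom is not None and dom in authenticated_domains


def displayed_origin(raw):
    """Origin line in the 'Sender on behalf of From' style described above."""
    msg = message_from_string(raw)
    author = parseaddr(msg["From"] or "")[1]
    sender = parseaddr(msg["Sender"] or "")[1]
    if sender and sender != author:
        return f"{sender} on behalf of {author}"
    return author


if __name__ == "__main__":
    for prefer_sender in (False, True):
        print(prefer_sender, evaluate(LIST_POST, {"lists.example"}, prefer_sender))
    print(displayed_origin(LIST_POST))
```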

