Seth Goodman wrote:

> Since the two most common MUA's on the planet (built by
> guess who?) _don't_ display Resent-From: to the user, even
> though that's the address PRA will give a "pass" to, anyone
> who uses one of those MUA's will only see From: Thomas
> Moneybuckets <CEO(_at_)BankOfAmerica(_dot_)com>. Where's the
> anti-phishing capability?

Probably MUAs should be modified to display the PRA. As long
as the definition of PRA includes "must match the MAIL FROM
(Return-Path)" it can be done offline without any SPF tests.
The classic Received-SPF header could then be used to further
identify a "verified" (SPF PASS) vs. "unverified" (else) PRA.

[...]

> I've obviously missed something, but what is SPF/FROM-HDR?

wayne mentioned it some days ago in MARID. Apparently it was
meant as a fallback position if the open patent issues kill
Sender-Id (that's only my interpretation):
<http://www.ietf.org/internet-drafts/draft-schlitt-marid-spf-from-hdr-00.txt>

The major problem with it from my POV: Users like their From:
mailboxes, and they won't accept solutions where they can't use
their From: address everywhere. Even with a third party MSA
enforcing a different MAIL FROM.
Bye, Frank
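
The offline check proposed in the reply above, sketched as an added example that is not part of the original message: pick the PRA from the headers, compare it with the Return-Path, and use Received-SPF to label it "verified" or "unverified" so an MUA could show it next to From:. The header order is a simplified form of the RFC 4407 selection rule, and the sample message, addresses and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Simplified PRA selection order (assumption: RFC 4407's extra rules about
# Received/Return-Path lines between Resent-* blocks are ignored here).
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")

def purported_responsible_address(msg):
    """Return (header name, address) of the first PRA candidate present."""
    for name in PRA_ORDER:
        values = msg.get_all(name)
        if values:
            return name, parseaddr(values[0])[1].lower()
    return None, ""

def classify(raw):
    """Offline check: no DNS lookup, only headers already on the message."""
    msg = message_from_string(raw)
    header, pra = purported_responsible_address(msg)
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    # Assumption: the topmost Received-SPF was added by the receiver's own
    # border MTA; one injected further down by a sender must not be trusted.
    spf = (msg.get("Received-SPF", "").split() or ["none"])[0].lower()
    if not pra or pra != return_path:
        status = "mismatch"      # PRA does not match MAIL FROM
    elif spf == "pass":
        status = "verified"      # PRA == MAIL FROM and SPF PASS
    else:
        status = "unverified"    # PRA == MAIL FROM, any other SPF result
    return {"from": parseaddr(msg.get("From", ""))[1],
            "pra_header": header, "pra": pra, "status": status}

# Constructed sample: a forwarded message whose From: names a bank.
SAMPLE = """\
Return-Path: <forwarder@example.net>
Received-SPF: pass (example.net: sender permitted) client-ip=192.0.2.10
Resent-From: Forwarder <forwarder@example.net>
From: Thomas Moneybuckets <ceo@bank.example>
Subject: constructed sample

body
"""

if __name__ == "__main__":
    r = classify(SAMPLE)
    # What an MUA could display alongside the From: line.
    print(f"From: {r['from']}  [{r['status']} {r['pra_header']}: {r['pra']}]")
```
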