spf-discuss

Re: change of version string

2004-08-07 07:20:45
Seth Goodman wrote:

> Since the two most common MUA's on the planet (built by
> guess who?) _don't_ display Resent-From: to the user, even
> though that's the address PRA will give a "pass" to, anyone
> who uses one of those MUA's will only see From: Thomas
> Moneybuckets <CEO(_at_)BankOfAmerica(_dot_)com>.  Where's the
> anti-phishing capability?

Probably MUAs should be modified to display the PRA.  As long
as the definition of PRA includes "must match the MAIL FROM
(Return-Path)" it can be done offline without any SPF tests.

The classic Received-SPF header could then be used to further
identify a "verified" (SPF PASS) vs. "unverified" (else) PRA.

[...] 
> I've obviously missed something, but what is SPF/FROM-HDR?

wayne mentioned it some days ago in MARID.  Apparently it was
meant as a fallback position if the open patent issues kill 
Sender-Id (that's only my interpretation):

<http://www.ietf.org/internet-drafts/draft-schlitt-marid-spf-from-hdr-00.txt>

The major problem with it from my POV:  Users like their From:
mailboxes, and they won't accept solutions where they can't use
their From: address everywhere.  Even with a third party MSA
enforcing a different MAIL FROM.
                                 Bye, Frank
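
Added example, not part of the original message: a sketch of the offline check an MUA could run to display the PRA next to From:, compare it with the Return-Path, and label it from an existing Received-SPF header. It assumes a simplified PRA header order (Resent-Sender, Resent-From, Sender, From); the function names and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: simplified PRA selection order; the full Sender-ID rules
# have extra cases for interleaved Received/Return-Path headers.
PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")

def pra(msg):
    """Return (header_name, address) of the first non-empty PRA candidate."""
    for name in PRA_ORDER:
        addr = parseaddr(msg.get(name, ""))[1]
        if addr:
            return name, addr.lower()
    return None, ""

def classify(raw):
    """Offline check: no DNS or SPF lookups, only headers already present."""
    msg = message_from_string(raw)
    header, addr = pra(msg)
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    spf = msg.get("Received-SPF", "").split(None, 1)
    spf_result = spf[0].lower() if spf else "none"
    matches = bool(addr) and addr == return_path
    return {
        "pra_header": header,
        "pra": addr,
        "from": from_addr,
        "matches_mail_from": matches,
        # "verified" only when the PRA equals MAIL FROM and SPF passed
        "label": "verified" if matches and spf_result == "pass" else "unverified",
        # True when the user-visible From: is not the address that was checked
        "from_differs": from_addr != addr,
    }

# Constructed sample: a resent message whose From: differs from the PRA.
SAMPLE = """\
Return-Path: <relay@forwarder.example>
Received-SPF: pass (forwarder.example: 192.0.2.10 is authorized)
Resent-From: relay@forwarder.example
From: "Thomas Moneybuckets" <ceo@bank.example>
To: user@example.net
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A mail client could show the `pra` and `label` fields beside From: whenever `from_differs` is true.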