On Wed, 08 Sep 2004, jpinkerton wrote:
> Without getting too bogged down here - I'm of the belief that we need to
> protect the vast majority of mail users against the false ReplyTo: SPF does
> it for the sending domain, provided there's no intermediate hops mangling
> the headers, but it'd be nice to go the extra mile if possible.
Reply-To is set in the DATA phase of the email transaction, so it's
beyond the purview of SPF.
Plus, how do you plan to validate or verify the authenticity or
authorization of a particular sender to use a particular Reply-To?
At least with SPF, you have a verified origin that you can go back to.
There are too many valid legitimate uses of From and Reply-To being
different, like this list (most lists, in fact), to have an easy time
changing that behavior.
The very same people you want to protect from Reply-To are the ones
for whom the 'Reply-To: list' headers were thought of.
You now face a choice of letting people learn how to read the Reply-To
header, or training them to change the reply address when they respond to
their yahoo-group list.
It's the same education either way.
-Tim
--
There are 10 types of people on Earth. Those who understand binary, and those
who don't.
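The point Tim makes above, that SPF evaluates the envelope sender (MAIL FROM) against the connecting IP while Reply-To is just a header inside the DATA phase, is easy to see with a worked transaction. The script below is an added illustration, not code from this thread or from any SPF implementation: it parses a constructed SMTP client transcript into envelope and message, runs a deliberately minimal SPF evaluation (ip4 mechanisms plus the `all` qualifiers only, against an in-memory record table standing in for DNS TXT lookups) on the envelope sender, and reports the From and Reply-To headers that the check never looks at. The domains, IP addresses and the SPF record are constructed test data.

```python
"""Added example (not from the original thread): SPF checks the envelope
sender and client IP; Reply-To lives in DATA and is never an input to it.

SPF_RECORDS is a constructed stand-in for DNS TXT lookups (no network is
used). spf_check() implements only ip4 terms and the all mechanism with
+ - ~ ? qualifiers, not the full RFC 7208 evaluation.
"""
import email
import ipaddress
from email import policy

# Constructed SPF records keyed by domain (assumption: these replace DNS).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip: str, mail_from: str) -> str:
    """Evaluate the SPF policy of the MAIL FROM domain against client_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record).
    Only the envelope sender and the connecting IP are consulted; nothing
    from the DATA phase is available here, which is the point of the demo.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            matched = term == "all"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


def parse_transaction(transcript: str):
    """Split a minimal SMTP client-side transcript into envelope and message.

    Server replies are not modelled; only MAIL FROM, RCPT TO and the body
    between DATA and the terminating '.' line are extracted.
    """
    envelope = {"mail_from": None, "rcpt_to": []}
    lines = transcript.splitlines()
    i = 0
    while i < len(lines):
        line, upper = lines[i], lines[i].upper()
        if upper.startswith("MAIL FROM:"):
            envelope["mail_from"] = line.split(":", 1)[1].strip().strip("<>")
        elif upper.startswith("RCPT TO:"):
            envelope["rcpt_to"].append(line.split(":", 1)[1].strip().strip("<>"))
        elif upper == "DATA":
            body = []
            i += 1
            while i < len(lines) and lines[i] != ".":
                body.append(lines[i])
                i += 1
            msg = email.message_from_string("\n".join(body), policy=policy.default)
            return envelope, msg
        i += 1
    raise ValueError("transcript has no DATA section")


def evaluate(client_ip: str, transcript: str) -> dict:
    """Run SPF on the envelope and report the DATA-phase addresses beside it."""
    envelope, msg = parse_transaction(transcript)
    return {
        "spf": spf_check(client_ip, envelope["mail_from"]),
        "mail_from": envelope["mail_from"],
        "header_from": str(msg["From"]) if msg["From"] else None,
        "reply_to": str(msg["Reply-To"]) if msg["Reply-To"] else None,
    }


# Constructed transcript: envelope sender at example.org, submitted from an
# IP that example.org authorises, with a Reply-To pointing somewhere else.
TRANSCRIPT = """\
EHLO mta.example.org
MAIL FROM:<alice@example.org>
RCPT TO:<bob@example.net>
DATA
From: Alice <alice@example.org>
To: bob@example.net
Reply-To: attacker@attacker.example
Subject: invoice

please reply with the details
.
QUIT
"""

if __name__ == "__main__":
    print(evaluate("192.0.2.25", TRANSCRIPT))    # spf: pass, Reply-To untouched
    print(evaluate("198.51.100.7", TRANSCRIPT))  # spf: fail, same Reply-To
```

Run from an authorised address the message gets an SPF pass while carrying a Reply-To at a different domain; from an unauthorised address it fails regardless of what Reply-To says. Either way the verdict depends only on the envelope, which is why any validation of Reply-To would need a separate mechanism and a separate answer to the "authorised by whom" question raised in the reply above.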