spf-discuss

Re: possibilities for 2822

2005-08-18 00:48:52
Stuart D. Gathman wrote:

Seth's idea is that the most popular MUAs *already* display
From + Sender.

These two O?-tools - one of them is IMHO more a nice calendar,
not a real MUA, anything else ?  Okay, that's beside the point,
let's assume that it's true or at least possible.

If they didn't match it against the Return-Path, displaying
From+Sender doesn't help, for SPF the checked identities are
Helo and Return-Path, not From or Sender or PRA.

Even your idea of adding the missing Sender is a win -
because the MUA will then display it to the user!

In that case we're automagically sure that a redundant Sender
matches the Return-Path.  I thought the MUA does this, and
then it would also handle the other three cases, especially
the one utterly dubious case, From, Sender, and Return-Path all
different.

[[ Oops, I forgot the special fifth case, empty Return-Path ]]

*_BUT_* you say "leverage what the MUA is already displaying":

Existing MUAs might display, but they don't match.  This is an
"update all MUAs" idea.

Another non-blocking technique would be simply *change* the
Sender if neither it nor From match.

Now you moved it to "build a smarter MDA".  Apparently Seth
likes this plan, but mail admins will have difficulties with
it, add / modify the Sender at the MDA because some MS-O*-tools
will display it ?!?

If my postmaster did this I'd first shoot him before asking
questions (don't worry, in old Europe that's not literally ;-)

Voila, user sees "From xxyyfasdf(_at_)xxyyzz(_dot_)com on behalf
of admin(_at_)ebay(_dot_)com".

Methinks a POP proxy is better, if a user wants modified mail
let him modify it on his box.  Not at the MDA.  Or only for
users who want it.  For those who want it it's cute... ;-)

All but the most terminally stupid users will at least have
the true source of the message in front of them without
having to click obscure menu options.

Grmmbl, you're not authorized to say that my MUA is stupid.
Only I'm allowed to do this.  Yes, it's stupid, and I like it
this way, and three clicks Options -> Headers -> All are easy.

It's not the only way, I could also filter suspicious mails
into a separate folder.  A job for SIEVE for those who have it.

You are correct in that if we are going to modify the MUA,
why not just show Return-Path.
[...]
Seth's idea is to feed a validated MAIL FROM into what the
world's most popular MUAs do in fact display.

Something, user, MUA, or separate tool, has to do the matching
for Seth's idea.  With your MUA you can do it, because you see
the Return-Path.  A tool could still simplify this for you, for
cases like Return-Path xyz(_at_)paypa1(_dot_)example (=> PAYPA1.EXAMPLE).

the MTA could even block or quarantine messages where neither
From nor Sender matches MAIL FROM.

For that we need either an op=secy or the "add default sender"
trick.  The latter is better, it is completely independent of
any sender policy.  But it should be some kind of "opt-in" on
the side of the receiver.
                           Bye, Frank
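
The matching step discussed in this message (From and Sender compared against Return-Path, plus the empty Return-Path case and the upper-cased domain display), as an added example that is not part of the original post or of any SPF project code. The case names, the `classify` and `addr` helpers, the case-insensitive comparison of whole addresses and the sample messages are assumptions made here; the split into five cases is one reading of the cases the message mentions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not taken from the thread).
SAMPLES = {
    "bounce": "Return-Path: <>\nFrom: MAILER-DAEMON@mx.example\n\nbody\n",
    "direct": "Return-Path: <alice@a.example>\nFrom: Alice <Alice@A.example>\n\nhi\n",
    "list": ("Return-Path: <owner@list.example>\nFrom: bob@b.example\n"
             "Sender: owner@list.example\n\nhi\n"),
    "nosender": ("Return-Path: <xyz@paypa1.example>\n"
                 "From: service@paypal.example\n\nhi\n"),
    "dubious": ("Return-Path: <x@c.example>\nFrom: admin@shop.example\n"
                "Sender: y@d.example\n\nhi\n"),
}


def addr(value):
    """Bare lower-cased address from a header value; '' if absent or '<>'."""
    return parseaddr(value or "")[1].strip().lower()


def classify(raw_message):
    """Compare From and Sender with Return-Path; return (case, DOMAIN)."""
    msg = message_from_string(raw_message)
    rpath = addr(msg.get("Return-Path"))
    frm = addr(msg.get("From"))
    sender = addr(msg.get("Sender"))
    # Upper-casing the domain makes look-alikes (paypa1 vs paypal) visible.
    domain = rpath.rpartition("@")[2].upper()
    if not rpath:
        case = "null-return-path"  # empty or absent: nothing to match against
    elif frm == rpath:
        case = "from-matches"
    elif sender == rpath:
        case = "sender-matches"
    elif not sender:
        case = "sender-missing"    # where a default Sender could be added
    else:
        case = "all-different"     # From, Sender, Return-Path all differ
    return case, domain


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

A receiver that opts in could file the `sender-missing` and `all-different` results into a separate folder, which is the non-blocking handling the message prefers.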


