On 6/2/2020 10:11 AM, Brandon Long wrote:
> And if the mail client displays the Author, then we're kind of back to
> square one with displaying unvalidated data to the user.

No we aren't.
Your comment implies that what is displayed to the user is important in
anti-abuse efforts, but there is no data to support that view, and some
significant data to support the view that that's wrong. (cf, the
extensive literature review that was done during early BIMI discussions.)
What matters is what is done by your filtering engine -- and what is in
the message content -- not what is displayed to the user in the From
field. I understand that DMARC has been useful, but I believe this is
confusing correlation with causation. The cause is down in the
filtering engine.

> There's no reason that DMARC couldn't have included the sender or
> tried to have some kind of PRA like spf v2... but that's not the goal.

But the Sender: field is not reliably present and, of course, DMARC
needs an identifier that is reliably present.

> At some point, you're going up against the existing mail client design
> and of course how users act, and of course all of that is messy. The
> "clean" strictness and mechanical nature of DMARC is ultimately up
> against the fuzzy ux design and fuzzier humans.

DMARC is a triumph of infrastructure operator demands over end-user
experience. It's created a markedly Procrustean email identification
environment.
The standards and the practice, for 45 years, have permitted certain
freedoms in the From: field and DMARC eliminated them.
It's easy to be cavalier about this, since some operators run highly
controlled environments and have no incentives for paying attention to
those who have used those freedoms legitimately, for 45 years.

> On top of that, the author domains basically want to control who can
> send on their behalf, which is a reasonable goal as well.

That's a rather small subset of domain owners. While DMARC was originally
developed for that select community, its vastly broader use results in
over-applying that restriction.
AGAIN, I'm not suggesting changing DMARC or the current reality for the
From: field.
RATHER, I'm suggesting making it possible for recipients to regain
usefulness of the author information that the From: field was intended
to provide but no longer does.
FOR THOSE FEW DOMAINS that really want to get strict about who gets to
claim to be an author associated with a domain, then do something like
add a DMARC option that prohibits use of the Author: field. (Note that
just having DKIM and ARC pre-sign a non-existent Author field
accomplishes this, too...)
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
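
The parenthetical above about pre-signing a non-existent Author field relies on the DKIM rule (RFC 6376, section 5.4) that a name listed in h= with no matching field hashes as the null string. The following is an added example, not code from the message or from any DKIM implementation; it is simplified in that a SHA-256 digest of the selected header fields stands in for the real signature, the DKIM-Signature field itself is left out of the hash, and the sample messages and addresses are constructed.

```python
import hashlib
import re


def relaxed(name, value):
    """RFC 6376 'relaxed' canonicalization of a single header field."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n"


def signed_header_digest(headers, h_tag):
    """Digest of the header fields that h= selects (simplified stand-in).

    headers: list of (name, value) pairs in message order, top to bottom.
    Each name in h= consumes the lowest unused instance of that field.
    A name with no instance left contributes nothing (the null string),
    which is what makes signing an absent field possible.
    """
    remaining = list(headers)
    data = ""
    for wanted in h_tag:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                name, value = remaining.pop(i)
                data += relaxed(name, value)
                break
    return hashlib.sha256(data.encode()).hexdigest()


# Constructed sample: the message as signed, and the same message after an
# intermediary or attacker adds an Author: field in transit.
SIGNED = [("From", "list@lists.example"),
          ("To", "reader@example.net"),
          ("Subject", "Hello")]
TAMPERED = [("Author", "someone@strict.example")] + SIGNED


def survives_added_author(h_tag):
    """True if the header digest still matches after Author: is added."""
    return signed_header_digest(SIGNED, h_tag) == signed_header_digest(TAMPERED, h_tag)


if __name__ == "__main__":
    print("h=from:to:subject        ->", survives_added_author(["from", "to", "subject"]))
    print("h=from:to:subject:author ->", survives_added_author(["from", "to", "subject", "author"]))
```

With "author" absent from h=, the added field goes unnoticed by verification; with it listed, the added field changes the hashed data and the signature no longer validates.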