On Wed 03/Jun/2020 18:43:16 +0200 Dave Crocker wrote:
> On 6/3/2020 9:38 AM, Alessandro Vesely wrote:
>> MUAs should be discouraged from displaying or using Author:, unless
>> (verifiably) signed by a trusted domain or otherwise configured by the user.
>
> Why?

That avoids the dreaded back-to-square-one path that Brandon conjectured. It prevents attacks based on this field, while maintaining the DMARC paradigm.

I, for example, would configure to display Author: in the listing of [dmarc-ietf] and similar folders. Reply-to-Author would also be a useful button, if not abused. It's fine to fulfill advanced users' wishes as long as average user behavior is not forced to change.

Best
Ale
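
The display rule proposed in this message, sketched as an added example that is not part of the original thread or of any MUA's code: show Author: only when a passing DKIM signature from a trusted domain covers that field, or when the user has opted in for the folder. The authserv-id, the trusted domain and the sample message are constructed assumptions, and DKIM results are taken from the receiver's own Authentication-Results header rather than re-verified.

```python
import re
from email import message_from_string

AUTHSERV_ID = "mx.receiver.example"   # assumption: our own border MTA's authserv-id
TRUSTED_DOMAINS = {"lists.example"}   # assumption: signers the user trusts
AUTHOR_FOLDERS = {"dmarc-ietf"}       # folders where the user opted in

def dkim_tags(value):
    """Parse a DKIM-Signature tag=value list into a dict (values lowercased)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = "".join(val.split()).lower()
    return tags

def passing_domains(msg):
    """Domains reported as dkim=pass by our own MTA; other reporters are ignored."""
    found = set()
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(ar).partition(";")
        if authserv.lower().split()[:1] != [AUTHSERV_ID]:
            continue  # header added by someone else, possibly the sender
        pattern = r"\bdkim=pass\b[^;]*?header\.d=([\w.-]+)"
        found |= {d.lower() for d in re.findall(pattern, results)}
    return found

def author_to_display(msg, folder):
    """Return the Author: value the MUA may show, or None to hide it."""
    authors = msg.get_all("Author", [])
    if len(authors) != 1:          # absent or ambiguous: show nothing
        return None
    if folder in AUTHOR_FOLDERS:   # explicit user configuration
        return str(authors[0])
    trusted_pass = passing_domains(msg) & TRUSTED_DOMAINS
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(str(sig))
        if tags.get("d") in trusted_pass and "author" in tags.get("h", "").split(":"):
            return str(authors[0])
    return None

SAMPLE = (  # constructed sample message, not taken from the thread
    "Authentication-Results: mx.receiver.example; dkim=pass header.d=lists.example\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example; s=k1;\n"
    " h=from:author:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: dmarc list <dmarc@lists.example>\n"
    "Author: Alice <alice@author.example>\n"
    "Subject: test\n\nbody\n"
)
MSG = message_from_string(SAMPLE)
```

Authentication-Results reports only the signing domain, so a message carrying several signatures from the same domain with different `h=` lists would need the MUA to verify the signature itself.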
