I am no fan of header rewrite, but... If you are going to talk about "Trust Indicators", we need to define terms, which has not been done. Here are my definitions: - The From header is an Identity Assertion. - DMARC is an Identity Verification technique. - A text message saying, "This message verified by DMARC", is a Trust Indicator. My definitions are consistent with the way that that one study used a trust indicator. Using these definitions, From rewrite has nothing to do with Trust Indicator research. If anyone wants to assert different definitions, please get them on the table.
The fact that users complain about From rewrite is proof that they look at the information. This is because it is an Identity Assertion, not a Trust Indicator. I accept that actual Trust Indicators have a small effect, but rounding down to zero seems like an overstatement. When fighting malware, I will take all the help that I can get, even small help. Lots of organizations use trust indicators and lots of organizations use DMARC for validating the From address. Message annotation has gone up exactly because many MUAs are making the From address visible only on request. Common tag lines are now of the form: "This message is from an external source, so be careful." I don't see that it is our job to tell domain owners that they are wrong, Domain administrators are within their rights to block any incoming message for any reason. Users routinely work with their domain administrators to ensure that the messages that they want get accepted and messages that they do not want get blocked. If users and domain administrators cannot solve their differences, the user can communicate using a different domain. If DMARC produces false positives that cannot be resolved by this process, we would do well to ask why. I see no relevance between the EV experience and DMARC. EV is an identity verification technique, but it lacked a policy mechanism. As a website user, I have no way of knowing whether a particular website MUST have an EV certificate or not. If such a policy mechanism existed, it would have been automated and the site would be blocked. DMARC has a policy mechanism, and it has been automated, so messages are blocked. Forwarding hides information that the email filter needs to make a correct decision. Header rewrite hides the problem, but does not solve it. When we get the automation right, predicting user behavior will not be necessary. Doug Foster > >
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
