On Mon 21/Oct/2024 05:50:09 +0200 Dave Crocker wrote:
> On 10/18/2024 7:38 AM, Bill Cole via mailop wrote:
>> The real original sender is preserved in the Reply-To here (and on most lists
>> using Mailman today.)
>
> In other words, to get around DMARC fragility and false positive damage, an
> intermediary must
>
> 1. Break DMARC, by changing the rfc5322.From address to be something other
>    than the original address
> 2. Break From semantics, since it no longer has the address of the author,
> 3. Break any existing Reply-to semantics, so it no longer specifies an address
>    other than the author's, though that's what Reply-to was defined to permit.
>
> Collateral damage abounds.

Those changes can sometimes (not always) be undone. For your message I got:

Authentication-Results: wmail.tana.it;
  spf=pass smtp.mailfrom=mailop.org;
  dkim=pass reason="Original-From: transformed" header.d=dcrocker.net;
  dmarc=pass header.from=mailop.org;
  arc=fail (1 set(s)) smtp.remote-ip=91.132.147.157

> DMARC has turned the From field into what the Sender field was intended to
> provide; it now primarily serves to specify the handling platform. If the
> author address survives in the From: field, that is merely a collateral
> benefit, but not required.

Well, formally that's what SMTP specifies. Even the new draft says that
changes that involve more than the envelope addresses "need to be viewed as
MUAs that accept a message delivery and then submit a new message for multiple
recipients."

/Forwarding/ is not specified. Confirmed opt-in is a de-facto practice which
does not let the receiver know about the setting up of a new mail flow. If the
recipient knew, it could trust the sender's ARC and pass those messages with
the original From:. However, I talked to Google people and they consider it
too complicated to manage users' subscriptions.

Best
Ale
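
Added example, not part of the thread and not Mailman's or any mail filter's actual code: a simplified Python model of the From rewrite described in the numbered list above and of an attempt to undo it, showing one case where the author cannot be recovered because the original message already carried a Reply-To. The author.example addresses, the display-name suffix and the lone-Reply-To heuristic are assumptions.

```python
import copy
from email.message import EmailMessage
from email.utils import formataddr, getaddresses

LIST_ADDR = "mailop@mailop.org"  # list address as shown in the thread

def addrs(msg, field):
    """Bare addresses found in every occurrence of a header field."""
    return [a for _, a in getaddresses(msg.get_all(field, []))]

def munge(msg, list_addr=LIST_ADDR):
    """Assumed list rewrite: From becomes the list, the author joins Reply-To."""
    (name, author), = getaddresses([msg["From"]])
    reply_to = addrs(msg, "Reply-To")          # whatever the author had set
    if author not in reply_to:
        reply_to.append(author)
    out = copy.deepcopy(msg)
    del out["From"], out["Reply-To"]
    out["From"] = formataddr((f"{name or author} via mailop", list_addr))
    out["Reply-To"] = ", ".join(reply_to)
    return out

def unmunge(msg, list_addr=LIST_ADDR):
    """Recovered author address, or None when the rewrite cannot be undone."""
    if addrs(msg, "From") != [list_addr]:
        return None                            # From was not rewritten by this list
    candidates = addrs(msg, "Reply-To")
    # Assumed heuristic: only a lone Reply-To address identifies the author.
    return candidates[0] if len(candidates) == 1 else None

def sample(reply_to=None):
    """Constructed test message; author.example is a placeholder domain."""
    m = EmailMessage()
    m["From"] = "Author Example <author@author.example>"
    m["To"] = LIST_ADDR
    m["Subject"] = "constructed sample"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("body\n")
    return m

if __name__ == "__main__":
    print(unmunge(munge(sample())))                           # recoverable
    print(unmunge(munge(sample("helpdesk@author.example"))))  # ambiguous
```

This sketch does no DKIM verification; it only models the header rewrite and the ambiguity it can leave behind.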