Wietse Venema wrote:
> Enough already. Here's a From: header
>
>     From: Firstname Lastname <some...@example.com>
>           display name       email address
>
> Many mail user agents, especially the GUI based ones, display the
> "Firstname Lastname" part, not the sender address. To see the address
> one has to take additional steps which many people won't take.

You can mark me down as being really old school because I do actually see most of the interesting headers. For example in the message from you I see exactly this in the headers. (I display this set of message headers in this ordering, From: Reply-To: Resent-From: To: Cc: Mail-Followup-To: Subject: Date:)

    Date: Thu, 22 Oct 2020 19:17:35 -0400 (EDT)
    From: Wietse Venema <wie...@porcupine.org>
    To: Postfix users <postfix-users@postfix.org>
    Subject: Re: sanity-check postfix XCLIENT usage ?
    Reply-To: Postfix users <postfix-users@postfix.org>

:-)

> What does this mean for ordinary users? There is a sender address
> that they never see, that is "secured" with DMARC and so on, but
> it could be total garbage because the user won't see it.
>
> What they do see is the completely unprotected "Firstname Lastname"
> part. Oh, and maybe an indicator that the email it is secure.

I take advantage of that around April Fool's Day and send them messages from their dog and things like that. :-)

> Demi M. Obenour:
> > That's because MUAs display the From: header, not the envelope address.
> > DMARC is aimed at preventing spoofing. If someone sends a message
> > that claims to be from me, but is not, that could damage my reputation
> > or worse. If GMail had p=reject, such a message would be dropped
> > as a forgery. If a relative of mine gets a message that claims to
> > be from me, but is actually from <demiobenour@notgmail.invalid>,
> > they at least have a chance of knowing the message is bogus.

The tragicomical thing is that Gmail does follow policy and when the policy of the sending site is strict DMARC and the mailing list does not rewrite then Gmail subscribers to mailing lists will get automatically unsubscribed when/if the bounce ratio exceeds the threshold! That's perhaps a surprising unintended consequence.

Because the sender's message from the mailing list re-sent to the Gmail subscriber is bounced by Gmail back to the mailing list then the mailing list management software counts it as a bounce from the Gmail end against that subscriber. The sender is unmarked. So it depends upon the amount of mailing list traffic and the ratio of mail from strict DMARC sites and not strict. A large flow of non-DMARC traffic will keep the ratio low. But then if on a single day even one strict DMARC sender sends many messages causing many bounces it will trip over the threshold for the Gmail subscribers and result in all of them being unsubscribed all at once. And then a bunch of Gmail subscribers are all left wondering why they were unsubscribed. Sometimes they will even write in to the list admins asking that question. Yes these are actual events.

I think the best compromise is that mailing lists must rewrite the headers when handling mail from sites with a strict DMARC policy. Although there are others that have disagreed and wished their email to be discarded rather than modified in any way.

Bob
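
The conditional rewrite proposed in the message above, as an added example that is not part of the original post and is not any list manager's own code. The list address, the sample message, the DMARC records and the choice to treat `p=quarantine` as strict alongside `p=reject` are assumptions; a real list would fetch the TXT record for `_dmarc.<author domain>` from DNS instead of receiving it as a string.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

LIST_ADDR = "list@lists.example.org"   # hypothetical list posting address
STRICT = {"reject", "quarantine"}      # assumption: what counts as "strict"

# Constructed sample post and DMARC TXT records (not real data).
SAMPLE = ("From: Firstname Lastname <author@strict.example>\n"
          "To: list@lists.example.org\n"
          "Subject: test\n\nbody\n")
STRICT_TXT = "v=DMARC1; p=reject; rua=mailto:reports@strict.example"
RELAXED_TXT = "v=DMARC1; p=none"

def dmarc_policy(txt_record):
    """Return the p= tag of a DMARC TXT record, or 'none' if absent or invalid."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return "none"
    return tags.get("p", "none")

def prepare_for_list(raw, txt_record):
    """Rewrite From: only when the author's domain publishes a strict policy."""
    msg = message_from_string(raw)
    if dmarc_policy(txt_record) not in STRICT:
        return msg                      # relaxed or no policy: pass through untouched
    name, addr = parseaddr(msg["From"])
    del msg["From"]
    # From: now carries the list's domain, so the receiver evaluates the
    # list's DMARC policy instead of the author's and does not bounce.
    msg["From"] = formataddr((f"{name or addr} via list", LIST_ADDR))
    if msg["Reply-To"] is None:
        msg["Reply-To"] = formataddr((name, addr))   # keep the author reachable
    return msg

if __name__ == "__main__":
    print(prepare_for_list(SAMPLE, STRICT_TXT)["From"])
```

Posts from domains without a strict policy pass through unmodified, so only the messages that would otherwise be bounced and counted against the receiving subscriber are altered.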