On 15 Oct 2016, at 11:33, Petr Bena wrote:
I don't understand your point. I started this discussion stating the
fact that SPF, DKIM and DMARC don't prevent people from being able to
spoof your email address.
And you tell me that I don't understand email security because SPF,
DKIM and DMARC don't prevent people from being able to spoof my email
address?
No. Note which part of your message Dianne responded to.
What exactly were you trying to tell me?
I can't answer for her but I can offer a more direct and verbosely
explicit message:
"Spoofing" of the From header is not primarily a technical problem, it
is a human problem. Humans want to see just another human's name in a
"From" field but are accustomed to also seeing email addresses
sometimes, because email clients vary in how and how well they can
interpret the arcane variant formats that can exist in From headers.
Complicating that further, people do things with email that can be
surprising and problematic to model technically, only sometimes being
formally wrong. To "guarantee" that From headers cannot be effectively
spoofed you need to constrain the From headers of ALL mail you handle to
a much simpler family of formats than what RFC5322 allows, which WILL
cause the rejection of legitimate mail.
On 10/15/16 16:57, Dianne Skoll wrote:
On Sat, 15 Oct 2016 15:35:25 +0200
Petr Bena <petr@bena.rocks> wrote:
Believe me, there are people or organizations who would happily
exchange ability to use mailing lists within some domain for
guarantee that their emails can't be spoofed in any way (at least
within their own domain).
You seriously don't understand email security.
Here's a thought experiment: How does your email reader display the
following in the From: column?
From: "Petr Bena <petr@bena.rocks>" <unrela...@spammer.org>
and imagine that SPF, DKIM and DMARC for spammer.org all pass just
fine.
Regards,
Dianne.
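
The thought experiment above can be turned into a receiving-side check. This is an added example, not part of any message in the thread: it flags a From value whose display name shows an address different from the real addr-spec. The function name `check_from` and all sample addresses are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Loose pattern for text that looks like an email address inside a display name.
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def check_from(header_value):
    """Flag a From value whose display name shows an address other than the real one.

    SPF, DKIM and DMARC authenticate the domain of the addr-spec only; the
    display name is free text, and it is often the only part a mail client shows.
    Note: parseaddr() does not decode RFC 2047 encoded words, so an encoded
    display name would have to be decoded before this check.
    """
    display, addr = parseaddr(header_value)
    shown = [m.lower() for m in ADDR_IN_TEXT.findall(display)]
    mismatched = [s for s in shown if s != addr.lower()]
    return {
        "display": display,
        "addr": addr,
        "mismatched": mismatched,
        "suspicious": bool(mismatched),
    }


# Constructed sample headers (example.* domains, not taken from the thread).
SAMPLES = [
    # Same shape as the thought experiment: address-looking display name.
    '"Alice Example <alice@example.org>" <bulk@mailer.example.net>',
    # Ordinary name-addr form.
    "Alice Example <alice@example.org>",
    # Display name repeats the real address: consistent, not flagged.
    '"alice@example.org" <alice@example.org>',
    # A list-style rewrite: legitimate mail that the same rule flags.
    '"alice@example.org via Some List" <list@lists.example.net>',
]

if __name__ == "__main__":
    for value in SAMPLES:
        result = check_from(value)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} shown={result['display']!r} real={result['addr']!r}")
```

The last sample is flagged even though it is a legitimate list rewrite, which is the cost the reply describes: constraining From formats rejects some legitimate mail.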