John Levine writes:

 > Recording stuff in A-R is fine.  Advice about how MUAs should display
 > them is not.  Considering the dismal history of browser warnings about
 > bad SSL certs, I would expect any user interface advice we give to be
 > counterproductive.

Agreed.  However, in case of "p=quarantine", IWBNI MUAs told the
reader that there's a reason Aunt Sally's birthday greeting is in the
spam folder, and it's more than just the fact that she emailed
you 27 invitations to join her Amway downline last month.

Similarly in case of bypassing DMARC by wrapping the message, or a
length limit on the DKIM signature, IWBNI the unauthenticated parts of
the message were given a "nice UX" treatment semantically equivalent
to displaying it in grey45 on grey50, adding a big warning in red
explaining that From: header can't be trusted and clicking on links is
not advised, and a button to make it readable (and make the annoying
warning go away).

I understand the reservations you and Dave are posting about trying to
make concrete suggestions about UI/UX in RFCs.  Still, unless we get
closer to the end-user wetware than simply adding an invisible
Authentication-Results field, the phishers are just going to mimic our
workarounds or create their own.  Best would be direct coordination
with the major MUA teams, but we should also document the semantics
we'd like to convey.


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
