On Monday, June 09, 2014 10:54 AM [GMT+1=CET], Stephen J. Turnbull wrote:

> John Levine writes:
> 
>  > Recording stuff in A-R is fine.  Advice about how MUAs should display
>  > them is not.  Considering the dismal history of browser warnings about
>  > bad SSL certs, I would expect any user interface advice we give to be
>  > counterproductive.
> 
> Agreed.  However, in case of "p=quarantine", IWBNI MUAs told the
> reader that there's a reason Aunt Sally's birthday greeting is in the
> spam folder, and it's more than just the fact that she emailed
> you 27 invitations to join her Amway downline last month.
> 
> Similarly in case of bypassing DMARC by wrapping the message, or a
> length limit on the DKIM signature, IWBNI the unauthenticated parts of
> the message were given a "nice UX" treatment semantically equivalent
> to displaying it in grey45 on grey50, adding a big warning in red
> explaining that From: header can't be trusted and clicking on links is
> not advised, and a button to make it readable (and make the annoying
> warning go away).
> 
> I understand the reservations you and Dave are posting about trying to
> make concrete suggestions about UI/UX in RFCs.  Still, unless we get
> closer to the end-user wetware than simply adding an invisible
> Authentication-Results field, the phishers are just going to mimic our
> workarounds or create their own.  Best would be direct coordination
> with the major MUA teams, but we should also document the semantics
> we'd like to convey.

+1

I couldn't agree more.

DMARC should not stay only in the MTA realm; after all, DMARC deals with the 
Header-From just because that's something the final user SEES, and not because 
that's something the MTA naturally deals with.

Therefore DMARC should leak to the final user who SEES that Header-From, and 
that means MUAs have to enter the big picture of DMARC, somehow.

And yes, that "somehow" is the difficult part, but it should not be left aside, 
I think.

And I think the recommendation to MUA authors should go into the standard 
itself, not on a side document (BCP or whatever) which may or may not be easy 
to notice/find/know about.

Regards,
J.Gomez

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
