On 4/23/15 10:53 AM, Terry Zink wrote:
> Doug,
>
>> It takes seconds using OS X Mail …
>>
>> For Thunderbird, users will need to access …
>>
>> For other MUAs this may require plugins or similar
>> tinkering…
>>
>> Nonetheless, Sender header protection is
>> available and likely something better configured using a
>> script offered by the provider.
>
> Requiring users to have to do something is not a good solution because the
> average user doesn’t understand and won’t do it. We’d have to convince mail
> clients to show it by default, and at least two large providers (Hotmail and
> Gmail) don’t do it today, and most largely-deployed mail clients don’t,
> either (Outlook being an exception).
>
> I don’t understand the flow of things for a Sender: header alignment that you
> propose. Is it something like this:
>
> Message 1
> ========
> 5321.MailFrom: <tz...@example.com>
> From: Terry Zink <tz...@example.com>
> Sender: Terry Zink <tz...@example.com>
> To: mailing list <mailing-l...@mailing-list.com>
> Subject: Here is a message
> DKIM-Signature: d=example.com [Signature is intact]
>
> Message 2 after replaying
> ===================
>
> 5321.MailFrom: <mailing-l...@mailing-list.com>
> From: Terry Zink <tz...@example.com>
> To: Doug Otis <..>
> Sender: Terry Zink <tz...@example.com>
> Subject: [MAILING LIST] Here is a message
> DKIM-Signature: d=example.com [Signature broken]
> DKIM-Signature: d=mailing-list.com [Signature intact]
>
> What’s supposed to happen next?

If DMARC is not in the way and forgoing friendly names...

Message 2 after replaying
===================
5321.MailFrom: mailing-l...@mailing-list.com
From: Terry Zink <tz...@example.com>
To: Doug Otis <..>
Sender: mailing-l...@mailing-list.com
Subject: [MAILING LIST] Here is a message
DKIM-Signature: d=example.com [Signature broken]
DKIM-Signature: d=mailing-list.com [Signature intact]

When DMARC is in the way...

Message 2 after replaying
===================
5321.MailFrom: mailing-l...@mailing-list.com
From: mailing-l...@mailing-list.com
IM-From: [MAILING LIST]:Terry Zink <tz...@example.com>
To: Doug Otis <..>
Sender: mailing-l...@mailing-list.com
Subject: [MAILING LIST] Here is a message
DKIM-Signature: d=example.com [Signature broken]
DKIM-Signature: d=mailing-list.com [Signature intact]

Dear Terry,

Which is why it seems proper for popular MUA configurations to be offered by
the provider, but we may need better hooks. What happens with a message depends
on recognized trust established with the sender, not just the From. TPA-Label
via DMARC feedback can help assist in preventing the misapplication of trust.

> -- Terry
>
> From: dmarc [mailto:dmarc-boun...@ietf.org] On Behalf Of Terry Zink
> Sent: Thursday, April 23, 2015 10:34 AM
> To: Brandon Long; Douglas Otis
> Cc: dmarc ietf
> Subject: Re: [dmarc-ietf] Dmarc-escape draft available
>
> I’ve played around a bit with Gmail, Hotmail/outlook.com, and Outlook desktop
> client. Here’s what I have found so far.
>
> Gmail and Hotmail have similar but not identical behavior:
>
> 1. If the 5322.From address is in your address book or you have a
> conversational history (implicit contact) or is on your safe senders (in
> Hotmail), then Gmail, Hotmail, and Outlook show only the Friendly From
> (display from) and not the 5322.From full address. If it isn’t in your
> contacts, then all show the display from + 5322.from email address.
>
> 2. If the 5321.mailfrom is different than the 5322.From, Gmail shows
> “Display From <and 5322.From if not in address book> via 5321.mailfrom”
> whereas outlook.com and Outlook desktop don’t show the discrepancy at all
> (i.e., no equivalent of ‘via’ in Hotmail or Outlook desktop). Gmail does not
> show the via if the 5322.from domain and 5321.mailfrom domains are the same,
> which is why there is a recommendation to authenticate with SPF and DKIM.
>
> 3. Neither Gmail nor Hotmail show the Sender: header at all. Outlook
> desktop shows “<sender> on behalf of <from>.”
>
> I haven’t done a large matrix of testing but I have played around with
> different rendering; obviously, spam filtering and searching for
> conversational history may have something to do with it, too.

Where possible, disable friendly email displays. Too many years have offered
plenty of reasons not to trust its rules. Iconix is a good example of what is
possible with Web email as well. They greatly increase user comprehension while
affording better protection. Show recipients verified information when
possible. <Sender> on behalf of <From> at least shows identities contained in
both headers. DMARC will not prevent all spoofing, but a less disruptive scheme
that does not require name munging helps more than hurts. People groping for
messages in spam folders hurts more than helps.

The 5321.mailfrom is not part of DKIM, only SPF, which fails From header
alignment beyond the first hop for most mediated messages. Our domain asserts a
DMARC record without requesting either Reject or Quarantine and instead relies
on administrative relationships or LE after determining malefactors. It took a
fair amount of effort, but we made a difference in Turkey and Brazil, for
example.

With DMARC, it is increasingly common to only see From header fields or a
munged From header field rather than a proper Sender. How does less verifiable
information because of DMARC policies help anyone? Just as people are not
better protected using Chip and Signature rather than Chip and PIN, the same can
be said of email lacking proper Sender header fields replaced by munged Froms.

Regards,
Douglas Otis

> -- Terry
>
> From: dmarc [mailto:dmarc-boun...@ietf.org] On Behalf Of Brandon Long
> Sent: Wednesday, April 22, 2015 5:29 PM
> To: Douglas Otis
> Cc: dmarc ietf
> Subject: Re: [dmarc-ietf] Dmarc-escape draft available
>
> Gmail will display the Sender information with an "on behalf of" or similar in
> certain circumstances when we think it’s necessary to give the user more
> information.
>
> 99% of users won't use the more information for anything useful or even
> really notice it or at best get confused, but eh.
>
> More information: https://support.google.com/mail/answer/1311182?hl=en
>
> So, the messages on this list have "via ietf.org" next to
> the author, for example.
>
> Brandon
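To make the alignment question in this thread concrete, here is an added example (not code from the list post or from any DMARC implementation) that evaluates identifier alignment for constructed versions of Message 1 and the replayed Message 2, first against From: as RFC 7489 does and then against Sender: as the thread proposes. It assumes SPF passes for each envelope sender, takes the DKIM verdicts as inputs rather than verifying signatures, and approximates the organizational domain by the last two labels.

```python
import re

ADDR = re.compile(r"<([^>]+)>|(\S+@\S+)")

def domain_of(value):
    """Domain part of an address in a header value such as 'Name <user@dom>'."""
    m = ADDR.search(value)
    addr = (m.group(1) or m.group(2)) if m else value
    return addr.rsplit("@", 1)[-1].strip().lower()

def org_domain(d):
    # Assumption/simplification: organizational domain = last two labels.
    # Real DMARC evaluators consult the Public Suffix List instead.
    return ".".join(d.split(".")[-2:])

def aligned(auth_domain, header_domain, mode="relaxed"):
    if mode == "strict":
        return auth_domain == header_domain
    return org_domain(auth_domain) == org_domain(header_domain)

def authenticated_domains(msg):
    """d= of every intact DKIM signature, plus the 5321.MailFrom domain when
    SPF passed. Verdicts are inputs here; nothing is cryptographically verified."""
    domains = [d for d, intact in msg["dkim"] if intact]
    if msg["spf_pass"]:
        domains.append(domain_of(msg["mailfrom"]))
    return domains

def dmarc_result(msg, header="From", mode="relaxed"):
    """Pass if any authenticated domain aligns with the chosen header's domain.
    header="From" is RFC 7489 DMARC; header="Sender" models the thread's idea
    of aligning on Sender: instead. Returns (passed, matched or target domain)."""
    target = domain_of(msg[header])
    for d in authenticated_domains(msg):
        if aligned(d, target, mode):
            return True, d
    return False, target

# Constructed inputs mirroring Message 1 and the replayed Message 2 above;
# local parts are placeholders and SPF is assumed to pass for each envelope sender.
MESSAGE_1 = {"mailfrom": "<author@example.com>", "spf_pass": True,
             "From": "Terry Zink <author@example.com>",
             "Sender": "Terry Zink <author@example.com>",
             "dkim": [("example.com", True)]}
MESSAGE_2 = {"mailfrom": "<list@mailing-list.com>", "spf_pass": True,  # list's Subject tag broke the author's signature
             "From": "Terry Zink <author@example.com>",
             "Sender": "<list@mailing-list.com>",
             "dkim": [("example.com", False), ("mailing-list.com", True)]}
```

Under From alignment Message 2 fails because the only surviving authenticated identifiers belong to mailing-list.com, while under Sender alignment the same message passes, which is the trade-off the thread is arguing about.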