I don't understand why this topic is debatable. We are faced with a constant stream of mail which we do not want. We need to block the nuisance stuff as well as the dangerous stuff, so that the important stuff gets processed in a timely manner, and so that our labor efforts can be spent on things more productive than reading nuisance emails. Ergo, if a message contains a lie, I want to block it. If the identifier is a lie, the content will not be any better. IETF settled on standards for filtering identifiers because it is simply more feasible than filtering free-form text.
As to consequences: Was no one present during the 2016 election cycle, when a phony GMAIL password reset compromised a U.S. Presidential campaign? I'll admit that I have not seen that specific message's From header, but supposedly it convinced John Podesta and his I.T. person, so I am pretty confident the From domain was "@gmail.com", not "sstealyourd...@badguys.r.us".

Someone said that the Sender Address is all we can trust. Nonsense. The only thing that is "true" in an email header is the IP Address, and that is true only if the recipient assumes that no nation state has a NAT-translating device in front of their internet connection. Everything else can and will be fraudulent at times.

As to identifiers: The RFC 5321 MAILFROM sender is intended, at least in my understanding, to represent the login account used to create the message, while the RFC 5322 From Header represents the "speaker", the person whose ideas are being represented by the content. It matters if someone puts words in someone else's mouth, and From fraud is exactly that type of fraud. It is reasonable to require senders to demonstrate authority to speak on behalf of someone else. DMARC provides two ways to demonstrate that authority: if there is domain alignment, the implication is that the security environment of the sender domain has chosen to allow one sender to act as agent for another, because it would be in their power to prevent him from doing so. Therefore intra-domain agency is not a significant concern to the recipient. However, when the sender address (login account) represents a different security domain than the sender address, the recipient has no reason to ignore the discrepancy. The DKIM signature is the alternative credential which demonstrates authority to send on behalf of the From address entity.

I simply cannot grasp how DMARC conflicts with RFC 5321 or RFC 5322, inhibits authorship, or creates any other attribution problem. This assertion was simply not explained.
Feel free to do this test to see if From address matters: Start sending inflammatory stuff with a From address @WHITEHOUSE.GOV to major news organizations or foreign governments around the world. See how long it takes the Secret Service to pay you a visit.

As to visibility: The business world still runs on Microsoft Outlook, and Outlook presents the From Address when a message is read. So it is odd to assert that no one ever sees that data. The real scandal is that the Sender Address is never displayed. It would be very interesting if MUAs would say

From: market...@bigretailer.com by: bigretai...@massmailer.com

Whose idea was it to keep the sender secret? If the integrity of identifiers does not matter, why are we here?

Doug Foster
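The two "credentials" the post describes (an aligned RFC 5321 MAILFROM domain, or a DKIM signature whose d= domain is aligned with the RFC 5322 From domain) are what an RFC 7489 DMARC evaluator actually checks. The following is an added illustration, not code from the thread or from any DMARC implementation: it derives organizational domains from a constructed, deliberately tiny stand-in for the Public Suffix List (a real evaluator must use the full list), then decides whether SPF or DKIM produces an aligned identifier. The message samples are constructed from the domain names used in the post; `massmailer.com` and `bigretailer.com` stand for the mass mailer and the retailer, and `gmail.com` for the From domain in the Podesta case.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List. A production evaluator
# must consult the full list (publicsuffix.org); this is only enough for the demo.
PUBLIC_SUFFIXES = {"com", "org", "net", "gov", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Organizational domain = public suffix plus one more label (RFC 7489 section 3.2)."""
    labels = domain.lower().strip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    # No known suffix: treat the whole name as the organizational domain.
    return ".".join(labels)


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' (strict) requires an exact match; 'r' (relaxed) compares organizational domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


ADDR_RE = re.compile(r"<?([^<>\s@]+)@([^<>\s@]+)>?")


def header_domain(header_value: str) -> str:
    """Extract the domain from a From: header or MAIL FROM value such as 'Doug <d@example.com>'."""
    match = ADDR_RE.search(header_value)
    if not match:
        raise ValueError(f"no address found in {header_value!r}")
    return match.group(2).lower()


@dataclass
class DkimResult:
    d: str        # d= tag of the signature that was verified
    passed: bool  # True if the signature verified


def dmarc_evaluate(from_header, mail_from, spf_passed, dkim_results, aspf="r", adkim="r"):
    """Return which identifiers aligned and whether DMARC passes (policy handling omitted).

    from_header:  RFC 5322 From header value (the 'speaker')
    mail_from:    RFC 5321 MAIL FROM address (the sending account), checked by SPF
    dkim_results: verified DKIM signatures, each with its d= domain
    aspf/adkim:   alignment modes from the DMARC record ('r' relaxed, 's' strict)
    """
    rfc5322_from = header_domain(from_header)
    spf_domain = header_domain(mail_from)
    # SPF only counts when it passed AND its domain aligns with the From domain.
    spf_aligned = spf_passed and is_aligned(rfc5322_from, spf_domain, aspf)
    # DKIM is the alternative credential: any verified signature whose d= aligns is enough.
    dkim_aligned = any(r.passed and is_aligned(rfc5322_from, r.d, adkim) for r in dkim_results)
    return {
        "from_domain": rfc5322_from,
        "spf_domain": spf_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    # Constructed case 1: a mass mailer sends "from" gmail.com but authenticates only
    # its own domain. SPF and DKIM both pass, yet neither identifier is aligned.
    print(dmarc_evaluate("Google <no-reply@gmail.com>", "bounce-123@massmailer.com",
                         True, [DkimResult("massmailer.com", True)]))
    # Constructed case 2: the retailer signs with its own domain while a mass mailer
    # handles the MAIL FROM. SPF is unaligned, but the DKIM credential carries it.
    print(dmarc_evaluate("market@bigretailer.com", "bigretai@massmailer.com",
                         True, [DkimResult("bigretailer.com", True)]))
```

The first case is the shape of the Podesta message as the post describes it: the sending infrastructure may be perfectly authentic for its own domain, and DMARC still fails because no aligned identifier vouches for the From domain. The second case is the legitimate version of the "From: ... by: ..." display the post asks for, with the retailer's DKIM signature demonstrating authority to speak for the From address.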
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc