On 6/2/20 10:35 AM, Dotzero wrote:
>
> As part of the original DMARC team, the goal was to make clear whether
> the email was authorized by the domain being used, hence the reliance
> on SPF and DKIM. These are clearly under the domain
> owner/administrator's control to the extent they choose to exercise
> that control. There was much discussion in the community at the time
> to use the i= field to enable more granular signing. It never gained
> traction. Because the intent was to protect end users from fake emails
> purporting to be from (primarily) commercial domains such as financial
> institutions, greeting card companies, etc., the Sender field was not
> a significant issue. Also, when the Sender is in the same domain as
> the From, there is no DMARC issue.
I'm all confused about why alignment matters. Back around the time DKIM was standardized, we were concerned about phishing attacks from look-alike domains, i.e., substitutions of 1 for l, that might be registered by attackers and sign their messages with valid DKIM signatures. But now a lot of people don't see anything but the Friendly Name; the email address isn't displayed at all. For that (apparently increasing) proportion of users, the From or Sender addresses aren't visible; the attacker might as well use any Friendly Name of their choosing with any domain they can sign for there. So they get DMARC alignment, but what has it accomplished?

-Jim
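To make concrete what the identifier-alignment check in the thread above does and does not look at, here is an added illustration (not code from the list or from any DMARC implementation). It assumes a simplified organizational-domain rule (last two labels, no Public Suffix List lookup) and takes the DKIM d= and SPF domains as already-verified inputs; note that the display name and the Sender header play no part in the result.

```python
# Added example: minimal DMARC identifier alignment (RFC 7489 section 3.1 style).
# Assumption: organizational domain = last two labels (real checks use the PSL).
from email import message_from_string
from email.utils import parseaddr
from typing import Optional


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels, no PSL lookup."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') compares organizational domains; strict ('s') needs an exact match."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_alignment(raw: str, dkim_d: Optional[str], spf_domain: Optional[str],
                    adkim: str = "r", aspf: str = "r") -> dict:
    """Align the RFC5322.From domain against the authenticated DKIM/SPF domains.

    dkim_d is the d= of a signature that already verified; spf_domain is the
    MAIL FROM domain that already passed SPF. None means that check did not pass.
    """
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    return {
        "display_name": display,          # reported only; never part of the check
        "from_domain": from_domain,
        "sender_header": msg.get("Sender"),  # likewise ignored by DMARC
        "dkim_aligned": bool(dkim_d) and aligned(from_domain, dkim_d, adkim),
        "spf_aligned": bool(spf_domain) and aligned(from_domain, spf_domain, aspf),
    }


# Constructed sample: the Friendly Name says one thing, but From, DKIM d= and
# the SPF domain are all the sending domain's own, so alignment passes.
SAMPLE = (
    "From: Example Bank Support <alerts@mail.sender.example>\r\n"
    "Sender: ops@sender.example\r\n"
    "Subject: test\r\n\r\nbody\r\n"
)
RESULT = dmarc_alignment(SAMPLE, dkim_d="sender.example",
                         spf_domain="bounce.sender.example")

if __name__ == "__main__":
    print(RESULT)
```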
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc