> On 21 Jul 2020, at 02:18, Murray S. Kucherawy <superu...@gmail.com> wrote:
> 
> On Mon, Jul 20, 2020 at 1:59 AM Laura Atkins <la...@wordtothewise.com> wrote:
> There was a research project done by an inbox provider and a major supporter 
> of DMARC presented at a MAAWG meeting a few years ago. They tried adding 
> trust indicators to the message list but found no statistically significant 
> behavioral changes by users. Given the conference policies, I hesitate to 
> mention it here, but there is research. There’s also a conference paper I 
> found, done by a computer science research team at VA Tech that looked at 
> this as well. 
> 
> I remember something about the former.  I'll see if I can find a public 
> reference to it.
> 
> "Data, data, data; we cannot make bricks without clay."

https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf 
is the conference talk I was mentioning. 

I’ll be honest, I do think both phishing and UX have evolved significantly since 
DMARC was initially announced. The protocol has not kept up with the evolution 
and its benefits are much less obvious than when it was initially launched. 
We’re forcing a lot of damage on normal email usage, for non-obvious benefits. 

>   
> Most clients these days seem to be hiding the RFC5322.From domain from the 
> individual end users. Mail.app on OSX does unless you change that setting 
> specifically (and it seems every few upgrades they reset the setting and then 
> hide the checkbox again). The iOS mail app doesn’t even have a setting to 
> change that I’ve been able to find. I seem to remember the last time I set up 
> a mailbox on Thunderbird (pre-2016 election as I was tracking some candidate 
> mail) they also hid the 5322.From address. 
> 
> I could be wrong but I seem to recall that at the time DMARC was published, 
> this wasn't the case.  (See my previous remarks about Gmail.)  But I agree 
> that it does seem to be the case now.

I don’t remember, either. I think clients were going down that route, though. I 
know, for instance, that the iOS mail client has never shown the email address, 
always the friendly from. 

> I'm not sure we've ever fully faced the idea that what MUAs choose to display 
> needs to be factored into the evolution of these protocols.  For as long as 
> I've been working on this, it's been the opposite.

When we’re basing a protocol on “what the user sees” and “what the user can 
trust” then I think we have to. DMARC says “users can trust that mail from 
@domain.example is really from @domain.example” but if the user never sees 
that, how do they know? 

laura 

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741          

Email Delivery Blog: https://wordtothewise.com/blog     







_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
