On 7/23/20 8:07 AM, Joseph Brennan wrote:
>> I think that we just have to agree that From-munging by MLMs is a permanent 
>> reality.  It needs to be documented more prominently (and promoted as part 
>> of the DMARC marketing) so that implementations are more consistent, so that 
>> un-munging tactics and/or MUA behavior can be consistently implemented.
>>
> I'd be happier for the proposed standard to say that DMARC policy
> "SHOULD NOT" be compromised by rewriting From lines-- and see how that
> goes over. My reasoning is that blessing the practice makes it easier
> for bad actors to craft spoofed mail and get it accepted. The opposite
> of the purpose of DMARC, isn't it?

(sorry, I forgot to reply earlier)

I realize that your worry is valid if anyone attempted to un-munge the messages 
and then use the un-munged state somehow to validate authenticity.  I assume 
that un-munging would only be attempted locally if the message passes DMARC and 
is trusted by local policy.  (Similarly, as I've suggested in other contexts, 
it would be nice if the Receiver could preemptively communicate this trust to 
the Intermediary so that the munging didn't need to occur in the first place 
and ARC could come to fruition, but I digress.)

As others have said, munged messages sent via an MLM aren't much different from 
someone posting to a web form that then distributes the post to a set of 
email recipients.  That web form isn't expecting to be able to use the author's 
domain, and the pattern it uses in the Friendly From is somewhat arbitrary and 
could be co-opted by spammers.  

I don't think that bad actors crafting is a huge worry since I think that in 
both scenarios it would just fall back on the reputation of the domain (and 
other factors). 

(just spitballing... it's getting late on a Friday...) Perhaps an interesting 
local policy enforcement (to get at your concern) would be to require that 
messages with certain Friendly From patterns be DMARC aligned (regardless of 
policy), since I could assume that any MLM (that I care about) that's DMARC 
aware enough to munge would also have aligned SPF and/or DKIM results.

Jesse

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
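The local-policy idea at the end of Jesse's message (treat a "munged-looking" From as a signal that the message must be DMARC aligned, whatever the author domain publishes) can be written down as a small receiver-side check. The code below is an added example for this page, not code from the thread or from any MLM or DMARC implementation. It assumes the widespread but non-standard "Author via List" display-name convention, a naive two-label organizational domain instead of the Public Suffix List, and constructed From and Authentication-Results headers; all three are assumptions, not facts from the thread.

```python
import re
from email.utils import formataddr, parseaddr

# Assumption: the "<author> via <list>" display-name pattern is what a munging
# MLM produces. It is a convention, not something any RFC mandates.
VIA_PATTERN = re.compile(r"^(?P<author>.+?)\s+via\s+(?P<list>.+)$", re.IGNORECASE)


def munge_from(original_from, list_addr, list_name):
    """Rewrite From: the way a DMARC-aware MLM typically does it."""
    name, addr = parseaddr(original_from)
    author = name or addr
    return formataddr((f"{author} via {list_name}", list_addr))


def org_domain(domain):
    """Naive organizational domain (last two labels). Real receivers use the
    Public Suffix List; this shortcut is an assumption for the example."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(from_domain, auth_domain):
    """Relaxed DMARC alignment: the organizational domains must match."""
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_auth_results(header):
    """Return (method, result, domain) for each dkim=/spf= clause of an
    Authentication-Results header value. The first clause is the authserv-id."""
    results = []
    for clause in header.split(";")[1:]:
        clause = clause.strip()
        m = re.match(r"(dkim|spf)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        if method == "dkim":
            d = re.search(r"header\.d=([\w.-]+)", clause)
        else:
            d = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", clause)
        if d:
            results.append((method, result, d.group(1)))
    return results


def dmarc_aligned_pass(from_header, auth_results_header):
    """True if at least one passing SPF or DKIM result aligns with From:."""
    _, from_addr = parseaddr(from_header)
    from_domain = from_addr.rsplit("@", 1)[-1]
    return any(
        result == "pass" and aligned(from_domain, domain)
        for _, result, domain in parse_auth_results(auth_results_header)
    )


def looks_munged(from_header):
    """Does the display name follow the assumed 'Author via List' convention?"""
    name, _ = parseaddr(from_header)
    return VIA_PATTERN.match(name) is not None


def local_policy(from_header, auth_results_header):
    """Jesse's proposed rule: a munged-looking From must be DMARC aligned
    regardless of the published policy. Anything else is handed to the
    normal DMARC evaluation path."""
    if looks_munged(from_header):
        return "accept" if dmarc_aligned_pass(from_header, auth_results_header) else "reject"
    return "normal-dmarc"


# Constructed sample headers (not captured from real traffic).
ORIGINAL_FROM = "Alice Example <alice@example.com>"
MUNGED_FROM = munge_from(ORIGINAL_FROM, "dmarc@ietf.org", "dmarc")
AR_FROM_LIST = "mx.example.net; dkim=pass header.d=ietf.org; spf=pass smtp.mailfrom=dmarc-bounces@ietf.org"
AR_SPOOFED = "mx.example.net; dkim=fail header.d=ietf.org; spf=pass smtp.mailfrom=bounce@spammer.example"

if __name__ == "__main__":
    print(MUNGED_FROM)
    print("list copy:", local_policy(MUNGED_FROM, AR_FROM_LIST))
    print("spoofed copy:", local_policy(MUNGED_FROM, AR_SPOOFED))
    print("plain mail:", local_policy("Bob <bob@example.org>", AR_SPOOFED))
```

The spoofed sample uses the list's own domain in From: with a failing DKIM signature and an SPF pass for an unrelated domain; under the rule it is rejected because nothing aligned passes, while the genuine list copy is accepted and ordinary mail falls through to the receiver's usual DMARC handling.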
