On Mon, Apr 17, 2023 at 12:05 PM John Levine <jo...@taugh.com> wrote:
> It appears that Laura Atkins <la...@wordtothewise.com> said: > >Is this another issue we should document and make recommendations about? > I was thinking along the line that transactional SaaS > >providers should fully support DMARC and should not allow companies using > p=reject in their business mail to access the > >service? > > Section 2.4 says that everything other than the From: header is out of > scome. Section 11.4 describes display name attacks and it looks OK to > me. I suppose we might tweak 2.4 to clarify that anything other than > the mailbox in the RFC5322.From field is out of scope to avoid any > implication that we're talking about the comment part. > > +1 > > It's not exactly a secret that bad guys can use misleading connents as > easily as good gyys. If we tried to enumerate all the ways that people > might do dumb things, we would die of old age before we finished so I > would prefer not to start. > +1 > > At M3 people occasionally have talked about extending DMARC to cover > the From comment but it's such an ill-defined problem (what's > allowable? how could you tell?) that it has never gone anywhere. > There are things that can be done but to me they fall under local policy and not interoperability. For example, if an email address is displayed but doesn't match the From email address, don't display it. Some sites never display the comment and only display the From email address. Things like that. Michael Hammer
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc