On Mon 17/Apr/2023 22:59:29 +0200 Dotzero wrote:
> On Mon, Apr 17, 2023 at 12:05 PM John Levine <jo...@taugh.com> wrote:
>> It appears that Laura Atkins <la...@wordtothewise.com> said:
>>> Is this another issue we should document and make recommendations
>>> about? I was thinking along the line that transactional SaaS providers
>>> should fully support DMARC and should not allow companies using p=reject
>>> in their business mail to access the service?
>>
>> Section 2.4 says that everything other than the From: header is out of
>> scope. Section 11.4 describes display name attacks and it looks OK to
>> me. I suppose we might tweak 2.4 to clarify that anything other than
>> the mailbox in the RFC5322.From field is out of scope to avoid any
>> implication that we're talking about the comment part.
>
> +1
>
>> It's not exactly a secret that bad guys can use misleading comments as
>> easily as good guys. If we tried to enumerate all the ways that people
>> might do dumb things, we would die of old age before we finished so I
>> would prefer not to start.
>
> +1
Section 11.4 also gives an example of a rewritten From:. It doesn't say
that in several cases such a construct is necessary because of DMARC.
Perhaps it could?
>> At M3 people occasionally have talked about extending DMARC to cover
>> the From comment but it's such an ill-defined problem (what's
>> allowable? how could you tell?) that it has never gone anywhere.
>
> There are things that can be done but to me they fall under local policy
> and not interoperability. For example, if an email address is displayed but
> doesn't match the From email address, don't display it. Some sites never
> display the comment and only display the From email address. Things like
> that.
Perhaps when DMARC works smoothly, someone will find out how to tell
legitimate rewriting from plain spoof.
Best
Ale
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
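As an added illustration of the local-policy check Dotzero describes (an address shown in the display name that does not match the actual From mailbox is hidden), here is a small Python receiver-side heuristic. It is example code written for this page, not code from the thread, the DMARC spec, or any MUA; the regex for "looks like an address" and the case-folding of mailboxes are simplifying assumptions.

```python
import re
from email.utils import parseaddr

# Constructed approximation of an addr-spec appearing inside free text.
# Deliberately loose: we only want to notice an address-shaped token in the
# display name (the comment part, which DMARC section 2.4 leaves out of scope).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def check_from_header(value):
    """Split an RFC5322.From value into (display_name, mailbox, flagged).

    flagged is True when the display name itself contains an address that
    differs from the real mailbox, i.e. the section 11.4 display-name trick
    where the comment says one thing and the mailbox (what DMARC evaluates)
    says another. Assumption: mailboxes are compared case-insensitively.
    """
    display, mailbox = parseaddr(value)
    mailbox = mailbox.lower()
    embedded = {m.lower() for m in ADDR_RE.findall(display)}
    flagged = any(addr != mailbox for addr in embedded)
    return display, mailbox, flagged


def render_from(value):
    """Local policy: show only the mailbox when the display name is suspect."""
    display, mailbox, flagged = check_from_header(value)
    if flagged or not display:
        return mailbox
    return f"{display} <{mailbox}>"


if __name__ == "__main__":
    # Constructed sample From: values; domains are placeholders.
    samples = [
        'CEO <ceo@bank.example>',
        '"ceo@bank.example" <attacker@evil.example>',
        '"ceo@bank.example" <ceo@bank.example>',
        '"Laura Atkins via Service" <noreply@saas.example>',
    ]
    for s in samples:
        print(f"{s!r:55} -> {render_from(s)}")
```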