On Mon 10/Jun/2019 22:17:01 +0200 Dave Crocker wrote:
> On 6/10/2019 1:17 AM, Alessandro Vesely wrote:
>> On Sat 08/Jun/2019 18:49:03 +0200 Dave Crocker wrote:
>>
>>> Except that most users don't actually see that address because these days
>>> most MUAs only display the display address.
>>
>>
>> We often came across this realization.  Since DMARC hinges on that field, I
>> think the spec should include some advice to MUA implementation.
> 
> Unfortunately there is no 'advice' to give that has any utility.
> 
> If you feel otherwise, please try to formulate it, including the basis for
> believing it useful, and then try to get community support for it.


I'd propose bullets like the following for Section 12.4:

    o  In the MUA, it is safe to only show the display name if its
       correspondence to the email address can be verified by looking it up in
       the address book or similar storage.  In case a display name compares
       equal to one that corresponds to a different email address, such a
       discrepancy should be enhanced unless the two email addresses are
       established to be equivalent to each other.  Email addresses are
       equivalent when they correspond to the same person, or to the same role
       within a given organization, or, in practice, when the user says that
       they are.

    o  The authentication status of the message should be visible.


>> A trust on first use (TOFU) approach would seem to be possible. 
> 
> In practical terms, what does that mean?  Who does what, exactly?


A discrepancy can be enhanced by bold characters, by a pop-up, or by a beep and
an alert message.  Anything but silently displaying a familiar name which
actually stands for something else.

A user can then arrange her address book so as to make it clear to the MUA that
a class of email addresses are equivalent to one another, in order to avoid
meaningless alerts.


>> Does this subject deserve a ticket?
> 
> Since it has nothing to do with errors or problems with the current spec, I
> don't see how to justify a ticket.


Section 12.4 seems to have some problems.  The first bullet should be reworked,
because it can be understood as suggesting that in cases like, for example:

    From: "[email protected] via Bug Tracker" <[email protected]>

a _MUA_ should "execute the DMARC mechanism on the domain name found there
rather than the domain name discovered originally."  That sounds like nonsense,
first, because MUAs should rather rely on A-R records added by the MX.  Second,
because checking example.org rather than example.com, in the example, would
defeat the only workaround for indirect mail flows which seems to be working
thus far.

Best
Ale
-- 
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
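The address-book check proposed above for Section 12.4, as an added example that is not part of the thread and not any MUA's or the IETF's code. It assumes a minimal address book keyed by normalized display name, plus user-declared equivalence classes of addresses (same person or role); the verdict names, the rendering format and the sample addresses are all constructed for the example. The authentication status is passed in as an opaque string (as an MUA would take it from an Authentication-Results header) so that it stays visible next to the sender.

```python
"""MUA-side display-name check backed by an address book (added example).

Rule implemented: show the bare display name only when the address book
confirms that the name belongs to the From: address; if the name is known
for a different address, highlight the discrepancy unless the user has
declared the two addresses equivalent; if the name is unknown, show the
full address instead of trusting the name.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr
from enum import Enum


class Verdict(Enum):
    """What the MUA should do with the From: display name (constructed names)."""
    VERIFIED = "show display name"              # name matches address in book
    UNKNOWN = "show full address"               # no address-book knowledge
    MISMATCH = "highlight discrepancy / alert"  # familiar name, other address


def norm_name(name: str) -> str:
    """Collapse whitespace and case so 'ALICE  Example' == 'Alice Example'."""
    return " ".join(name.split()).casefold()


def norm_addr(addr: str) -> str:
    # Simplification: case-fold the whole address. Local parts are
    # case-sensitive in SMTP, but address books rarely distinguish them.
    return addr.strip().casefold()


@dataclass
class AddressBook:
    names: dict = field(default_factory=dict)    # norm_name -> {addresses}
    classes: list = field(default_factory=list)  # user-declared equivalents

    def add(self, name: str, addr: str) -> None:
        self.names.setdefault(norm_name(name), set()).add(norm_addr(addr))

    def declare_equivalent(self, *addrs: str) -> None:
        """User states these addresses stand for the same person or role."""
        new = {norm_addr(a) for a in addrs}
        for cls in [c for c in self.classes if c & new]:
            self.classes.remove(cls)   # merge overlapping classes
            new |= cls
        self.classes.append(new)

    def equivalent(self, a: str, b: str) -> bool:
        a, b = norm_addr(a), norm_addr(b)
        return a == b or any(a in c and b in c for c in self.classes)


def check_from(header: str, book: AddressBook) -> tuple:
    """Return (Verdict, display_name, address) for a From: header value."""
    name, addr = parseaddr(header)
    known = book.names.get(norm_name(name), set()) if name else set()
    if not known:
        return Verdict.UNKNOWN, name, addr
    if any(book.equivalent(addr, k) for k in known):
        return Verdict.VERIFIED, name, addr
    return Verdict.MISMATCH, name, addr


def render_sender(header: str, book: AddressBook, auth_status: str = "none") -> str:
    """Build the sender line an MUA would show; auth status is always visible."""
    verdict, name, addr = check_from(header, book)
    if verdict is Verdict.VERIFIED:
        shown = name
    elif verdict is Verdict.UNKNOWN:
        shown = f"{name} <{addr}>" if name else addr
    else:  # MISMATCH: never silently show a familiar name for another address
        shown = f"!! {name} <{addr}> (name known for a different address)"
    return f"{shown} [auth: {auth_status}]"


if __name__ == "__main__":
    # Constructed address book and headers for the demo.
    book = AddressBook()
    book.add("Alice Example", "alice@example.com")
    for hdr in ('"Alice Example" <alice@example.com>',
                '"Alice Example" <alice@example.net>',
                '"alice@example.com via Bug Tracker" <tracker@example.org>'):
        print(render_sender(hdr, book, auth_status="dmarc=pass"))
    book.declare_equivalent("alice@example.com", "alice@example.net")
    print(render_sender('"Alice Example" <alice@example.net>', book, "dmarc=pass"))
```

The "via Bug Tracker" case falls into UNKNOWN rather than MISMATCH because the whole quoted string is the display name and no address-book entry carries that name, so the MUA shows the real address next to it instead of the name alone; once the user declares the two alice addresses equivalent, the second header stops raising an alert.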