On Sat 09/Oct/2021 21:12:40 +0200 Definitely Alessandro Vesely no question
wrote:

> It appears that Alessandro Vesely <[email protected]> said:
>> Would it make sense to extend DMARC commitment to the whole From: field? For
>> example, assert that the local part and the display name have been set by an
>> authenticated user? (Rather than automatically munged.)
>
> All of the mail that comes out of my system (other than the stuff sent
> by scripts) is sent by authenticated users who can put whatever they
> want in the From: header. It's quite useful, particularly for those of
> us who use multiple addresses. It puts info about who authenticated in
> other places.

I think that's the most widespread policy. Others pay attention not to trace
users' identity in any way, so that they cannot comply with whatever legal
request. On the opposite side, there are those who only allow their users to
use addresses they provably own.

> This particular bad idea has been batted around for years. Nobody has ever been
> able to explain how you could distinguish "real" address comments from unreal
> ones.
>
> If you're just wondering whether the header has been changed, DKIM already does
> that.

Yeah, the RFC acts out «The From header field MUST be signed», implying
whatever its content. That's the opposite of what my father taught me, to
fully read before signing. But I'm going OT...
Best
Ale