It appears that Laura Atkins <[email protected]> said: >Is this another issue we should document and make recommendations about? I was >thinking along the line that transactional SaaS >providers should fully support DMARC and should not allow companies using >p=reject in their business mail to access the >service?
Section 2.4 says that everything other than the From: header is out of scome. Section 11.4 describes display name attacks and it looks OK to me. I suppose we might tweak 2.4 to clarify that anything other than the mailbox in the RFC5322.From field is out of scope to avoid any implication that we're talking about the comment part. It's not exactly a secret that bad guys can use misleading connents as easily as good gyys. If we tried to enumerate all the ways that people might do dumb things, we would die of old age before we finished so I would prefer not to start. At M3 people occasionally have talked about extending DMARC to cover the From comment but it's such an ill-defined problem (what's allowable? how could you tell?) that it has never gone anywhere. R's, John _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
