On Sun, Jan 28, 2024 at 5:40 AM Alessandro Vesely <[email protected]> wrote:
> > I think this point about alignment of Sender is definitely correct,
>
> Let's also recall there was a proposal to consider Sender: anyway.
>

And also let's recall that the community has previously rejected the idea of involving Sender in DMARC evaluations. Some text about why can be found in DMARC itself, i.e., RFC 7489, Appendix A.3. What do we think has changed since then that warrants reconsidering that position? Have we started to see multi-value From attacks?

> > Having to evaluate Sender for DMARC adds a pile of complexity for very minimal
> > benefit.
>
> Yes.
>

+1.

> We should leave this where it is and move on.
>
> No: substantially, /where it is/ is to ignore. To handle appropriately means
> receivers are on their own w.r.t DMARC.) It is a hole:
>
> From: [email protected] <lots of whitespace>,
> user@attackdomain
>

As we described in that appendix, the main reason we care about From and nothing else is because it is the main identifier shown to end users and upon which human trust evaluations are done. Sender is not. If we start including Sender in the check, but From and Sender don't align, we create at least confusion if not an attack vector. Here be dragons.

-MSK, participating
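A receiver-side check for the multi-valued From case quoted above, added here as an example and not taken from the thread or from any DMARC implementation: it lists every author domain found in From: and flags messages that carry more than one, while leaving Sender out of the evaluation. The sample messages, the `.example` domains and the function names are constructed, and alignment is assumed to be strict (exact match) only.

```python
from email import message_from_string, policy

def author_domains(raw_message):
    """Return the distinct, lower-cased domains of every mailbox in From:."""
    msg = message_from_string(raw_message, policy=policy.default)
    domains = []
    # get_all() also catches a message that carries more than one From: field.
    for header in msg.get_all("From", []):
        for addr in header.addresses:
            domain = addr.domain.lower()
            if domain and domain not in domains:
                domains.append(domain)
    return domains

def from_check(raw_message, authenticated_domain):
    """Compare each From: domain with the domain that passed SPF or DKIM.

    Sender: is deliberately not consulted. Relaxed (organizational-domain)
    alignment is out of scope here because it needs a public suffix list.
    """
    domains = author_domains(raw_message)
    wanted = authenticated_domain.lower()
    return {
        "domains": domains,
        "multi_valued": len(domains) > 1,
        "unaligned": [d for d in domains if d != wanted],
    }

# Constructed sample: one author, aligned with the authenticated domain.
SINGLE = (
    "From: Author <author@good.example>\n"
    "Subject: constructed sample\n\nbody\n"
)

# Constructed sample: second mailbox pushed out of view by padding and folding.
PADDED = (
    "From: author@good.example" + " " * 60 + ",\n"
    " author@attackdomain.example\n"
    "Sender: list@good.example\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("single", SINGLE), ("padded", PADDED)):
        print(name, from_check(raw, "good.example"))
```

What to do with a message flagged `multi_valued` (reject, quarantine, or apply the strictest policy among the listed domains) is a local receiver decision that the check does not make.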
