On 2025-10-10 14:27:51, Laura Atkins via mailop wrote:
>
> > On 10 Oct 2025, at 14:06, Michael Orlitzky via mailop <[email protected]> wrote:
> >
> > Going one step further: display only verified email addresses. If the
> > email address itself is forged, preferring it over the friendly name
> > isn't much of an improvement. With DKIM this is straightforward, but
> > if we are going to allow SPF to pass DMARC, then we need to display
> > the email address that was verified by SPF and not the one in the
> > "From" header. (Though most of DMARC becomes moot if you have the
> > courage to display unverified addresses as From: Unverified.)
>
> Who is going to verify the addresses? Did it ever occur to you that some
> folks don’t want major tech companies not to have any more information about
> us? That collecting “verified” addresses makes the organization doing the
> verification an even bigger target for hackers.
> https://www.bbc.com/news/articles/c8jmzd972leo
>
> Let’s stop insisting people hand over data that can be used against them to
> organizations that have proven they are unable to protect personal info for
> shit.
None of the technologies I mentioned involve a third party. Senders verify
their own addresses by putting magic beans in the DNS; this part is not even
hypothetical. The only change I proposed is for MUAs to tell the truth: if
there's no way to verify the sender, the message is "From" whatever some dude
typed in a box, and presenting that string to the recipient as if it has
meaning is dangerous.

This is not a serious proposal, but I do believe that the issue boils down to
a simple choice:

1. Stop lying to the user
2. Accept forgery/phishing as inevitable

"No Way To Prevent This," says only medium that confidently presents
unsanitized attacker-supplied misinformation directly to the victim.

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
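The display rule argued over in this thread, written out as an added example (this is not code from the message above, from mailop, or from any MUA): show the header From address only when an aligned DKIM signature verified it; if only SPF passed DMARC, show the SPF-verified MAIL FROM address taken from smtp.mailfrom in Authentication-Results instead of the header From; otherwise show "From: Unverified". The Authentication-Results header is assumed to be RFC 8601 style and written by the recipient's own MTA (the authserv-id "mx.example.net" is an assumption); relaxed DMARC alignment is approximated as parent/child domain rather than a Public Suffix List lookup; the four sample messages are constructed for illustration.

```python
# Added example, not code from the original message or any mail client.
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: only results written by our own receiving MTA are trusted.
# A sender can put an Authentication-Results header in the message too, so
# anything with a different authserv-id is ignored rather than believed.
TRUSTED_AUTHSERV = "mx.example.net"
RESULT_RE = re.compile(r"(dkim|spf|dmarc)=(\w+)(.*)")
PROP_RE = re.compile(r"(\w+\.\w+)=(\S+)")


def parse_authres(value):
    """Yield (method, result, props) for one Authentication-Results header."""
    value = " ".join(value.split())              # unfold continuation lines
    authserv, _, body = value.partition(";")
    tokens = authserv.split()
    if not tokens or tokens[0] != TRUSTED_AUTHSERV:
        return                                    # not ours: may be forged
    for part in body.split(";"):
        m = RESULT_RE.match(part.strip())
        if m:
            method, result, rest = m.groups()
            yield method, result, dict(PROP_RE.findall(rest))


def aligned(domain, from_domain):
    """Relaxed DMARC alignment, approximated as same or parent/child domain.
    Real DMARC compares organizational domains via the Public Suffix List;
    that lookup is left out of this example."""
    d, f = domain.lower(), from_domain.lower()
    return bool(d) and (d == f or d.endswith("." + f) or f.endswith("." + d))


def display_from(raw_message):
    """Return the From line an MUA that 'tells the truth' would show."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    results = [r for h in msg.get_all("Authentication-Results", [])
               for r in parse_authres(h)]
    if from_domain:
        # 1. DKIM: the signature covers the From header, so the address in it
        #    is verified when d= aligns with the From domain.
        for method, result, props in results:
            if (method == "dkim" and result == "pass"
                    and aligned(props.get("header.d", ""), from_domain)):
                return f"From: {from_addr} (verified by DKIM)"
        # 2. SPF: only the envelope MAIL FROM was verified. If its domain
        #    aligns (so DMARC passes), show that address, not the header From.
        for method, result, props in results:
            if method == "spf" and result == "pass":
                mailfrom = props.get("smtp.mailfrom", "")
                if aligned(mailfrom.rpartition("@")[2], from_domain):
                    return f"From: {mailfrom} (verified by SPF)"
    # 3. Nothing verified: do not present what the sender typed in the box.
    return "From: Unverified"


# Constructed sample messages (not taken from the thread).
MSG_DKIM = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=example.org"
    " header.i=@example.org; spf=pass smtp.mailfrom=alice@example.org; dmarc=pass\n"
    "From: Alice <alice@example.org>\n"
    "Subject: DKIM-signed\n\nhello\n"
)
MSG_SPF_ONLY = (
    "Authentication-Results: mx.example.net; dkim=none;"
    " spf=pass smtp.mailfrom=bounces@mail.example.org; dmarc=pass\n"
    'From: "Example Billing" <billing@example.org>\n'
    "Subject: SPF only\n\nhello\n"
)
MSG_FORGED = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=lists.example.com;"
    " spf=pass smtp.mailfrom=bounce@lists.example.com; dmarc=fail\n"
    'From: "The CEO" <ceo@example.org>\n'
    "Subject: list-signed, From domain not verified\n\nhello\n"
)
MSG_INJECTED = (
    "Authentication-Results: attacker.example; dkim=pass header.d=example.org\n"
    "From: Alice <alice@example.org>\n"
    "Subject: sender-supplied Authentication-Results\n\nhello\n"
)

if __name__ == "__main__":
    for sample in (MSG_DKIM, MSG_SPF_ONLY, MSG_FORGED, MSG_INJECTED):
        print(display_from(sample))
```

The third sample is the mailing-list case: the list's DKIM signature and SPF both pass, but neither is for the From domain, so the address in From is shown as Unverified rather than as the CEO. The fourth sample shows why the authserv-id check matters: a sender can write their own Authentication-Results header, and an MUA that trusts it has verified nothing.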
