On 2025-10-10 09:50:40, Tim Bray via mailop wrote:
> Hi,
>
> I've been wondering about how email clients could change to make
> phishing less effective.
>
> 1) Display the email address not the name in your email folders

Going one step further: display only verified email addresses. If the email address itself is forged, preferring it over the friendly name isn't much of an improvement. With DKIM this is straightforward, but if we are going to allow SPF to pass DMARC, then we need to display the email address that was verified by SPF and not the one in the "From" header. (Though most of DMARC becomes moot if you have the courage to display unverified addresses as From: Unverified.)

> 2) in html email, the a tag contents are replaced with the URL you will
> go to.
> so <a href='https://dvla.tax.scam.domain.example.org' style='button'>
> Vehicle tax</a> becomes https://scam.example.org/

This can't be fixed with ad-hoc workarounds for the exploits we've already seen. Having strangers send you a program and then running that program will never be secure, and modern HTML/CSS are effectively a program. To make matters worse, the standards are dead; HTML/CSS are whatever Google says they are today, so you can't plan ahead. The only real solution is to turn it off, which would greatly improve the lives of everyone... except for the people involved in the decision. Good luck convincing the largest advertising company in history to disable ~100% of all spam.

_______________________________________________
mailop mailing list
https://list.mailop.org/listinfo/mailop
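As an added illustration of the "display only verified addresses" idea in the reply above (example code, not part of the mailop thread): it reads a message's From and Authentication-Results headers, checks whether the DKIM signing domain or the SPF-checked envelope sender aligns with the From domain, and returns what a client could show: the DKIM-verified From address, the SPF-verified envelope sender (the address SPF actually checked) with a note, or "Unverified". The organizational-domain rule (last two labels) is a simplification standing in for the Public Suffix List, and the sample messages and domains are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail) covering three cases:
# DKIM-aligned pass, SPF-only aligned pass, and an unaligned SPF pass.
SAMPLE_DKIM = "\n".join([
    'From: "Bank Support" <support@bank.example>',
    "Authentication-Results: mx.example; dkim=pass header.d=bank.example;"
    " spf=pass smtp.mailfrom=bounce@bank.example",
    "Subject: statement", "", "body",
])
SAMPLE_SPF_ONLY = "\n".join([
    'From: "Bank Support" <support@bank.example>',
    "Authentication-Results: mx.example; dkim=none;"
    " spf=pass smtp.mailfrom=notify@mail.bank.example",
    "Subject: statement", "", "body",
])
SAMPLE_SPOOFED = "\n".join([
    'From: "Bank Support" <support@bank.example>',
    "Authentication-Results: mx.example; dkim=none;"
    " spf=pass smtp.mailfrom=bounce@scam.example.org",
    "Subject: statement", "", "body",
])


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Simplification: a real client would consult the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_auth_results(value: str) -> dict:
    """Pull dkim/spf results and the identifiers they verified out of an
    Authentication-Results header (RFC 8601 layout)."""
    out = {}
    m = re.search(r"\bdkim=(\w+)(?:[^;]*?\bheader\.d=([\w.-]+))?", value)
    if m:
        out["dkim"] = (m.group(1), m.group(2))
    m = re.search(r"\bspf=(\w+)(?:[^;]*?\bsmtp\.mailfrom=([\w.@-]+))?", value)
    if m:
        out["spf"] = (m.group(1), m.group(2))
    return out


def display_identity(raw: str) -> str:
    """Decide what sender identity a client should show for this message."""
    msg = message_from_string(raw)
    _name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    ar = parse_auth_results(msg.get("Authentication-Results", ""))

    dkim = ar.get("dkim")
    if dkim and dkim[0] == "pass" and dkim[1] \
            and org_domain(dkim[1]) == org_domain(from_domain):
        # Signature from an aligned domain: the From address itself is verified.
        return from_addr

    spf = ar.get("spf")
    if spf and spf[0] == "pass" and spf[1]:
        mailfrom = spf[1]
        if org_domain(mailfrom.rsplit("@", 1)[-1]) == org_domain(from_domain):
            # SPF-only DMARC pass: show the envelope sender SPF checked,
            # not the unverified From header.
            return f"{mailfrom} (verified by SPF; From header: {from_addr})"

    # Nothing aligned and passing: do not lend the From header any credibility.
    return "Unverified"


if __name__ == "__main__":
    for label, sample in [("dkim", SAMPLE_DKIM), ("spf-only", SAMPLE_SPF_ONLY),
                          ("spoofed", SAMPLE_SPOOFED)]:
        print(f"{label}: {display_identity(sample)}")
```

The third case is the one the reply is warning about: SPF passes for the envelope sender's own domain, but that domain has nothing to do with the From header, so showing the From address would be showing a forged identity.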
