On 15 Oct 2016, at 11:33, Petr Bena wrote:

I don't understand your point. I started this discussion stating the
fact that SPF, DKIM and DMARC don't prevent people from being able to
spoof your email address.

And you tell me that I don't understand email security because SPF, DKIM and DMARC don't prevent people from being able to spoof my email address?

No. Note which part of your message Dianne responded to.

What exactly were you trying to tell me?

I can't answer for her but I can offer a more direct and verbosely explicit message:

"Spoofing" of the From header is not primarily a technical problem, it is a human problem. Humans want to see just another human's name in a "From" field but are accustomed to also seeing email addresses sometimes, because email clients vary in how and how well they can interpret the arcane variant formats that can exist in From headers. Complicating that further, people do things with email that can be surprising and problematic to model technically, only sometimes being formally wrong. To "guarantee" that From headers cannot be effectively spoofed you need to constrain the From headers of ALL mail you handle to a much simpler family of formats than what RFC5322 allows, which WILL cause the rejection of legitimate mail.

On 10/15/16 16:57, Dianne Skoll wrote:
On Sat, 15 Oct 2016 15:35:25 +0200
Petr Bena <petr@bena.rocks> wrote:

Believe me, there are people or organizations who would happily
exchange ability to use mailing lists within some domain for
guarantee that their emails can't be spoofed in no way (at least
within their own domain).
You seriously don't understand email security.

Here's a thought experiment:  How does your email reader display the
following in the From: column?

From: "Petr Bena <petr@bena.rocks>" <unrela...@spammer.org>

and imagine that SPF, DKIM and DMARC for spammer.org all pass just fine.



Reply via email to