Oh, and one more thing...
Even if there were a magic bullet to absolutely detect forged From:
addresses and forged envelope senders... it would not help with
phishing attacks and spoofing. That's because every email reader I've
ever used shows neither the From: address nor the envelope sender by
default. They all default to showing the full name on the From: line,
which naturally is impossible to protect or verify. On the DMARC list quite
a while ago, I was agitating for a recommendation that mail readers SHOULD
show the domain part of the from header, just like Slashot displays the
domain associated with a link. So if the From: header looked like this:
From: "Dianne Skoll <d...@roaringpenguin.com>" <unrela...@spammer.org>
I would love for mail readers to display this in the sender column:
Dianne Skoll <d...@roaringpenguin.com> [spammer.org]
However, the DMARC people said UI design was not in DMARC's scope. Meh.
(And I'm not even convinced that would offer much protection... end-users
are wonderful at ignoring red flags.)