[ih] Design choices in SMTP (custom emails per recipient)

Dave Crocker dhc at dcrocker.net
Thu Feb 9 13:27:57 PST 2023


On 2/9/2023 1:03 PM, Jack Haverty via Internet-history wrote:
> I remember that hack.  You could send email posing as anyone you 
> liked, by just putting whatever you wanted into the From: header 
> field.   It drove me crazy trying to get my mail server, which tried 
> to parse and verify those fields, to deal with all the poetry people 
> put into email headers.
>
> Sadly, it's not just a problem of the ancient 1970s/80s.  I regularly 
> receive emails now, in 2023, which look like I sent them.   I can 
> recognize them as phishing blackmail, but I suspect many people cannot 
> tell that they're forged. 

Note:

 1. The content From: header field has 3 components:  Free-form display
    'name', author mailbox, and author domain.
 2. There is a continuing constituency of anti-abuse folk who want to
    find a way to restrict the 'abuses' of the display-name. They have
    never come up with anything that has any hope of doing a generally
    useful job.  Some sites, however, do reject or sideline mail that
    has a display-name with the syntax of an email address.
 3. There is literally no empirical evidence that any of this affects
    recipient behavior.  Users are primarily affected by the actual
    content, not the From field.

DMARC was created to prevent spoofing the From: field domain name. It's 
effective, but created serious collateral damage for mail going through 
alias forwarders and mailing lists. Among the anti-abuse community, 
people are quite cavalier about the collateral damage.

In response to the damage, it is common for mailing lists to now recast 
the From field, along the lines of what this list does: They replace the 
From: field with the address of the mailing list, recast the display-name to 
annotate that they've messed with the field, and set Reply-To: to be the 
author's address.  The irony is that this is now an accepted means of 
bypassing DMARC protection.

In architectural terms, this has turned the From: field pretty much into 
what was (and is) originally the semantics of the Sender: field.

In response, I recently did RFC 9057, Email Author Header Field, to 
provide a place for unmodified author information.  While I'm amused to 
see exactly three people are sending mail to my inbox using that field, 
I believe it has, so far, had virtually no uptake.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker at mastodon.social
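The From: recast the post describes (list address in From:, annotated display-name, author in Reply-To:) together with an RFC 9057 Author: field preserving the unmodified author, plus the display-name check from point 2, as an added Python example; this is not code from the post or from any list software, and the list address, annotation tag and sample message are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import formataddr, parseaddr

LIST_ADDR = "internet-history@example.org"      # assumed list address
LIST_TAG = "via Internet-history"               # assumed display-name annotation

# Constructed sample message as it arrives at the list from the author.
RAW = (
    "From: Jane Author <jane@example.com>\n"
    "To: internet-history@example.org\n"
    "Subject: Design choices in SMTP\n"
    "\n"
    "Hello list.\n"
)

# Rough addr-spec shape: something@something.something, no whitespace/brackets.
ADDR_SPEC = re.compile(r"[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+")


def display_name_looks_like_address(from_value):
    """True when the display-name itself has the syntax of an email address,
    the pattern some sites reject or sideline (point 2 above)."""
    name, _addr = parseaddr(from_value)
    return bool(name) and ADDR_SPEC.fullmatch(name.strip()) is not None


def recast_from_for_dmarc(raw):
    """Rewrite the message the way the post says lists now do: From: becomes
    the list address with an annotated display-name, Reply-To: carries the
    author, and an RFC 9057 Author: field keeps the unmodified author info."""
    msg = email.message_from_string(raw, policy=policy.default)
    original_from = str(msg["From"])
    name, addr = parseaddr(original_from)
    if "Author" not in msg:          # keep one set upstream, add ours otherwise
        msg["Author"] = original_from
    del msg["From"]                  # From: is a unique header; replace, not append
    msg["From"] = formataddr((f"{name or addr} {LIST_TAG}", LIST_ADDR))
    del msg["Reply-To"]
    msg["Reply-To"] = formataddr((name, addr))
    return msg


if __name__ == "__main__":
    out = recast_from_for_dmarc(RAW)
    for field in ("From", "Reply-To", "Author"):
        print(f"{field}: {out[field]}")
    print(display_name_looks_like_address('"jack@example.net" <evil@example.org>'))
```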
