[ih] Design choices in SMTP (custom emails per recipient)

Brian E Carpenter brian.e.carpenter at gmail.com
Thu Feb 9 14:58:12 PST 2023 

> I recently did RFC 9057

And it's Experimental/independent stream, which won't get the attention
of many product managers. Theoretically, any Thunderbird user can set it
up for themself, but that will only be a few geeks, and I suppose there
might be unintended consequences.

    Brian

On 10-Feb-23 10:27, Dave Crocker via Internet-history wrote:
> On 2/9/2023 1:03 PM, Jack Haverty via Internet-history wrote:
>> I remember that hack.  You could send email posing as anyone you
>> liked, by just putting whatever you wanted into the From: header
>> field.   It drove me crazy trying to get my mail server, which tried
>> to parse and verify those fields, to deal with all the poetry people
>> put into email headers.
>>
>> Sadly, it's not just a problem of the ancient 1970s/80s.  I regularly
>> receive emails now, in 2023, which look like I sent them.   I can
>> recognize them as phishing blackmail, but I suspect many people cannot
>> tell that they're forged.
> 
> Note:
> 
>   1. The content From: header field has 3 components:  Free-form display
>      'name', author mailbox, and author domain.
>   2. There is a continuing constituency of anti-abuse folk who want to
>      find a way to restrict the 'abuses' of the display-name. They have
>      never come up with anything that has any hope of doing a generally
>      useful job.  Some sites, however, do reject or sideline mail that
>      has a display-name with the syntax of an email address.
>   3. There is literally no empirical evidence that any of this affects
>      recipient behavior.  Users are primarily affect by the actual
>      content, not the From field.
> 
> DMARC was created to prevent spoofing the From: field domain name. It's
> effective, but created serious collateral damage for mail going through
> alias forwarders and mailing lists. Among the anti-abuse community,
> people are quite cavalier about the collateral damage.
> 
> In response to the damage, it is common for mailing lists to now recast
> the From field, along the lines of what this list does: They replace the
> From: field with the address of the mailing list, recase display-name to
> annotate that they've messed with the field, and set Reply-To: to be the
> author's address.  The irony is that this is now an accepted means of
> bypassing DMARC protection.
> 
> In architectural terms, this has turned the From: field pretty much into
> what was (and is) originally the semantics of the Sender: field.
> 
> In response, I recently did RFC 9057, Email Author Header Field, to
> provide a place for unmodified author information.  While I'm amused to
> see exactly three people are sending mail to my inbox using that field,
> I believe it has, so far, had virtually no uptake.
> 
> d/
>

More information about the Internet-history mailing list