[ih] Design choices in SMTP (custom emails per recipient)

Brian E Carpenter brian.e.carpenter at gmail.com
Thu Feb 9 15:00:47 PST 2023


And this is whatever Thunderbird produces...

Regards
    Brian

On 10-Feb-23 11:58, Brian E Carpenter wrote:
>> I recently did RFC 9057
> 
> And it's Experimental/independent stream, which won't get the attention
> of many product managers. Theoretically, any Thunderbird user can set it
> up for themself, but that will only be a few geeks, and I suppose there
> might be unintended consequences.
> 
>      Brian
> 
> On 10-Feb-23 10:27, Dave Crocker via Internet-history wrote:
>> On 2/9/2023 1:03 PM, Jack Haverty via Internet-history wrote:
>>> I remember that hack.  You could send email posing as anyone you
>>> liked, by just putting whatever you wanted into the From: header
>>> field.   It drove me crazy trying to get my mail server, which tried
>>> to parse and verify those fields, to deal with all the poetry people
>>> put into email headers.
>>>
>>> Sadly, it's not just a problem of the ancient 1970s/80s.  I regularly
>>> receive emails now, in 2023, which look like I sent them.   I can
>>> recognize them as phishing blackmail, but I suspect many people cannot
>>> tell that they're forged.
>>
>> Note:
>>
>>    1. The content From: header field has 3 components:  Free-form display
>>       'name', author mailbox, and author domain.
>>    2. There is a continuing constituency of anti-abuse folk who want to
>>       find a way to restrict the 'abuses' of the display-name. They have
>>       never come up with anything that has any hope of doing a generally
>>       useful job.  Some sites, however, do reject or sideline mail that
>>       has a display-name with the syntax of an email address.
>>    3. There is literally no empirical evidence that any of this affects
>>       recipient behavior.  Users are primarily affected by the actual
>>       content, not the From field.
>>
>> DMARC was created to prevent spoofing the From: field domain name. It's
>> effective, but created serious collateral damage for mail going through
>> alias forwarders and mailing lists. Among the anti-abuse community,
>> people are quite cavalier about the collateral damage.
>>
>> In response to the damage, it is common for mailing lists to now recast
>> the From field, along the lines of what this list does: They replace the
>> From: field with the address of the mailing list, recast display-name to
>> annotate that they've messed with the field, and set Reply-To: to be the
>> author's address.  The irony is that this is now an accepted means of
>> bypassing DMARC protection.
>>
>> In architectural terms, this has turned the From: field pretty much into
>> what was (and is) originally the semantics of the Sender: field.
>>
>> In response, I recently did RFC 9057, Email Author Header Field, to
>> provide a place for unmodified author information.  While I'm amused to
>> see exactly three people are sending mail to my inbox using that field,
>> I believe it has, so far, had virtually no uptake.
>>
>> d/
>>
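
As an added illustration (not part of the thread and not code from any of its authors), this Python sketch splits a From: value into the three components listed in the quoted note, flags a display-name that has the syntax of an email address different from the real mailbox, and recovers the author of a list-rewritten message from the RFC 9057 Author: field or from Reply-To:. All addresses and the sample message are constructed, and the field preference order is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Loose "looks like an address" pattern (an assumption, not a full RFC 5322 grammar).
ADDR_LIKE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def split_from(value):
    """Split one From: value into (display-name, mailbox local part, domain)."""
    name, addr = parseaddr(value)
    local, _, domain = addr.rpartition("@")
    return name, local, domain.lower()

def display_name_mismatch(value):
    """True if the display-name holds an address other than the real mailbox."""
    name, addr = parseaddr(value)
    found = ADDR_LIKE.search(name)
    return bool(found) and found.group(0).lower() != addr.lower()

def original_author(msg):
    """Author address of a possibly list-rewritten message, plus the field used.
    Preference order is an assumption; none of these fields is authenticated."""
    for field in ("Author", "Reply-To", "From"):
        if msg[field]:
            return parseaddr(msg[field])[1], field
    return "", None

# Constructed sample: a message after a list has recast From: as described above.
REWRITTEN = """\
From: "Dave via History-list" <history-list@lists.example>
Reply-To: dave@author.example
Author: Dave <dave@author.example>
Subject: constructed sample

body
"""

if __name__ == "__main__":
    msg = message_from_string(REWRITTEN)
    print(split_from(msg["From"]))
    print(original_author(msg))
    print(display_name_mismatch('"ceo@bank.example" <billing@mailer.example>'))
```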

