[ih] Email behavior (better subject ID...)
Dave Crocker
dhc at dcrocker.net
Mon Sep 6 06:50:49 PDT 2021
On 9/6/2021 6:40 AM, Steffen Nurpmeso wrote:
> And RFC 9057 which added the Author: header field that likely
> would have avoided this obnoxious situation when it would have
> been shipped alongside DMARC.
> It felt it would be nice if the big players would bend their minds
> and enforce it instead (..so much I added at least production
> support for my tiny little MUA on June 23rd).

During development of the Author: field, it was interesting to see some
folk react against it by saying that it would get abused in the same way
the From: field has. That is, they did it once, so they'll do it again.

Given the nature of the protection benefit that DMARC provides, and
given that it is actually quite easy to circumvent -- as the mailing
list From field modification hacks demonstrate -- it means that the
DMARC benefit is not inherent. That is, it provides relatively
short-term correlation benefit, but isn't robust over time.

Note that most users don't even see the From field address and even for
those that do, there is no indication that their behavior changes if
that field is spoofed, and some indication it doesn't!

But since it validates the From field domain name, people tend to have
an unshakeable belief in it as a core protection.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net