[ih] Design choices in SMTP (custom emails per recipient)
Dave Crocker
dhc at dcrocker.net
Thu Feb 9 13:27:57 PST 2023
On 2/9/2023 1:03 PM, Jack Haverty via Internet-history wrote:
> I remember that hack. You could send email posing as anyone you
> liked, by just putting whatever you wanted into the From: header
> field. It drove me crazy trying to get my mail server, which tried
> to parse and verify those fields, to deal with all the poetry people
> put into email headers.
>
> Sadly, it's not just a problem of the ancient 1970s/80s. I regularly
> receive emails now, in 2023, which look like I sent them. I can
> recognize them as phishing blackmail, but I suspect many people cannot
> tell that they're forged.
Note:
1. The content From: header field has 3 components: Free-form display
'name', author mailbox, and author domain.
2. There is a continuing constituency of anti-abuse folk who want to
find a way to restrict the 'abuses' of the display-name. They have
never come up with anything that has any hope of doing a generally
useful job. Some sites, however, do reject or sideline mail that
has a display-name with the syntax of an email address.
3. There is literally no empirical evidence that any of this affects
recipient behavior. Users are primarily affected by the actual
content, not the From field.
DMARC was created to prevent spoofing the From: field domain name. It's
effective, but created serious collateral damage for mail going through
alias forwarders and mailing lists. Among the anti-abuse community,
people are quite cavalier about the collateral damage.
In response to the damage, it is common for mailing lists to now recast
the From field, along the lines of what this list does: They replace the
From: field with the address of the mailing list, recast display-name to
annotate that they've messed with the field, and set Reply-To: to be the
author's address. The irony is that this is now an accepted means of
bypassing DMARC protection.
In architectural terms, this has turned the From: field pretty much into
what was (and is) originally the semantics of the Sender: field.
In response, I recently did RFC 9057, Email Author Header Field, to
provide a place for unmodified author information. While I'm amused to
see exactly three people are sending mail to my inbox using that field,
I believe it has, so far, had virtually no uptake.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker at mastodon.social
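The From: recasting the post describes, together with the display-name check from note 2, as an added example (not code from the post, the list software, or RFC 9057). The list address, the "via" tag, the sample message, and the loose header splitter are all assumptions constructed for the demonstration.

```python
"""Mailing-list From: recasting as described above, plus the display-name
check from note 2. Hypothetical code; list address and message are constructed."""
import re
from email import message_from_string, policy
from email.utils import formataddr, unquote

LIST_ADDR = "internet-history@example.org"   # constructed list address
LIST_TAG = "via Internet-history"            # annotation added to the display-name

# Loose test for a display-name that itself has the syntax of an address.
ADDR_LIKE = re.compile(r"[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+")


def split_from(value):
    """Split a From: value into its three components: free-form display
    name, author mailbox (local part) and author domain.
    Loose split, not a full RFC 5322 parser: the angle-addr is the last <...>."""
    value = value.strip()
    if value.endswith(">") and "<" in value:
        display, _, rest = value.rpartition("<")
        name, addr = unquote(display.strip()), rest[:-1].strip()
    else:
        name, addr = "", value
    local, _, domain = addr.rpartition("@")
    return name, local, domain


def display_name_looks_like_address(value):
    """True when the display-name has email-address syntax, the case some
    sites reject or sideline."""
    return bool(ADDR_LIKE.search(split_from(value)[0]))


def rewrite_for_list(raw):
    """Recast the From: field the way the post describes: list address in
    From:, annotated display-name, Reply-To: set to the author, and the
    unmodified author kept in an Author: field (RFC 9057)."""
    msg = message_from_string(raw, policy=policy.default)
    original = str(msg["From"])
    name, local, domain = split_from(original)
    author = f"{local}@{domain}"
    if "Author" not in msg:          # do not overwrite an existing Author:
        msg["Author"] = original
    del msg["From"]                  # policy.default allows only one From:
    msg["From"] = formataddr((f"{name or author} {LIST_TAG}", LIST_ADDR))
    del msg["Reply-To"]
    msg["Reply-To"] = formataddr((name, author))
    return msg


# Constructed sample message for the demonstration.
SAMPLE = "From: Jack Haverty <jack@example.com>\nTo: " + LIST_ADDR + "\nSubject: hi\n\nbody\n"
```

The Author: field only helps a receiver that looks for it; as the post notes, uptake of RFC 9057 has so far been minimal.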