Re: (DMARC) We've been here before, was Why mailing lists

[Theodore Ts'o <tytso@mit.edu>]

On Fri, Apr 18, 2014 at 08:20:55AM -0700, Murray S. Kucherawy wrote:
> 
> http://tools.ietf.org/html/draft-kucherawy-dmarc-base-04#section-15.1
> 
> One of the key points about DMARC's design is that it's concerned
> specifically with From:.  The reason is that the content of From: is what's
> typically shown to the recipient by MUAs.  If DMARC keyed off Sender:
> instead, then this would work:
> 
> MAIL FROM: haha@badguy.example.com
> 
> From: security@paypal.com
> Sender: haha@badguy.example.com
> DKIM-Signature: v=1; d=badguy.example.com; ...
> 
> If DMARC pays attention to Sender: in favor of From:, then this passes, but
> what the user is shown that the message is from security@paypal.com with a
> DMARC pass.  Not good.

So what happens if MUA's, because users don't want to see the "From: "
line when it's been reset to a mailing list address, ends up showing
the users what they want, which is the original sender of the mailing
list post?  It doesn't matter how or where we encode this information,
whether it's in a comment in the rewritten From: field, or in a
"X-Really-From: " header, or in the body of the message.  If there's a
convention, whether it is in a standard or de facto, there **will** be
cases when the users really want the original From header, and then
what will the DMARC promoters do then?

Try to ram through DMARC II that forces alignment of the
"X-Really-From: " header, or whatever else we end up using?

		  	     	      	      	  - Ted