On Fri, Apr 18, 2014 at 08:06:35AM +1200, Brian E Carpenter wrote: > > > > The Reply-To: field is adjusted to be the author's address, > > Oh, OK. Most UAs will probably do what you describe, but I think > there are exceptions. However, if I want to reply to the author > alone, it's now the simple Reply that will fail me, because it > will reply to the list. And in my mail folders, messages will > all appear to come from the list; if I want to find the message > that Sabahattin sent me two years ago, I can't, because my UA > doesn't allow for searching on the Reply-To field. > > It's still got very poor semantics. It's all about semantics, isn't? Suppose we made the mailing list software take the contents of the >From field, and moved it to something like "X-Originally-From: ", and changed the From field to be "ietf@xxxxxxxx". That would be what the DMARC people would want, right? Except then, a couple of years later, because users might actually want to find the message that was written by "Brian Carpenter", or "Sabahattin Gucukoglu", and not from "ietf@xxxxxxxx", MUA's might start using the Originally-From field in the summary field, and start emphasizing the "Originally-From" from field in the UI. At which point, the spammer/scammer/whatever could start forging the the "Originally-From" field, and then Lo! There will be a DMARC II, demanding that "Originally-From" field be aligned with the From field, and we're right back to where we started. It was the same argument about why a DKIM or DMARC couldn't just verify the Sender field, and call it a day. The problem is that the >From field is what people pay attention to. And this is true of whatever solution we want to better support mailing lists. Suppose the answer is to rewrite the from field to something like this: From: ietf-resend+brian.e.carpenter=gmail.com@xxxxxxxx Or this: From: ietf@xxxxxxxx (Originally from Brian E Carpenter: brian.e.carpenter@xxxxxxxxx) It doesn't matter. Eventually, the UA's will start emphasizing and parsing out the original From field information, because that's what people will want to be automatically added to their address book, and not ietf@xxxxxxxx, and that's what they will want to see in their e-mail summary. And then the DMARC folk will say, "Oh, Noes! Spammers and scammers and bears, oh my! They are using this loophole to fool the naive user." We must have DMARC II... and DMARC III.... and DMARC IV.... and it will never end. - Ted