On Sat, Apr 19, 2014 at 08:47:37AM +1200, Brian E Carpenter wrote:
>
> So, if the From says
>
> From: goodguy@xxxxxxxxx <haha@xxxxxxxxxxxxxxxxxx>
>
> many UAs would show only goodguy@xxxxxxxxx as the sender,
> but badguy could have passed DMARC, no?
>
> This would not exactly enhance goodguy's reputation,
> or Yahoo's for that matter. I realise it isn't the exploit
> that Yahoo is trying to stop, but it suggests to me that
> DMARC is only plugging one small hole in a very leaky dam.

If the problem is trying to protect goodguy or yahoo.com's reputation, I wonder if a better approach would have been to have yahoo.com issue all of its users S/MIME certificates, and then had a DMARC-like policy requesting recipients: "if the e-mail has the From: field of yahoo.com, and it's not an S/MIME-signed e-mail with a yahoo.com certificate, reject the e-mail".

After all, we know S/MIME successfully passes through mailing lists, and if in fact the message was appropriately signed using an S/MIME cert, it would be quite natural to have the UAs display the information from the Common Name field of the cert. That would solve a host of problems, including the hand-wringing around how S/MIME has lots of deployed users, but very few deployed certs.

- Ted
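The following is an added example, not code from the thread or from any of its participants. It models the two mechanisms discussed above: how a DMARC-evaluating receiver sees a From: header whose display name looks like someone else's address (Brian's example), and the "reject unless S/MIME-signed by a certificate in the From: domain" rule that Ted sketches. It is stdlib-only Python. The S/MIME signer identity is assumed to have already been extracted (rfc822Name or emailAddress) by a CMS verifier that is not shown; the organizational-domain computation is a simplification of what RFC 7489 does with the Public Suffix List; all headers and domains are constructed for the demo.

```python
# Added example (not from the thread). Models DMARC identifier alignment on a
# spoofed display name, and the S/MIME-based "reject unless signed by the
# From: domain" policy proposed above. Stdlib only; signer identity is assumed
# to come from an out-of-scope CMS verifier; all sample data is constructed.
import re
from email import message_from_string

# Angle-addr form "phrase <addr-spec>"; the text before the last <...> is the
# display name, the content of the brackets is the address.
ANGLE_ADDR = re.compile(r'^(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$', re.S)
EMAIL_LIKE = re.compile(r'[^\s<>@"]+@[^\s<>@"]+')


def split_from(header):
    """Return (display_name, addr_spec) for a From: header value.

    An unquoted '@' in the display name, as in Brian's example, is obsolete
    RFC 5322 syntax and parsers disagree on it. This takes the angle-addr as
    the address (what DMARC aligns on) and everything before it as the name.
    """
    m = ANGLE_ADDR.match(header.strip())
    if m:
        return m.group('name').strip().strip('"'), m.group('addr').strip()
    return '', header.strip()


def domain_of(addr):
    """Lower-cased domain part of an addr-spec ('' if there is none)."""
    return addr.rpartition('@')[2].lower()


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    Assumption: real DMARC consults the Public Suffix List instead."""
    return '.'.join(domain.lower().split('.')[-2:])


def aligned(from_domain, auth_domain, strict=False):
    """DMARC identifier alignment: strict needs an exact domain match,
    relaxed needs only the same organizational domain."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def display_name_spoof(header):
    """Return an address-looking token in the display name whose domain
    differs from the real addr-spec, or None. DMARC never checks this."""
    name, addr = split_from(header)
    m = EMAIL_LIKE.search(name)
    if m and domain_of(m.group()) != domain_of(addr):
        return m.group()
    return None


def dmarc_view(raw_message, authenticated_domain, strict=False):
    """What a DMARC receiver sees. authenticated_domain is the SPF MAIL FROM
    domain or DKIM d= that already passed; alignment is checked against the
    addr-spec domain only, so the display name is invisible to it."""
    header = message_from_string(raw_message)['From']
    _, addr = split_from(header)
    return {
        'from_domain': domain_of(addr),
        'dmarc_pass': aligned(domain_of(addr), authenticated_domain, strict),
        'display_name_spoof': display_name_spoof(header),
    }


def smime_policy(header, signer_rfc822name, policy_domains):
    """The proposed rule: for a From: domain that publishes the policy,
    reject unless the message carries a valid S/MIME signature whose
    certificate identity is in that domain. signer_rfc822name is None for an
    unsigned message. 'shown' is the identity a UA would display: the
    certificate identity when the rule passes, never the display name."""
    _, addr = split_from(header)
    from_domain = domain_of(addr)
    if from_domain not in {d.lower() for d in policy_domains}:
        return {'verdict': 'none', 'shown': addr}
    if signer_rfc822name is None or domain_of(signer_rfc822name) != from_domain:
        return {'verdict': 'reject', 'shown': None}
    return {'verdict': 'accept', 'shown': signer_rfc822name}


# Constructed sample: the header from Brian's message with made-up domains.
SPOOFED = (
    "From: goodguy@example.com <haha@attacker.example>\n"
    "To: victim@example.org\nSubject: hi\n\nbody\n"
)

if __name__ == '__main__':
    # Attacker authenticates attacker.example: DMARC passes, name still lies.
    print(dmarc_view(SPOOFED, 'attacker.example'))
    # Under the S/MIME rule an unsigned message from a policy domain is rejected.
    print(smime_policy("goodguy@example.com <haha@attacker.example>", None,
                       {'attacker.example'}))
```

Run as a script it prints the two verdicts; the point to notice is that `dmarc_pass` is true for the spoofed header because the attacker controls the addr-spec domain, while `display_name_spoof` is the only part that notices the misleading name, and DMARC receivers do not compute it.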