On Mon, Jul 14, 2014 at 04:47:19PM -0400, Scott Kitterman wrote: > > > However, DMARC is problematic for mail that does not flow from > > > operators having a relationship with the domain owner, directly to > > > receivers operating the destination mailbox. Examples of such > > > "indirect" flows are mailing lists, publish-to-friend functionality, > > > mailbox forwarding (".forward"), and third-party services that send > > > on behalf of clients. The working group will explore possible updates > > > and extensions to the specifications in order to address limitations > > > and/or add capabilities. It will also provide technical > > > implementation guidance and review possible enhancements elsewhere in > > > the mail handling sequence that could improve could DMARC > > > compatibility. This is a solved problem, the "Rfc822.Sender" field should have from the outset trumped the "Rfc822.From" field when determining message origin, and the DMARC policy should be that of the "Sender" domain. Some MUAs already expose "Sender != From" by displaying "From <sender> on behalf of <author>". This needs to become standard MUA behaviour. -- Viktor.