> On Tue, Jul 15, 2014 at 09:06:55AM +0100, t.p. wrote: > > > MUAs should expose message origin when different from author. > > > > Viktor, > > > > A fine idea, but, as a pragmatic engineer, I know that changes to an MUA > > will take five, may be ten, years to achieve widespread deployment, > > whereas changes to MTA could happen in a matter of weeks, if needs must. > We could have started 5 years ago. Better late than never. The > problem being tackled has no instant gratification solutions. > Pretending the problem is simpler than it is has a way of coming > back to bite you. I've always held that no amount of sender origin > authentication will save the clueless from themselves, any real > protection is at the gateway, and the gateway sees all the headers. > In the mean-time "citibank.com.dukhovni.org" will look plausible > enough to the helpless and will not be foiled by DMARC. > The expedient approach has not worked, it should have been done right > long ago, and should still be done right in the present. You know, I'm finding it difficult to argue with this. I've long been a supporter of using From/Sender semantics, but I've also bought into the assumption that current client behavior made use of these semantics problematic. But current client behavior also includes, in many cases, showing personal name information and not addresses. Which renders the entire from domain authorization check approach moot. This has led people to suggest that we need to do something about validating personal name information in From: header fields. This, along with all the various schemes that are being proposed to work around the myraid issues with third party message handling, increasingly looks to me like a tottering edifice built of hack piled on hack piled on hack. I think that at a minimum any change we propose needs to be compared against the alternative of using the semantics defined for email 30+ years ago. Ned