RE: not really to do with Re: WG Review: Domain-based Message Authentication, Reporting & Conformance (dmarc)

> This has led people to suggest that we need to do something about validating personal 
> name information in From: header fields. This, along with all the various schemes that 
> are being proposed to work around the myriad issues with third party message handling, 
> increasingly looks to me like a tottering edifice built of hack piled on hack piled on hack.

Of course people will suggest that we validate the personal name information. Because at the end of the day, spoofing is trying to make me believe that the message comes from "my friend Viktor" when in fact it does not. We may have perfect SPF, DKIM, DMARC and what have you, and still get spoofed messages "From: Viktor Dukhovni <viktor@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>." 

At that point, either people pay attention to domain names or they don't. If they do, presenting "from" and "sender" like Outlook does works fine. If they don't, as in the "punt security policy to Grandma" argument, then we need the system to validate information passed to the user. Maybe do some automated check against the address book, or maybe rely on PGP or S/MIME. But we definitely need to ask the question as "what's the best way to stop phishing attempts," not just "how to ensure that SMTP works as specified."

-- Christian Huitema
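As an added example, not part of Christian Huitema's message or the IETF archive, here is one way to implement the "automated check against the address book" he suggests: parse the From: header, decode any RFC 2047 encoded words in the display name, and flag a message whose display name matches a known contact while its addr-spec does not, or whose display name itself embeds an address that differs from the real one. The address book, names and domains below are constructed for the illustration; the verdict strings are the example's own.

```python
import email
import re
import unicodedata
from dataclasses import dataclass
from email import policy

# Matches an address-looking token inside a display name, e.g.
# "alice@example.com" <attacker@evil.example>, a common phishing trick.
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def normalize(text: str) -> str:
    """Fold case, apply NFKC (collapses fullwidth and compatibility forms)
    and squeeze whitespace so 'ALICE  Example' and 'alice example' compare equal."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return " ".join(text.split())


def build_address_book(entries):
    """entries: iterable of (display name, address). Returns
    {normalized name: {normalized addresses}}. Constructed data, not a real book."""
    book = {}
    for name, addr in entries:
        book.setdefault(normalize(name), set()).add(normalize(addr))
    return book


@dataclass
class FromVerdict:
    verdict: str       # one of the strings assigned below
    display_name: str  # decoded, un-normalized display name as the user would see it
    addr_spec: str     # the actual addr-spec the MUA would reply to


def classify_from(header_value: str, book) -> FromVerdict:
    """Classify a raw From: header value against an address book."""
    # Let the stdlib header parser handle quoting, comments and encoded words.
    msg = email.message_from_string(f"From: {header_value}\n\n", policy=policy.default)
    addresses = msg["From"].addresses if msg["From"] is not None else ()
    if not addresses or "@" not in addresses[0].addr_spec:
        return FromVerdict("malformed", "", "")

    addr = addresses[0]
    name = normalize(addr.display_name)
    spec = normalize(addr.addr_spec)
    known_addrs = {a for addrs in book.values() for a in addrs}

    if spec in known_addrs:
        # The address itself is one we know; the display name is irrelevant.
        verdict = "known_contact"
    else:
        embedded = EMBEDDED_ADDR.search(name)
        if embedded and embedded.group(0) != spec:
            # Display name pretends to be an address that is not the real one.
            verdict = "embedded_address_mismatch"
        elif name in book:
            # Looks like a friend's name, but comes from an address we don't have for them.
            verdict = "display_name_mismatch"
        else:
            verdict = "unknown_sender"
    return FromVerdict(verdict, addr.display_name, addr.addr_spec)


# Constructed sample address book (assumption: these names/addresses are fictional).
BOOK = build_address_book([
    ("Alice Example", "alice@example.com"),
    ("Alice Example", "alice@corp.example"),
    ("Carol Contact", "carol@example.org"),
])

if __name__ == "__main__":
    for raw in [
        '"Alice Example" <alice@example.com>',
        '"ALICE EXAMPLE" <alice@mailer.example>',
        '=?utf-8?q?Alice_Example?= <alice@attacker.example>',
        '"alice@example.com" <mail@attacker.example>',
        '"Bob Builder" <bob@example.net>',
    ]:
        print(f"{raw!r:60} -> {classify_from(raw, BOOK).verdict}")
```

A mismatch verdict is a reason to render the real addr-spec prominently or to warn, not to drop the message outright: legitimate contacts do change addresses, which is exactly why the check belongs at the point where the name is shown to the user rather than in SMTP.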
