RE: Google threatens to break Gmail

On Thursday, October 22, 2015 12:41 PM, Brian E Carpenter wrote:
> 
> On 23/10/2015 02:57, Russ Housley wrote:
> > ...
> > It seems to me that DMARC re-writing is a more important feature for this
> > community.  I think we should drop support for the password messages and
> > move to a newer version.  I'd like the tools team to check this out, and then
> > if the newer version will not introduce other surprises, move to the newer
> > version.
> 
> The primitive rewriting of the From is a bug in itself, because it destroys
> important information (who sent the message, even if they are a non-
> subscriber).

+1.

Rewriting the "From:" header trains users to only look at the user-friendly name, and to overlook the rewritten address. The potential for phishing is interesting.

> What John Levine describes is hopeful, but it would be nice to have some
> assurance from Google that they will actually wait until it's available before
> changing their DMARC policy.

Yes. But we may want to look a little bit at privacy issues. The privacy problems with disclosing the current IP address of the user in the Received field are flagged in RFC 7624. We need to make sure that the new ARC field does not amplify this issue.

-- Christian Huitema


 



