Christian Huitema wrote:
> Brian E Carpenter wrote:
>>
>> On 23/10/2015 02:57, Russ Housley wrote:
>>> ...
>>> It seems to me that DMARC re-writing is a more important feature for this
>>> community. I think we should drop support for the password messages and
>>> move to a newer version. I'd like the tools team to check this out, and then
>>> if the newer version will not introduce other surprises, move to the newer
>>> version.
>>
>> The primitive rewriting of the From is a bug in itself, because it destroys
>> important information (who sent the message, even if they are a
>> non-subscriber).
>
> +1.
>
> Rewriting the "From:" header trains users to only look at the user
> friendly name, and to overlook the rewritten address.
> The potential for phishing is interesting.

I do not see any increased potential for phishing.

Rather the opposite -- DMARC could be abused to give users a false sense
of security and fall to the flawed assumption that it would authenticate
the EMail author (which it doesn't).

Interestingly, there essentially is a legal requirement for rewriting the
From: header field for addresses that publish DMARC records when delivering
EMail to places where DMARC processing isn't outright illegal (DMARC
processing is clearly illegal in the EU), because handing an EMail to an
MTA that might be processing DMARC will be illegal in the EU just as
processing DMARC oneself.

So one of the alternatives to unconditionally bouncing a DMARC-impaired
EMail, will be rewriting the From:.

-Martin