On Fri, Oct 23, 2015 at 08:36:31PM +0200, Martin Rex wrote: > I do not see any increased potential for phishing > Rather the opposite -- DMARC could be abused to give users a false > sense of security and fall to the flawed assumption that it would > authenticate the EMail author (which it doesn't). Precisely. My spamtraps observe messages all day, every day that pass whatever validation happens to be in play -- but are clearly forgeries. And it's a VERY rare end user who is capable of making that same determination. Thus the warm fuzzies provided by mail clients that mark messages as "validated" or "authenticated" or whatever term is used are going to make these problems worse, not better. Until the underlying security issues are fixed -- and I see absolutely no signs that any of the 500-pound gorillas even *intend* to address those at scale, let alone are actively engaged in doing so -- this (DMARC and related) just wallpapers over the problem. ---rsk