RE: We need an architecture, not finger pointing.

On Monday, October 26, 2015 9:44 PM, Brian E Carpenter wrote: 
> ...
> 
> Architecturally, we need to validate that phill@xxxxxxxxxxxxxxx is the
> genuine sender even after the message has been relayed. DMARC doesn't do
> that in its present form.

Actually we need to validate two assertions:

* That the mail came from the stated author, e.g. PHB.
* That the mail was relayed by the IETF mailing list.

Identity checks matter. Lots of the discussion focused on SPAM, but the "acute problem of the day" is actually phishing, and specifically forging a mail that appears to come from someone you trust, to entice you to open a document or visit a URL that you should not. That's a pretty common step in the chain of events that leads to another "42 million user accounts compromised in a breach." 

-- Christian Huitema






