On Wed, Nov 2, 2016 at 3:51 PM, Dave Crocker <dcrocker@xxxxxxxxx> wrote:
On 11/2/2016 2:58 PM, Brandon Long wrote:
The difference is mostly cosmetic, though depending on your mail client,
there may be other downsides. And it may violate RFC 5322.
Brandon,
You know that I know that the attacks that generated the use of DMARC, which is causing the current situation, are serious. I'm mentioning that here to make sure the context for what follows is clear...
Email is communication between an author and one or more recipients.
Everything in between them is 'overhead'. The overhead functions need to be careful to avoid cavalierly reducing the utility of email, even as the changes are meant to aid in the use of email.
Identification of the author and recipients is meaningful to them. That's not 'cosmetic'.
And software tools employed by users take advantage of this identification, for searching and for organizing.
Including Gmail, which doesn't handle this workaround well, either.
In a highly diverse world, one of the problems of being a very major player is that it becomes far too easy not to see all the diversity or to appreciate its import to others. After all, most of that diversity is seen as such a tiny percentage of the activity. This is the essence of ethnocentrism.
Changing the contents of the rfc5322.From field is changing basic statements about authorship.
Perhaps there's no practical choice right now, but please let's not be cavalier about its import.
I think technical fans of email perhaps attach more import to the rfc5322.from field than does the average user. Certainly, downsides exist. That said, facebook notifications today all come from the same per-user address, with the actual commenter as just the display name. Various forum software, email ticketing software, the email notifications from various web based messaging systems, they all fail to apply authorship in how you say.
Yes, mailing lists have existed in this form for some time, and they are a good and vital system, and the downsides are real.
Note also that I imagine that mailing list software which supports EAI messages might also need to munge the From header to downgrade the message for delivery to non-EAI enabled receivers.
I'm not sure if my comment was heard in the recent ARC round table, where folks were questioning the overall complexity of ARC, but I'm fairly serious in saying that all of our discussions on work arounds and technical methods for trying to make DMARC work with mailing lists, and from header munging is by far the simplest. No trust/reputation systems, no manual whitelisting, no "magic sauce", no new software to be installed by receivers.
ARC will add greatly to the size of mail headers, which some folks on mailop still think should be tiny and talk about automatically marking large headers as spam.
ARC will add greatly to the privacy concerns which were raised last week on the DKIM IETF list, where now not only is a message have attestation of origin, but that attestation will survive some amount of forwarding/modification, and the path it took will also be attested to.
ARC will require new software to be installed by mailing list providers and any receivers who implement DMARC. Even after being installed, there is still more work in order to allow the mailing list messages through.
Brandon