On Monday, December 26, 2016 5:34 PM, John Levine wrote: >>By that argument, there's no excuse for the big mailer providers for >>bouncing List mail because of DMARC. They could just reference the >>List-ID field, and display something like this: >> >> <From> via mailing list <list-id header contents> > > Great idea. Because there is no possibility whatsoever that if mail > systems did that, bad guys would put in fake List-IDs to get their > phishes delivered. Of course, they will. A system like that only works if the MUA is reasonably sure that the mail was in fact sent by the specified "sender", and that the sender was some reputable list forwarder that the user trusts. But your mail and many comments on this lists point to the huge responsibility of the MUA with respect to phishing. Phishing is about duping the user by displaying misleading information. The effective defenses have to rely on proper user interface design, using all the information in the user context. Attempting to do that by just using network rules makes the network more complex, but cannot solve the problem. -- Christian Huitema