> On Dec 27, 2016, at 1:46 PM, Dave Crocker <dhc@xxxxxxxxxxxx> wrote:
>
> Worse, Viktor's line of logic presumes the modified From field somehow gets the message past filters better, and that is just plain wrong.

I was not suggesting any modification of the message From: line. Rather I was applauding the fact that Outlook (for one) presents a more detailed view of the message headers than is common practice. In particular, it augments the displayed origin information with Sender context when present.

If "Sender + From" are displayed as in Outlook, then it becomes reasonable to authenticate Sender when present, and not apply authentication policy to "From", since the message is not in fact *from* the author. It is from the sender, (purportedly) on behalf of the author.

It is rather implausible that phishers will want to present their messages this way (on behalf of), most users don't receive such email, and it will stand out as unexpected. And users who still believe such messages to be legitimately *from* the purported author and fall victim to scams will fall for a myriad other misdirections.

Breaking legitimate use-cases (lists) in order to fail to "solve phishing" is counterproductive in my view. Yahoo's DMARC cost reduction would also be equally effective if they displayed "on behalf of" given "Sender:" as in Outlook, and authenticated the Sender domain instead. This would do no damage to mailing lists.

--
Viktor.
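An added illustration, not part of the original message or of any mail client's code: it contrasts From-based alignment with the "authenticate Sender when present" rule described above, and builds the "on behalf of" display string. The sample messages, the `evaluate` and `addr_and_domain` names, and the exact-match alignment (in place of DMARC's organizational-domain comparison) are assumptions; `dkim_domain` stands for the `d=` of a signature that has already verified.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not taken from the thread).
LIST_MSG = """\
From: Alice <alice@yahoo.example>
Sender: list-bounces@lists.example
Subject: [list] hello

body
"""
DIRECT_MSG = """\
From: Alice <alice@yahoo.example>
Subject: hello

body
"""

def addr_and_domain(value):
    """Return (address, lower-cased domain) for a header value, or ('', '')."""
    addr = parseaddr(value or "")[1]
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    return addr, domain

def evaluate(raw, dkim_domain):
    """Compare From-based alignment with the Sender-first rule.

    Assumption: alignment is an exact domain match (strict mode only);
    dkim_domain is the d= of a signature that already verified.
    """
    msg = message_from_string(raw)
    from_addr, from_dom = addr_and_domain(msg["From"])
    sender_addr, sender_dom = addr_and_domain(msg["Sender"])
    identity = sender_dom or from_dom  # Sender when present, else From
    display = f"{sender_addr} on behalf of {from_addr}" if sender_addr else from_addr
    return {
        "from_aligned": bool(from_dom) and from_dom == dkim_domain,
        "sender_first_aligned": bool(identity) and identity == dkim_domain,
        "display": display,
    }

if __name__ == "__main__":
    for raw, d in ((LIST_MSG, "lists.example"), (DIRECT_MSG, "yahoo.example"),
                   (DIRECT_MSG, "other.example")):
        print(d, evaluate(raw, d))
```

The list-relayed message fails From alignment but passes under the Sender-first rule, while a message with no Sender header is judged on From in both cases.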