On Wed, Dec 22, 2021 at 11:42:02AM -0800, Junio C Hamano wrote:
> > This would require pretending that we're authorized to send mail from the
> > domain name of the commit author, so this unfortunately won't work (and hence
> > the reason why GGG does it this way). E.g. say you have:
> >
> > From: foo@xxxxxxxxxx
> > Subject: [PATCH] Fix foo
>
> Would it help to use "Sender:"? When GGG or any other automation
> are trying to send e-mail on behalf of the person shown on "From:",
> I thought that it is the mechanism for them to use to identify
> themselves.

Indeed, that's how the DKIM standard wanted to deal with this problem; however,
when the DMARC RFC was being drafted, this approach was deemed insufficient.
They have a good explanation for it -- there is no standard among UI clients
to handle the Sender/From discrepancy. Most MUAs will happily ignore the
Sender: field and will only show what is in From:, so this approach was
considered ineffective against phishing attacks. An attacker could easily
register a domain, set DKIM records, and then use any From: they wanted as
long as they used a valid Sender: header, knowing that it would be ignored by
most mail clients.

So, DMARC deliberately ignores the Sender: header and *only* pays attention to
the From: field for its purpose.

-K
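The point above, that DMARC aligns only against the RFC5322.From domain and never consults Sender:, can be made concrete with a small alignment check. The following is an added example, not code from this thread, from GGG, or from any kernel.org tooling. It assumes the DKIM signature and SPF check have already been verified elsewhere and only decides identifier alignment (RFC 7489 section 3.1); the organizational-domain helper is a two-label stand-in for the Public Suffix List, and the two messages, the domains relay.example and kernel.org, and the hash/signature values are constructed for the demonstration.

```python
"""DMARC identifier-alignment check (added example, not the thread's code).

DMARC evaluates alignment against the domain in the RFC5322.From header only.
Sender: is parsed below purely so the output can show it, and it plays no part
in the verdict. The authenticated identifiers are the d= domain of a verified
DKIM signature and the SPF-authenticated RFC5321.MailFrom domain, both assumed
to have passed already.
"""
import email
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Two-label stand-in for the organizational domain (assumption: real DMARC
    implementations consult the Public Suffix List instead)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment: same organizational domain. Strict ('s'): exact
    match. An absent authenticated domain never aligns."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dkim_domain(msg) -> str:
    """Return the d= tag of the first DKIM-Signature header (assumed verified)."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return ""
    for tag in sig.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "d":
            return value.strip()
    return ""


def dmarc_alignment(raw: str, spf_domain: str, adkim: str = "r", aspf: str = "r") -> dict:
    """Decide DMARC alignment for one raw message. spf_domain is the
    SPF-authenticated MAIL FROM domain supplied by the SMTP layer."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, sender_addr = parseaddr(msg.get("Sender", ""))
    from_domain = from_addr.rpartition("@")[2]
    d = dkim_domain(msg)
    dkim_ok = aligned(from_domain, d, adkim)
    spf_ok = aligned(from_domain, spf_domain, aspf)
    return {
        "from_domain": from_domain,
        "sender_domain": sender_addr.rpartition("@")[2],  # informational only
        "dkim_domain": d,
        "spf_domain": spf_domain,
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "dmarc_pass": dkim_ok or spf_ok,  # DMARC passes if either identifier aligns
    }


# Constructed sample: automation at relay.example sends on behalf of a
# kernel.org author, identifies itself with Sender:, and signs with its own key.
RELAYED = """From: Jane Dev <jane@kernel.org>
Sender: ggg-bot@relay.example
DKIM-Signature: v=1; a=rsa-sha256; d=relay.example; s=bot; h=from:subject;
 bh=fakehash=; b=fakesig=
Subject: [PATCH] Fix foo

body
"""

# Constructed sample: the same author, but signed under the author's own domain.
DIRECT = RELAYED.replace("d=relay.example", "d=kernel.org").replace(
    "Sender: ggg-bot@relay.example\n", ""
)

if __name__ == "__main__":
    for label, raw, spf in (("relayed", RELAYED, "relay.example"),
                            ("direct", DIRECT, "kernel.org")):
        print(label, dmarc_alignment(raw, spf))
```

Running it shows the relayed message failing both DKIM and SPF alignment even though its Sender: header and its DKIM signature are perfectly valid for relay.example, while the message signed under kernel.org passes. The `mode` argument of `aligned` also shows the difference between the adkim/aspf `r` and `s` policy tags: a subdomain such as lists.kernel.org aligns with kernel.org only under relaxed mode.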