Opened 2 years ago

Last modified 20 months ago

#73 assigned defect

Need decision on importance of From domain

Reported by: fenton@… Owned by: todd.herr@…
Priority: critical Milestone: Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide
Component: dmarc-bis Version:
Severity: Active WG Document Keywords: alignment


As part of a different discussion, the question of the importance of the From domain identity was raised. Previous comments in the discussion had made the points that only the "friendly" part of the From address is visible in many current email clients, and that research has shown that user behavior (e.g., response to phishing) is not much affected by the From domain even when it is visible.

Since the alignment of the From domain to the SPF- or DKIM-authenticated domain is a central part of the DMARC concept, the WG needs to come to rough consensus as to whether the From domain is indeed relevant.

Change History (4)

comment:1 Changed 2 years ago by kboth+ietf@…

  • Summary changed from Need decision on importance of From domain alignment to Need decision on importance of From domain

This ticket is mis-titled; it is asking whether the 5322.from domain matters, not whether alignment is important.

comment:2 Changed 2 years ago by tim@…

From: is one of the few required headers to be present for email to be considered, well, a piece of email. Without From:, a piece of email is considered malformed.

If alignment of DKIM and SPF is going to align with anything, From: is the only header that is required to be present that is relevant to the question of "where does this email come from?".

What end users see via their email client of choice is orthogonal to the question of what operators can act on before email is delivered to users.

Sure, abusers will use domains that are not protected by DMARC to spread fraud. That misses the point. The point is, operators can base delivery choices on email where From: is associated with a strong DMARC policy... whereas without DMARC, operators have to go back to square one of trying to figure out if the email in front of them that says its from the bank really does comes from the bank.

The question/concern of "what will email clients do to protect users" belongs somewhere else, IMO.

Last edited 2 years ago by tim@… (previous) (diff)

comment:3 Changed 20 months ago by todd.herr@…

  • Owner set to todd.herr@…
  • Status changed from new to accepted

comment:4 Changed 20 months ago by todd.herr@…

  • Status changed from accepted to assigned
Note: See TracTickets for help on using tickets.