JoshTriplett 2 days ago

> always be suspicious, even if the email is from a trusted domain and dkim/dmarc/spf all pass

This was the default state of email for a long time, and is still the level of caution some people apply to email: never trust `From`.

globular-toast 2 days ago

I've blown people's minds by spoofing "From" before. It's amazing the completely unwarranted level of trust people have in things. I tell people it's no different from me typing up a letter and putting "love from Mum" at the bottom.

I blame shiny email clients like Outhouse etc. It's really dangerous to make something look like a better system than it is. If email were still viewed as plain text I don't think it would be seen the same.

bawolff 2 days ago

Note, you can't forge the From header if DMARC is turned on. The From header was not forged in the article, afaict.

It doesn't really matter because email clients usually don't even show the email part of the From header.

JoshTriplett 2 days ago

> email clients usually don't even show the email part of the From header.

Good email clients should, though.

Biganon 2 days ago

Isn't it also SPF's role to check that the From domain is allowed for the sender IP?

bawolff 2 days ago

No (if you mean the From header).

SPF (without DMARC) validates the envelope from, not the From header.

When DMARC is present, it changes this to be the normal From header (DMARC requires one of either SPF or DKIM to match the From header, so if DKIM matches then SPF doesn't have to).
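As an added illustration of the alignment rule this comment describes (example code written for this page, not the commenter's or any project's): it takes SPF and DKIM verification results as already computed by a receiver, and decides whether either one aligns with the header From domain the way DMARC requires. It assumes a simplified organizational-domain reduction (last two labels) in place of the Public Suffix List, and the sample headers are constructed.

```python
# Added example (not from the thread): DMARC identifier alignment.
# Assumption: SPF and DKIM have already been verified; we only decide
# whether an authenticated identifier aligns with the RFC5322.From domain.
from email.utils import parseaddr

# Constructed sample: envelope (MAIL FROM) domain differs from the header
# From domain. SPF alone would accept this if the envelope domain's SPF
# record authorizes the sending IP.
SAMPLE_HEADERS = {
    "From": "Alice <alice@example.com>",
    "Return-Path": "<bounce@mailer.example.net>",
}


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels only.
    Real receivers consult the Public Suffix List (assumption/simplification)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool) -> bool:
    """Strict alignment needs an exact match; relaxed alignment accepts
    any subdomain of the same organizational domain."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_passes(headers, spf_result, dkim_results,
                 aspf_strict=False, adkim_strict=False):
    """spf_result: (mail_from_domain, passed).
    dkim_results: list of (d= domain, passed) for each signature.
    DMARC passes when at least one passing identifier aligns with From."""
    _, from_addr = parseaddr(headers.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    if not from_domain:
        return False  # no usable From domain, nothing to align against
    spf_domain, spf_ok = spf_result
    if spf_ok and aligned(spf_domain, from_domain, aspf_strict):
        return True
    for dkim_domain, dkim_ok in dkim_results:
        if dkim_ok and aligned(dkim_domain, from_domain, adkim_strict):
            return True
    return False
```

The first case in the test below is the one the comment is about: SPF passing for the envelope domain says nothing about the From header, so DMARC fails unless a DKIM signature for the From domain (or an aligned SPF domain) is present.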