On 7/5/25 1:11 PM, John Levine via NANOG wrote:
Do you have any visibility into, say, MAAWG and why they don't take this up as a standards effort? Honestly, they'd just laugh. It's not a new idea, and there is a great deal of experience that says asking users to make security decisions in the UI mostly adds confusion.
The research paper I pointed to disagrees. It's not a panacea, but it's helpful. But yeah, dysfunction is the most likely answer rather than oversight. Email is full of that, so I'm not surprised.
On the other hand, if you use Thunderbird, I don't think it'd be very hard to write a plugin that looks at the Authentication-Results: header and adds locks or skulls and crossbones to the message display. Try it, tell us how you like it.
You can start with this one:
https://addons.thunderbird.net/en-US/thunderbird/addon/dkim-verifier/
Authentication-Results is not intended by itself to be a UI element, so that's not what I'm talking about. Any effort would require collaboration with security human factors experts for starters. Mike