DKIM and SPF are mentioned as powerful mitigations for having your domain abused for phishing. But when I send a mail like this:
```
Return-Path: <me@mydomain.example.com>
From: Citibank security team <security@citi.com>
Reply-To: Noreply <noreply@citi.com>
Subject: Unauthorized attempt on your account
```

- With envelope From `<me@mydomain.example.com>`
- With a valid DKIM signature for `mydomain.example.com`
- Sent from a host that is authorized to send according to the SPF policy for `mydomain.example.com`
It is my understanding that the mail will be shown as if it actually was sent from Citibank. The mailserver logs may show something about an unaligned DKIM signature, and a DMARC report may be sent to Citibank eventually, but it doesn't at all prevent a scam mail from being delivered.
Why does the specification check the From: address so loosely, while that is the only identifier a user would see directly in their mail client?
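Added example, not from the question or any answer: a minimal DMARC identifier-alignment evaluator (the RFC 7489 rules) run over the headers from the question. It assumes the SPF and DKIM results have already been computed by the receiver, takes a pre-parsed DMARC record as a dict, and simplifies the organizational domain to the last two labels instead of consulting the Public Suffix List.

```python
import email
from email.policy import default
from email.utils import parseaddr

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption: a real verifier consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(raw_message: str, dkim_results, spf_result, policy: dict) -> dict:
    """Apply the From-domain owner's DMARC record to already-computed results.
    dkim_results: [(d= domain, signature verified), ...]
    spf_result:   (RFC5321.MailFrom domain, SPF passed)
    policy:       parsed DMARC record, e.g. {"p": "reject", "adkim": "r", "aspf": "r"}
    """
    msg = email.message_from_string(raw_message, policy=default)
    _, from_addr = parseaddr(str(msg["From"]))
    from_domain = from_addr.rpartition("@")[2]
    # DKIM counts only if a *verified* signature's d= aligns with the From: domain.
    dkim_aligned = any(ok and aligned(from_domain, d, policy.get("adkim", "r"))
                       for d, ok in dkim_results)
    # SPF counts only if it passed for an envelope domain aligned with From:.
    spf_aligned = spf_result[1] and aligned(from_domain, spf_result[0], policy.get("aspf", "r"))
    dmarc_pass = dkim_aligned or spf_aligned
    # On failure the receiver applies the action the From-domain owner requested.
    action = "accept" if dmarc_pass else policy.get("p", "none")
    return {"from_domain": from_domain, "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned, "dmarc": "pass" if dmarc_pass else "fail",
            "action": action}

# Constructed headers matching the message in the question.
SPOOFED = """Return-Path: <me@mydomain.example.com>
From: Citibank security team <security@citi.com>
Reply-To: Noreply <noreply@citi.com>
Subject: Unauthorized attempt on your account
"""

if __name__ == "__main__":
    # SPF and DKIM both pass for mydomain.example.com, but neither aligns with citi.com,
    # so with a constructed p=reject record the verdict is "reject".
    print(evaluate_dmarc(SPOOFED, [("mydomain.example.com", True)],
                         ("mydomain.example.com", True), {"p": "reject"}))
```

With a record of `p=none` the same message only produces a report; the delivery decision the question describes depends entirely on which policy the From: domain publishes.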