On 4/1/2015 9:00 PM, Michael Jack Assels wrote:
> To avoid a new header field or a "v=" increase, to make DMARC failure a really
> reliable indication of genuine invalidity, at least where mailing lists
> are concerned, why not focus on the fact that RFC5322.From headers clearly
> allow multiple addresses, and invite Mediators such as mailing list to take
> responsibility for their changes by adding an address in their own domain
> to the RFC5322.From header and adding their own DKIM-Signature?
Which address would be first? The 3rd party or the first party? Will
the 3rd party first do a POLICY check to determine if this is allowed?
Maybe the first party doesn't want or expect any 3rd party signature?
I think the MLS/MLM needs to first respect the wishes of the 1st party
before trying to circumvent the security by modifying the 5322.From.
> RFC7489 seems to hem and haw a bit about multiple From addresses (in a
> single From header). E.g., in Section 6.6.1:
>
>    o  Messages bearing a single RFC5322.From field containing multiple
>       addresses (and, thus, multiple domain names to be evaluated) are
>       typically rejected because the sorts of mail normally protected by
>       DMARC do not use this format;
>
> and a little later in the same section:
>
>    The case of a syntactically valid multi-valued RFC5322.From field
>    presents a particular challenge.  The process in this case is to
>    apply the DMARC check using each of those domains found in the
>    RFC5322.From field as the Author Domain and apply the most strict
>    policy selected among the checks that fail.
While it is technically allowed by 5322, I have yet to see this in the
wild, and many software components simply are not ready for such a
multiple-address From field, especially at gateways and transformations or
online hosting systems or MUAs where only one From is expected.
> (The word "fail" leaves me confused. Shouldn't that be "pass"?)
>
> At any rate, it seems to me that if DMARC would be satisfied by a Mediator
> making substantial modifications to my message, changing the RFC5322.From
> to ....
It's far easier to just do a DNS lookup of the 1st party to determine if
the 3rd party is a trusted, authorized resigner, "mediator."
YesNo = Is_Signer_Authorized(Author, Signer)
Far easier and least expensive solution.
--
HLS
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
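The RFC 7489 Section 6.6.1 rule quoted in the thread, carried through as an added example (this is not code from the thread or from any DMARC implementation); the `_dmarc` policy table and the From addresses are constructed stand-ins for DNS records, and `authenticated_domains` is an assumed input listing the DKIM d= / SPF domains that verified for the message:

```python
from email.utils import getaddresses

# Constructed stand-in for the _dmarc TXT lookups a verifier would perform.
DMARC_POLICY = {
    "example.com": "reject",
    "example.org": "quarantine",
    "example.net": "none",
}
STRICTNESS = {"none": 0, "quarantine": 1, "reject": 2}


def author_domains(from_header):
    """Every domain in a (possibly multi-valued) RFC5322.From field, lowercased."""
    return [addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses([from_header]) if "@" in addr]


def dmarc_passes(domain, authenticated_domains):
    """Relaxed alignment: some verified DKIM d= / SPF domain equals the
    Author Domain or is a subdomain of it."""
    return any(a == domain or a.endswith("." + domain)
               for a in authenticated_domains)


def policy_for_multi_from(from_header, authenticated_domains):
    """Apply the DMARC check with each From domain as the Author Domain and
    return the strictest published policy among the domains that FAIL.
    None means no disposition applies (every domain with a published
    policy passed, or no domain published one)."""
    worst = None
    for domain in author_domains(from_header):
        policy = DMARC_POLICY.get(domain)  # None: no DMARC record published
        if policy is None or dmarc_passes(domain, authenticated_domains):
            continue  # passing domains do not contribute to the outcome
        if worst is None or STRICTNESS[policy] > STRICTNESS[worst]:
            worst = policy
    return worst
```

Only the failing Author Domains feed the result, which is why the RFC text says "checks that fail": a message whose From lists both a list address and the original author is judged by the author's policy when the list's signature aligns but the author's does not.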