On 4/1/2015 9:00 PM, Michael Jack Assels wrote:

To avoid a new header field or a "v=" increase, to make DMARC failure a really
reliable indication of genuine invalidity, at least where mailing lists
are concerned, why not focus on the fact that RFC5322.From headers clearly
allow multiple addresses, and invite Mediators such as mailing list to take
responsibility for their changes by adding an address in their own domain
to the RFC5322.From header and adding their own DKIM-Signature?

Which address would be first? The 3rd party or the first party? Will the 3rd party first do a POLICY check to determine if this is allowed? Maybe the first party doesn't want or expect any 3rd party signature?

I think the MLS/MLM needs to first respect the wishes of the 1st party before trying to circumvent the security by modifying the 5322.From.

RFC7489 seems to hem and haw a bit about multiple From addresses (in a
single From header).  E.g., in Section 6.6.1:

    o  Messages bearing a single RFC5322.From field containing multiple
       addresses (and, thus, multiple domain names to be evaluated) are
       typically rejected because the sorts of mail normally protected by
       DMARC do not use this format;

and a little later in the same section:

    The case of a syntactically valid multi-valued RFC5322.From field
    presents a particular challenge.  The process in this case is to
    apply the DMARC check using each of those domains found in the
    RFC5322.From field as the Author Domain and apply the most strict
    policy selected among the checks that fail.

While it is technically allowed by 5322, I have yet to see this in the wild, and many software components simply are not ready for such a multiple From field, especially at gateways, transformations, online hosting systems, or MUAs where only one From is expected.

(The word "fail" leaves me confused.  Shouldn't that be "pass"?)

At any rate, it seems to me that if DMARC would be satisfied by a Mediator
making substantial modifications to my message, changing the RFC5322.From
to ....

It's far easier to just do a DNS lookup of the 1st party to determine if the 3rd party is a trusted, authorized resigner, "mediator."

     YesNo =  Is_Signer_Authorized(Author, Signer)


Far easier and least expensive solution.

--
HLS
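Added example, not from this thread or from either author: the RFC 7489 Section 6.6.1 rule quoted above, applied to an RFC5322.From field that carries several addresses. The published DMARC policies and the per-domain alignment results are constructed inputs; a real evaluator fetches the policy from the `_dmarc` TXT record and derives alignment from the SPF and DKIM results.

```python
# Added example (not from the thread): RFC 7489 section 6.6.1 evaluation of a
# multi-valued RFC5322.From field over constructed per-domain DMARC data.
from email.utils import getaddresses

# Strictness order used to pick "the most strict policy" among failing checks.
STRICTNESS = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed stand-in for the published p= tag of each Author Domain.
DMARC_RECORDS = {
    "example.com": "reject",
    "example.net": "quarantine",
    "example.org": "none",
}


def author_domains(from_header: str) -> list[str]:
    """Return every domain found in an RFC5322.From field, in header order."""
    domains = []
    for _display_name, addr in getaddresses([from_header]):
        if "@" in addr:
            domains.append(addr.rsplit("@", 1)[1].lower())
    return domains


def dmarc_disposition(from_header: str, aligned_pass: dict[str, bool]) -> str:
    """Apply the DMARC check using each Author Domain and return the outcome.

    aligned_pass maps a domain to whether an aligned SPF or DKIM identifier
    passed for it (constructed here, computed from authentication results in
    practice). Returns "pass" when every per-domain check passes; otherwise the
    most strict policy among the domains whose check failed. A domain with no
    published record has no policy to apply and is treated as "none".
    """
    failed_policies = []
    for domain in author_domains(from_header):
        if aligned_pass.get(domain, False):
            continue
        failed_policies.append(DMARC_RECORDS.get(domain, "none"))
    if not failed_policies:
        return "pass"
    return max(failed_policies, key=STRICTNESS.__getitem__)
```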


_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
