Here is an attempt at language which explains why multiple-from messages
are excluded from DMARC processing:

"RFC 5322 allows the From header to include a list of address terms.  This
format is uncommon and some mail systems are known to reject such
messages.  The source mail system is unlikely to have explicitly authorized
use of each listed name.  When multiple domains are involved, successful
DMARC authentication of all domains is unlikely.  Consequently, messages
with multiple From addresses are inherently difficult to authenticate,
and produce a DMARC result of MULTIPLEFROM.  Organizations that wish to
accept such messages should do so based on local policy considerations."

Doug Foster

On Fri, Nov 25, 2022 at 4:52 AM Alessandro Vesely <[email protected]> wrote:

> On Thu 24/Nov/2022 22:57:51 +0100 Dotzero wrote:
> > On Thu, Nov 24, 2022 at 2:22 PM Neil Anuskiewicz <[email protected]> wrote:
> >> On Nov 24, 2022, at 7:10 AM, Dotzero <[email protected]> wrote:
> >>> On Tue, Nov 15, 2022 at 12:29 PM Douglas Foster <[email protected]> wrote:
> >>>
> >>>> Your solution is straightforward, but I am not sold.
> >>>>
> >>>> DMARC PASS means that the message is free of author impersonation. This
> >>>> can only be true if all authors are verifiable and verified.
> >>>
> >>> This is absolutely not true. An attacker can use homoglyphs, cousin
> >>> domains and other means of impersonating a sender. An attacker can
> >>> impersonate a sender within the same domain and DMARC will happily give a
> >>> pass because the right hand side of the from address matches. Author !=
> >>> sending domain. DMARC only addresses direct domain impersonation.
> >>
> >> Can we assume that in the context of DMARC, passing means passing with
> >> alignment when it stops exact domain impersonation. I think we can assume
> >> that nobody on this list thinks me using my own passing spf and dkim with
> >> sketchythreatactor.com and spoofing your header from isn’t what anyone
> >> means by pass in this context. If the effect can stop impersonation it’s
> >> ipso facto in alignment.
> >
> > In the context of a standards working group, no, we cannot assume anything.
> > There have been plenty of misstatements and factually incorrect statements
> > in this group. This includes "DMARC PASS means that the message is free of
> > author impersonation". DMARC pass means it passed DMARC validation. If a
> > homoglyph From email address passes DMARC validation, there has indeed been
> > impersonation of the purported From address. And for purposes of DMARC,
> > Author is not necessarily the same as From. We've had that discussion
> > multiple times before.
>
> Some mail sites don't allow users to arbitrarily change From:. That way, the
> authenticity of the identity is granted. Other mail sites allow users to freely
> set From:. Since they sign it, it goes without saying that any question about
> the true identity of the author passes through the domain admin.
>
> About homoglyphs, there are studies on the subject. For example, it is
> possible to distinguish mixed alphabets. It is a hard task. Certainly, it
> makes no sense working on it until the mode is to not reject blatant
> impersonations. In a sense, we're working at the preparatory step.
>
> Best
> Ale
> --
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
>