The purpose of DMARC is to demonstrate that the purported author (From) is either the actual author or the authorized agent of the actual author.
Because of practical difficulties, this is an indirect process: DMARC PASS demonstrates that a specific sending domain is authorized to speak on behalf of the purported author's domain. We then presume that the local-part is authorized at origination. This occurs either (a) because the Mail From account was authenticated by the MSA and we have SPF alignment, or (b) because the Mail From account was authenticated by the MSA and its administrative controls ensure that other-domain signatures are only applied to Mail From accounts that have been duly authorized to use it. For forwarding, we accept aligned DKIM PASS because it implies that those criteria were met at origination, and the signature was preserved during transit. All of this falls apart with multiple From domains. SPF-alignment can only authenticate one Mail From account to one domain. ESPs have the sophistication to generate different DKIM signatures for different clients, but they only serve one client per message Every way I look at the problem, I conclude that: - If an MSA thinks it has reason to send a message with multiple From domains, it will either lack the ability or lack the controls to ensure that this is done with proper authorization. - If an MSA has the ability to authenticate multiple authors, it is an ESP which has no reason to send messages from multiple author domains because it only serves one client per message. Email is not a legal document. If someone wants to assert multiple authorship, they should use the Friendly Name and Body closing to assert this information. If someone insists on sending messages with multiple >From domains, the message will be received as not fully authenticated and will be at the mercy of the receiving system to decide whether that incomplete authentication is acceptable. Doug Foster On Tue, Jan 16, 2024 at 5:03 AM Alessandro Vesely <ves...@tana.it> wrote: > On Mon 15/Jan/2024 20:49:35 +0100 John Levine wrote: > > It appears that Scott Kitterman <skl...@kitterman.com> said: > >>I don't think that's sensible at all. It's not the place of a signing > filter to modify the message. > > > A signing filter, as part of an MSA _has to_ modify the message in order > to > enhance the possibility that it is transmitted correctly. Besides usual > changes belonging to the core MSA, such as setting Date:, a signing filter > shall take care of signature breaking cases, such as lines beginning with > "from ". > > > >> I think it would be reasonable to either add a signature for each from > >> domain or to decline to sign it at all, but since DKIM doesn't care > about > >> from domain at all, I think it would be up to whatever calls the > signing > >> filter to specify. > > Not signing and/or leaving a multi-valued From: as is certainly is not a > good > service for the users, if they meant their message to be delivered. > > Some receivers reject messages with multi-valued From: —after DMARC. > OTOH, > MUAs allow it, rightly following the RFCs. What's the way out? > > > > I agree but I'd be more inclined to say don't sign at all, since > > multi-valued From headers are rare and as likely as not to be a > > mistake. > > > A use case is when submitting co-authored articles or notes. Yes, it is > rare > to type a message four hands, but it can happen, and banning the > possibility to > correctly identify the authors is harsh. > > > Thinking twice, saving the original multi-value to Author: is not enough > to > have replies reach every author. Better also use Reply-To:. > > > Best > Ale > -- > > > > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
