On Fri, Jan 19, 2024 at 10:20 AM Todd Herr <todd.herr= [email protected]> wrote:
> On Thu, Jan 18, 2024 at 9:28 PM Hector Santos <hsantos= [email protected]> wrote:
>
>> Hi,
>>
>> As a long time implementer and integrator of IETF protocols, my mail
>> engineering view ….
>>
>> The thing is RFC 822, 2822 and 5322 allow for a single 5322.From header
>> to have multiple addresses:
>>
>> from = "From:" mailbox-list CRLF
>> mailbox-list = (mailbox *("," mailbox)) / obs-mbox-list
>>
>
> True, but in such cases, it requires that there be a Sender: header with
> exactly one mailbox as a value -
> https://datatracker.ietf.org/doc/html/rfc5322#section-3.6.2
>
> [snip]
>
>> However, if I have been following this thread, DMARCBis was updated to
>> ignore these multi-from messages for DMARC purposes because they
>> (erroneously) presumed they should be rejected, i.e. never make it to a
>> signer or verifier.
>>
>> I am not sure that is correct.
>>
>
> Perhaps the way forward for DMARC is to look for a Sender header when
> there is more than one RFC5322.From domain and use that for DMARC
> processing, with the stipulation that messages that don't contain such a
> Sender header are invalid and should be rejected?
>

The problem with relying on the Sender header is that unless a Sender header matches the right hand side (domain) of the email address in the From field, you can't tell if there is a legitimate relationship between Sender and From.

I think the correct approach is for DMARC to recognize this is a very tiny corner case that very rarely shows up in the real world and ignore it.

Michael Hammer
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
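The From/Sender cases discussed in this thread can be told apart mechanically. The following is an added example, not code from any of the thread's participants or from the DMARC specification: it uses Python's standard `email` parser to sort a message into those cases. The function name, the verdict labels and the sample headers are assumptions made for illustration; the labels describe what a receiver can observe and are not DMARC results.

```python
from email import message_from_string
from email.policy import default


def classify_from(raw: str) -> dict:
    """Sort a message into the From/Sender cases raised in the thread."""
    msg = message_from_string(raw, policy=default)
    # Flatten every mailbox found in all From: and Sender: header fields.
    from_boxes = [a for h in msg.get_all("From", []) for a in h.addresses]
    sender_boxes = [a for h in msg.get_all("Sender", []) for a in h.addresses]
    from_domains = sorted({a.domain.lower() for a in from_boxes})

    if not from_boxes:
        verdict = "no-from"
    elif len(from_boxes) == 1:
        verdict = "single-from"
    elif len(sender_boxes) != 1:
        # RFC 5322 section 3.6.2: a multi-mailbox From needs a Sender
        # field carrying exactly one mailbox.
        verdict = "multi-from-no-valid-sender"
    elif sender_boxes[0].domain.lower() in from_domains:
        verdict = "multi-from-sender-domain-in-from"
    else:
        # Sender is syntactically fine, but nothing in the headers ties its
        # domain to any From domain.
        verdict = "multi-from-sender-unrelated"
    return {"from_domains": from_domains, "verdict": verdict}


# Constructed sample headers (example domains only, not real traffic).
SAMPLES = {
    "single": "From: Alice <alice@a.example>\n\nbody\n",
    "multi_no_sender": "From: alice@a.example, bob@b.example\n\nbody\n",
    "multi_sender_in_from": ("From: alice@a.example, bob@b.example\n"
                             "Sender: alice@A.EXAMPLE\n\nbody\n"),
    "multi_sender_unrelated": ("From: alice@a.example, bob@b.example\n"
                               "Sender: relay@c.example\n\nbody\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_from(raw))
```
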
