Assume this RFC5322 header:

     From: user@attackdomain, presid...@whitehouse.gov

For messages like this:

   - Verifying one identity (e.g. "user@attackdomain") does nothing to say
   that the unverified identity is used with authorization.
   - Technical issues mean that it will be rare, nearly impossible, for a
   multiple-domain address to authenticate all addresses.

We can ensure that sender policy is not ignored if we specify that the
recipient choose one of these behaviors:

   - Test all domains for DMARC and follow the strictest resulting
   disposition advice, or
   - Reject the message as inherently inconsistent with being able to
   authenticate all addresses, and therefore not worth the trouble to attempt
   the calculation.

Ultimately, multiple-address From is an anachronism -- the early
specifications allowed it, but experience shows that nobody really needs or
uses it, and important participants have already dropped support for it.
The RFC5322 rewrite should deprecate it so that DMARCbis does not have to
dance around the subject.

Doug Foster



On Sat, Jan 27, 2024 at 8:01 AM Alessandro Vesely <ves...@tana.it> wrote:

> On Fri 19/Jan/2024 18:00:35 +0100 Hector Santos wrote:
> >> On Jan 19, 2024, at 10:19 AM, Todd Herr <todd.herr=
> 40valimail....@dmarc.ietf.org> wrote:
> >>
> >> Perhaps the way forward for DMARC is to look for a Sender header when
> >> there is more than one RFC5322.From domain and use that for DMARC
> >> processing, with the stipulation that messages that don't contain such a
> >> Sender header are invalid and should be rejected?
> >
> > Todd,  +1
> >
> > I like this idea.  The 5322.Sender is required for a 2+ address
> > Mailbox-list.
>
>
> +1 as well.  Let me note that, in such a case, DMARC should require that the
> Sender: domain be aligned with at least one of the From: domains.
>
> Otherwise, disallow should mean reject/quarantine when at least one of the
> From: domains says so.  (Same complexity as previous case.)
>
> Ignoring, as Section 11.5 points out, exposes an attack vector that must be
> taken into consideration.  That section says:
>
>      [C]are must be taken by the receiving MTA to recognize such messages
>      as the threats they might be and handle them appropriately.
>
> What does "appropriately" mean in that context?  It looks to me like a neatly
> carved hole in a security filter.
>
>
> Best
> Ale
> --
>
> PS:  Thunderbird, for one, allows editing From: and adding more mailboxes in
> the message composition window.
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
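The two recipient behaviors Doug proposes above (evaluate DMARC for every From: domain and apply the strictest disposition, or reject a multi-domain From: outright) together with the Sender:-alignment condition from the quoted reply, worked through as an added Python example that is not part of this thread and not code from any DMARC implementation. The DNS lookup is replaced by a constructed policy table, the domains and header values are constructed for illustration, alignment is strict (exact domain match) only, and SPF/DKIM authentication results are assumed to be supplied by the caller:

```python
"""DMARC handling for a multi-mailbox RFC 5322 From: header.

Behaviours demonstrated:
  1. evaluate every From: domain and apply the strictest disposition, or
  2. reject the message outright as inherently inconsistent, and
  3. when several From: domains are present, require a Sender: whose domain
     is aligned with at least one of them and use that domain for DMARC.
Assumptions: DNS is replaced by a constructed table, alignment is strict
(exact match), and which From: domains passed aligned SPF/DKIM is given by
the caller.
"""
from email.utils import getaddresses

# Constructed stand-in for _dmarc.<domain> TXT records (not real DNS data).
DMARC_POLICY = {
    "attackdomain.example": "none",
    "brand.example": "reject",
    "partner.example": "quarantine",
}
SEVERITY = {"none": 0, "quarantine": 1, "reject": 2}


def mailbox_domains(header_value):
    """Lowercase domain of every mailbox in a From: or Sender: header value."""
    out = []
    for _display, addr in getaddresses([header_value]):
        if "@" in addr:
            out.append(addr.rsplit("@", 1)[1].lower())
    return out


def lookup_policy(domain):
    """Stand-in for the DNS query; None means no DMARC record is published."""
    return DMARC_POLICY.get(domain)


def strictest_disposition(from_header, authenticated_domains=()):
    """Behaviour 1: a From: domain that passed aligned SPF/DKIM contributes
    nothing; every other From: domain contributes its p= value; the strictest
    value wins. Returns 'none' when no policy fires."""
    worst = "none"
    authed = {d.lower() for d in authenticated_domains}
    for dom in mailbox_domains(from_header):
        pol = lookup_policy(dom)
        if pol is None or dom in authed:
            continue
        if SEVERITY[pol] > SEVERITY[worst]:
            worst = pol
    return worst


def reject_if_multiple(from_header):
    """Behaviour 2: a From: carrying more than one domain is rejected without
    evaluating any policy."""
    return "reject" if len(set(mailbox_domains(from_header))) > 1 else "none"


def sender_aligned(from_header, sender_header):
    """Behaviour 3: return the domain DMARC should evaluate. A single-domain
    From: uses that domain. A multi-domain From: needs exactly one Sender:
    mailbox whose domain equals one of the From: domains; otherwise None
    (message invalid)."""
    from_doms = set(mailbox_domains(from_header))
    if len(from_doms) <= 1:
        return next(iter(from_doms), None)
    if not sender_header:
        return None
    sender_doms = mailbox_domains(sender_header)
    if len(sender_doms) != 1 or sender_doms[0] not in from_doms:
        return None
    return sender_doms[0]


if __name__ == "__main__":
    # Constructed header: attacker's own domain plus a protected brand domain.
    hdr = "user@attackdomain.example, Bob <bob@brand.example>"
    print("domains:", mailbox_domains(hdr))
    # Attacker authenticates only the domain they control.
    print("strictest:", strictest_disposition(hdr, ["attackdomain.example"]))
    print("reject-multi:", reject_if_multiple(hdr))
    print("sender check:", sender_aligned(hdr, "bob@brand.example"))
    print("sender check, no Sender:", sender_aligned(hdr, None))
```

Under behaviour 1 the attacker's authenticated `attackdomain.example` (p=none) does not rescue the message: the unauthenticated `brand.example` still contributes its p=reject, so the header from the thread's scenario is rejected. Behaviour 2 rejects it without any lookup, and behaviour 3 rejects it unless a single Sender: mailbox in one of the From: domains is present.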