Assume this RFC5322 header:

From: user@attackdomain, presid...@whitehouse.gov

For messages like this:

- Verifying one identity (e.g. "user@attackdomain") does nothing to say that the unverified identity is used with authorization.
- Technical issues mean that it will be rare, nearly impossible, for a multiple-domain address to authenticate all addresses.

We can ensure that sender policy is not ignored if we specify that the recipient choose one of these behaviors:

- Test all domains for DMARC and follow the strictest resulting disposition advice, or
- Reject the message as inherently inconsistent with being able to authenticate all addresses, and therefore not worth the trouble to attempt the calculation.

Ultimately, multiple-address From is an anachronism -- the early specifications allowed it, but experience shows that nobody really needs or uses it, and important participants have already dropped support for it. The RFC5322 rewrite should deprecate it so that DMARCbis does not have to dance around the subject.

Doug Foster

On Sat, Jan 27, 2024 at 8:01 AM Alessandro Vesely <ves...@tana.it> wrote:

> On Fri 19/Jan/2024 18:00:35 +0100 Hector Santos wrote:
> >> On Jan 19, 2024, at 10:19 AM, Todd Herr <todd.herr=40valimail....@dmarc.ietf.org> wrote:
> >>
> >> Perhaps the way forward for DMARC is to look for a Sender header when there is more than one RFC5322.From domain and use that for DMARC processing, with the stipulation that messages that don't contain such a Sender header are invalid and should be rejected?
> >
> > Todd, +1
> >
> > I like this idea. The 5322.Sender is required for a 2+ address Mailbox-list.
>
> +1 as well. Let me note that, in such case, DMARC should require that the Sender: domain be aligned with at least one of the From: domains.
>
> Otherwise, disallow should mean reject/quarantine when at least one of the From: domains says so. (Same complexity as previous case.)
>
> Ignoring, as Section 11.5 points out, exposes an attack vector that must be taken into consideration. That section says:
>
> [C]are must be taken by the receiving MTA to recognize such messages as the threats they might be and handle them appropriately.
>
> What does it mean "appropriately" in that context? It looks to me like a neatly carved hole in a security filter.
>
> Best
> Ale
> --
>
> PS: Thunderbird, for one, allows editing From: and adding more mailboxes in the message composition window.
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
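The two receiver behaviors proposed in the message above (apply the strictest DMARC disposition across every From: domain, or refuse a multi-domain From: outright), as an added Python example that is not from this thread or from any DMARC implementation; the policy table and the set of authenticated domains are constructed stand-ins for the DNS lookups and DKIM/SPF alignment results a real receiver would compute:

```python
from email.utils import getaddresses

# Constructed policy table standing in for the _dmarc TXT lookups (not real data).
POLICIES = {"example.com": "reject", "example.org": "quarantine", "example.net": "none"}
# Ordering used to pick the strictest disposition.
SEVERITY = {"none": 0, "quarantine": 1, "reject": 2}


def from_domains(from_header):
    """Return the lower-cased domain of every mailbox in a From: field value, in order."""
    domains = []
    for _display_name, addr in getaddresses([from_header]):
        if "@" in addr:
            domains.append(addr.rsplit("@", 1)[1].lower())
    return domains


def disposition(from_header, authenticated, mode="strictest"):
    """Decide how to handle a message whose From: may list several mailboxes.

    authenticated: set of From: domains for which the caller found an aligned
                   DKIM or SPF pass (simulated here by the test inputs).
    mode:          "strictest"    - evaluate every distinct From: domain and apply the
                                    most severe policy among those that did not pass;
                   "reject-multi" - refuse any From: naming more than one domain.
    """
    distinct = set(from_domains(from_header))
    if not distinct:
        return "reject"  # no usable From: domain at all
    if len(distinct) > 1 and mode == "reject-multi":
        return "reject"
    worst = "none"
    for domain in distinct:
        if domain in authenticated:
            continue  # this identity passed; its policy does not apply
        policy = POLICIES.get(domain, "none")  # no DMARC record means no policy
        if SEVERITY[policy] > SEVERITY[worst]:
            worst = policy
    return worst
```

Note that a domain with no DMARC record contributes "none", so under "strictest" the unverified half of a mixed From: only raises the disposition when that domain has published a policy.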