On Sat 27/Jan/2024 16:13:08 +0100 Scott Kitterman wrote:
On Saturday, January 27, 2024 8:00:24 AM EST Alessandro Vesely wrote:
Ignoring, as Section 11.5 points out, exposes an attack vector that must be
taken into consideration. That section says:
[C]are must be taken by the receiving MTA to recognize such messages
as the threats they might be and handle them appropriately.
What does it mean "appropriately" in that context? It looks to me as a
neatly carved hole in a security filter.
I think this point about alignment of Sender is definitely correct,
Let's also recall there was a proposal to consider Sender: anyway.
but it leads me to a different conclusion:
Having to evaluate Sender for DMARC adds a pile of complexity for very minimal
benefit.
Yes.
We should leave this where it is and move on.
No: substantially, /where it is/ is to ignore. To handle appropriately means
receivers are on their own w.r.t DMARC.) It is a hole:
From: presid...@whitehouse.gov <lots of whitespace>, user@attackdomain
Personally, I would prefer we say to do a DMARC evaluation for each From and
leave it to the receiver to evaluate multiple policies (if there are two From
values and the result for one is pass and the other is fail with a reject
policy, it seems pretty straightforward to decide to reject). It would be
substantially less complex than adding another header field to the process
I'm not sure which one is more complex. Evaluating each From: implies a tree
walk for each domain, while verifying Sender: alignment can reduce that number.
However, it is probably better to choose a solution based on semantics rather
than on complexity. Your solution solves the example above, which is good.
For Sender:, instead, we need to also require that the aligned domain be the
one of the _first_ From: mailbox. Such additional requirement preserves the
principle of end user visibility that led to choose From: in the first place,
and definitely reduces complexity.
Best
Ale
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc