Re: [dmarc-ietf] DMARC with multi-valued RFC5322.From

Sun, 28 Jan 2024 05:40:17 -0800 

On Sat 27/Jan/2024 16:13:08 +0100 Scott Kitterman wrote:

On Saturday, January 27, 2024 8:00:24 AM EST Alessandro Vesely wrote:



Ignoring, as Section 11.5 points out, exposes an attack vector that must be 
taken into consideration.  That section says:


     [C]are must be taken by the receiving MTA to recognize such messages
     as the threats they might be and handle them appropriately.


What does it mean "appropriately" in that context?  It looks to me as a 
neatly carved hole in a security filter.


I think this point about alignment of Sender is definitely correct,



Let's also recall there was a proposal to consider Sender: anyway.



but it leads me to a different conclusion:


Having to evaluate Sender for DMARC adds a pile of complexity for very minimal 
benefit.



Yes.



We should leave this where it is and move on.




No: substantially, /where it is/ is to ignore.  To handle appropriately means 
receivers are on their own w.r.t DMARC.)  It is a hole:


    From: presid...@whitehouse.gov <lots of whitespace>, user@attackdomain



Personally, I would prefer we say to do a DMARC evaluation for each From and 
leave it to the receiver to evaluate multiple policies (if there are two From 
values and the result for one is pass and the other is fail with a reject 
policy, it seems pretty straightforward to decide to reject).  It would be 
substantially less complex than adding another header field to the process




I'm not sure which one is more complex.  Evaluating each From: implies a tree 
walk for each domain, while verifying Sender: alignment can reduce that number.



However, it is probably better to choose a solution based on semantics rather 
than on complexity.  Your solution solves the example above, which is good.



For Sender:, instead, we need to also require that the aligned domain be the 
one of the _first_ From: mailbox.  Such additional requirement preserves the 
principle of end user visibility that led to choose From: in the first place, 
and definitely reduces complexity.



Best
Ale
--




_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc





























					Reply via email to