On Sun 28/Jan/2024 14:39:55 +0100 I wrote:
> [...]
> To handle appropriately means receivers are on their own w.r.t. DMARC.) It
> is a hole:
>
> From: [email protected] <lots of whitespace>, user@attackdomain
> [...]
> For Sender:, instead, we need to also require that the aligned domain be the
> one of the _first_ From: mailbox.
That was a hallucination:
From: "_" <dontseeme@attackdomain>, [email protected]
So the only solution, AFAICS, is to check each From: domain. Possibly put a
limit on the maximum number of domains accepted by policy. Setting such a limit
to 1 would be disagreeable as it breaks SMTP; but, from a security POV, still
better than skipping the message in such cases.
Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc