On Sat, Feb 10, 2024 at 12:34 PM Jim Fenton <[email protected]> wrote:
> > No, it's perfectly fine to declare that DMARC only applies to certain
> > classes of messages.
>
> This actually concerns me a bit. If having multiple From: addresses causes
> a message to be out of scope for DMARC and therefore bypass a p=reject
> policy, that sounds like a reason that attackers might start sending
> messages with multiple From: addresses in order to accomplish that.

What we said in RFC 7489, and what I think we're saying here, is that experience (at the time of that RFC, at least) suggests that such messages, even though they're legal by RFC 5322, tend to get dropped or rejected before they get to any DMARC engine because they're considered unusual or dangerous or some other concerning adjective, so it was sufficient to call them out of scope.

I believe Gmail has indicated that messages that do have a multi-valued From tend to clearly be spam or other abuse. What that tells me is that it would be reasonable for a receiver to discard or reject them before they even get to DMARC, meaning we don't have to worry about it in DMARC directly.

If we decide we need to make DMARC bulletproof even in this case, then perhaps the move is indeed to codify the "check them all" logic that's been suggested. But I don't think we can say in this document that multi-valued From is no longer valid; that's perhaps in EMAILCORE's scope, not in ours.

-MSK, participating
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
