On Sun 11/Feb/2024 01:47:12 +0100 Scott Kitterman wrote:
> On Saturday, February 10, 2024 7:39:37 PM EST Murray S. Kucherawy wrote:
>> On Sat, Feb 10, 2024 at 12:34 PM Jim Fenton <[email protected]> wrote:
>>> This actually concerns me a bit. If having multiple From: addresses causes
>>> a message to be out of scope for DMARC and therefore bypass a p=reject
>>> policy, that sounds like a reason that attackers might start sending
>>> messages with multiple From: addresses in order to accomplish that.
>>> [...]
>> If we decide we need to make DMARC bulletproof even in this case, then
>> perhaps the move is indeed to codify the "check them all" logic that's been
>> suggested. But I don't think we can say in this document that multi-valued
>> From is no longer valid; that's perhaps in EMAILCORE's scope, not in ours.
>> [...]
> I suggest we put in some non-normative words about check them all and move on.
> Let's throw this thing over the finish line.
The text in RFC 7489 is clear and terse. I suggest we copy that paragraph
verbatim.
Additionally, we could add a note about the max number of domains, for example:
To limit potential denial-of-service attacks, Verifiers MAY limit
the total number of domains they will attempt to verify.
(That is similar to what DKIM says about signatures,
https://datatracker.ietf.org/doc/html/rfc6376#section-4.2)
Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
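Added example, not part of the list message above and not code from any DMARC implementation: an illustrative "check them all" evaluation for a multi-valued From: header, with the cap on the number of distinct From: domains that Ale suggests. Published policies and the SPF/DKIM authenticated identifiers are constructed inputs (a real verifier fetches _dmarc records and runs the authentication checks itself), the organizational-domain reduction is a two-label stand-in for the Public Suffix List, the limit of five domains and the quarantine disposition for over-limit messages are assumed local-policy values, and the function and variable names are my own. The point it demonstrates is the one Jim raises: with "check them all", adding a second, attacker-controlled From: address cannot turn a p=reject failure into a pass, and the cap bounds the lookups an attacker can force without re-opening that bypass.

```python
"""Illustrative DMARC "check them all" evaluation over a multi-valued From: header.

Assumptions (not from the mailing-list thread or any RFC text):
  - SAMPLE_POLICIES stands in for DNS lookups of _dmarc.<domain> TXT records.
  - org_domain() uses the last two labels instead of the Public Suffix List.
  - MAX_FROM_DOMAINS and the over-limit disposition are local policy choices.
"""
from email.utils import getaddresses

# Constructed sample policies, keyed by organizational domain.
SAMPLE_POLICIES = {
    "bank.example": {"p": "reject", "adkim": "r", "aspf": "r"},
    "attacker.example": {"p": "none", "adkim": "r", "aspf": "r"},
}

MAX_FROM_DOMAINS = 5  # assumed cap, in the spirit of "Verifiers MAY limit ..."
SEVERITY = {"none": 0, "quarantine": 1, "reject": 2}


def org_domain(domain):
    """Simplified organizational domain: last two labels (real code uses the PSL)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def from_domains(from_header):
    """Distinct domains in a From: header, in order of first appearance."""
    domains = []
    for _name, addr in getaddresses([from_header]):
        if "@" not in addr:
            continue
        dom = addr.rsplit("@", 1)[1].strip().lower()
        if dom and dom not in domains:
            domains.append(dom)
    return domains


def aligned(from_dom, auth_dom, mode):
    """Identifier alignment: strict ('s') is exact, relaxed ('r') compares org domains."""
    if mode == "s":
        return from_dom == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)


def evaluate_domain(from_dom, dkim_pass_domains, spf_pass_domain, policies):
    """Return (result, p) for one From domain; result is 'pass', 'fail' or 'none'.

    dkim_pass_domains: d= values of DKIM signatures that verified.
    spf_pass_domain:   MAIL FROM domain if SPF passed, else None.
    """
    policy = policies.get(org_domain(from_dom))
    if policy is None:
        return "none", "none"  # no published policy: DMARC has nothing to say
    dkim_ok = any(aligned(from_dom, d, policy.get("adkim", "r")) for d in dkim_pass_domains)
    spf_ok = spf_pass_domain is not None and aligned(from_dom, spf_pass_domain, policy.get("aspf", "r"))
    return ("pass" if (dkim_ok or spf_ok) else "fail"), policy.get("p", "none")


def evaluate_message(from_header, dkim_pass_domains, spf_pass_domain,
                     policies=SAMPLE_POLICIES, max_domains=MAX_FROM_DOMAINS,
                     over_limit_disposition="quarantine"):
    """"Check them all": the message passes only if every From domain passes.

    A failure is handled with the strictest p= among the failing domains.  Messages
    with more than max_domains distinct From domains are not evaluated at all but
    also do not pass; giving them disposition 'none' would recreate the bypass.
    """
    domains = from_domains(from_header)
    if not domains:
        return {"result": "none", "disposition": "none", "domains": {}}
    if len(domains) > max_domains:
        return {"result": "fail", "disposition": over_limit_disposition,
                "domains": {d: ("unchecked", "none") for d in domains},
                "reason": "too many From domains"}
    per_domain = {}
    worst = "none"
    for dom in domains:
        result, p = evaluate_domain(dom, dkim_pass_domains, spf_pass_domain, policies)
        per_domain[dom] = (result, p)
        if result == "fail" and SEVERITY[p] > SEVERITY[worst]:
            worst = p
    results = {r for r, _ in per_domain.values()}
    if "fail" in results:
        overall = "fail"
    elif results == {"pass"}:
        overall = "pass"
    else:
        overall = "none"
    return {"result": overall,
            "disposition": worst if overall == "fail" else "none",
            "domains": per_domain}


if __name__ == "__main__":
    # Constructed case: attacker authenticates their own domain via DKIM and
    # adds the bank's address as a second From: mailbox.
    print(evaluate_message('"Alerts" <a@attacker.example>, alerts@bank.example',
                           ["attacker.example"], None))
```

Under a "first domain only" or "out of scope" rule the constructed case would pass or be skipped; under "check them all" bank.example fails with p=reject and the message is rejected. The over-limit branch deliberately short-circuits before any policy lookup, which is where the cost an attacker can impose would otherwise grow with the number of addresses.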