Hi, 

As a long time implementer and integrator of IETF protocols, my mail 
engineering view ….

The thing is RFC 822, 2822 and 5322 allow for a single 5322.From header to 
have multiple addresses:

from = "From:" mailbox-list CRLF
mailbox-list = (mailbox *("," mailbox)) / obs-mbox-list

So it is intentional? Obviously, there was a time and  mail “group-ware” 
application scenario where it applied so it was engineered and written into the 
822 specification. 

But were there any client MUAs that support it?   I (Santronics Software) never 
added it in any of my MUAs, which were USER and SYSOP-based.  Even if not, it 
is still technically possible to create a legally formatted RFC822, 2822, 5322 
message and send it via SMTP.

Now comes DKIM and its DKIM Policy Modeling add-ons…..

DKIM signing requires the hash binding of the entire content of the 5322.From 
header.   There are no modifications expected before signing.  Note:  While 
Rewrite is a kludge solution to a domain redirection problem, it is not the 
same but I can see where it can fit here.

ALL DKIM Policy Models (the add-ons over DKIM-BASE) starting with SSP, DSAP, 
ADSP and now DMARC provided guidelines to support 1st party signature. 
Unfortunately, they failed on the authorization of a 3rd party signer scenario. 

So it means, at least one of the authors' domains should match/align with the 
signer domain per DMARC logic.

This sounds logical to me, albeit more complexity in the code that reads and 
processes the headers.  We don’t have any MUAs or bots that have a need or 
support for multiple authors.  That need is called Mailing List.  But for DKIM 
Policy models, it should be allowed as long as there is an aligned/matching 
signer domain in the From header mailbox-list.

However, if I have been following this thread, DMARCBis was updated to ignore 
these multi-from messages for DMARC purposes because they (erroneously) 
presumed they should be rejected, i.e. never make it to a signer or verifier.

I am not sure that is correct.


All the best,
Hector Santos


> On Jan 18, 2024, at 10:59 AM, Emil Gustafsson 
> <emgu=40google....@dmarc.ietf.org> wrote:
> 
> I have a data point.
> When we (Google) did an experiment/analysis of this a couple of years ago the 
> conclusion was
> a) multi-value From are relatively rare and mostly look like abuse or 
> mistakes rather than intentional.
> b) Users generally don't care about those messages if they end up in spam.
> 
> So...
> Is the volume measurable? -  yes but very small
> Are there legitimate emails? - yes but users don't seem to care about these 
> messages
> 
> Based on the data I have, I would be in favor of an update that essentially 
> makes multivalued From Invalid rather than a corner case that needs to be 
> handled.
> 
> /E
> 
> On Thu, Jan 18, 2024 at 12:41 AM Steven M Jones <s...@crash.com> wrote:
> On 1/17/24 2:56 AM, Alessandro Vesely wrote:
> > [ Discussion of  what to do with multi-valued From: in messages ]
> >
> > However, since DMARC bears the blame of banning multi-valued From:, it 
> > is appropriate for it to say something about the consequences and 
> > possible workarounds.
> 
> DMARC doesn't ban multi-valued From:, but the language of section 6.6.1 
> is confusing because we were documenting the practice of implementers up 
> to that time as much as being prescriptive. If anything, it highlights 
> the need for the clearer language that Todd quoted earlier in this thread.
> 
> Has a measurable volume of legitimate messages with multi-valued From: 
> headers been reported in the wild? Is there a real-world problem that 
> needs to be solved?
> 
> --Steve.
> 
> 
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc

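The two treatments of a multi-valued From: discussed in the thread above, as an added illustration that is not part of any message in the thread or of any DMARC implementation. The function names, policy labels and sample headers are constructed for this example, and only strict (exact-match) alignment is modelled, since relaxed alignment needs a Public Suffix List lookup.

```python
from email.utils import getaddresses

# Constructed sample From: header values (not taken from real mail).
SINGLE = "Alice <alice@example.com>"
MULTI = '"Doe, Jane" <jane@example.org>, Bob <bob@example.net>'


def author_domains(from_value):
    """Return the lowercased domain of every mailbox in a From: value.

    getaddresses() follows the mailbox-list grammar, so a comma inside a
    quoted display name does not split one mailbox into two.
    """
    domains = []
    for _name, addr in getaddresses([from_value]):
        local, at, domain = addr.rpartition("@")
        if at and local and domain:
            domains.append(domain.lower().rstrip("."))
    return domains


def evaluate(from_value, dkim_pass_domains, policy="any-author"):
    """Decide strict identifier alignment for one message.

    dkim_pass_domains: d= values of DKIM signatures that already verified.
    policy "any-author":  aligned if any author domain equals a signer
                          domain (the position argued in the reply above).
    policy "single-only": a multi-valued From: is left out of DMARC
                          evaluation (what the thread says DMARCbis does).
    """
    authors = author_domains(from_value)
    signers = {d.lower().rstrip(".") for d in dkim_pass_domains}
    if not authors:
        return "invalid-from"
    if len(authors) > 1 and policy == "single-only":
        return "not-evaluated"
    matched = sorted(set(authors) & signers)
    return "aligned:" + ",".join(matched) if matched else "not-aligned"


if __name__ == "__main__":
    for value in (SINGLE, MULTI):
        for policy in ("any-author", "single-only"):
            print(policy, "|", value, "->",
                  evaluate(value, ["example.net", "example.com"], policy))
```

A receiver comparing the two policies on its own traffic would log both results per message before enforcing either.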
