On Fri, Nov 7, 2014 at 10:06 AM, John Levine <jo...@taugh.com> wrote:

> >1) Evaluate all the domains you find, and if any of them have published
> >DMARC policies, apply the strictest one ...
>
> Given the anti-phishing goals of DMARC, I don't see how anything else
> makes any sense.  Or you could skip a step, say that DMARC doesn't
> permit multi-address From headers, assume that validation failed on
> all of the domains and proceed directly to the punishment phase.
>

Right, that's also an option, and it at least accommodates the no-address
From field that RFC6854 permits.

Another option I can think of is one where we just admit the conflict with
RFC6854 and observe that streams likely to be DMARC-protected don't use
this format, so if you see a multi-valued From where any domain has a DMARC
policy, it's invalid and the receiver should act accordingly.

> For From: headers with address-free groups, recall that the motivation
> for this was EAI downgrades at delivery time.  The un-downgraded
> message had a normal From: header, so normal DMARC applies.  If the
> address is smashed in the downgrade I don't see any reason that the
> DMARC result needs to change.
>

I don't know much at all about EAI, but if the address is smashed, which
DMARC result could you possibly use?

-MSK
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
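
The two receiver behaviours discussed in the message above, as an added example that is not part of the original thread: applying the strictest published policy across all From domains, and treating a multi-valued From as invalid when any domain has a policy. The function names are hypothetical, the policy table is constructed sample data standing in for `_dmarc.<domain>` DNS lookups, and organizational-domain fallback is left out.

```python
from email.headerregistry import HeaderRegistry

# Ordering used to pick the "strictest" published policy.
STRICTNESS = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample data standing in for _dmarc.<domain> TXT lookups.
SAMPLE_POLICIES = {
    "bank.example": "reject",
    "news.example": "quarantine",
    "lists.example": "none",
}

_parse = HeaderRegistry()  # standard-library RFC 5322 header parser


def from_domains(from_value):
    """Return the sorted, de-duplicated domains of every mailbox in From.

    An address-free group such as "Undisclosed:;" (RFC 6854) yields [].
    """
    header = _parse("From", from_value)
    return sorted({a.domain.lower() for a in header.addresses if a.domain})


def strictest_policy(from_value, policies=SAMPLE_POLICIES):
    """Option 1: evaluate every From domain, apply the strictest policy."""
    published = [policies[d] for d in from_domains(from_value) if d in policies]
    if not published:
        return None  # no domain publishes DMARC, or no address at all
    return max(published, key=STRICTNESS.__getitem__)


def multi_from_invalid(from_value, policies=SAMPLE_POLICIES):
    """Alternative: multi-valued From is invalid if any domain has a policy."""
    header = _parse("From", from_value)
    if len(header.addresses) < 2:
        return False
    return any(d in policies for d in from_domains(from_value))
```

An address-free group gives no domain to look up, so `strictest_policy` returns `None` for it; what result a receiver should record in that case is the question the message leaves open.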
