> >What sort of remedy would you suggest here?  Off the top of my head, here
> >are some suggestions:
> >
> >1) Evaluate all the domains you find, and if any of them have published
> >DMARC policies, apply the strictest one ...

> Given the anti-phishing goals of DMARC, I don't see how anything else
> makes any sense.  Or you could skip a step, say that DMARC doesn't
> permit multi-address From headers, assume that validation failed on
> all of the domains and proceed directly to the punishment phase.

That's fine if any of the domains have an associated DMARC record - of any
sort. My concern is the case where none of them do, or when there
are no domains present.

> For From: headers with address-free groups, recall that the motivation
> for this was EAI downgrades at delivery time.  The un-downgraded
> message had a normal From: header, so normal DMARC applies.  If the
> address is smashed in the downgrade I don't see any reason that the
> DMARC result needs to change.

Neither do I.

> It also happens to enable an alternative to those
> do-not-re...@bigbank.com addresses in mail from robots, something I
> haven't seen yet, but wouldn't be totally silly.  I'd say that
> whatever you do with them is out of scope for DMARC.

That's exactly my position. If you want to reject them on the basis that
they mess up user agents, you have a pathological hatred of group
syntax, or whatever, fine. Local policy choices always win.

But DMARC should not be saying that valid things should be rejected when
there are no DMARC records in sight.

                                Ned

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
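
The policy selection discussed in this thread, as an added example that is not part of the original message or of any DMARC specification: collect every domain in the From: header, apply the strictest published policy, and return no DMARC result when no domain publishes a record or the header contains only an address-free group. The function names, the `.example` domains and the dictionary standing in for `_dmarc` DNS lookups are assumptions made for illustration; authentication checks (SPF/DKIM alignment) and organizational-domain fallback are not modelled.

```python
from email.policy import default as email_policy

# Ordering of DMARC "p=" values from weakest to strictest.
STRICTNESS = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample data: stands in for TXT lookups at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "bigbank.example": "reject",
    "lists.example": "none",
}


def from_domains(from_value):
    """Return the distinct domains of all mailboxes in a From: header value.

    Group syntax is flattened by the parser, so an address-free group
    such as "Robots:;" yields an empty list.
    """
    header = email_policy.header_factory("From", from_value)
    return sorted({a.domain.lower() for a in header.addresses if a.domain})


def effective_policy(from_value, lookup):
    """Pick the strictest policy published by any From: domain.

    `lookup` maps a domain to "none", "quarantine" or "reject", or to
    None when the domain publishes no DMARC record.
    Returns None when there is no record in sight, meaning DMARC has
    nothing to say and only local policy applies.
    """
    published = [lookup(d) for d in from_domains(from_value)]
    published = [p for p in published if p in STRICTNESS]
    if not published:
        return None
    return max(published, key=STRICTNESS.__getitem__)


if __name__ == "__main__":
    for value in ("alice@lists.example, bob@bigbank.example",
                  "Robots:;",
                  "a@nowhere.example, b@other.example"):
        print(repr(value), "->", effective_policy(value, SAMPLE_RECORDS.get))
```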
