On 6/23/20 11:49 AM, Dave Crocker wrote:
> So... what if DMARC's semantic were really for the Sender: field?  If
> a message has no separate Sender: field, then of course the domain in
> the From: field is used.
>
> This would produce obvious possibilities:
>
>    From: someone@goodplace.example
>    Sender: someone@goodplace.example
>
> and
>
>    From: someone@goodplace.example
>    Sender: some...@mlm.example.com
>
> where there might be a dmarc record for mlm.example.com
>
> The modification to DMARC would be "look for Sender: and if it isn't
> present, look for From:".
>
> Obviously, mlm.example.com might instead be badactor.example.com.
>
> but we already have to deal with cousin domains, and DMARC does
> nothing about them.
>
> So if Sender: wouldn't be as useful as From:, why not?

This makes a lot of sense to me, assuming of course that the WG comes to
rough consensus that alignment specifically with the From: domain isn't
necessary. (My personal position is that it's not.)

I do have a concern about Sender:. It has existing semantics defined in
RFC 5322 Section 3.6.2, and this proposal might conflict with that
(IETF's current MLM usage may, as well). But that possible problem could
be avoided by inventing a new header field (I can't believe I'm
suggesting that); it could be DMARC-Sender: or something like that. If
we're going to avoid From: rewriting, we need to have something that
specifies where to retrieve the DMARC record from.

But as stated above, [DMARC-]Sender: could be badactor.example.com, so
it should be clear that DMARC is not going to prevent bad actors from
doing anything. It is still useful as a reporting mechanism to detect
unintended breakage of message authentication. But I can't think of a
reason that the policy mechanism is useful at all.

-Jim



_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
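
The lookup rule proposed in the thread, set beside current DMARC behaviour, as an added example (not code from either poster or from any DMARC implementation). The function names and the list and third-party Sender: addresses are constructed for illustration; the fallback to the organizational domain that real DMARC performs is left out.

```python
from email import message_from_string
from email.utils import getaddresses


def header_domain(msg, name):
    """Lowercased domain of the first usable address in header `name`, else None."""
    for _display, addr in getaddresses(msg.get_all(name, [])):
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return None


def policy_domain(raw_message, sender_first):
    """Domain whose DMARC record is consulted.

    sender_first=False: current DMARC (From: domain).
    sender_first=True:  rule proposed in the thread (Sender:, else From:).
    """
    msg = message_from_string(raw_message)
    if sender_first:
        domain = header_domain(msg, "Sender")
        if domain:  # an empty or unparseable Sender: falls back to From:
            return domain
    return header_domain(msg, "From")


def dmarc_query_name(domain):
    # DMARC records are TXT records published at _dmarc.<domain>.
    return "_dmarc." + domain


# Constructed sample messages; only the header fields matter here.
FROM = "From: someone@goodplace.example\n"
SAMPLES = {
    "no Sender": FROM + "\nbody\n",
    "same Sender": FROM + "Sender: someone@goodplace.example\n\nbody\n",
    "list Sender": FROM + "Sender: list@mlm.example.com\n\nbody\n",
    "other Sender": FROM + "Sender: x@badactor.example.com\n\nbody\n",
}


def compare(samples=SAMPLES):
    """Map label -> (name queried today, name queried under the Sender-first rule)."""
    return {
        label: tuple(dmarc_query_name(policy_domain(raw, f)) for f in (False, True))
        for label, raw in samples.items()
    }


if __name__ == "__main__":
    for label, (today, proposed) in compare().items():
        print(f"{label:13} today={today:26} proposed={proposed}")
```

In the last two samples the goodplace.example record is never queried under the Sender-first rule, so whatever policy that domain publishes has no effect on the message.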
