Hi,

   The domain in the RFC5322.From header field is extracted as the
   domain to be evaluated by DMARC.  If the domain is encoded with UTF-
   8, the domain name must be converted to an A-label, as described in
   Section 2.3 of [RFC5890], for further processing.

Why? That paragraph is almost identical to its 7489 version. However, since then, RFC 8616 established that d= in DKIM signatures is a U-label. In that case, to check alignment, the domain name must be converted to a U-label. Of course, to perform a DNS lookup, names must be converted to A-labels. To use the PSL, for those who do, names must be converted to U-labels. In one sentence, a verifier must be prepared to convert domain names as needed.

I'd just strike that paragraph.


   Multi-valued RFC5322.From header fields with multiple
   domains MUST be exempt from DMARC checking.

Can't we do better than that? Adding a second author to a message, in such a way that it goes unnoticed when displayed by a MUA, can be an attack path. Possible alternatives:

* Check the domain of the first mailbox,

* Check all the domains, all must pass.


Best
Ale
--
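Added example (written for this page; it is not Ale's code, nor from any IETF draft or DMARC implementation) illustrating both points in the message above: a verifier that converts domain names between A-label and U-label form as needed for alignment, DNS and PSL use, and that evaluates a multi-valued From: header under the two proposed policies ("first mailbox" and "all must pass") instead of exempting it. Assumptions: the IDNA conversion uses Python's standard-library punycode codec plus NFC normalisation and lower-casing only and does not perform full RFC 5890/5891 validation; the PSL is a tiny constructed stand-in; all header values and d= tags are constructed sample data.

```python
import unicodedata
from email.utils import getaddresses

ACE_PREFIX = "xn--"

# Constructed stand-in for the Public Suffix List. The real list is published
# in U-label form, which is why lookups below convert to U-labels first.
PSL_ULABELS = {"example", "co.example", "испытание"}


def to_alabel(domain: str) -> str:
    """Every label in A-label (ASCII, punycode) form, e.g. for DNS lookups.
    Simplified IDNA: NFC + lower-case + punycode, no RFC 5891 validation."""
    domain = unicodedata.normalize("NFC", domain.lower()).rstrip(".")
    out = []
    for label in domain.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append(ACE_PREFIX + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def to_ulabel(domain: str) -> str:
    """Every label in U-label (Unicode) form, e.g. for PSL lookups or for
    comparing against an RFC 8616 style d= tag."""
    domain = domain.lower().rstrip(".")
    out = []
    for label in domain.split("."):
        if label.startswith(ACE_PREFIX):
            out.append(label[len(ACE_PREFIX):].encode("ascii").decode("punycode"))
        else:
            out.append(unicodedata.normalize("NFC", label))
    return ".".join(out)


def organizational_domain(domain: str, psl=PSL_ULABELS) -> str:
    """Longest public suffix plus one label, matched in U-label form."""
    labels = to_ulabel(domain).split(".")
    for i in range(len(labels)):          # i=0 is the longest suffix
        if ".".join(labels[i:]) in psl:
            return ".".join(labels) if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])          # fallback: treat the TLD as suffix


def aligned(from_domain: str, dkim_d: str, mode: str = "r") -> bool:
    """DMARC identifier alignment; compares in a single canonical form so
    that a d= given as U-label still aligns with an A-label From domain."""
    if mode == "s":
        return to_alabel(from_domain) == to_alabel(dkim_d)
    return to_alabel(organizational_domain(from_domain)) == \
        to_alabel(organizational_domain(dkim_d))


def dmarc_dns_name(from_domain: str) -> str:
    """Name to query for the policy record: DNS needs A-labels."""
    return "_dmarc." + to_alabel(from_domain)


def from_domains(from_header: str) -> list:
    """All domains in an RFC5322.From value, in header order."""
    domains = []
    for _name, addr in getaddresses([from_header]):
        if "@" in addr:
            domains.append(addr.rsplit("@", 1)[1])
    return domains


def from_check(from_header: str, dkim_d: str, policy: str = "first",
               mode: str = "r") -> bool:
    """Evaluate a possibly multi-valued From: header.
    policy="first": only the first mailbox's domain must align.
    policy="all":   every mailbox's domain must align."""
    doms = from_domains(from_header)
    if not doms:
        return False
    if policy == "first":
        return aligned(doms[0], dkim_d, mode)
    if policy == "all":
        return all(aligned(d, dkim_d, mode) for d in doms)
    raise ValueError("unknown policy: " + policy)


# Constructed sample data.
FROM_SINGLE = "Alice <alice@mail.bücher.example>"
FROM_MULTI = "Alice <alice@mail.bücher.example>, Mallory <m@attacker.example>"
DKIM_D_A = "xn--bcher-kva.example"   # d= as an A-label
DKIM_D_U = "bücher.example"          # d= as a U-label (RFC 8616 style)

if __name__ == "__main__":
    print(dmarc_dns_name(from_domains(FROM_SINGLE)[0]))
    print(from_check(FROM_MULTI, DKIM_D_U, "first"), from_check(FROM_MULTI, DKIM_D_U, "all"))
```

With the sample data, the single-author message aligns in relaxed mode whichever form d= is given in, while the two-author message passes under "first" and fails under "all", which is the difference between the two alternatives proposed above.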
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
