I have trouble with this statement in section 5.7.1: "Multi-valued RFC5322.From header fields with multiple domains MUST be exempt from DMARC checking."
This language will serve as an invite for spammers to create multiple-from messages to ensure that they will evade DMARC. To avoid creating security holes, we need to bring this configuration within scope.

Here is a proposal:

To ensure DMARC PASS, senders MUST ensure that each RFC5322.From address evaluates to a PASS result independently. Evaluators may choose to evaluate one, some, or all of the addresses. For example, evaluators may choose to evaluate to the first Fail result, and then disposition the message based on that failure. RFC5322 does not specify a maximum number of allowed From addresses, but evaluators may choose to impose a limit to prevent abuse of evaluator resources. DMARC reporting is based on the single RFC5322.From address which is most important for the evaluator's disposition decision.

Doug Foster
dmarc mailing list: dmarc@ietf.org, https://www.ietf.org/mailman/listinfo/dmarc
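The evaluation rule proposed in the post above, written out as an added example (not code from the post or from any DMARC implementation): every domain in a multi-valued From header must pass independently, evaluation short-circuits on the first failure, an evaluator-chosen address limit guards against resource abuse, and the domain returned alongside the result is the one the report would be keyed on. The per-domain outcomes in `SAMPLE_RESULTS` and the limit `MAX_FROM_ADDRESSES` are constructed placeholders standing in for a real SPF/DKIM alignment check.

```python
from email.utils import getaddresses

# Constructed per-domain DMARC outcomes; a real evaluator would derive these
# from SPF/DKIM alignment results for the message, not from a table.
SAMPLE_RESULTS = {
    "example.com": "pass",
    "example.net": "fail",
    "example.org": "pass",
}

MAX_FROM_ADDRESSES = 5  # hypothetical evaluator-chosen limit on From addresses


def from_domains(from_header):
    """Return the lowercased domain of every address in a From header value,
    or None if any address is malformed (no '@'), so the caller can fail closed."""
    domains = []
    for _name, addr in getaddresses([from_header]):
        if "@" not in addr:
            return None
        domains.append(addr.rsplit("@", 1)[1].lower())
    return domains


def evaluate_multi_from(from_header, lookup, limit=MAX_FROM_ADDRESSES):
    """Apply the proposed rule to a multi-valued From header.

    lookup(domain) returns "pass" or anything else for a failed/unknown result.
    Returns (result, domain): result is "pass" only if every address passes
    independently; domain is the single address most relevant to the
    disposition (the first failing domain, or the first domain on pass).
    """
    domains = from_domains(from_header)
    if not domains:
        return ("fail", None)          # empty or malformed header: fail closed
    if len(domains) > limit:
        return ("fail", domains[0])    # too many addresses: resource-abuse guard
    for domain in domains:
        if lookup(domain) != "pass":
            return ("fail", domain)    # disposition based on the first failure
    return ("pass", domains[0])
```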