The purpose of DMARC is to demonstrate that the purported author (From) is
either the actual author or the authorized agent of the actual author.

Because of practical difficulties, this is an indirect process:   DMARC
PASS demonstrates that a specific sending domain is authorized to speak on
behalf of the purported author's domain.

We then presume that the local-part is authorized at origination.   This
occurs either
(a) because the Mail From account was authenticated by the MSA and we have
SPF alignment, or
(b) because the Mail From account was authenticated by the MSA and its
administrative controls ensure that other-domain signatures are only
applied to Mail From accounts that have been duly authorized to use it.

For forwarding, we accept aligned DKIM PASS because it implies that those
criteria were met at origination, and the signature was preserved during
transit.

All of this falls apart with multiple From domains.    SPF-alignment can
only authenticate one Mail From account to one domain.   ESPs have the
sophistication to generate different DKIM signatures for different clients,
but they only serve one client per message.

Every way I look at the problem, I conclude that:
- If an MSA thinks it has reason to send a message with multiple From
domains, it will either lack the ability or lack the controls to ensure
that this is done with proper authorization.
- If an MSA has the ability to authenticate multiple authors, it is an ESP
which has no reason to send messages from multiple author domains because
it only serves one client per message.

Email is not a legal document.  If someone wants to assert multiple
authorship, they should use the Friendly Name and Body closing to assert
this information.  If someone insists on sending messages with multiple
From domains, the message will be received as not fully authenticated and
will be at the mercy of the receiving system to decide whether that
incomplete authentication is acceptable.

Doug Foster
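
As an added illustration (my own sketch, not code from this thread or any implementation), a minimal alignment evaluator showing the point above: a second From domain stays unauthenticated unless it has its own aligned DKIM signature, because SPF can align with only one domain. The organizational-domain rule is simplified to the last two labels instead of the Public Suffix List, and "every From domain must have an aligned pass" is the criterion assumed here, not text from RFC 7489.

```python
from dataclasses import dataclass, field


@dataclass
class AuthResults:
    """Inputs a DMARC evaluator has at hand (constructed for this example)."""
    from_domains: list                      # every domain found in From:
    mail_from_domain: str                   # RFC5321.MailFrom domain
    spf_result: str                         # "pass" / "fail" / "none"
    dkim: list = field(default_factory=list)  # [(d= domain, result), ...]


def org_domain(domain):
    # Simplified: organizational domain = last two labels.
    # A real evaluator consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict=False):
    a, b = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)


def evaluate(res, strict=False):
    """Per-From-domain verdict: 'pass' if an aligned SPF or DKIM pass exists."""
    verdict = {}
    for fd in res.from_domains:
        spf_ok = res.spf_result == "pass" and aligned(res.mail_from_domain, fd, strict)
        dkim_ok = any(r == "pass" and aligned(d, fd, strict) for d, r in res.dkim)
        verdict[fd] = "pass" if (spf_ok or dkim_ok) else "fail"
    return verdict


def fully_authenticated(res, strict=False):
    # Assumed criterion: every From domain needs its own aligned pass.
    return all(v == "pass" for v in evaluate(res, strict).values())


if __name__ == "__main__":
    # Constructed sample: two From domains, SPF aligns with the first only,
    # and the MSA signed with d=example.com only.
    two = AuthResults(["example.com", "other.org"], "bounce.example.com",
                      "pass", [("example.com", "pass")])
    print(evaluate(two), fully_authenticated(two))
    # Constructed sample: an ESP-style MSA adding one aligned signature per author.
    both = AuthResults(["example.com", "other.org"], "esp.net", "pass",
                       [("example.com", "pass"), ("other.org", "pass")])
    print(evaluate(both), fully_authenticated(both))
```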

On Tue, Jan 16, 2024 at 5:03 AM Alessandro Vesely <ves...@tana.it> wrote:

> On Mon 15/Jan/2024 20:49:35 +0100 John Levine wrote:
> > It appears that Scott Kitterman  <skl...@kitterman.com> said:
> >> I don't think that's sensible at all.  It's not the place of a signing filter to modify the message.
>
>
> A signing filter, as part of an MSA _has to_ modify the message in order to enhance the possibility that it is transmitted correctly.  Besides usual changes belonging to the core MSA, such as setting Date:, a signing filter shall take care of signature breaking cases, such as lines beginning with "from ".
>
>
> >> I think it would be reasonable to either add a signature for each from domain or to decline to sign it at all, but since DKIM doesn't care about from domain at all, I think it would be up to whatever calls the signing filter to specify.
>
> Not signing and/or leaving a multi-valued From: as is certainly is not a good service for the users, if they meant their message to be delivered.
>
> Some receivers reject messages with multi-valued From: —after DMARC.  OTOH, MUAs allow it, rightly following the RFCs.  What's the way out?
>
>
> > I agree but I'd be more inclined to say don't sign at all, since
> > multi-valued From headers are rare and as likely as not to be a
> > mistake.
>
>
> A use case is when submitting co-authored articles or notes.  Yes, it is rare to type a message four hands, but it can happen, and banning the possibility to correctly identify the authors is harsh.
>
>
> Thinking twice, saving the original multi-value to Author: is not enough to have replies reach every author.  Better also use Reply-To:.
>
>
> Best
> Ale
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc