Even in the unlikely event that all From addresses can be authenticated
with DKIM, the result still cannot be trusted.   It would be easy for an
attacker to anticipate signatures that will be added in transit, and use
those signatures to create false authentication.

RFC 7489 treats a multiple-domain FROM address as if all listed domains
returned NO POLICY.   This is clearly a security hole.   I have no trouble
imagining a successful phishing attack that uses two high-visibility
p=reject brands to trigger users to open a link or an attachment, but I
will omit elaboration since these discussion archives are
publicly available.   The assertion that such attacks are not yet known is
not a reason to conclude that they will never happen in the future.

Below is some proposed language for the document.
Doug Foster

Multiple From
-------------
A basic characteristic of email systems is that messages are generated in
the context of a single authentication event, validating either a user
account within a mail store domain, or a single client account within a
service provider domain.   As such, DMARC can validate at most one From
address, because at most one authenticated account was used to initiate the
message.

Malicious actors may anticipate DKIM signatures that will be added during
routine message processing, in an attempt to make a multiple-domain From
header appear to have multiple authorizations, but this only hides the fact
that every message begins with a single authentication event.

Consequently, the DMARC result for any multiple-address From header is
always FAIL.   DMARC policies for each listed domain may be consulted to
determine recommended failure handling, and to determine reporting
destinations.


On Sat, Feb 3, 2024 at 8:08 AM Alessandro Vesely <ves...@tana.it> wrote:

> On Sun 28/Jan/2024 14:39:55 +0100 I wrote:
> > [...]
> > To handle appropriately means receivers are on their own w.r.t DMARC.)  It
> > is a hole:
> >
> >      From: presid...@whitehouse.gov <lots of whitespace>, user@attackdomain
> >
> > [...]
> > For Sender:, instead, we need to also require that the aligned domain be the
> > one of the _first_ From: mailbox.
>
>
> That was a hallucination:
>
>       From: "_" <dontseeme@attackdomain>, presid...@whitehouse.gov
>
> So the only solution, AFAICS, is to check each From: domain.  Possibly put a
> limit on the maximum number of domains accepted by policy.  Setting such limit
> to 1 would be disagreeable as it breaks SMTP; but, from a security POV, still
> better than skipping the message in such cases.
>
>
> Best
> Ale
> --
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
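The rule proposed in the message above (a From: header carrying more than one mailbox evaluates to FAIL regardless of which DKIM signatures are present, with every listed domain's policy consulted for disposition and reporting), as an added worked example that is not part of this thread or of any DMARC implementation. The policy table, domains and headers are constructed; two of the headers are modelled on the padded-whitespace and hidden-display-name cases quoted above. The organizational-domain step is simplified to the last two labels in place of a Public Suffix List lookup, and the DKIM verification result is supplied as an input rather than computed.

```python
"""Evaluate a From: header under the 'multiple From => FAIL' rule.

Added illustration, not the IETF text or any verifier's code.  All
domains, policies and headers below are constructed for the example.
"""
import email.utils

# Constructed DMARC policy table (assumption): domain -> p= value,
# None means the domain publishes no DMARC record.
POLICIES = {
    "brand.example": "reject",
    "other-brand.example": "quarantine",
    "attacker.example": None,
}
SEVERITY = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed headers.  'pad' and 'hidden' mirror the two shapes discussed
# in the thread: brand first with the attacker pushed out of view by
# whitespace, and attacker first behind an innocuous display name.
SAMPLES = {
    "single": "Alice <alice@brand.example>",
    "pad": "ceo@brand.example" + " " * 60 + ", user@attacker.example",
    "hidden": '"_" <dontseeme@attacker.example>, ceo@brand.example',
}


def from_domains(from_header):
    """Domain of every mailbox in the From: header, in header order."""
    domains = []
    for _display, addr in email.utils.getaddresses([from_header]):
        if "@" in addr:
            domains.append(addr.rsplit("@", 1)[1].strip().lower().rstrip("."))
    return domains


def org_domain(domain):
    """Organizational domain.  Simplification (assumption): the last two
    labels; a real verifier consults the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain, auth_domain, relaxed=True):
    """RFC 7489 identifier alignment between a From domain and the d= of a
    verified DKIM signature (relaxed = same organizational domain)."""
    if relaxed:
        return org_domain(from_domain) == org_domain(auth_domain)
    return from_domain == auth_domain


def evaluate(from_header, dkim_domains, policies=POLICIES):
    """Return the DMARC result, the domains whose policies are consulted,
    and the strictest disposition those policies request on failure."""
    domains = from_domains(from_header)
    if not domains:
        return {"result": "fail", "reason": "no From domain",
                "consult": [], "disposition": "none"}
    consult = list(dict.fromkeys(domains))  # unique domains, order kept
    if len(domains) > 1:
        # Proposed rule: a message is created by exactly one authentication
        # event, so two mailboxes can never both have been authenticated.
        # The result is FAIL no matter which signatures are present; every
        # listed domain's policy is still consulted for disposition and
        # reporting.  (RFC 7489 instead treats the multi-domain case as if
        # no policy were published at all.)
        result, reason = "fail", "multiple From addresses"
    else:
        ok = any(aligned(consult[0], d) for d in dkim_domains)
        result = "pass" if ok else "fail"
        reason = "aligned DKIM" if ok else "no aligned authentication"
    policy = max((policies.get(d) or "none" for d in consult),
                 key=SEVERITY.__getitem__)
    return {"result": result, "reason": reason, "consult": consult,
            "disposition": policy if result == "fail" else "none"}


def pick_by_position(from_header, which):
    """The position-based heuristic the thread rejects: treat the first or
    the last mailbox's domain as 'the' From domain.  Each sample header
    defeats one of the two choices."""
    domains = from_domains(from_header)
    if not domains:
        return None
    return domains[0] if which == "first" else domains[-1]


if __name__ == "__main__":
    # Assume a verified signature with d=brand.example is present on every
    # message (the anticipated-in-transit signature the text describes).
    for name, hdr in SAMPLES.items():
        r = evaluate(hdr, dkim_domains=["brand.example"])
        print(f"{name:7} first={pick_by_position(hdr, 'first')!s:17} "
              f"last={pick_by_position(hdr, 'last')!s:17} -> "
              f"{r['result']} ({r['reason']}); disposition={r['disposition']}; "
              f"report to {r['consult']}")
```

Run stand-alone, the 'pad' header aligns with the brand under a take-the-first heuristic and the 'hidden' header aligns under take-the-last, which is the point made in the quoted exchange; the address-count rule returns FAIL for both and selects the brand's p=reject as the disposition because it is the strictest of the listed policies.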