Checking each domain poses some restrictions on adding more authors on the From: line. As you say, even if a message is written with four hands, current MSA standards only allow one author to authenticate. Depending on outgoing filters' capabilities, the message will likely get a dmarc=pass in the following cases:

* all author domains have p=none,
* all authors belong to the same domain and a DKIM signature validates it,
* the MSA has the keys of each author domain, and adds each signature,
* some author domains are covered by DKIM signatures, the rest have p=none.

If those conditions sound too harsh, they're still more permissive than banning multiple From: altogether.

Receivers checking each author domain means that they apply the worst policy found in the set of non-authenticated domains. That way there's no way you can impersonate a strict-policy domain.


Best
Ale


On Sun 04/Feb/2024 10:50:25 +0100 Douglas Foster wrote:


Even in the unlikely event that all From addresses can be authenticated
with DKIM, the result still cannot be trusted.   It would be easy for an
attacker to anticipate signatures that will be added in transit, and use
those signatures to create false authentication.

RFC 7489 treats a multiple-domain FROM address as if all listed domains
returned NO POLICY.   This is clearly a security hole.   I have no trouble
imagining a successful phishing attack that uses two high-visibility
p=reject brands to trigger users to open a link or an attachment, but I
will omit elaboration since these discussion archives are
publicly available.   The assertion that such attacks are not yet known is
not a reason to conclude that they will never happen in the future.

Below is some proposed language for the document.
Doug Foster

Multiple From
-------------
A basic characteristic of email systems is that messages are generated in
the context of a single authentication event, validating either a user
account within a mail store domain, or a single client account within a
service provider domain.   As such, DMARC can validate at most one From
address, because at most one authenticated account was used to initiate the
message.

Malicious actors may anticipate DKIM signatures that will be added during
routine message processing, in an attempt to make a multiple-domain From
header appear to have multiple authorizations, but this only hides the fact
that every message begins with a single authentication event.

Consequently, the DMARC result for any multiple-address From header is
always FAIL.   DMARC policies for each listed domain may be consulted to
determine recommended failure handling, and to determine reporting
destinations.


On Sat, Feb 3, 2024 at 8:08 AM Alessandro Vesely <ves...@tana.it> wrote:

On Sun 28/Jan/2024 14:39:55 +0100 I wrote:
[...]
To handle appropriately means receivers are on their own w.r.t. DMARC.) It
is a hole:

     From: presid...@whitehouse.gov <lots of whitespace>, user@attackdomain

[...]
For Sender:, instead, we need to also require that the aligned domain be the
one of the _first_ From: mailbox.


That was a hallucination:

      From: "_" <dontseeme@attackdomain>, presid...@whitehouse.gov

So the only solution, AFAICS, is to check each From: domain.  Possibly put a
limit on the maximum number of domains accepted by policy.  Setting such limit
to 1 would be disagreeable as it breaks SMTP; but, from a security POV, still
better than skipping the message in such cases.


Best
Ale
--




_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc


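The receiver-side rule from Ale's top message (check every From: domain, pass only when each is authenticated or publishes p=none, otherwise apply the strictest policy among the unauthenticated ones) and the domain cap from the earlier quoted message, worked through in code. This is an added example, not code from the dmarc list, the DMARC drafts or any DMARC implementation. The `POLICIES` table stands in for `_dmarc` DNS lookups, the domains and headers are constructed to mirror the two From: tricks quoted in the thread, a domain with no record is treated like p=none, and the cap of four domains and the choice to credit no authentication above that cap are assumptions of the example.

```python
"""Per-domain DMARC evaluation of a multi-mailbox From: header.

Added example for the discussion above.  Illustrative code, not from the
dmarc list or any DMARC implementation; the policy table, domains and
headers are constructed for the example.
"""
from email.utils import getaddresses

# Constructed stand-in for _dmarc TXT lookups: domain -> published p= tag.
# A domain missing from the table publishes no DMARC record.
POLICIES = {
    "brand.example": "reject",
    "bank.example": "quarantine",
    "partner.example": "none",
}

SEVERITY = {"none": 0, "quarantine": 1, "reject": 2}


def author_domains(from_header):
    """Lowercased domain of every mailbox on the From: line, in order.

    getaddresses() strips display names, comments and the whitespace
    padding used in the thread's examples, so the attacker's mailbox is
    seen whether it is first, last or hidden behind a "_" display name.
    """
    domains = []
    for _name, addr in getaddresses([from_header]):
        if "@" not in addr:
            raise ValueError(f"unparseable mailbox in From: {addr!r}")
        domains.append(addr.rsplit("@", 1)[1].strip().lower())
    if not domains:
        raise ValueError("empty From: header")
    return domains


def published_policy(domain):
    """p= value for a domain; no record is treated like p=none here (assumption)."""
    return POLICIES.get(domain, "none")


def evaluate(from_header, authenticated, max_domains=4):
    """Return (result, policy) for a possibly multi-author From: line.

    authenticated: set of domains covered by a valid, aligned DKIM
    signature (or aligned SPF).  The message passes only when every
    author domain is either authenticated or publishes p=none; otherwise
    it fails and the strictest policy among the unauthenticated domains
    is applied, so a strict-policy domain cannot ride along with a
    weaker one.  max_domains is the per-receiver cap from the thread
    (assumed value); beyond it no authentication is credited at all.
    """
    domains = author_domains(from_header)
    if len(domains) > max_domains:
        authenticated = set()
    unsatisfied = [
        d for d in domains
        if d not in authenticated and published_policy(d) != "none"
    ]
    if not unsatisfied:
        return "pass", "none"
    worst = max(unsatisfied, key=lambda d: SEVERITY[published_policy(d)])
    return "fail", published_policy(worst)


if __name__ == "__main__":
    # Constructed headers mirroring the thread's two tricks: the strict
    # domain padded with whitespace before the attacker's mailbox, and the
    # attacker's mailbox hidden behind a "_" display name in first position.
    cases = [
        ("alice@brand.example, bob@partner.example", {"brand.example"}),
        ('"_" <dontseeme@attacker.example>, ceo@brand.example', {"attacker.example"}),
        ("ceo@brand.example          , user@attacker.example", set()),
        ("cfo@bank.example, ceo@brand.example", {"bank.example", "brand.example"}),
    ]
    for hdr, auth in cases:
        print(f"{hdr!r:70} -> {evaluate(hdr, auth)}")
```

The point the example makes is that the attacker's own DKIM signature on `attacker.example` buys nothing: the unsigned `brand.example` mailbox is still on the line, and its p=reject is what gets applied. Which mailbox comes first is irrelevant once every domain is checked, which is why the earlier "first From: mailbox" idea was abandoned in the thread.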