On Saturday, February 10, 2024 7:39:37 PM EST Murray S. Kucherawy wrote:
> On Sat, Feb 10, 2024 at 12:34 PM Jim Fenton <fen...@bluepopcorn.net> wrote:
> > > No, it's perfectly fine to declare that DMARC only applies to certain
> > > classes of messages.
> >
> > This actually concerns me a bit. If having multiple From: addresses causes
> > a message to be out of scope for DMARC and therefore bypass a p=reject
> > policy, that sounds like a reason that attackers might start sending
> > messages with multiple From: addresses in order to accomplish that.
>
> What we said in RFC 7489, and what I think we're saying here, is that
> experience (at the time of that RFC, at least) suggests that such messages,
> even though they're legal by RFC 5322, tend to get dropped or rejected
> before they get to any DMARC engine because they're considered unusual or
> dangerous or some other concerning adjective, so it was sufficient to call
> them out of scope. I believe Gmail has indicated that messages that do
> have a multi-valued From tend to clearly be spam or other abuse.
>
> What that tells me is that it would be reasonable for a receiver to discard
> or reject them before they even get to DMARC, meaning we don't have to
> worry about it in DMARC directly.
>
> If we decide we need to make DMARC bulletproof even in this case, then
> perhaps the move is indeed to codify the "check them all" logic that's been
> suggested. But I don't think we can say in this document that multi-valued
> From is no longer valid; that's perhaps in EMAILCORE's scope, not in ours.

Are we waiting for anything else before WGLC? I suggest we put in some non-normative words about check them all and move on. Let's throw this thing over the finish line.

Scott K
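
The two receiver-side options discussed in this thread, as an added example that is not part of the original messages or of any DMARC implementation: rejecting a multi-valued From before DMARC runs, and a "check them all" evaluation. Assumptions: "check them all" is taken to mean every From domain must be aligned and the strictest policy among the unaligned ones applies; alignment is strict (exact match); the function names, sample message and policy table are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample: two author addresses in one From: field.
MULTI = (
    "From: Alice <alice@example.com>, Bob <bob@example.net>\n"
    "To: carol@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
# Constructed stand-in for DNS lookups of each domain's published p= value.
POLICIES = {"example.com": "reject", "example.net": "none"}


def from_domains(raw_message):
    """Domains of every mailbox in every From: header field, in order."""
    msg = message_from_string(raw_message)
    fields = [str(v) for v in msg.get_all("From", [])]
    return [addr.rsplit("@", 1)[1].lower()
            for _name, addr in getaddresses(fields) if "@" in addr]


def reject_before_dmarc(raw_message):
    """Option 1: refuse a multi-valued (or missing) From before DMARC runs."""
    return len(from_domains(raw_message)) != 1


def check_them_all(raw_message, authenticated, policies):
    """Option 2 (assumed semantics): every From domain must be aligned.

    `authenticated` is the set of SPF/DKIM-authenticated domains; alignment
    here is strict (exact match) to avoid needing a public suffix list.
    Returns "pass" or the strictest policy among the unaligned domains.
    """
    domains = from_domains(raw_message)
    if not domains:
        return "reject"  # assumption: no parseable author is treated as failing
    failing = [d for d in domains if d not in authenticated]
    if not failing:
        return "pass"
    return max((policies.get(d, "none") for d in failing), key=RANK.get)


if __name__ == "__main__":
    print(from_domains(MULTI))
    print(reject_before_dmarc(MULTI))
    print(check_them_all(MULTI, {"example.net"}, POLICIES))
```

In the constructed sample only example.net is authenticated, so the p=reject published for example.com still applies under "check them all" instead of being skipped as out of scope.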