Re: [dmarc-ietf] dmarcbis-04, 5.7.1. Extract Author Domain
It appears that Alessandro Vesely said:
>Hi,
>
>The domain in the RFC5322.From header field is extracted as the
>domain to be evaluated by DMARC. If the domain is encoded with UTF-8,
>the domain name must be converted to an A-label, as described in
>Section 2.3 of [RFC5890], for further processing.
>
>Why? That paragraph is almost identical to its 7489 version. However, since
>then, RFC 8616 established that d= in DKIM signatures is a U-label. In that
>case, to check alignment, the domain name must be converted to U-label. Of
>course, to perform a DNS lookup names must be converted to A-label. To use the
>PSL, for those who do, names must be converted to U-label. In one sentence, a
>verifier must be prepared to convert domain names as needed.
>
>I'd just strike that paragraph.

If you have EAI mail, which you do if you have a UTF-8 domain in a From header, the U-label form is preferred.

It'd be better to say that in an EAI environment, A-labels and U-labels are equivalent, and per RFC 8616 you should use the U-label in A-R headers.

Don't have a strong opinion about what goes into the reports but in aggregate reports, A-labels would likely surprise fewer people.

R's,
John

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

[dmarc-ietf] dmarcbis-04, 5.7.1. Extract Author Domain
Hi,

The domain in the RFC5322.From header field is extracted as the domain to be evaluated by DMARC. If the domain is encoded with UTF-8, the domain name must be converted to an A-label, as described in Section 2.3 of [RFC5890], for further processing.

Why? That paragraph is almost identical to its 7489 version. However, since then, RFC 8616 established that d= in DKIM signatures is a U-label. In that case, to check alignment, the domain name must be converted to U-label. Of course, to perform a DNS lookup names must be converted to A-label. To use the PSL, for those who do, names must be converted to U-label. In one sentence, a verifier must be prepared to convert domain names as needed.

I'd just strike that paragraph.

Multi-valued RFC5322.From header fields with multiple domains MUST be exempt from DMARC checking.

Cannot we do better than that? Adding a second author to a message, in such a way that it goes unnoticed when displayed by a MUA, can be an attack path. Possible alternatives:

* Check the domain of the first mailbox,
* Check all the domains, all must pass.

Best
Ale
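
Added example, not part of either message or of the draft: one way a verifier can treat A-labels and U-labels as equivalent when comparing an RFC5322.From domain with a DKIM d= value, together with the two multi-author alternatives listed above. It assumes strict alignment only (no PSL lookup), uses Python's built-in `idna` codec (IDNA2003) as a stand-in for RFC 5890 conversion, and all function names and sample addresses are hypothetical.

```python
from email.utils import getaddresses


def to_a_label(domain: str) -> str:
    """Canonical form for comparison and DNS: lowercase A-labels, no trailing dot.

    Assumption: the stdlib "idna" codec (IDNA2003) stands in for RFC 5890.
    """
    return domain.rstrip(".").encode("idna").decode("ascii").lower()


def to_u_label(domain: str) -> str:
    """Display form, e.g. for A-R headers per RFC 8616."""
    return to_a_label(domain).encode("ascii").decode("idna")


def author_domains(from_header: str) -> list[str]:
    """A-label domain of every mailbox in an RFC5322.From value."""
    return [
        to_a_label(addr.rpartition("@")[2])
        for _, addr in getaddresses([from_header])
        if "@" in addr
    ]


def strict_aligned(author: str, authenticated: str) -> bool:
    """Strict alignment: identical once both sides are in the same label form."""
    return to_a_label(author) == to_a_label(authenticated)


def from_aligned(from_header: str, dkim_d: str, policy: str = "all") -> bool:
    """policy="first": check only the first mailbox's domain.
    policy="all": every author domain must align."""
    domains = author_domains(from_header)
    if not domains:
        return False
    if policy == "first":
        domains = domains[:1]
    return all(strict_aligned(d, dkim_d) for d in domains)


if __name__ == "__main__":
    # Constructed sample header: a U-label author plus a second author.
    header = "Ale <ale@bücher.example>, Other <other@second.example>"
    print(author_domains(header))
    print(from_aligned(header, "xn--bcher-kva.example", "first"))
    print(from_aligned(header, "xn--bcher-kva.example", "all"))
```
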