On 6/2/2020 9:44 AM, Jesse Thompson wrote:
I'm relaying these DMARC questions/concerns on behalf of an email admin at 
another university.  I quickly searched this list's archives for the Sender 
header vs DMARC alignment issue and don't see much aside from a conversation in 
May 2015.  Is it worth further discussion and/or an issue in Trac?  I think I 
know the answer to the second concern, but I'll defer to people more adept at 
explaining the nuance.

See below...

Thanks,
Jesse Thompson
UW-Madison

"
I don't see on the list of issues the most fundamental problem of DMARC, namely 
that it conflicts with RFC 5322 on the use of the From and Sender header fields 
[1] and possibly with RFC 6326 as to the significance of DKIM fail [2].  The 
former is the more serious problem. Making DMARC alignment part of a standard 
for Internet messages requires a revision of RFC 5322. I'd love to see this 
resolved.


As one of the folk who created the Sender: construct in RFC 733, I'll suggest that the concern raised here has merit, though dealing with the fact isn't straightforward.  It's an issue I've been wrestling with for a couple of years.

In reality, all of the current email anti-abuse authentication methods concern the email operator, not the author.

The problem is that, in the message, the only identifier that is reliably present is the rfc5322.From field email address.

The underlying design choice in RFC733 -- 45 years ago -- was in making Sender: optional when its content is the same as the From: field.  It never occurred to us that one of them might need changing along the handling path.  The lesson to future designers is to strongly resist conflating otherwise-independent semantics for "efficiency".

DMARC enforcement requires that the DKIM/SPF domain be the same as the author From:.  That is, the folk doing email operations have to be able to sign the DMARC aligned domain.

Hence the From: field is now really the Sender: field.  The From: field fixup hacks that are needed by intermediaries, to avoid DMARC-based rejections, make this fact painfully clear, even as they serve to undermine recipient use of the From field for author-related message management.

Given the depth and momentum of DMARC's effects, I don't think it's realistic to try to fix this via changes to the From: field.

The only suggestion I've been able to formulate is:  create a new field, such as Author:.

(Give it a simple, clean, appropriate name, rather than something like Original-From.)


d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
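
The alignment rule discussed in the message above, as an added example that is not part of the original thread: a Python check that compares the DKIM d= and SPF MAIL FROM domains against the From: domain only, so a list relay that identifies itself in Sender: still fails until From: is rewritten. All function names, the two-label organizational-domain shortcut (a real evaluator uses the Public Suffix List), the assumption that DKIM and SPF have already verified, and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real evaluator
    # consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def header_domain(msg, name):
    # Domain of the first address in a header field, or None if absent.
    addr = parseaddr(msg.get(name, ""))[1]
    return addr.rpartition("@")[2].lower() or None

def dkim_domains(msg):
    # d= tags of the DKIM-Signature fields; signatures are assumed to have
    # verified already (no cryptographic check is done here).
    sigs = msg.get_all("DKIM-Signature", [])
    found = (re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", s) for s in sigs)
    return [m.group(1).lower() for m in found if m]

def aligned(domain, author, strict):
    if not domain or not author:
        return False
    return domain == author if strict else org_domain(domain) == org_domain(author)

def dmarc_alignment(raw, spf_domain, strict=False):
    # spf_domain: the SMTP MAIL FROM domain that passed SPF (hypothetical input).
    msg = message_from_string(raw)
    author = header_domain(msg, "From")
    dkim = any(aligned(d, author, strict) for d in dkim_domains(msg))
    spf = aligned(spf_domain.lower() if spf_domain else None, author, strict)
    # Sender: is reported but takes no part in the decision.
    return {"from": author, "sender": header_domain(msg, "Sender"),
            "dkim_aligned": dkim, "spf_aligned": spf, "pass": dkim or spf}

# Constructed sample messages (not taken from the thread).
LIST_RELAY = ("From: Alice <alice@author.example>\n"
              "Sender: list-bounces@lists.example.org\n"
              "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=s1; b=AAAA\n"
              "\nbody\n")
REWRITTEN = LIST_RELAY.replace("From: Alice <alice@author.example>",
                               "From: Alice via list <list@lists.example.org>")
DIRECT = ("From: alice@author.example\n"
          "DKIM-Signature: v=1; d=mail.author.example; s=s1; b=AAAA\n\nbody\n")

if __name__ == "__main__":
    for name, raw, spf in [("relay", LIST_RELAY, "lists.example.org"),
                           ("rewritten", REWRITTEN, "lists.example.org"),
                           ("direct", DIRECT, "bounce.author.example")]:
        print(name, dmarc_alignment(raw, spf))
```

The relayed message fails alignment even though Sender: names the list; the rewritten one passes because the list's domain now sits in From:, which is the substitution the message describes.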
