On Wed 09/Nov/2022 23:07:51 +0100 internet-drafts wrote:
> [...]
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-dmarcbis-24
A highlighted paragraph is the following:
    A message without a single, properly formed RFC5322.From header field
    does not comply with [RFC5322], and handling such a message is outside
    of the scope of this specification.
Where *single* seems to refer to the number of mailboxes. However, RFC5322
says:
    The from field consists of the field name "From" and a comma-
    separated list of one or more mailbox specifications. If the from
    field contains more than one mailbox specification in the mailbox-
    list, then the sender field, containing the field name "Sender" and a
    single mailbox specification, MUST appear in the message.
The change I propose is half-way between those two positions. Rather than
requiring a single mailbox, consider just the first one (irrespective of Sender:).
Rationale:
The first mailbox is the only one which is always there. In addition, it is
certainly visible, whereas further mailboxes can be hidden by putting spaces or
underscores in the second display name. The same considerations hold for Sender:.
Adding a second (invisible) mailbox in order to skip DMARC processing can
become an attack vector.
The number of messages with multiple mailboxes is very low, so disregarding any
mailboxes after the first one doesn't really impact on message handling. Yet,
the simple rule proposed spares an implementation from the embarrassing
situation where it cannot handle certain messages. And the rule is
straightforward to implement.
Best
Ale
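
The two rules compared in the message above, as an added example (not code from the draft, the post, or any DMARC implementation): a strict reading that yields no author domain when the From field lists more than one mailbox, beside the proposed first-mailbox rule. The function names and sample messages are constructed, and treating duplicate From fields as out of scope is an assumption of this sketch.

```python
from email import message_from_string, policy


def from_mailboxes(raw):
    """Mailboxes of the RFC5322.From field, or None unless exactly one From field exists."""
    msg = message_from_string(raw, policy=policy.default)
    fields = msg.get_all("From") or []
    if len(fields) != 1:          # assumption: missing/duplicate From stays out of scope
        return None
    return list(fields[0].addresses)


def author_domain_strict(raw):
    """Strict reading: only a From field with a single mailbox gives a DMARC domain."""
    boxes = from_mailboxes(raw)
    if not boxes or len(boxes) != 1 or not boxes[0].domain:
        return None               # receiver has no domain to evaluate
    return boxes[0].domain.lower()


def author_domain_first(raw):
    """Proposed rule: evaluate the first mailbox, ignore later ones and Sender:."""
    boxes = from_mailboxes(raw)
    if not boxes or not boxes[0].domain:
        return None
    return boxes[0].domain.lower()


# Constructed sample messages (example domains only).
SINGLE = "From: Alice <alice@bank.example>\nSubject: constructed\n\nbody\n"
MULTI = (
    'From: Alice <alice@bank.example>, "_____" <x@elsewhere.example>\n'
    "Sender: x@elsewhere.example\n"
    "Subject: constructed\n\nbody\n"
)
DUPLICATE = (
    "From: Alice <alice@bank.example>\n"
    "From: Bob <bob@elsewhere.example>\n"
    "Subject: constructed\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("single", SINGLE), ("multi", MULTI), ("duplicate", DUPLICATE)):
        print(name, author_domain_strict(raw), author_domain_first(raw))
```

With the strict rule the multi-mailbox message produces no domain, so the policy of `bank.example` is never looked up; with the first-mailbox rule it is evaluated like the single-mailbox message.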