On Tue 15/Nov/2022 11:59:42 +0100 John Levine wrote:
It appears that Alessandro Vesely <[email protected]> said:
They still do:
550-5.7.1 [62.94.243.226] Messages with multiple addresses in From: header are
550 5.7.1 not accepted. ht21-20020a170907609500b0078e1e77f443si1407469ejc.418 - gsmtp
The question is whether they do so because of what we say or if we say so
because of what they do.
Whatever the reason, this reminds us that multi-address From headers are a
tiny tiny nit, not worth the time we've spent on them and certainly not
worth any more. The existing language isn't broken and there is no need to
change it.
So that is the WG consensus.
However, however tiny, this point may still deserve a mention. I propose to
add it in the Security Considerations section. For example, like so:
11.8 Denial of DMARC processing
The requirement expressed in Section 5.7.1 to exempt from DMARC checking
the messages having a multi-valued RFC5322.From header field with multiple
domains can be abused by an attacker by adding a second mailbox to the
RFC5322.From. That way, a message can prominently sport a reputed author
domain without authentication and without incurring DMARC policy
restrictions.
Best
Ale
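
A receiver-side check for the case the proposed text describes, as an added example that is not part of the original message: it counts the mailboxes and distinct domains in RFC5322.From so that multi-domain messages, which are exempt from DMARC checking, can be flagged for local policy. The function names, labels and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses


def from_domains(raw_message):
    """Return the domain of every mailbox found in all From: header fields."""
    msg = message_from_string(raw_message)
    # get_all() also catches a message carrying more than one From: field.
    fields = [str(h) for h in msg.get_all("From", [])]
    domains = []
    for _display_name, addr in getaddresses(fields):
        if "@" in addr:
            domains.append(addr.rsplit("@", 1)[1].lower().rstrip("."))
    return domains


def classify_from(raw_message):
    """Label the author header so local policy can act on it.

    Returns (label, sorted distinct domains). The labels are hypothetical:
      single                   - one mailbox, normal DMARC evaluation
      multi-mailbox-one-domain - several mailboxes, one domain to evaluate
      multi-domain             - several domains, DMARC check is skipped
      no-author                - From: missing or unparseable
    """
    domains = from_domains(raw_message)
    distinct = sorted(set(domains))
    if not domains:
        return ("no-author", distinct)
    if len(domains) == 1:
        return ("single", distinct)
    if len(distinct) == 1:
        return ("multi-mailbox-one-domain", distinct)
    return ("multi-domain", distinct)


# Constructed sample messages (not real traffic).
TAIL = "To: user@rcpt.example\nSubject: test\n\nbody\n"
SINGLE = "From: Alice <alice@bank.example>\n" + TAIL
QUOTED = 'From: "Doe, John" <john@bank.example>\n' + TAIL
SAME = "From: a@bank.example, b@bank.example\n" + TAIL
MULTI = "From: Alice <alice@bank.example>, Bob <bob@other.example>\n" + TAIL
TWO_FIELDS = "From: alice@bank.example\nFrom: bob@other.example\n" + TAIL

if __name__ == "__main__":
    for sample in (SINGLE, QUOTED, SAME, MULTI, TWO_FIELDS):
        print(classify_from(sample))
```

A receiver could log or quarantine the `multi-domain` label instead of delivering such messages with no DMARC result at all.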