On Mon 05/Dec/2022 23:49:11 +0100 Scott Kitterman wrote:
> To the extent this is worth thinking about at all, I think it can be left to
> local policy. If I were implementing this and was worried about it, I'd check
> DMARC for all the froms in the field and pick the most restrictive policy.
> There's a lot of funny things that receivers and MUAs do with multiple From:
> mailboxes. Certainly this spec is not the place to dig into this nook of
> RFC5322 compliance.
> If we need to say anything at all (and I don't think we do), it should be
> something like that, not inventing new results or anything.
Leaving it to local policy is the obvious outcome after we say DMARC MUST NOT
treat those cases. However, I think it's worth mentioning the fact in Security
Considerations, since it can easily be overlooked and can become an attack
vector. I copy below the example I posted on Thu, 24 Nov 2022 10:10:13 +0100 [*]
11.8 Denial of DMARC processing
The requirement expressed in Section 5.7.1 to exempt from DMARC checking
the messages having a multi-valued RFC5322.From header field with multiple
domains can be abused by an attacker by adding a second mailbox to the
RFC5322.From. That way, a message can prominently sport a reputed author
domain without authentication and without incurring DMARC policy
restrictions.
Best
Ale
--
[*] https://mailarchive.ietf.org/arch/msg/dmarc/Nx2wAs-6sCDeTyArA2XV_oAqlEI
_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc
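The two behaviours discussed in the thread, as an added example that is not part of the original messages or of the DMARC draft: the Section 5.7.1 exemption (a From: with more than one domain skips DMARC) beside the "check every From domain, pick the most restrictive policy" local policy Scott sketched. The DMARC records, the message, the `DMARC_RECORDS` table standing in for DNS, the `disposition` / `from_domains` / `dmarc_result` function names and the simplistic two-label organizational-domain rule are all assumptions made for the example; "most restrictive" is interpreted here as evaluating each From domain that publishes a record and keeping the most severe outcome.

```python
"""Added example: how a second From: mailbox interacts with DMARC.

Strategy "exempt": a multi-domain RFC5322.From is not evaluated at all
(the behaviour the Security Considerations text warns is abusable).
Strategy "strictest": every From domain that publishes a DMARC record is
evaluated and the most severe disposition wins (an interpretation of the
local policy suggested in the thread).

DNS is replaced by a constructed in-memory table of DMARC records.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for TXT lookups of _dmarc.<domain> (not real domains).
DMARC_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "newsletter.example": "v=DMARC1; p=quarantine",
    # attacker.example publishes no DMARC record at all
}

# Severity order used to pick the "most restrictive" outcome.
RANK = {"pass": 0, "none": 1, "quarantine": 2, "reject": 3}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def lookup_policy(domain):
    """Return parsed DMARC tags for domain, or None if it publishes none."""
    record = DMARC_RECORDS.get(domain.lower())
    return parse_dmarc(record) if record else None


def from_domains(msg):
    """Distinct domains of all mailboxes in RFC5322.From, in header order."""
    domains = []
    for _, addr in getaddresses(msg.get_all("From", [])):
        domain = addr.rpartition("@")[2].lower()
        if domain and domain not in domains:
            domains.append(domain)
    return domains


def org_domain(domain):
    """Simplistic organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' exact match, anything else relaxed (org domain)."""
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain, tags, spf_domain, dkim_domains):
    """Evaluate one From domain: 'pass' if an aligned identifier exists, else its p=."""
    if spf_domain and aligned(from_domain, spf_domain, tags.get("aspf", "r")):
        return "pass"
    if any(aligned(from_domain, d, tags.get("adkim", "r")) for d in dkim_domains):
        return "pass"
    return tags.get("p", "none")


def disposition(raw_message, spf_domain, dkim_domains, strategy):
    """Return 'exempt', 'pass', or the policy to apply ('none'/'quarantine'/'reject').

    spf_domain: domain that passed SPF (or None); dkim_domains: d= values of
    DKIM signatures that verified.  Both are inputs here, not computed.
    """
    domains = from_domains(message_from_string(raw_message))
    if strategy == "exempt" and len(domains) > 1:
        return "exempt"  # Section 5.7.1 behaviour: no DMARC check at all
    worst = None
    for domain in domains:
        tags = lookup_policy(domain)
        if tags is None:
            continue  # no published policy: nothing to enforce for this domain
        result = dmarc_result(domain, tags, spf_domain, dkim_domains)
        if worst is None or RANK[result] > RANK[worst]:
            worst = result
    return worst if worst is not None else "none"


# Constructed messages.  ATTACK adds a second mailbox so bank.example is
# displayed while only attacker.example is authenticated.
ATTACK = (
    'From: "Bank Alerts" <alerts@bank.example>, News <news@attacker.example>\n'
    "To: victim@example.org\nSubject: Please verify your account\n\nbody\n"
)
LEGIT = "From: alerts@bank.example\nTo: victim@example.org\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    print("attack/exempt   :", disposition(ATTACK, "attacker.example", ["attacker.example"], "exempt"))
    print("attack/strictest:", disposition(ATTACK, "attacker.example", ["attacker.example"], "strictest"))
    print("legit/strictest :", disposition(LEGIT, "bank.example", [], "strictest"))
```

Under the exemption the crafted message is never evaluated, even though bank.example publishes p=reject; under the strictest-policy reading the same message is evaluated against bank.example, finds no aligned identifier, and gets the reject disposition, while a legitimately authenticated single-mailbox message passes either way.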