On Mon 13/Dec/2021 18:51:48 +0100 Brandon Long wrote:
> On Mon, Dec 13, 2021 at 9:46 AM Slavko via mailop <mailop@mailop.org> wrote:
>> On Mon, 13 Dec 2021 18:19:07 +0100 Alessandro Vesely via mailop
>> <mailop@mailop.org> wrote:
>>> Is it customary to reject messages with multiple addresses in From:?
>>> Why?
>>
>> AFAIK, DMARC works with only one From: address, thus sites which
>> are verifying DMARC tend to reject multiple addresses in it.
>
> Basically, yes, DMARC doesn't handle multiple from addresses, otherwise one
> could do From: m...@whatever.com, accou...@google.com and which domain would
> this be considered from? I guess one could evaluate DMARC for both.

Evaluating both doesn't make much sense, because a DMARC receiver is actually
verifying proper sending from the author's domain. The author who added one or
more coauthors in the From: line is still sending through her usual MUA and
submission server. Thus that's the only domain which is worth verifying.

A Sender: line should point to the right domain. However, I'd propose that the
sender be the first address in the From: line, which grants visibility and
simplifies verifiers' code.

> We also reject multiple From headers, which is much more common but
> basically always an error or spam.

Yes, that's explicitly forbidden and a known DKIM vulnerability (DKIM signers
should specify From: twice in h=).

Best
Ale
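
The three cases discussed in this thread, as an added example that is not part of the original message or of any poster's code: one From: field with several mailboxes, several From: fields, and a DKIM-Signature whose h= tag lists From twice so that a From: field added after signing breaks verification. The function names, verdict strings and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses


def classify_from(raw):
    """Return (verdict, detail) describing how a raw message uses From:."""
    msg = message_from_string(raw)
    fields = msg.get_all("From", [])
    if len(fields) != 1:
        # Zero or several From: header fields: forbidden by the message format.
        return ("reject", "%d From: fields" % len(fields))
    addrs = [addr for _, addr in getaddresses(fields) if "@" in addr]
    domains = [a.rsplit("@", 1)[1].lower() for a in addrs]
    if not domains:
        return ("reject", "no parsable address")
    if len(domains) == 1:
        return ("single", domains[0])
    # Several mailboxes in one From: field: the domain to evaluate for DMARC
    # is ambiguous, so the caller decides (reject, or use Sender:/first address).
    return ("multi-address", domains)


def h_lists_from_twice(dkim_signature):
    """True if the h= tag of a DKIM-Signature value names From at least twice."""
    tags = {}
    for part in dkim_signature.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # Drop folding whitespace inside the tag value.
            tags[name.strip().lower()] = "".join(value.split())
    signed = [h.lower() for h in tags.get("h", "").split(":")]
    return signed.count("from") >= 2


# Constructed sample inputs (not taken from real traffic).
ONE = "From: Alice <alice@example.org>\nSubject: t\n\nbody\n"
TWO_ADDRS = "From: Alice <alice@example.org>, Bob <bob@example.net>\nSubject: t\n\nbody\n"
TWO_FIELDS = "From: alice@example.org\nFrom: ceo@example.net\nSubject: t\n\nbody\n"
SIG_ONCE = "v=1; a=rsa-sha256; d=example.org; s=s1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER"
SIG_TWICE = "v=1; a=rsa-sha256; d=example.org; s=s1;\n h=From:From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER"

if __name__ == "__main__":
    for name in ("ONE", "TWO_ADDRS", "TWO_FIELDS"):
        print(name, classify_from(globals()[name]))
    for name in ("SIG_ONCE", "SIG_TWICE"):
        print(name, h_lists_from_twice(globals()[name]))
```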