[dmarc-discuss] dmarc-discuss Digest, Vol 19, Issue 3

Douglas Otis doug.mtview at gmail.com
Tue Jul 16 11:49:08 PDT 2013


On Jul 16, 2013, at 9:58 AM, Franck Martin <fmartin at linkedin.com> wrote:

> Multiple From: headers is invalid per RFC. There must be one and one only From: header in all emails. Most MTAs do not care. If you deploy DMARC I strongly suggest you do that check and bounce.
> 
> What we are talking is multiple emails in the From: header, which is valid as per RFC


Dear Franck and Murray,

DMARC is to assert restrictive policies for domains above the public suffix.  DMARC is now overreaching and is attempting to assert restrictive policies for domains above the root as well.

Since DMARC can not be used generally, invalidly prefixed header field invalidation is to repair DKIM's vulnerability.  Invalidly prefixed header field checks MUST be included in Authentication-Results headers before _ANY_ DKIM pass information can be used.  There is likely little benefit  applying this type of invalidation to messages not DKIM signed.   Without RFC5863 and the compliant milters, bayesian filtering can be expected to properly provide message placement.  

ADSP punted and applied policy to only the first From header field email address expected to receive the recipients' attention.  It seems the entire industry will need to figure out how best to handle RFC6854 and RFC5863.  As such DMARC might be better served letting that sort itself out separately.

Expecting RFC5321 to uniformly and universally enforce RFC5322 compliance is nonsense.  How quickly must SMTP be revised every time there is a change to the email message structure?  Even RFC5322 is not current.  In the case with DKIM, it processes the entire header field stack twice and negligently offers valid signature results EVEN after passing over likely deceptive invalidly prefixed header fields.  Almost no domain is using the double listing of header fields as signed hack either.

At this point, the ONLY safe way forward is to include status in the Authentication-Results header field that indicates there are no invalidly prefixed header fields.  Don't make DKIM's failings SMTP's problem.  Even if it were possible, how many decades will it take before it can be assumed the worlds email infrastructure has been updated and made safe for DKIM?

Regards,
Douglas Otis


More information about the dmarc-discuss mailing list