ietf-smtp

Re: MUA support for multiple from addresses

2012-03-13 18:10:35

On 2/28/12 3:10 AM, John C Klensin wrote:
> --On Tuesday, February 28, 2012 11:31 +1100 Mark Andrews
> <marka(_at_)isc(_dot_)org>  wrote:
>
>> ...
>> Well with paper mail you can have mail from multiple people.
>> Someone has to physically post it, but it can have multiple
>> signatures. There should be no reason for email to not support
>> it.  Note SMTP doesn't need to support it.
>
> Indeed.   And, yes, the SMTP backward-pointing address in the
> MAIL command is really a sender address, not a from address.
>
> I agree with Ned -- deprecating features that poor
> implementations handle poorly would leave us without email.  It
> is far more worthwhile to spend energy telling people to fix
> their garbage implementations than to start deprecating features
> that are very useful on occasion, even if lots of folks don't
> use them and aren't aware they are there.    The use of "+" in
> subaddresses is at least an equally good example: lots of folks
> don't know it is possible; a number of MUAs, a larger number of
> web interfaces of various flavors, and a few MTAs treat it as
> invalid; but, still...
>
>       john
>
> p.s. it has been a while, but I've occasionally used
> multiple-address "From:" on IETF mailing lists when I wanted to
> make it completely clear that a message was produced jointly,
> e.g., from WG co-chairs.

Dear John,

The use of multiple From addresses might become popular. John Levine proposed vouch-by-reference headers and DNS queries where (when a reference is trusted) receivers query what might be a third-party domain to obtain a TXT resource record confirming domain authorizations. This scheme has a few basic problems:

1) vbr header is not seen by users.
2) vouching domains may not be authoritative.
3) reliant information may not have been signed.

Spoofing remains a security threat when basing acceptance on signatures. Assumed domain authority is yet another security threat. This becomes a concern when dealing with potentially unsigned header fields containing third-party domains. DKIM verification only requires the last From header field be signed when it is likely only the first that is displayed. DMARC strengthened DKIM compliance by requiring one From header field.

See http://dmarc.org/draft-dmarc-base-00-01.html#receiver_domain

The Authorized Third-Party Signatures (ATPS) draft, http://tools.ietf.org/html/rfc6541, has been published and implemented in open source versions of DKIM. ATPS allows third-party domains to be compliant with ADSP. ATPS provisions should also be included with DMARC for multiple From email address entries.

From: loan-agent@big-bank.com, big-bank.com@member.fdic.gov would be a visible method to safely assert affiliations without waiting for adoption and enforcement of new headers or exclusion of improperly assumed domain relationships.

Outsourcing publication of the _atps zone can use either zone delegation or DNAME. When two different domains appear in the From header field, ATPS within a single transaction can determine whether the domain has been authorized without risking reliance on unsigned data or non-authoritative sources as could be the case with Vouch-by-Reference.

Regards,
Douglas Otis
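
The checks discussed in the message above, as an added example that is not part of the original post or of any DKIM implementation: it counts From header fields against the `h=` tag of the DKIM signature (header instances are signed bottom-up) and builds the RFC 6541 ATPS lookup name for each author domain that differs from the signing domain. It assumes `atpsh=sha1`, performs no signature verification or DNS lookup, and uses constructed sample messages; `bulk-sender.example` and the function names are hypothetical.

```python
import base64
import hashlib
from email import message_from_string
from email.utils import getaddresses

def dkim_tags(msg):
    """Parse the first DKIM-Signature into a tag dict (no crypto verification)."""
    raw = msg.get("DKIM-Signature", "")
    pairs = (t.split("=", 1) for t in raw.split(";") if "=" in t)
    return {k.strip().lower(): "".join(v.split()) for k, v in pairs}

def atps_query_name(signer, author_domain):
    """ATPS TXT lookup name, assuming atpsh=sha1: base32(sha1(signer))._atps.<author>."""
    digest = hashlib.sha1(signer.lower().encode("ascii")).digest()
    return f"{base64.b32encode(digest).decode()}._atps.{author_domain}"

def assess(raw_message):
    msg = message_from_string(raw_message)
    tags = dkim_tags(msg)
    fields = msg.get_all("From", [])
    signed = [h.lower() for h in tags.get("h", "").split(":")].count("from")
    domains = sorted({a.rpartition("@")[2].lower()
                      for _, a in getaddresses(fields) if "@" in a})
    signer = tags.get("d", "").lower()
    return {
        "from_fields": len(fields),
        # DKIM takes header instances bottom-up, so the topmost ones are unsigned.
        "unsigned_from_fields": max(0, len(fields) - signed),
        "author_domains": domains,
        "atps_queries": [atps_query_name(signer, d) for d in domains
                         if signer and d != signer],
    }

# Constructed sample: one From field, two mailboxes, From listed twice in h=.
JOINT = (
    "From: loan-agent@big-bank.com, big-bank.com@member.fdic.gov\n"
    "Sender: loan-agent@big-bank.com\n"
    "DKIM-Signature: v=1; d=big-bank.com; s=sel; h=from:from:sender; bh=x; b=x\n"
    "Subject: joint message\n\nbody\n"
)
# Constructed sample: two From fields, only the last one covered by h=.
DUPLICATE = (
    "From: ceo@big-bank.com\n"
    "From: news@bulk-sender.example\n"
    "DKIM-Signature: v=1; d=bulk-sender.example; s=sel; h=from:subject; bh=x; b=x\n"
    "Subject: duplicate From\n\nbody\n"
)
if __name__ == "__main__":
    print(assess(JOINT), assess(DUPLICATE), sep="\n")
```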
