On 2/28/12 3:10 AM, John C Klensin wrote:
--On Tuesday, February 28, 2012 11:31 +1100 Mark Andrews
Well with paper mail you can have mail from multiple people.
Someone has to physically post it, but it can have multiple
signatures. There should be no reason for email to not support
it. Note SMTP doesn't need to support it.

Indeed. And, yes, the SMTP backward-pointing address in the
MAIL command is really a sender address, not a from address.
I agree with Ned -- deprecating features that poor
implementations handle poorly would leave us without email. It
is far more worthwhile to spend energy telling people to fix
their garbage implementations than to start deprecating features
that are very useful on occasion, even if lots of folks don't
use them and aren't aware they are there. The use of "+" in
subaddresses is at least an equally good example: lots of folks
don't know it is possible; a number of MUAs, a larger number of
web interfaces of various flavors, and a few MTAs treat it as
invalid; but, still...

p.s. it has been a while, but I've occasionally used
multiple-address "From:" on IETF mailing lists when I wanted to
make it completely clear that a message was produced jointly,
e.g., from WG co-chairs.

The use of multiple From addresses might become popular. John Levine
proposed vouch-by-reference headers and DNS queries where (when a
reference is trusted) receivers query what might be a third-party domain
to obtain a TXT resource record confirming domain authorizations. This
scheme has a few basic problems:
1) vbr header is not seen by users.
2) vouching domains may not be authoritative.
3) reliant information may not have been signed.

Spoofing remains a security threat when basing acceptance on
signatures. Assumed domain authority is yet another security threat.
This becomes a concern when dealing with potentially unsigned header
fields containing third-party domains. DKIM verification only requires
the last From header field be signed when it is likely only the first
that is displayed. DMARC strengthened DKIM compliance by requiring one
From header field.

The Authorized Third-Party Signatures (ATPS) draft,
http://tools.ietf.org/html/rfc6541, has been published and implemented in
open source versions of DKIM. ATPS allows third-party domains to be
compliant with ADSP. ATPS provisions should also be included with DMARC
for multiple From email address entries.

From: loan-agent@big-bank.com, big-bank.com@member.fdic.gov would be a
visible method to safely assert affiliations without waiting for
adoption and enforcement of new headers or exclusion of improperly
assumed domain relationships.

Outsourcing publication of the _atps zone can use either zone delegation
or DNAME. When two different domains appear in the From header field,
ATPS within a single transaction can determine whether the domain has
been authorized without risking reliance on unsigned data or
non-authoritative sources as could be the case with Vouch-by-Reference.
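
Added example, not part of the original message: a receiver-side check for the gap described above, where a DKIM signature covers only the last From header field while the first is the one likely to be displayed. The message, the .example domains and the function names are constructed for illustration; the code inspects the h= tag of the first DKIM-Signature only and does no cryptographic verification.

```python
import email
from email.utils import getaddresses

# Constructed sample: two From fields, but h= names "from" only once.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=big-bank.example; s=sel1;\r\n"
    " h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: Support <support@unrelated.example>\r\n"
    "From: loan-agent@big-bank.example, big-bank.example@member.fdic.example\r\n"
    "To: user@example.org\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)

def signed_header_names(dkim_value):
    """Return the lower-cased header names listed in the h= tag, in order."""
    unfolded = "".join(dkim_value.split())  # drop folding and other whitespace
    tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
    return [name.lower() for name in tags.get("h", "").split(":") if name]

def from_field_report(raw):
    """Describe every From field: position, signature coverage, author domains."""
    msg = email.message_from_string(raw)
    from_fields = msg.get_all("From", [])
    sig = msg.get("DKIM-Signature")  # assumption: only the first signature is checked
    n_signed = signed_header_names(sig).count("from") if sig else 0
    total = len(from_fields)
    report = []
    for idx, value in enumerate(from_fields):
        # RFC 6376 section 5.4.2: each "from" in h= binds one instance,
        # counted from the bottom of the header block upward.
        from_bottom = total - idx
        domains = sorted({addr.rsplit("@", 1)[1].lower()
                          for _, addr in getaddresses([value]) if "@" in addr})
        report.append({"position": idx + 1,
                       "signed": from_bottom <= n_signed,
                       "domains": domains})
    return report

def displayed_from_is_unsigned(report):
    """True when the topmost From field is not covered by the signature."""
    return bool(report) and not report[0]["signed"]

if __name__ == "__main__":
    for entry in from_field_report(SAMPLE):
        print(entry)
```

A message that yields more than one report entry has multiple From header fields, which is the case DMARC excludes by requiring a single From header field.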