Re: [dmarc-ietf] Identification of an email author (was - Re: IETF Mailing Lists and DMARC)

----- Original Message -----
> From: "Dave Crocker" <dcrocker@xxxxxxxxx>
> To: "Franck Martin" <franck@xxxxxxxxxxxxxxx>, "Terry Zink" <tzink@xxxxxxxxxxxxxxxxxxxxxx>
> Cc: dmarc@xxxxxxxx, "Ted Lemon" <mellon@xxxxxxxxx>, "IETF" <ietf@xxxxxxxx>
> Sent: Monday, November 7, 2016 2:46:54 PM
> Subject: Re: [dmarc-ietf] Identification of an email author (was - Re: IETF Mailing Lists and DMARC)

> On 11/7/2016 11:41 AM, Franck Martin wrote:
>> The EAI WG found it was fine to remove the obligation to have an email
>> address part in the mandatory RFC5322.From header, leaving only the
>> display part to assert the original author.
> 
> We had that relaxed permission for From:, in the original
> From/Sender/Reply-to specification of rfc733, with the requirement that
> there be a Sender: email address.  It looks like we removed it for rfc822.
> 
> And while I recall something of the EAI discussion, I'm not recalling
> this permission's being returned.  Nor am I finding it in rfc6854:
> 
>      https://tools.ietf.org/html/rfc6854#section-2
> 
> So, please point to the formal specification that permits a From: field
> to have no email address.
> 

I'm not great at ABNF, so please bear with me. 

My understanding is that RFC proposes the following change:

from =  "From:" mailbox-list CRLF

TO

from = "From:" (mailbox-list / address-list) CRLF


They are defined by:
mailbox-list    =   (mailbox *("," mailbox)) / obs-mbox-list
address-list    =   (address *("," address)) / obs-addr-list

furthermore: 

address         =   mailbox / group
mailbox         =   name-addr / addr-spec
name-addr       =   [display-name] angle-addr
angle-addr      =   [CFWS] "<" addr-spec ">" [CFWS] /
                       obs-angle-addr
group           =   display-name ":" [group-list] ";" [CFWS]
display-name    =   phrase
mailbox-list    =   (mailbox *("," mailbox)) / obs-mbox-list
address-list    =   (address *("," address)) / obs-addr-list
group-list      =   mailbox-list / CFWS / obs-group-list


So if you follow the fact that the new from can contain an address list, and that an address can be either a mailbox or a group and that a group can be 'undisclosed sender:;'

So you could find an email with the following header

From: undisclosed sender:;

and that would be ok as per rfc6854

Note the security consideration in the same RFC that "discourages" the use of the group syntax, but as a receiver, I would claim this increases the level of secret sauce to apply to evaluate an email...
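
An added example, not part of the original message: a receiver-side check that parses the From: header with Python's standard email package and reports whether it yields any author domain, since DMARC evaluation keys on the RFC5322.From domain. The function names, category labels and sample messages are constructed for illustration.

```python
from email import message_from_string, policy

def from_author_domains(raw_message):
    """Return (group_names, domains) found in the message's From: header."""
    msg = message_from_string(raw_message, policy=policy.default)
    hdr = msg["From"]
    if hdr is None:
        return [], []
    # The parser reports a plain mailbox as a group whose display_name is None,
    # so only real RFC 5322 groups ("name: ... ;") have a name here.
    group_names = [g.display_name for g in hdr.groups
                   if g.display_name is not None]
    # hdr.addresses flattens every mailbox, including those inside groups.
    domains = sorted({a.domain.lower() for a in hdr.addresses if a.domain})
    return group_names, domains

def classify_from(raw_message):
    """Label the From: header by how many author domains it carries."""
    group_names, domains = from_author_domains(raw_message)
    if not domains:
        # Missing From: or an empty group: there is no domain to align against.
        return "no-author-domain"
    if len(domains) > 1:
        return "multiple-author-domains"
    return "single-domain-in-group" if group_names else "single-domain"

# Constructed sample messages (not taken from real mail).
SAMPLES = {
    "empty_group": "From: undisclosed sender:;\nSubject: t\n\nbody\n",
    "plain": "From: Alice <alice@example.org>\nSubject: t\n\nbody\n",
    "group_one": "From: Team: alice@example.org;\nSubject: t\n\nbody\n",
    "group_two": ("From: Team: alice@example.org, bob@example.net;\n"
                  "Subject: t\n\nbody\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_from(raw), from_author_domains(raw))
```

How a receiver treats the "no-author-domain" and "multiple-author-domains" cases is local policy; the check only makes them visible before any alignment test is attempted.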
