One document matched: draft-leiba-5322upd-from-group-02.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc,
which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY RFC5234 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5234.xml'>
<!ENTITY RFC5322 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5322.xml'>
<!ENTITY RFC5617 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5617.xml'>
]>
<?xml-stylesheet type='text/xsl' href='http://xml.resource.org/authoring/rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc tocompact="no" ?>
<?rfc tocindent="no" ?>
<?rfc comments="yes" ?>
<?rfc inline="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<?rfc compact="yes"?>
<?rfc subcompact="yes"?>
<rfc
category="std"
ipr="trust200902"
updates="5322"
docName="draft-leiba-5322upd-from-group-02">
<front>
<title abbrev="Group Syntax in Email 'From:'">
Update to Internet Message Format to Allow Group Syntax in the 'From:' Header Field
</title>
<author initials='B.' surname='Leiba' fullname='Barry Leiba'>
<organization>Huawei Technologies</organization>
<address>
<phone>+1 646 827 0648</phone>
<email>barryleiba@computer.org</email>
<uri>http://internetmessagingtechnology.org/</uri>
</address>
</author>
<date/>
<area>Applications</area>
<workgroup>EAI Working Group</workgroup>
<abstract>
<t>
The Internet Message Format (RFC 5322) allows "group" syntax in
some email header fields, such as "To:" and "CC:", but not in "From:".
This document updates RFC 5322 to relax that restriction,
allowing group syntax in "From:".
</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t>
The Internet Message Format <xref target="RFC5322"/> allows "group" syntax in
some email header fields, such as "To:" and "CC:", but not in "From:".
As use cases for group syntax evolve, particularly with respect to email
address internationalization issues, it is becoming clear that there is
little value in forbidding that usage, and significant value in allowing it.
This document updates RFC 5322 to relax that restriction,
allowing group syntax in "From:".
</t>
<section title="Notational Conventions">
<t>
The notational conventions here are the same as those in RFC 5322, and the following
two subsections are copied directly from that document.
</t>
<section title="Requirements Notation">
<t>
This document occasionally uses terms that appear in capital letters.
When the terms "MUST", "SHOULD", "RECOMMENDED", "MUST NOT", "SHOULD
NOT", and "MAY" appear capitalized, they are being used to indicate
particular requirements of this specification. A discussion of the
meanings of these terms appears in <xref target="RFC2119"/>.
</t>
</section>
<section title="Syntactic Notation">
<t>
This specification uses the Augmented Backus-Naur Form (ABNF)
<xref target="RFC5234"/> notation for the formal definitions of the syntax of
messages. Characters will be specified either by a decimal value
(e.g., the value %d65 for uppercase A and %d97 for lowercase A) or by
a case-insensitive literal value enclosed in quotation marks (e.g.,
"A" for either uppercase or lowercase A).
</t>
</section>
</section>
</section>
<section title="Allowing Group Syntax in 'From'">
<t>
Section 3.6.2 of RFC 5322 defines the "From:" header field as containing a
"mailbox-list" syntax element. This changes that definition to use the
"address-list" syntax element, as is used in other fields, such as "To:", "CC:",
and "Reply-To:".
</t>
<t>
The following normative section replaces Section 3.6.2 of RFC 5322.
</t>
<section anchor="update" title="Replacement of RFC 5322, Section 3.6.2. Originator Fields">
<t>
In version -00, this section is unchanged from RFC 5322, to make it easier to use
DIFF to see the actual changes that this version contains.
Compare this version with version -00.
</t>
<t>
The originator fields of a message consist of the from field, the
sender field (when applicable), and optionally the reply-to field.
The from field consists of the field name "From" and a comma-
separated list of one or more addresses (either mailbox or group syntax).
If the from field contains more than one address (mailbox or group) in the
address-list, then the sender field, containing the field name "Sender" and a
single mailbox specification, MUST appear in the message.
In either case, an optional reply-to field MAY also be included, which contains
the field name "Reply-To" and a comma-separated list of one or more
addresses (either mailbox or group syntax).
</t>
<t>
from = "From:" address-list CRLF
<vspace blankLines="1"/>
sender = "Sender:" mailbox CRLF
<vspace blankLines="1"/>
reply-to = "Reply-To:" address-list CRLF
</t>
<t>
The originator fields indicate the address(es) of the source of the
message. The "From:" field specifies the author(s) of the message,
that is, the address(es) of the person(s) or system(s) responsible
for the writing of the message. The "Sender:" field specifies the
mailbox of the agent responsible for the actual transmission of the
message. For example, if a secretary were to send a message for
another person, the mailbox of the secretary would appear in the
"Sender:" field and the address of the actual author would appear in
the "From:" field. If the originator of the message can be indicated
by a single mailbox in the "From:" field and the author and transmitter
are identical, the "Sender:" field SHOULD NOT be used.
Otherwise, both fields SHOULD appear.
</t>
<t>
<list>
<t>
Note: The transmitter information is always present. The absence
of the "Sender:" field is sometimes mistakenly taken to mean that
the agent responsible for transmission of the message has not been
specified. This absence merely means that the transmitter is
identical to the author and is therefore not redundantly placed
into the "Sender:" field.
</t>
</list>
</t>
<t>
The originator fields also provide the information required when
replying to a message. When the "Reply-To:" field is present, it
indicates the address(es) to which the author of the message suggests
that replies be sent. In the absence of the "Reply-To:" field,
replies SHOULD by default be sent to the address(es) specified in the
"From:" field unless otherwise specified by the person composing the
reply.
</t>
<t>
In all cases, the "From:" field SHOULD NOT contain any address that
does not belong to the author(s) of the message. See also
<xref target="RFC5322"/> Section 3.6.3
for more information on forming the destination addresses for a
reply.
</t>
</section>
</section>
<section anchor="security" title="Security Considerations">
<t>
See the Internet Message Format specification <xref target="RFC5322"/> for general
discussion of security considerations related to the formatting of email messages.
</t>
<t>
The "From" address is special, in that most user agents display that address, or
the "friendly" text associated with it, to the end user, and label that so as to
identify it as the origin of the message (as implied in Section 3.6.2 of RFC 5322).
Group syntax in the "From" header field can be used to hide the identity of the
message originator. It is as easy to use a fabricated "From" address
to accomplish the same thing, so allowing group syntax does not exacerbate the problem.
</t>
<t>
Some protocols attempt to validate that originator address by matching the "From"
address to a particular verified domain (see Author Domain Signing Practices (ADSP)
<xref target="RFC5617"/> for one such protocol).
Such protocols will not be applicable to messages that lack
an actual email address (whether real or fake) in the "From" field,
and local policy will determine how such messages are handled.
Senders, therefore, need to be aware that using group syntax in the "From" might
adversely affect deliverability of the message.
</t>
<t>
Because group syntax in the "From" header field has previously not been allowed, it is
possible that some implementations that conform to RFC 5322 might not be prepared to
handle the syntax, and, indeed, might not even recognize that group syntax is being used.
Of those implementations, some subset might, when presented with "From" group syntax,
behave in a way that is exploitable by an attacker.
It is deemed unlikely that this will be a serious problem in practice: address field
parsing is generally an integral component of implementations, and address field
parsers are required to understand group syntax.
In addition, if any implementations should be exploitable through this mechanism,
it is already possible for attackers to do it by violating RFC 5322, and other RFC 5322
violations are commonly used by malefactors.
</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>
No IANA actions are requested by this document, and the RFC Editor is asked to remove
this section before publication.
</t>
</section>
</middle>
<back>
<references title="Normative References">
&RFC2119;
&RFC5234;
&RFC5322;
</references>
<references title="Informative References">
&RFC5617;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 07:15:59 |