<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd"[]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="no"?>
<?rfc toc="yes"?>
<?rfc tocdepth="2"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc inline="yes"?>
<?rfc topblock="yes" ?>
<?rfc autobreaks="yes" ?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="exp" docName="draft-crocker-email-author-04" ipr="trust200902"
submissionType="independent" obsoletes="" updates="" xml:lang="en" tocInclude="true" tocDepth="2" symRefs="true" sortRefs="true" version="3" number="9057">
<!-- xml2rfc v2v3 conversion 3.7.0 -->
<front>
<title abbrev="Email Author Header Field">Email Author Header Field</title>
<seriesInfo name="RFC" value="9057"/>
<author fullname="Dave Crocker" initials="D." surname="Crocker">
<organization>Brandenburg InternetWorking</organization>
<address>
<email>dcrocker@bbiw.net</email>
</address>
</author>
<date month="June" year="2021"/>
<area>Applications and Real-Time</area>
<keyword>domain</keyword>
<keyword>email</keyword>
<keyword>security</keyword>
<keyword>messaging</keyword>
<keyword>dkim</keyword>
<keyword>spf</keyword>
<keyword>authentication</keyword>
<keyword>reporting</keyword>
<keyword>conformance</keyword>
<keyword>author</keyword>
<keyword>origination</keyword>
<keyword>original</keyword>
<keyword>from</keyword>
<keyword>sender</keyword>
<abstract>
<t>Internet mail defines the From: header field to indicate the
author of the message's content and the Sender: field to
indicate who initially handled the message on the author's
behalf. The Sender: field is optional if it has the same
information as the From: field. This was not a problem until
development of stringent protections on use of the From: field.
It has prompted Mediators, such as mailing lists, to modify the
From: field to circumvent mail rejection caused by those
protections. In effect, the From: field has become dominated by
its role as a handling identifier.</t>
<t> The current specification augments the altered use of the From:
field by specifying the Author: field, which ensures
identification of the original author of the message and is not
subject to modification by Mediators. This document is published
as an Experimental RFC to assess community interest, functional
efficacy, and technical adequacy.</t>
</abstract>
</front>
<middle>
<section toc="default" numbered="true">
<name>Introduction</name>
<t>Internet mail conducts asynchronous communication from an author
to one or more recipients and is used for ongoing dialog
amongst them. Email has a long history of serving a wide range
of human uses and styles, within that simple framework, and the
mechanisms for making email robust and safe serve that sole
purpose.</t>
<t> Internet mail defines the content header's From: field to
indicate the author of the message and the Sender: field to
indicate who initially handled the message on the author's
behalf <xref target="RFC5322" format="default"/>. The Sender: field is optional
if it has the same information as the From: field. That is, when
the Sender: field is absent, the From: field has conflated
semantics as both a handling identifier and a content creator
identifier. These fields were initially defined in <xref
target="RFC0733" format="default"/>, and making the redundant Sender: field
optional was a small, obvious optimization in the days of
slower communications, expensive storage, and less powerful
computers.</t>
<t>The dual semantics were not a problem until development of
stringent protections on use of the From: field. It has prompted
Mediators, such as mailing lists, to modify the From: field to
circumvent receiver mail rejection caused by those protections.
This affects end-to-end usability of email between the author
and the final recipients, because mail received from the same
author is treated differently by the recipient's software,
depending on what path the message followed. </t>
<t>By way of example, mail originating with: </t>
<artwork name="" type="" align="left" alt=""><![CDATA[
From: Example User <user@example.com>
]]></artwork>
<t> which is sent directly to a recipient, will show the
author's display name correctly and can correctly analyze,
filter, and aggregate mail from the author based on their email
address. However, if the author sends through a mailing list and
the mailing list conducts a common form of From: modification
needed to bypass enforcement of stringent authentication
policies, then the received message might instead have a From:
field showing: </t>
<artwork name="" type="" align="left" alt=""><![CDATA[
From: Example User via Example List <listname@list.example.org>
]]></artwork>
<t> The change inserts an operational address, for the
Mediator, into the From: field and distorts the field's
display name as a means of recording the modification.</t>
<t>In terms of email identification semantics, this is a profound
change:</t>
<ul spacing="normal">
<li>The result is that the recipient's software will see the
message as being from an entirely different author and
will handle it separately, such as for sorting or
filtering.
In effect, the recipient's software will see
the same person's email as being from a different
address; this includes the person's actual address and each of the
mailing lists that person's mail transits.</li>
<li>Mediators might create a Reply-To: field with the
original From: field email address. This facilitates
getting replies back to the original author, but it does
nothing to aid other processing or presentation done by
the recipient's Mail User Agent (MUA) based on what it
believes is the author's address or original
display name.
This Reply-To action represents another
knock-on effect (e.g., collateral damage) by
distorting the meaning
of that header field, as well as creating an issue if
the field already exists.</li>
</ul>
<t>In effect, the From: field has become dominated by its role as a
handling identifier. The current specification augments this
altered use of the From: field by specifying the Author: field,
which identifies the original author of the message and is not
subject to modification by Mediators.</t>
<t>While it might be cleanest to move towards more reliable use of
the Sender: field and then to target it as the focus of
authentication concerns, enhancement of existing standards works
best with incremental additions, rather than with efforts at
replacement. To that end, this specification provides a means of
supplying author information that is not subject to modification
by processes seeking to enforce stringent authentication.</t>
<t>This version is published as an Experimental RFC to assess community
interest, functional efficacy, and technical adequacy. See <xref
target="experiment" format="default"/>.</t>
</section>
<section numbered="true" toc="default">
<name>Terminology</name>
<t>Terminology and architectural details in this document are
incorporated from <xref target="RFC5598" format="default"/>.</t>
<t>
Normative language, per <xref target="RFC8174" format="default"/>:
</t>
<t>
The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.
</t>
</section>
<section numbered="true" toc="default">
<name>Author Header Field</name>
<t>Author: is a new message header field being defined. It has the same
syntax as the From: header field <xref target="RFC5322" format="default"/>. As
with the original and primary intent for the From: field, the
Author: field is intended to contain the email address of the author of
the message content. It also can contain the displayable human
name of the author.</t>
<t>The <xref target="RFC5234" format="default"/> for the field's syntax is: </t>
<sourcecode type="abnf"><![CDATA[
author = "Author:" mailbox-list CRLF
]]></sourcecode>
<t>which echoes the syntax for the From: header field. </t>
<t> This header field can be added as part of the original message
creation process, or it can be added later, by a Mediator, to
preserve the original author information from the From:
field.</t>
<t> The goal of the Author: field is to reflect information about
the original author. However, it is possible that the author's
MUA or Mail Submission Agent (MSA) will not create it but that
a Mediator might know it will be modifying the From: field and
wish to preserve the author information. Hence, it needs to be
allowed to create the Author: field for this if the field does
not already exist.</t>
<t>Processing of the Author: field follows these rules:</t>
<ul spacing="normal">
<li>If an Author: field already exists, a new one <bcp14>MUST NOT</bcp14> be
created, and the existing one <bcp14>MUST NOT</bcp14> be modified.</li>
<li>An author's MUA or MSA <bcp14>MAY</bcp14> create an Author: field, and
its value <bcp14>MUST</bcp14> be identical to the value in the From:
field.</li>
<li>A Mediator <bcp14>MAY</bcp14> create an Author: field if one does not
already exist, and this new field's value <bcp14>MUST</bcp14> be
identical to the value of the From: field at the time
the Mediator received the message (and before the
Mediator causes any changes to the From: field).</li>
</ul>
</section>
<section numbered="true" toc="default">
<name>Discussion</name>
<t>The Author: header field, here, is intended for creation during
message generation or during mediation. It is intended for use
by recipient MUAs, as they typically use the From: field. In
that regard, it would be reasonable for an MUA that would
normally organize, filter, or display information based on the
From: field to give the Author: header field preference.</t>
<t>Original-From: is a similar header field referenced in <xref
target="RFC5703" format="default"/>. It is registered with IANA, which cites
<xref target="RFC5703" format="default"/> as the controlling source for the entry. However, that
document only has a minimal definition for the field. Also, the
field is solely intended for use by Mediators to preserve
information from a modified From: field. The current specification can
be used during either origination or mediation.</t>
<t>While the basic model of email header fields is highly
extensible, there well might be implementation and usability
considerations for carrying this field through to end users,
such as via <xref target="RFC3501" format="default"/>. </t>
<t>Obviously, any security-related processing of a message needs to
distinguish the From: field from the Author: field and treat their information
accordingly.</t>
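<t>The Author: processing rules and the From:/Author: distinction described above, as an added Python example that is not part of the specification. The function names, the list name and address, and the sample message are constructed for illustration; the display-name rewrite mirrors the "via" form shown in the Introduction.</t>
<sourcecode type="python"><![CDATA[
```python
from email import message_from_string
from email.message import Message
from email.utils import formataddr, getaddresses, parseaddr

# Constructed sample message (not from the specification).
SAMPLE = (
    "From: Example User <user@example.com>\n"
    "To: listname@list.example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)


def mediate(msg, list_name, list_addr):
    """Mailing-list style From: rewrite that preserves the author.

    list_name and list_addr are hypothetical Mediator settings.
    """
    froms = msg.get_all("From", [])
    if len(froms) != 1:
        raise ValueError("expected exactly one From: field")
    received_from = froms[0]  # value at the time the Mediator received it

    # An existing Author: field is neither replaced nor modified; otherwise
    # the Mediator may create one, identical to the From: value as received.
    if msg.get_all("Author") is None:
        msg["Author"] = received_from

    # Only now change From:. Uses the first mailbox's display name.
    name, addr = parseaddr(received_from)
    msg.replace_header(
        "From", formataddr((f"{name or addr} via {list_name}", list_addr))
    )
    return msg


def author_mailboxes(msg):
    """(display name, address) pairs a recipient MUA would sort, filter and
    display by: Author: when present, From: otherwise."""
    values = msg.get_all("Author") or msg.get_all("From", [])
    return getaddresses(values)


def handling_address(msg):
    """Address for security-related processing. Assumption of this example:
    such checks keep reading From: and never substitute Author:."""
    return parseaddr(msg.get("From", ""))[1]


if __name__ == "__main__":
    m = mediate(message_from_string(SAMPLE), "Example List",
                "listname@list.example.org")
    print(m["From"])
    print(m["Author"])
    print(author_mailboxes(m), handling_address(m))
```
]]></sourcecode>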
</section>
<section numbered="true" toc="default">
<name>Security Considerations</name>
<t>Any header field containing identification information is a
source of security and privacy concerns, especially when the
information pertains to content authorship. Generally, the
handling of the Author: header field needs to receive scrutiny
and care, comparable to that given to the From: header field,
but preferably not in a way that defeats its utility.</t>
<t>Given the semantics of the Author: header field, it is easy to believe that use
of this field will create a new attack vector for tricking
end users. However (and perhaps surprisingly), for all of the
real and serious demonstrations of users being tricked by
deceptive or false content in a message, there is no evidence
that problematic content in a header field, which is providing
information about the message's author, directly contributes to
differential and problematic behavior by the end user. (This
presents an obvious exercise for the reader to find credible,
documented evidence.)</t>
</section>
<section anchor="iana_considerations" toc="default" numbered="true">
<name>IANA Considerations</name>
<t>IANA has registered the Author: header field, per
<xref target="RFC3864" format="default"/>, in the "Provisional Message
Header Field Names" registry: </t>
<dl newline="false" spacing="compact">
<dt>Header field name:</dt>
<dd>Author</dd>
<dt>Applicable protocol:</dt>
<dd>mail</dd>
<dt>Status:</dt>
<dd>Provisional</dd>
<dt>Author/Change controller:</dt>
<dd>Dave Crocker
&lt;dcrocker@bbiw.net&gt;</dd>
<dt>Specification document(s):</dt>
<dd>RFC 9057</dd>
</dl>
</section>
<section anchor="experiment" numbered="true" toc="default">
<name>Experimental Goals</name>
<t>Given that the semantics of this field echo the long-standing
From: header field, the basic mechanics of the field's creation
and use are well understood. Points of concern, therefore, are
with possible interactions with the existing From: field, with
anti-abuse systems, and with MUA behavior, along with basic
market acceptance. So the questions to answer while the header
field has experimental status are:</t>
<ul spacing="normal">
<li>Is there demonstrated interest by MUA developers?</li>
<li>If MUA developers add this capability, is it used by
authors?</li>
<li>Does the presence of the Author: field, in combination
with the From: field, create any operational problems,
especially for recipients?</li>
<li>Does the presence of the Author: field demonstrate
additional security issues?</li>
<li>Does the presence of the Author: field engender
problematic behavior by anti-abuse software, such as
defeating its utility?</li>
</ul>
</section>
</middle>
<back>
<displayreference target="RFC3501" to="IMAP"/>
<displayreference target="RFC5322" to="Mail-Fmt"/>
<displayreference target="RFC5598" to="Mail-Arch"/>
<displayreference target="RFC5234" to="ABNF"/>
<displayreference target="RFC0733" to="RFC733"/>
<references>
<name>References</name>
<references>
<name>Normative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3864.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5322.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5598.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5234.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
</references>
<references>
<name>Informative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.0733.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3501.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5703.xml"/>
</references>
</references>
<section numbered="false" toc="default">
<name>Acknowledgements</name>
<t>The idea for this field was prompted by discussions in the IETF's
DMARC Working Group, with participation from <contact
fullname="Benny Lyne Amorsen"/>, <contact fullname="Kurt Anderson"/>,
<contact fullname="Laura Atkins"/>, <contact fullname="Adrian Farrel"/>,
<contact fullname="Murray S. Kucherawy"/>, <contact fullname="Mike Hammer"/>,
<contact fullname="John Levine"/>, <contact fullname="Alexey Melnikov"/>,
<contact fullname="Jesse Thompson"/>, and <contact fullname="Alessandro
Vesely"/>.</t>
</section>
</back>
</rfc>