CVE-2019-16378 - OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is 
prone to a signature-bypass vulnerability with multiple From: addresses, 
which might affect applications that consider a domain name to be relevant 
to the origin of an e-mail message.

Link: https://nvd.nist.gov/vuln/detail/CVE-2019-16378

Background Details: 

When it was written, the DMARC RFC (RFC 7489) assumed that emails with multiple 
addresses in the From: field would be rejected by the receiving MTA
(RFC 7489 Section 6.6.1), and moreover that emails containing such
a header field would be rare in practice.

In the case where such a message is received, the RFC recommends (in the 
same section) that all domains be tested, and the strictest policy be 
applied.

However, having even two distinct administrative domains in the same From: 
header field (for example, a@gmail.com, b@hotmail.com) leads to an issue: 

* For SPF, mail can only be delivered to a receiving system from one IP 
  address.  Unless that IP address is (coincidentally or intentionally) in both 
  domains' SPF records (or the domains "include:" each other), the SPF 
  check will fail (forged HELOs notwithstanding).

* For DKIM, a given DKIM-Signature can carry only one selector/domain pair, 
  and it references a single "From:" header field.  So in the case where either
  domain specifies a DMARC policy of p=reject or p=quarantine, the
  result will be a failure.  The message would have to bear valid signatures
  from both domains.

In practice, citing the example above, a message cannot have originated from 
both gmail.com and hotmail.com, been signed by both, and then been delivered 
directly to a receiving system.  While it is possible for a message to be
relayed *through* one system via another, that is not the problem DMARC attempts
to solve; it is what ARC (RFC 8617) is for.

RFC 7489 also states (Section 3.1.1): Note that a single email can contain 
multiple DKIM signatures, and it is considered to be a DMARC "pass" if any 
DKIM signature is aligned and verifies.

The behavior in the case of multiple distinct domains does not appear to
have been considered by this section, as it seems to apply to multiple signing
agents inside a single administrative domain.

There are additional concerns.  A filter that attempts to perform a full
DMARC evaluation of every domain found in a multi-valued From could be used
to amplify a denial of service attack either against the system running
the filter or against other nameservers by intentionally listing a large
number of domains in the From field.  The specification does not
provide guidance to mitigate such abuse.

Resolution:

Doing all of the DMARC checks for every domain in the From: field of a message 
adds complexity and opens a vector for abuse.

In the case where a message contains two or more From: addresses from the 
same domain (for example, "From: professor@science.edu, student@science.edu"), 
both processed and signed by science.edu's mail server, these messages will 
be processed as normal, so long as there is only one unique domain.

For all other cases, OpenDMARC has added an option to outright reject messages 
containing a multi-valued From: field.  If set, messages can be rejected at 
receipt-time.  If unset, messages will be ignored by the filter.  (They will 
not pass, but they will not fail.)

The Authentication-Results header field added for the DMARC check in this case
will have a result of "dmarc=permerror".
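The decision logic described in the resolution above, as an added example in Python (not OpenDMARC's own code); the reject_multi_from parameter is a hypothetical stand-in for the OpenDMARC option, and the handling of a From: field with no parsable domain is an assumption of the example, not something the advisory states.

```python
# Added example, not OpenDMARC code: classify a From: header value before DMARC
# evaluation according to the rule in the resolution above.
from email.utils import getaddresses


def from_domains(from_header: str) -> list[str]:
    """Return the unique, lowercased domains found in a From: header value.

    Domains are case-insensitive, so "Science.EDU" and "science.edu" count as
    one domain; otherwise a same-domain message would look multi-domain.
    """
    domains: list[str] = []
    for _display_name, addr in getaddresses([from_header]):
        if "@" not in addr:
            continue  # no domain part to evaluate (e.g. empty group syntax)
        domain = addr.rsplit("@", 1)[1].strip().lower().rstrip(".")
        if domain and domain not in domains:
            domains.append(domain)
    return domains


def classify_from(from_header: str, reject_multi_from: bool) -> str:
    """Decide how the filter handles the From: field before DMARC evaluation.

    "evaluate"  - exactly one unique domain: run the normal DMARC checks on it
    "reject"    - more than one domain and the reject option is set
    "permerror" - more than one domain and the option is unset; the message is
                  not evaluated and Authentication-Results gets dmarc=permerror
    """
    domains = from_domains(from_header)
    if len(domains) == 1:
        return "evaluate"
    if not domains:
        # Assumption of this example (not stated by the advisory): a From:
        # with no parsable domain cannot be evaluated either, so report permerror.
        return "permerror"
    return "reject" if reject_multi_from else "permerror"


if __name__ == "__main__":
    # Constructed sample headers matching the cases discussed in the advisory.
    samples = [
        "a@gmail.com, b@hotmail.com",
        '"Prof" <professor@Science.EDU>, Student <student@science.edu>',
        "solo@example.org",
    ]
    for hdr in samples:
        for opt in (False, True):
            print(f"reject_multi_from={opt!s:5} {hdr!r:62} -> {classify_from(hdr, opt)}")
```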
