In the TLSRPT part of the spec, I see this about the rua= field:
rua: A URI specifying the endpoint to which aggregate information about policy validation results should be sent (see (#reporting-schema), "Reporting Schema", for more information). Two URI schemes are supported: mailto and https.
And this is the ABNF:
tlsrpt-rua = %x72 %x75 %x61 *WSP "=" *WSP tlsrpt-uri ; "rua=..."
tlsrpt-uri = URI
; "URI" is imported from [@!RFC3986]; commas (ASCII
; 0x2C) and exclamation points (ASCII 0x21)
; MUST be encoded; the numeric portion MUST fit
; within an unsigned 64-bit integer
So apparently commas and exclamation points are disallowed, without any hint of why this is the case.
Then I see how it's defined in RFC7489 (DMARC):
rua: Addresses to which aggregate feedback is to be sent (comma-
separated plain-text list of DMARC URIs; OPTIONAL). A comma or
exclamation point that is part of such a DMARC URI MUST be encoded
per Section 2.1 of [URI] so as to distinguish it from the list
delimiter or an OPTIONAL size limit. Section 7.1 discusses
considerations that apply when the domain name of a URI differs
from that of the domain advertising the policy. See Section 12.5
for additional considerations. Any valid URI can be specified. A
Mail Receiver MUST implement support for a "mailto:" URI, i.e.,
the ability to send a DMARC report via electronic mail. If not
provided, Mail Receivers MUST NOT generate aggregate feedback
reports. URIs not supported by Mail Receivers MUST be ignored.
The aggregate feedback report format is described in Section 7.2.
Also see section 6.2 about the size limit and the number of email addresses in the list.
Is there intentionally only one address allowed in the rua field or is it just an oversight?
Maybe it's even better to just copy the behavior from the DMARC spec; this gives more features and may even lead to some code reuse.
Edit: I see this issue has also been raised on the mailing list: https://mailarchive.ietf.org/arch/msg/uta/exnSA38_a72MuQJe-ICxlsfFtNU/?qid=69ce611073b98b2b106a39af0015c1e9
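The DMARC-style rua syntax quoted in this issue, as an added example that is not part of the original post or of either spec: a Python parser that splits on raw commas, reads the optional "!" size limit (units k/m/g/t per the DMARC URI grammar in RFC 7489) and enforces the 64-bit bound on the numeric portion. The function name, the sample addresses and the restriction to mailto/https are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Size suffix of a DMARC URI: "!" 1*DIGIT [ "k" / "m" / "g" / "t" ]
_SIZE = re.compile(r"^([0-9]+)([kmgt]?)$")
_UNITS = {"": 1, "k": 2**10, "m": 2**20, "g": 2**30, "t": 2**40}
_U64_MAX = 2**64 - 1
# Assumption: accept only the two schemes the TLSRPT text names.
SUPPORTED_SCHEMES = {"mailto", "https"}


def parse_rua(value):
    """Return (uri, max_bytes or None) pairs from a DMARC-style rua value.

    Malformed or unsupported entries are skipped, following the DMARC rule
    that unsupported URIs are ignored.
    """
    targets = []
    for item in value.split(","):              # a raw "," is always the delimiter
        item = item.strip()
        if not item:
            continue
        uri, bang, size = item.partition("!")  # a raw "!" starts the size limit
        limit = None
        if bang:
            m = _SIZE.match(size.lower())
            if not m or int(m.group(1)) > _U64_MAX:
                continue                       # bad or oversized numeric portion
            limit = int(m.group(1)) * _UNITS[m.group(2)]
        if urlsplit(uri).scheme.lower() not in SUPPORTED_SCHEMES:
            continue
        # The URI is kept percent-encoded; an encoded %2C or %21 is never
        # mistaken for the delimiter or the size marker.
        targets.append((uri, limit))
    return targets


# Constructed sample value (not taken from any real DNS record).
SAMPLE = ("mailto:tls%2Creports@example.com!10m, "
          "https://reports.example.net/v1/tlsrpt, "
          "ftp://files.example.net/r, "
          "mailto:a@example.org!99999999999999999999")

if __name__ == "__main__":
    for uri, limit in parse_rua(SAMPLE):
        print(uri, limit)
```

An unencoded comma inside an address, as in `mailto:a,b@example.com`, is split into two items, and only the truncated `mailto:a` survives, which is why the encoding rule exists once a list is allowed.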