Open XexDevop opened 2 years ago
Common practice? Messages with multiple From headers are not RFC 5322 compliant (the spec requires exactly one From header, see the table under section 3.6), so there should be no discussion about using the first or last From header...
If you decide to consider the last From header and declare a message compliant, but the MUA then displays the first From header to the end user, you may still allow for spoofs.
OpenDMARC has an option (RequiredHeaders) to reject non-compliant messages like this, which I think is the only sensible way to deal with such messages.
In particular, see https://www.rfc-editor.org/rfc/rfc6376.html#section-8.15 describing this situation.
It also provides a best practice solution for senders/signers: they can "oversign" the From header, i.e. sign the existing From header plus a second null-valued one, to prevent downstream addition of extra From headers. See "OversignHeaders" in opendkim.conf(5).
I tend to agree with @ghen2 here. Still, let me discuss things internally and see what the opinions are.
It is a common practice to append an additional "From:" header to change the sending domain from a mailer application (such as the Linux mail command using the -a option). This results in two From: headers, the additional (appended) one overriding the first. OpenDKIM's milter appears to use the FIRST header to determine what signature to use, resulting in a DKIM check fail for non-verification of the signature. It should be parsing all the headers first, so that the additional header overrides the first and thus uses the correct sig.
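As an added illustration of the two points raised in this thread (rejecting messages with more than one From header rather than picking first or last, and checking whether a signer oversigned From per RFC 6376 section 8.15), the following Python script is example code written for this issue, not part of OpenDKIM or OpenDMARC. The two sample messages are constructed, the `bh=` and `b=` values are placeholders rather than real hashes or signatures, and the compliance check only covers the From-field count from RFC 5322 section 3.6, which is narrower than what OpenDMARC's RequiredHeaders option enforces.

```python
import email
from email.message import Message
from typing import Dict

# Constructed sample (not from the issue): a second From: header was appended
# after the first, the situation the issue describes. h= lists "from" once.
TWO_FROM_MESSAGE = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; c=relaxed/relaxed;
 h=from:to:subject; bh=BODYHASHPLACEHOLDER=; b=SIGNATUREPLACEHOLDER=
From: first@example.com
To: recipient@example.net
Subject: test
From: second@example.com

hello
"""

# Constructed sample of a compliant message whose signer oversigned From:
# one From: header, but h= lists "from" twice (what "OversignHeaders From"
# in opendkim.conf produces), so any From: added later breaks verification.
OVERSIGNED_MESSAGE = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; c=relaxed/relaxed;
 h=from:from:to:subject; bh=BODYHASHPLACEHOLDER=; b=SIGNATUREPLACEHOLDER=
From: first@example.com
To: recipient@example.net
Subject: test

hello
"""


def parse(raw: bytes) -> Message:
    # compat32 policy keeps header values as plain strings (folding included).
    return email.message_from_bytes(raw)


def header_count(msg: Message, name: str) -> int:
    # get_all() is case-insensitive and returns None when the field is absent.
    return len(msg.get_all(name) or [])


def is_rfc5322_from_compliant(raw: bytes) -> bool:
    """RFC 5322 section 3.6 requires exactly one From field. A receiver that
    enforces this rejects the message instead of guessing first vs. last."""
    return header_count(parse(raw), "From") == 1


def signed_header_counts(raw: bytes) -> Dict[str, int]:
    """Count how often each field name is listed in the DKIM-Signature h= tag.
    A name listed more often than it appears in the message is oversigned:
    RFC 6376 section 5.4.2 treats the surplus entries as empty fields."""
    sig = parse(raw).get("DKIM-Signature")
    if sig is None:
        return {}
    counts: Dict[str, int] = {}
    for tag in sig.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() != "h":
            continue
        # Folded h= values may contain whitespace; field names are case-insensitive.
        for field in "".join(value.split()).lower().split(":"):
            if field:
                counts[field] = counts.get(field, 0) + 1
    return counts


def from_is_oversigned(raw: bytes) -> bool:
    """True when h= lists "from" more times than From: headers are present,
    i.e. the signature already covers a null From slot."""
    msg = parse(raw)
    return signed_header_counts(raw).get("from", 0) > header_count(msg, "From")


def receiver_verdict(raw: bytes) -> str:
    """Policy a receiver can apply before looking at the signature at all."""
    n = header_count(parse(raw), "From")
    if n != 1:
        return f"reject: {n} From headers, RFC 5322 requires exactly one"
    return "accept: single From header"


if __name__ == "__main__":
    for label, raw in (("two From", TWO_FROM_MESSAGE), ("oversigned", OVERSIGNED_MESSAGE)):
        print(label, "->", receiver_verdict(raw),
              "| signed:", signed_header_counts(raw),
              "| From oversigned:", from_is_oversigned(raw))
```

Run it as-is to see the two-From message rejected outright and the single-From message reported as oversigned; on real mail, feed the raw bytes of the message into `receiver_verdict()` and `from_is_oversigned()` in place of the constructed samples.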