Proposed FAQ entry: I drafted the following, and I thought to get the list participating in making it better (especially, but not limited to my english) Do I want to receive Forensic Reports (ruf=)?
No, you do not want! A forensic report is sent immediately, every time a receiver rejects an email due to DMARC. The receiver may even send a report if one of the authentication mechanism does not pass the alignement test. A forensic report can be the complete copy of the rejected email in Abuse Reporting Format(ARF). You may think your sending practices are good, and there should be little emails rejected, you are forgetting that every email that spoof your domain will be rejected too and you will get a copy. This could be several times the volume of your legitimate emails. So no, you do not want to receive Forensic Reports. The right strategy, and what we are recommending is to first publish a simple record in monitor mode just to get aggregate reports. _dmarc.example.com IN TXT "v=DMARC1;p=none;pct=100;rua=mailto:[email protected]"; Study the aggregate reports, understand, your mail infrastructure, understand what would happen if you change the policy to reject, especially how many forensic reports you are likely to receive. Once you are confident, add the ruf tag pointing to a different mailbox than the rua= tag points to. if you get too many forensic reports, this will not fill up the aggregate report mailbox, so you can keep your statistics running. _dmarc.example.com IN TXT "v=DMARC1;p=reject;pct=100;rua=mailto:[email protected];ruf=mailto:[email protected]";
_______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
