On 06/24/2013 08:23 AM, Roman Prokhorov wrote:

> Imagine there are 2 domains with DMARC records:
>  domain1.tld:  rua=mailto:[email protected]
>  domain2.tld:  rua=mailto:[email protected]
>
> Domain1 receives a message with "From: [email protected]" and sends an
> aggregate report to domain2. The report is a regular message from
> a DMARC-enabled domain so it causes domain2 to send another report to
> domain1; at the end both domains will keep exchanging messages with each
> other endlessly.

Fair point, I could see this happening. So far the number of receivers reporting is small enough that this hasn't been an issue, but that will change over time so better to address it in some way now.

To John Levine's point, a few of these messages a day is hardly a big deal for even a small domain, but if this isn't addressed now I could imagine a scenario in the future where thousands of domains are involved in this kind of exchange... Though I do believe people would notice and stop it before that goes on for very long. :)

However, the root concern could immediately be included in deployment guides for those parties implementing a DMARC solution that includes reporting. And it could proceed to incorporate the next point:



On 06/24/2013 03:55 PM, Matt Simerson wrote:

> Another solution would be sending DMARC reports from a subdomain that
> contains a DMARC policy with no rua tag.

Which ought to act as a safeguard against these situations.

Since reports are supposed to pass DMARC checks themselves, a blocking policy ("p=" reject or quarantine) could be published for the subdomain reports are sent from.

Though with that in place, if somebody receives reports at their own domain and forwards them to a third party processor, they (or the third party) would need to make sure forwarding doesn't inadvertently fail a DMARC check at the processor... (yes, a real-world use case)

--Steve.
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
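
The report loop and the no-rua subdomain safeguard discussed in this thread, as an added example that is not part of the original messages: a small Python simulation in which each round is one reporting interval. The mailbox names, the dmarc.* subdomain, the p= values and the two-label organizational-domain fallback are assumptions made for the sketch.

```python
# Added example: constructed sample records, not taken from the thread.
def rua_domains(txt):
    """Domains of the mailto: URIs in a DMARC record's rua tag ([] if none)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    out = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:") and "@" in uri:
            addr = uri[7:].split("!")[0]  # drop an optional !size suffix
            out.append(addr.rsplit("@", 1)[1].lower())
    return out

def lookup(records, domain):
    """Record published at the exact domain, else at the organizational domain
    (assumed here to be the last two labels; real code needs a suffix list)."""
    org = ".".join(domain.split(".")[-2:])
    return records.get(domain) or records.get(org) or ""

def simulate(records, report_from, first_msg, max_rounds=5):
    """first_msg is (From domain, receiving domain). Returns
    (reports_sent, still_looping) after at most max_rounds intervals."""
    pending, sent = [first_msg], 0
    for _ in range(max_rounds):
        nxt = []
        for from_dom, receiver in pending:
            # The receiver reports to every rua domain of the From domain.
            for dest in rua_domains(lookup(records, from_dom)):
                nxt.append((report_from[receiver], dest))
        if not nxt:
            return sent, False
        sent += len(nxt)
        pending = nxt
    return sent, True

D1, D2 = "domain1.tld", "domain2.tld"
BASE = {d: "v=DMARC1; p=none; rua=mailto:reports@" + d for d in (D1, D2)}
# Safeguard: the report-sending subdomain publishes its own record, no rua.
SAFE = {**BASE, **{"dmarc." + d: "v=DMARC1; p=reject" for d in (D1, D2)}}
SAME = {d: d for d in (D1, D2)}            # reports sent From: the main domain
SUB = {d: "dmarc." + d for d in (D1, D2)}  # reports sent From: a subdomain

def scenarios(first=(D2, D1)):
    return {"main domain": simulate(BASE, SAME, first),
            "subdomain, own record without rua": simulate(SAFE, SUB, first),
            "subdomain, no record of its own": simulate(BASE, SUB, first)}
```

The third scenario keeps looping because a subdomain with no DMARC record of its own falls back to the organizational domain's record, rua tag included, so the subdomain has to publish its own record for the safeguard to work.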
