On 09/09/16 01:37, Alessandro Vesely via dmarc-discuss wrote: > > what is the best practice when DMARC reports bounce? I'm currently > following the lazy approach, do nothing until recipients fix it. Next > option would be to skip long time bouncers, but how long is "long", > months, years, ...?
Excellent question, Ale. I'm not sure what the best approach is. On my production installations, I've also just let them bounce - there haven't been that many. I'd be curious to hear what some of the larger receivers are doing, both regular companies/organizations and mailbox providers. There's a semi-related issue I'm seeing. A number of domains have used addresses @dmarc.org for their aggregate reports, and some report generators have not implemented cross-domain reporting authorization checks. This volume pales in comparison to the volume of spam directed at the same reporting address, but is anybody else seeing this and thinks it's a problem? > Do postmasters risk bad reputation if they continue to send DMARC reports? Another question a friendly large mailbox provider could possibly answer for us... Has anybody asked Spamhaus to see if this is on their radar? That inspires another question -- has anybody seen a real-world abuse or DoS involving DMARC reporting? There's a potential there, and I believe we identified it in the security considerations in RFC7489, but is there any indication this is a problem that needs more attention? --Steve. -- Steven M Jones DMARC.org e: [email protected], [email protected] _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
