On Wed 16/Mar/2016 19:13:48 +0100 Tomki wrote: > > For a concrete example, please see the attached XML record object. > There are 1834 messages reported in this object by 'count', but 312 SPF items > reported. I guess if these were all either pass or failure cases, and the > counts lined up I could disambiguate properly, but as it stands I don't think > it's comprehensible.
It looks a bug to me. It contains results for 312 <spf> domains and 2 <dkim> results for tomki.com. The <spf> domains seem to be a mixture of "helo" and "mfrom" (e.g. bounce.secureserver.net must have been "mfrom", since it passed; the hundreds of domains like "p3plcpnl[0-9]+.prod.phx3.secureserver.net" must have been "helo", unless there is some sort of helo-attack underway). I agree with Les that rows ought to be split by result type. The report doesn't disclose how 1834 messages are distributed over 312 domains. IMHO, *reporting the bug is better than tightening the specs*. BTW, isn't there any monitoring service which sends a few email from a couple of domains and verifies the aggregate feedback? A semantic check would have to send various messages with varying authentication methods from a few domains with varying dmarc policies, and then verify that the reports from the target domain are consistent with what was sent. I checked out dmarcian and dmarcanalyzer, but neither seems to do that. Ale _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
