Hi all,

it is difficult to tell what each aggregate report's record is. It is easier if the source IP is known. Mailing lists can be told by their (unaligned) SPF domain. Otherwise, it is difficult to tell abuse from legitimate users using the wrong server.
Getting a failure report for each source IP is not easy, because few mailbox providers send failure reports. In order to ease the understanding of aggregate reports, I propose two additional per-record fields:

*score*: The average score of the messages in the row; let's say an SA-like number (< 0 good, > 10 bad, values in between may be worth human inspection).

*list*: An enumerated type, for example "none", "black", "white", "both", indicating if the source IP is listed in some public or private DNSxL that the reporting MTA uses.

They're obviously subjective stuff. However, most MTAs deploy at least one of them, and summing up per-IP results every day can bring useful indications.

I haven't added those fields to http://bit.ly/dmarc-rpt-schema yet. Let's discuss. I hope they will make it to rfc7489bis.

Best
Ale
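
Added example, not part of the original post: a sketch of how a reporting MTA could compute the two proposed fields per source IP over one day, and how a report consumer could triage rows with the thresholds given above. Placing score and list inside the row element, treating an IP as listed if any lookup that day hit, and the sample data are all assumptions.

```python
from collections import defaultdict
from xml.etree import ElementTree as ET

# Constructed per-message log: (source_ip, spam score, DNSBL hit, DNSWL hit)
MESSAGES = [
    ("192.0.2.10", -1.2, False, True),
    ("192.0.2.10", -0.4, False, True),
    ("198.51.100.7", 14.5, True, False),
    ("198.51.100.7", 11.5, True, False),
    ("203.0.113.5", 4.0, False, False),
    ("203.0.113.5", 6.0, True, True),
]

def list_value(black, white):
    """Map the two listing flags to the proposed enumerated type."""
    if black and white:
        return "both"
    return "black" if black else "white" if white else "none"

def build_rows(messages):
    """Sum per-IP results for the day into one row per source IP."""
    acc = defaultdict(lambda: {"n": 0, "sum": 0.0, "black": False, "white": False})
    for ip, score, black, white in messages:
        a = acc[ip]
        a["n"] += 1
        a["sum"] += score
        a["black"] |= black   # assumption: listed if any lookup hit
        a["white"] |= white
    return {ip: {"count": a["n"],
                 "score": round(a["sum"] / a["n"], 2),
                 "list": list_value(a["black"], a["white"])}
            for ip, a in acc.items()}

def triage(row):
    """Consumer side: < 0 good, > 10 bad, in between worth inspection."""
    if row["score"] < 0:
        return "good"
    return "bad" if row["score"] > 10 else "inspect"

def to_record(ip, row):
    """Serialize one row; <score> and <list> are the proposed, hypothetical fields."""
    rec = ET.Element("record")
    r = ET.SubElement(rec, "row")
    for tag, val in (("source_ip", ip), ("count", row["count"]),
                     ("score", row["score"]), ("list", row["list"])):
        ET.SubElement(r, tag).text = str(val)
    return ET.tostring(rec, encoding="unicode")

if __name__ == "__main__":
    for ip, row in build_rows(MESSAGES).items():
        print(triage(row), to_record(ip, row))
```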
