Hello folks, Thought I'd see if we could come to a conclusion on this ticket. The gist is that the reporter believes that (aggregate?) reports can help spammers to determine some effectiveness of their message attempts.
Full Text: ------------- Spammers could use DMARC reports to monitor the effectiveness of their campaigns, and we do not want to help them. Do existing implementations send reports to any domain that requests them, or only to those domains that are considered "acceptable"? If reports are only sent to acceptable domains, what sort of criteria have been useful? System administrators will appreciate such advice. Product developers will need guidance about the features they should provide so that a system administrator can control which domains do not receive reports. ------------- >From an operator side, I don't agree with this assessment. The reports do not >show if/why a MBP may place a message in the Junk folder. Could it be DMARC >quarantine? Sure. It could also be any number of things from a large matrix >of decisions, none of which are shown in a DMARC report. Also, the reports >are typically sent once per day (seems like most ignore the 'ri'), quite >likely some time after the end of the reporting period. Additionally, they >probably have more efficient/immediate methods of evaluating their success >rate. If you believe something has been overlooked, please feel free to share. -- Alex Brotman Sr. Engineer, Anti-Abuse & Messaging Policy Comcast _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
