On Fri 22/Jan/2021 13:00:30 +0100 Douglas Foster wrote:

Possible misuse of disposition information:
- DMARC=(Fail), Disposition = (120 delivered) -- probably means that my system does not enforce DMARC at all
- DMARC=(Pass), Disposition = (20 delivered, 100 rejected) -- possibly means that my system needs 20 messages to learn how to identify bad content

I suggest that disposition information should be redacted by default, and only included on an exception basis for highly trusted source domains.


There is a paragraph in RFC 7489 that I cannot find in the draft:

   Aggregate reports are limited in scope to DMARC policy and
   disposition results, to information pertaining to the underlying
   authentication mechanisms, and to the identifiers involved in DMARC
   validation.

Can that be clarified better? The spec sometimes uses the term "final disposition" to mean what Doug calls "disposition information" in the text quoted above.

To wit, a DMARC filter acting between DATA and end-of-data doesn't actually know about final disposition. It can reject, but cannot deliver to Inbox.

In fact, the <disposition> field refers to what the filter is configured to do, except that quarantine can only be signaled to downstream processes. It reports "quarantine" if it did that signaling. It reports "reject" if it rejects. Otherwise it reports "none". (Did we conclude we want "pass"?)

Identifying bad content, possibly based on DMARC having identified a bad actor, or after actual content inspection, happens downstream. A DMARC filter doesn't know and doesn't want to know the final outcome, and doesn't report it.

It is important to be very clear on this point, so that receivers do not fail to enable aggregate reporting for fear of helping spammers.


Best
Ale
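To make the distinction in Ale's message concrete, here is an added example (not code from the thread or from any DMARC implementation) of how a filter running between DATA and end-of-data decides its action and fills the <disposition> element of an RFC 7489 aggregate-report <record>. The helper names (evaluate, build_record, FilterOutcome) and the sample IP, domains and counts are assumptions constructed for the example. The point it shows: the reported disposition is derived only from the published policy and the filter's own action (reject at SMTP, signal quarantine downstream, or nothing); whether the message later reached an Inbox or was dropped by a content filter never enters the record.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterOutcome:
    smtp_action: str        # what the filter does at end-of-data: "accept" or "reject"
    downstream_signal: bool  # True if the message was flagged for downstream quarantine
    disposition: str        # value written to <policy_evaluated><disposition>


def evaluate(dkim_aligned: str, spf_aligned: str, published_policy: str) -> FilterOutcome:
    """Decide the filter's action and the disposition it will report.

    dkim_aligned / spf_aligned are the aligned results ("pass" or "fail") that
    also go into <policy_evaluated>; published_policy is the domain's p= tag.
    Hypothetical helper, not from the thread.
    """
    dmarc_pass = dkim_aligned == "pass" or spf_aligned == "pass"
    if dmarc_pass or published_policy == "none":
        # Nothing to enforce: accept and report "none".
        return FilterOutcome("accept", False, "none")
    if published_policy == "quarantine":
        # The filter cannot file anything into a folder itself; it can only
        # signal downstream. Reporting "quarantine" records that signal, not
        # where the message finally ended up.
        return FilterOutcome("accept", True, "quarantine")
    if published_policy == "reject":
        # Rejection happens at the SMTP level, so here the filter does know.
        return FilterOutcome("reject", False, "reject")
    raise ValueError(f"unknown published policy: {published_policy!r}")


def build_record(source_ip: str, count: int, header_from: str,
                 dkim_aligned: str, spf_aligned: str, published_policy: str,
                 dkim_domain: str, dkim_result: str,
                 spf_domain: str, spf_result: str) -> str:
    """Return one RFC 7489 <record> element as an XML string.

    Only policy/disposition results, authentication results and the DMARC
    identifiers are included; no delivery outcome exists to be reported.
    """
    outcome = evaluate(dkim_aligned, spf_aligned, published_policy)

    record = ET.Element("record")
    row = ET.SubElement(record, "row")
    ET.SubElement(row, "source_ip").text = source_ip
    ET.SubElement(row, "count").text = str(count)
    evaluated = ET.SubElement(row, "policy_evaluated")
    ET.SubElement(evaluated, "disposition").text = outcome.disposition
    ET.SubElement(evaluated, "dkim").text = dkim_aligned
    ET.SubElement(evaluated, "spf").text = spf_aligned

    identifiers = ET.SubElement(record, "identifiers")
    ET.SubElement(identifiers, "header_from").text = header_from

    auth = ET.SubElement(record, "auth_results")
    dkim = ET.SubElement(auth, "dkim")
    ET.SubElement(dkim, "domain").text = dkim_domain
    ET.SubElement(dkim, "result").text = dkim_result   # raw DKIM verifier result
    spf = ET.SubElement(auth, "spf")
    ET.SubElement(spf, "domain").text = spf_domain
    ET.SubElement(spf, "result").text = spf_result     # raw SPF result

    return ET.tostring(record, encoding="unicode")


def reported_disposition(record_xml: str) -> str:
    """Read back the disposition a receiver will see in the report."""
    return ET.fromstring(record_xml).find("row/policy_evaluated/disposition").text


if __name__ == "__main__":
    # Constructed sample: an unaligned DKIM signature, SPF failure, p=quarantine.
    xml = build_record("192.0.2.10", 7, "example.com",
                       "fail", "fail", "quarantine",
                       "third-party.example", "pass",
                       "mail.example.net", "fail")
    print(xml)
    print("reported disposition:", reported_disposition(xml))
```

Running the sample prints a record whose disposition is "quarantine" even though the filter only set a flag; a receiver that later delivers, drops or rejects the message on content grounds changes nothing in the report.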
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
