I realized why the arguments about whether to require authentication on
reports are pointless.

If you actually look at reports, for the most part the address sending the
report is not the recipient domain or anything like it.

For example, recent failure reports I got from solarwinds.com (yes, them)
are about mail to cisp.co.za which was forwarded to spamexperts.com.
Reports from seznam.cz are about mail to email.cz. Reports from
manthorp.com are about mail to streamingco.net.

Aggregate reports don't even include the recipient domains, and tell me
about sending IPs some of which are mine but most of which are not as mail
bounces around through mailing lists and forwarders, or spammers just send
spam with my domain on the From line.

As we all know, bad guys are at least as good at authentication as good
guys, probably better. So if someone for some reason wanted to send me
fake reports of either kind, they could send them with perfect DMARC
alignment and they'd still be fake. If they report spam with one of my
domains on the From line, there's no way at all to tell whether those
reports are real. I can use heuristics to recognize mail my system
actually sent that went through mailing lists I know about, but DKIM
signing the reports wouldn't help.

So I suggest that we close tickets 98 and 99. They don't identify a real
problem, and if they did, they wouldn't fix it.

Regards,
John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc