On Tue 26/Jan/2021 15:12:57 +0100 Douglas Foster wrote:
> At some point, an investigator will ask, "which of our systems sent these messages?"

Possibly none. In that case this is either an abuse or a forward. Or maybe the report generator lies.

> I know how to search my logs for messages to domain example.com. I do not know how to search my logs for messages to domains hosted by hostingservice.tld. That is why I would expect SMTP To domain to be useful.

A smart relay can put together in the same message several RCPT commands with different domains having the same MX.

> An rua report is not supposed to be a substitute for a forensic report. All possible details are not supposed to be presented. Source IP, SMTP MailFrom domain, and SPF status should be sufficient to identify the organization responsible for the last hop. Why is additional mailflow data necessary?

In case of forwarding, the last hop is likely not to be aligned. Previously in this thread you said reporting aligned identifiers only would suffice. Aligned and last hop don't necessarily match.

> The best mail flow data would be to report the entire Received chain, but it would cause too much disaggregation.

If every receiver generated aggregate reports, senders would get the whole chain, in different reports.
Best
Ale

--
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc
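An added illustration of the point made above about forwarding, not code from the thread or from any DMARC implementation: it reads constructed rua records in the RFC 7489 Appendix C XML format and keeps the last-hop facts (source_ip, envelope_from, raw SPF result) separate from the aligned results, so a forward shows up as an SPF pass for the forwarder with only DKIM aligned. The alignment check is a simplified subdomain match rather than a public-suffix lookup, and the classification labels are this example's own.

```python
# Added example (not from the thread): read DMARC aggregate-report rows (RFC 7489
# Appendix C XML) and separate last-hop identity from the aligned DMARC results.
import xml.etree.ElementTree as ET

# Constructed sample report: one direct delivery and one forwarded message.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>5</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from><envelope_from>example.com</envelope_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>pass</result></spf>
   <dkim><domain>example.com</domain><result>pass</result></dkim></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>2</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from><envelope_from>fwd.example.net</envelope_from></identifiers>
  <auth_results><spf><domain>fwd.example.net</domain><result>pass</result></spf>
   <dkim><domain>example.com</domain><result>pass</result></dkim></auth_results>
 </record>
</feedback>"""

def aligned(domain, header_from):
    # Simplified relaxed alignment (same domain or subdomain); real checks use the PSL.
    d, h = (domain or "").lower(), header_from.lower()
    return d == h or d.endswith("." + h)

def classify_records(xml_text):
    """One dict per <record>: last-hop facts plus a rough origin class."""
    out = []
    for rec in ET.fromstring(xml_text).findall("record"):
        hfrom = rec.findtext("identifiers/header_from")
        spf_raw = [s for s in rec.findall("auth_results/spf") if s.findtext("result") == "pass"]
        spf_aligned = any(aligned(s.findtext("domain"), hfrom) for s in spf_raw)
        dkim_aligned = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), hfrom)
                           for d in rec.findall("auth_results/dkim"))
        if spf_aligned:
            kind = "direct"          # the last hop speaks for the From domain
        elif dkim_aligned and spf_raw:
            kind = "likely-forward"  # SPF passes for the forwarder; origin DKIM survives
        elif dkim_aligned:
            kind = "dkim-only"
        else:
            kind = "unauthenticated"  # abuse, a broken forward, or a lying reporter
        out.append({"source_ip": rec.findtext("row/source_ip"),
                    "count": int(rec.findtext("row/count")),
                    "envelope_from": rec.findtext("identifiers/envelope_from"),
                    "last_hop_spf_pass": bool(spf_raw), "kind": kind})
    return out
```

Run against the constructed report, the second row is the case discussed above: the last hop (198.51.100.7, fwd.example.net) passes SPF for itself but is not aligned, and only the origin's DKIM signature ties the message back to example.com.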