On Tue, Jan 26, 2021 at 4:19 PM Michael Thomas <[email protected]> wrote:
> I don't see how time helps anything if I can't differentiate between our
> legitimate traffic and attacker traffic. All an attacker would need to do
> is send a mail cannon to mimic Marsha in Marketing every once in a while
> and the entire thing resets. If it is a requirement to know all of the
> legitimate IP addresses in order to make use of the reports as an
> indicator, the draft should be very explicit about that.

Forgive me; I have failed to get my point across in a way that conveyed my meaning. Let me try again.

My use of the word "Time" was intended to mean, effectively, "experience, wisdom, and knowledge", all of which would be gained through regular (for me it was daily) analysis of the latest DMARC aggregate reports. Through the time spent analyzing those reports, one would obtain a fuller picture of one's organization's mail flows, gaining a knowledge that can really only come from immersion in the data.

Once one gets past the first few weeks of the exercise, picking off any low-hanging fruit, one settles into a posture of monitoring for anomalies, expecting to see no failures, and quickly addressing those that need to be addressed. At some point, one that is wholly dependent on the complexity of the infrastructure and the personality of the observer, one becomes comfortable enough with the data to confidently say, "Now is the time to move to p=reject," and one makes the move. After that, there's continued monitoring to make sure that no ill effects have occurred due to the move, of course, and if there's need to roll back, one rolls back.

If you're looking for an objective standard by which one can say "If X, then it is safe to move to p=reject", there really isn't one, save for "If the domain is newly registered and has never sent mail, then it is safe to move to p=reject."
For any domain that has sent mail prior to the publishing of a DMARC record, it's publish, monitor, iterate until one is ready, and the only standard for that is "When you know, you know."

--
Todd Herr | Sr. Technical Program Manager
e: [email protected]
p: 703.220.4153

This email and all data transmitted with it contain confidential and/or proprietary information intended solely for the use of the individual(s) authorized to receive it. If you are not an intended and authorized recipient, you are hereby notified that any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
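The exchange above turns on whether an operator can tell legitimate-but-misconfigured senders apart from unauthorized use of the domain in a DMARC aggregate report. The script below, an added illustration that is not code from this thread or from either poster, shows the kind of triage Todd describes doing daily: it parses an RUA report in the RFC 7489 Appendix C schema and sorts each record by whether DMARC passed and whether the source IP falls inside a baseline of networks the operator has already confirmed. The report XML and the KNOWN_NETWORKS baseline are both constructed for the example; the category names are the author's own, not terms from the specification.

```python
"""Triage a DMARC aggregate (RUA) report against a baseline of confirmed senders.

Added illustration; not code from the dmarc list thread. The report and the
baseline network list are constructed sample data.
"""
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Constructed report in the RFC 7489 Appendix C layout (not a real report).
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1611619200</begin><end>1611705600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>500</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""

# Hypothetical baseline: networks the operator has confirmed as legitimate
# mail sources for the domain, built up over weeks of reading reports.
KNOWN_NETWORKS = [ip_network("192.0.2.0/24")]


def is_known(source_ip, known_networks):
    """True if the reported source IP falls inside any confirmed network."""
    addr = ip_address(source_ip)
    return any(addr in net for net in known_networks)


def classify_record(source_ip, dkim, spf, known_networks):
    """Label one <record>.

    The <policy_evaluated> dkim/spf values are already alignment-checked by
    the receiver, so DMARC passes when either one is "pass".
    """
    dmarc_pass = dkim == "pass" or spf == "pass"
    known = is_known(source_ip, known_networks)
    if dmarc_pass and known:
        return "aligned_pass"
    if dmarc_pass:
        # Passes, but from a source not yet in the baseline: a forwarder or a
        # system nobody told the operator about. Worth adding to the baseline.
        return "unknown_source_passing"
    if known:
        # A confirmed sender that fails: the "Marsha in Marketing" case, i.e.
        # a misconfiguration to fix before moving to p=reject.
        return "known_source_failing"
    # Fails and unknown: mail the domain owner did not send. This is the
    # traffic p=reject is meant to stop, and it needs no remediation.
    return "unknown_source_failing"


def triage_report(xml_text, known_networks):
    """Parse the report and return one dict per <record> with its category."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        category = classify_record(ip, pe.findtext("dkim"), pe.findtext("spf"), known_networks)
        rows.append({"source_ip": ip, "count": count, "category": category})
    return rows


def summarize(rows):
    """Total message counts per category; the daily number to watch."""
    totals = {}
    for r in rows:
        totals[r["category"]] = totals.get(r["category"], 0) + r["count"]
    return totals


if __name__ == "__main__":
    rows = triage_report(SAMPLE_REPORT, KNOWN_NETWORKS)
    for r in rows:
        print(f"{r['source_ip']:>16}  {r['count']:>5}  {r['category']}")
    print(summarize(rows))
```

The point of the split is the one Michael raises: a burst of unknown_source_failing traffic does not reset anything, because it is the traffic a stricter policy is supposed to discard. What gates the move to p=reject is known_source_failing dropping to zero and unknown_source_passing being investigated and folded into the baseline; those two categories are the ones an operator has to keep watching day after day.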
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
