On Tue 02/Feb/2021 02:42:25 +0100 Dave Crocker wrote:
> On 2/1/2021 5:38 PM, John R Levine wrote:
>> If we want to document existing practice, I guess we would say that reports
>> should be authenticated and aligned if practical, but it's OK to send them if
>> not.
>
> exactly.

I changed it again, for failure reports, like so:

   3.3. Transport

   Email streams carrying DMARC failure reports SHOULD conform to the
   DMARC mechanism, thereby resulting in an aligned "pass". This
   requirement is a MUST in case the sending host has a DMARC record
   featuring a ruf= tag. Indeed, special care must be taken of
   authentication in that case, as failure to authenticate failure
   reports may result in mail loops.

   Reporters SHOULD rate limit the number of failure reports sent to any
   recipient to avoid overloading recipient systems. Again, in case the
   reports being sent are in turn at risk of being reported for DMARC
   authentication failure, reporters MUST make sure that possible mail
   loops are stopped.

Some comments upthread allude to the reporter's policy. To be clear, the DMARC
mechanism which results in an aligned pass is meant to say that the report is
SPF or DKIM authenticated, the authenticated identifier is aligned with From:,
and a DMARC record has been discovered. The value of p= is irrelevant.

Indeed, from a security perspective, a faked failure report is not much
different from an abusive message. To wit, a bad actor could send one or the
other, directly to the victim or, respectively, to a server that will report to
the victim.

Best
Ale
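
Added example, not part of the original message or of the draft: a Python sketch of the checks the proposed 3.3 text asks of a reporter (aligned pass with p= ignored, the ruf= MUST case, per-recipient rate limiting, loop stop). The names `org_domain`, `aligned_pass` and `FailureReportGate`, the two-label organizational-domain shortcut, and the choice to stop loops by never reporting on a failure report are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

def org_domain(domain):
    # Assumption: last two labels stand in for the organizational domain;
    # a real implementation consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned_pass(from_domain, spf_domain, dkim_domains, dmarc_record_found):
    """Aligned pass as the message defines it; the p= value is never consulted.
    spf_domain / dkim_domains hold only identifiers that already passed."""
    if not dmarc_record_found:
        return False
    target = org_domain(from_domain)
    passed = list(dkim_domains) + ([spf_domain] if spf_domain else [])
    return any(org_domain(d) == target for d in passed)

class FailureReportGate:
    """Hypothetical gate a reporter runs before sending a failure report."""
    def __init__(self, limit=3, window=3600):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)  # recipient -> send timestamps

    def decide(self, recipient, trigger_is_report, reporter_has_ruf,
               report_aligned, now=None):
        now = time.time() if now is None else now
        # Loop guard (assumed mechanism): never report on a failure report.
        if trigger_is_report:
            return "drop:loop-guard"
        # MUST case: the reporter's own domain publishes ruf=, so an
        # unauthenticated report could itself be reported back.
        if reporter_has_ruf and not report_aligned:
            return "drop:unaligned-with-ruf"
        q = self.sent[recipient]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget sends that fell out of the window
        if len(q) >= self.limit:
            return "drop:rate-limit"
        q.append(now)
        return "send" if report_aligned else "send:unaligned"
```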