And you didn't take into account that a malicious party can send fake
reports[*] in order to mess up whatever decision you may decide to make based
on that.
Best
Ale
--
[*] iphmx and others don't sign reports, Yahoo's and others' signatures seem to
be available to their users as well. Matching signatures is yet another match.
On Sat 12/Nov/2022 04:25:39 +0100 Douglas Foster wrote:
Recently, I have been doing a deep-dive into my DMARC feedback. Not much can
be learned.
I tried to determine which of my outbound messages are represented by the
incoming reports. The match is not easy. From my configuration and the
outbound SMTP log, I know
Source IP
RFC5321.MailFrom Domain
RFC5322.From Domain
RFC5321.To domain
MX host domain name
SMTP Result Code and Extended Status code
From the incoming report, I have
Source IP
RFC5321.MailFrom Domain
RFC5322.From Domain
Organization name, which is sometimes a domain name and sometimes free text.
Email contact domain name
Domain name from the attachment's file prefix.
Disposition counts
For the initial exercise, disposition was not a consideration because no
messages were rejected.
To match the two data sets, I needed to guess a connection between the MX
hostname and the report organization data. Intelligent guesswork gets me pretty
far, but it still leaves a lot of holes.
A helpful exception is Yahoo, which supplies the RFC5321.To domain as the
prefix of the report filename. Their timestamps also appear precise, because I
have been able to match their reports without any count or time discrepancies.
At the opposite pole is iphmx.com, which fragments their
report data across multiple subdomains, which I may or may not have correctly
matched to MX records. Worse yet, they have reports for seemingly identical
sources with overlapping time intervals.
Several multi-tenant server organizations, including iphmx.com,
only report DMARC for the subset of client domains which
evaluate and enforce DMARC results. Since the sender has no knowledge of
which domains are or are not evaluating DMARC, there is no way to know which
outbound messages are included in the report and which are not.
All of this means that if some messages are being blocked by an evaluator's
local policy, I have a low expectation of knowing which recipient users are
affected, which means that I cannot contact those users to ask them for
assistance, even if I have an alternate way to reach them.
Do we have any ideas for making this match process simpler, or do we take the
position that this type of matching process is not supported and should not be
attempted?
Just asking,
Doug Foster
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
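Added example, not from the thread or from any DMARC implementation: a small Python script that does the match Doug describes. It parses an aggregate report in the RFC 7489 Appendix C XML layout plus the `receiver!policy-domain!begin!end.xml` filename, parses an outbound SMTP log, guesses which RFC5321.To domains the reporter serves by matching MX hostnames against the org name, contact e-mail domain and filename prefix, and then compares per-(source IP, MailFrom, From) counts inside the report window. The report, the filename, the log lines and the space-separated log format are all constructed for the example; the constructed log deliberately contains a delivery to a tenant domain (`client.example`) hosted on the reporter's MX, which shows up as a count discrepancy exactly as the message above predicts.

```python
"""Reconcile a DMARC aggregate report with an outbound SMTP log (constructed data)."""
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

# Constructed aggregate report, RFC 7489 Appendix C layout. Window = 2022-11-11 UTC.
REPORT_XML = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-noreply@receiver.example</email>
    <report_id>constructed-1</report_id>
    <date_range><begin>1668124800</begin><end>1668211199</end></date_range>
  </report_metadata>
  <policy_published><domain>sender.example</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><envelope_from>bounce.sender.example</envelope_from><header_from>sender.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.11</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><envelope_from>bounce.sender.example</envelope_from><header_from>sender.example</header_from></identifiers>
  </record>
</feedback>
"""
# RFC 7489 section 7.2.1.1 filename: receiver!policy-domain!begin!end[!id].xml
REPORT_FILENAME = "receiver.example!sender.example!1668124800!1668211199.xml"

# Constructed outbound log (assumed format), one accepted delivery per line:
# time, source IP, 5321.MailFrom domain, 5322.From domain, 5321.To domain, MX host, SMTP code
SMTP_LOG = """\
2022-11-11T00:10:00Z 192.0.2.10 bounce.sender.example sender.example receiver.example mx1.receiver.example 250
2022-11-11T03:15:00Z 192.0.2.10 bounce.sender.example sender.example receiver.example mx2.receiver.example 250
2022-11-11T12:00:00Z 192.0.2.11 bounce.sender.example sender.example receiver.example mx1.receiver.example 250
2022-11-11T12:30:00Z 192.0.2.10 bounce.sender.example sender.example other.example mx.other.example 250
2022-11-11T15:00:00Z 192.0.2.10 bounce.sender.example sender.example client.example mx3.receiver.example 250
2022-11-12T09:00:00Z 192.0.2.10 bounce.sender.example sender.example receiver.example mx1.receiver.example 250
"""


def parse_report(xml_text, filename):
    root = ET.fromstring(xml_text)
    meta = root.find("report_metadata")
    return {
        "org": meta.findtext("org_name"),
        "email_domain": meta.findtext("email").rsplit("@", 1)[-1],
        "receiver_hint": filename.split("!")[0],  # some reporters put the 5321.To domain here
        "policy_domain": root.findtext("policy_published/domain"),
        "begin": int(meta.findtext("date_range/begin")),
        "end": int(meta.findtext("date_range/end")),
        "rows": [{
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "envelope_from": rec.findtext("identifiers/envelope_from"),
            "header_from": rec.findtext("identifiers/header_from"),
        } for rec in root.findall("record")],
    }


def parse_log(text):
    entries = []
    for line in text.splitlines():
        ts, ip, mfrom, hfrom, rcpt, mx, code = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append({"epoch": int(when.timestamp()), "ip": ip, "mfrom": mfrom,
                        "hfrom": hfrom, "rcpt": rcpt, "mx": mx, "code": code})
    return entries


def receiver_domains(report, log):
    """Guess which RFC5321.To domains this reporter serves: every recipient domain whose
    MX host sits under the org name, the contact e-mail domain or the filename prefix.
    This is the guesswork step, and it is where the holes come from."""
    hints = {report["org"], report["email_domain"], report["receiver_hint"]}
    return {e["rcpt"] for e in log
            if any(e["mx"] == h or e["mx"].endswith("." + h) for h in hints)}


def reconcile(report, log, our_domain):
    """Compare the reporter's per-(source IP, MailFrom, From) counts with what we
    logged as accepted (2xx) to the guessed domains inside the report window."""
    if report["policy_domain"] != our_domain:
        raise ValueError("report is not about our domain")  # consistency check, not authentication
    domains = receiver_domains(report, log)
    logged = Counter((e["ip"], e["mfrom"], e["hfrom"]) for e in log
                     if e["rcpt"] in domains and report["begin"] <= e["epoch"] <= report["end"]
                     and e["code"].startswith("2"))
    matched = []
    for row in report["rows"]:
        key = (row["source_ip"], row["envelope_from"], row["header_from"])
        matched.append({"key": key, "reported": row["count"],
                        "logged": logged.pop(key, 0), "disposition": row["disposition"]})
    # Anything left over was sent to this reporter but appears in no row at all.
    return {"receiver_domains": domains, "rows": matched, "unreported": dict(logged)}


if __name__ == "__main__":
    res = reconcile(parse_report(REPORT_XML, REPORT_FILENAME), parse_log(SMTP_LOG), "sender.example")
    for row in res["rows"]:
        print(row["key"], "reported", row["reported"], "logged", row["logged"], row["disposition"])
    print("guessed receiver domains:", res["receiver_domains"], "unreported:", res["unreported"])
```

On the constructed data the 192.0.2.10 row reports 2 messages while the log shows 3 to the guessed domains, because the `client.example` tenant behind `mx3.receiver.example` is (in this scenario) not evaluating DMARC and so never appears in the report; nothing in the report tells you which of the three it is. The `policy_domain` check only confirms the report claims to be about your domain; as Ale notes, an unsigned report can be forged, so a count that matches your log is not evidence of who sent the report.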