On 10/03/2024 05:34, Tim Wicinski wrote:
On Sat, Mar 9, 2024 at 10:33 PM OLIVIER HUREAU <[email protected]> wrote:
[...]

I would also add comment about the dmarc-fo ABNF :

dmarc-fo  = "0" / "1" / "d" / "s" / "d:s" / "s:d"

The FO paragraph (
https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-30.html#name-general-record-format)
explicitly states that there exist 3 kinds of failure reports :
- DMARC failure report.
- DKIM failure report.
- SPF failure report.

You got me going back to 7489 and the mail archives. First it appears we did have some discussion about this part of the ABNF https://mailarchive.ietf.org/arch/msg/dmarc/2TT-2WiNVwCXozBz0JYRI1F1qME/

However, with the current ABNF, we could only ask for "DMARC failure report" or ("DKIM failure report" and/or "SPF failure report")

Shouldn't we have an ABNF rule with all the possible permutations or a more generic one such as :

dmarc-fo = dmarc-fo-value *(":" dmarc-fo-value)
dmarc-fo-value = "0" / "1" / "d" / "s"

The wording for FO has changed to say "0", "1" OR a colon-separated list. Looking at the 7489 ABNF I am wondering if someone could say "fo=0:1:d:s"


Has anybody tried to request DKIM and/or SPF failure reports via the DMARC record?

Those failure reports can be requested in the apposite DNS records. I wonder what sense it makes to allow them to be requested via DMARC.

Allowing fo="0:1" is an obvious nonsense. For "d" and "s", the current OR syntax would be consistent if the meaning of the symbols, instead of the current ones, e.g. (my emphasis):

    d:  Generate a *DKIM* failure report if the message had a signature
       that failed evaluation, regardless of its alignment.  DKIM-
       specific reporting is described in [RFC6651].

were:

    d:  Generate a *DMARC* failure report if the message had a signature
       that failed evaluation, regardless of its alignment.  DKIM-
       specific reporting is described in [RFC6651].

That would restrict fo= to just express /when/ to generate a DMARC failure report to ruf=, where ruf= is the address for /DMARC/ failure reports. The address for DKIM failure reports is specified in the ra= tag found at _report._domainkey.example.com.


Best
Ale
--




_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
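
As an added example (not part of the original message or of the draft), this Python sketch compares the two ABNF rules quoted in the thread and shows which fo= values each one accepts. It implements the rules exactly as quoted above, without any optional whitespace, and the sample values are constructed.

```python
import re
from itertools import permutations

# Rule quoted in the thread from the draft: a fixed, enumerated set.
#   dmarc-fo = "0" / "1" / "d" / "s" / "d:s" / "s:d"
ENUMERATED = {"0", "1", "d", "s", "d:s", "s:d"}

# Generic rule proposed in the thread:
#   dmarc-fo       = dmarc-fo-value *(":" dmarc-fo-value)
#   dmarc-fo-value = "0" / "1" / "d" / "s"
GENERIC = re.compile(r"[01ds](?::[01ds])*", re.IGNORECASE)


def matches_enumerated(value: str) -> bool:
    # ABNF quoted literals are case-insensitive (RFC 5234), hence lower().
    return value.lower() in ENUMERATED


def matches_generic(value: str) -> bool:
    # fullmatch: the whole value must be a colon-separated option list.
    return GENERIC.fullmatch(value) is not None


def newly_accepted(candidates):
    """Values the generic rule accepts but the enumerated rule rejects."""
    return [v for v in candidates
            if matches_generic(v) and not matches_enumerated(v)]


def distinct_lists():
    """Every colon-separated list of distinct options, in every order."""
    return [":".join(p) for k in range(1, 5)
            for p in permutations("01ds", k)]


if __name__ == "__main__":
    # Constructed sample values, including the ones raised in the thread.
    samples = ["0", "d:s", "1:d:s", "0:1", "0:1:d:s", "d:d", "d,s", ""]
    for v in samples:
        print(f"fo={v!r:10} enumerated={matches_enumerated(v)!s:5} "
              f"generic={matches_generic(v)}")
    lists = distinct_lists()
    print(len(lists), "distinct lists;",
          len(newly_accepted(lists)), "accepted only by the generic rule")
```

The generic rule also accepts repeated options such as "d:d", so a parser built on it needs its own policy for duplicates and for the "0:1" combination discussed above.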