On Tue 08/Oct/2024 02:07:00 +0200 Steven M Jones wrote:
On 9/30/24 10:53, Alessandro Vesely wrote:
On Sun 29/Sep/2024 23:16:46 +0200 Murray S. Kucherawy wrote:
In Section 4.7, just out of curiosity, how much have we observed use of the
"fo" tag in the wild?
...
In fact, RFCs 6651/2 provide their own ra= tags to specify a reporting
address, so if fo= only uses "d" and "s" values, it would make sense to set
fo= without ruf=.
Requiring ruf= makes sense only if the only reports considered are those
described in dmarc-failure-reporting.
The following figures are for validly-formatted DMARC policies observed in DNS
before and after June 2024*, that included the "fo=" tag with a value specified
in RFC7489.
"fo=" Tag    Total Records    Records w/o "ruf" tag
fo=1             6,753,358                  442,976
fo=0               563,852                  347,126
fo=s                17,787                    3,237
fo=d                 5,885                      691
The total (7,340,882) is a bit less than one third of all validly-formatted
DMARC policies observed in DNS before and after June 2024.
Nice one Steve, thank you.
I'd guess those records in the right column are from operators mistakenly
forgetting to put the address where records are to be sent. A way to prove it
would be to check how many of the 3,237 fo=s domains w/o ruf= have a ra= tag in
their SPF records, or how many of the 691 fo=d domains w/o ruf= do publish a
TXT record containing ra= in their _report._domainkey subdomain. I'd guess none.
Failure reports may be caused by SPF or DKIM failures. Their formats differ in
that SPF-DNS is only required for SPF failure, while DKIM-Domain,
DKIM-Identity, DKIM-Selector, DKIM-Canonicalized-Header and
DKIM-Canonicalized-Body only make sense in case of DKIM failure. Thus it makes
sense to call them "SPF failure report" and "DKIM failure report" in the DMARC
context, referring to the formats which are defined in such context.
Best
Ale
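
The check proposed in the message above, as an added Python example (not code from the thread): for DMARC records with fo=s or fo=d and no ruf=, look for an ra= tag in the SPF record (RFC 6652) or at _report._domainkey (RFC 6651). The ZONE dictionary stands in for DNS TXT lookups; its domains and records are constructed, and the function names are hypothetical.

```python
# Constructed sample data (not real domains' records): DNS name -> TXT strings.
ZONE = {
    "_dmarc.a.example": ["v=DMARC1; p=none; fo=s"],
    "a.example": ["v=spf1 mx ra=spf-reports -all"],
    "_dmarc.b.example": ["v=DMARC1; p=reject; fo=d"],
    "_report._domainkey.b.example": ["ra=dkim-reports; rr=all"],
    "_dmarc.c.example": ["v=DMARC1; p=quarantine; fo=d:s"],
    "c.example": ["v=spf1 a -all"],
    "_dmarc.d.example": ["v=DMARC1; p=none; fo=1; ruf=mailto:fail@d.example"],
}


def parse_tags(record, sep=";"):
    """Parse a tag=value list into a dict; sep=None splits on whitespace (SPF terms)."""
    tags = {}
    for part in record.split(sep):
        name, eq, value = part.strip().partition("=")
        if eq:
            tags[name.strip().lower()] = value.strip()
    return tags


def has_ra(txts, sep):
    """True if any of the TXT strings carries a non-empty ra= tag."""
    return any(bool(parse_tags(t, sep).get("ra")) for t in txts)


def survey(zone):
    """List (domain, fo value, ra= found) for DMARC records with fo=s/d but no ruf=."""
    rows = []
    for name in sorted(zone):
        if not name.startswith("_dmarc."):
            continue
        domain = name[len("_dmarc."):]
        for tags in map(parse_tags, zone[name]):
            if tags.get("v") != "DMARC1" or "fo" not in tags or "ruf" in tags:
                continue
            for fo in (v.strip().lower() for v in tags["fo"].split(":")):
                if fo == "s":  # SPF reporting: ra= modifier in the SPF record (RFC 6652)
                    spf = [t for t in zone.get(domain, []) if t.lower().startswith("v=spf1")]
                    rows.append((domain, fo, has_ra(spf, None)))
                elif fo == "d":  # DKIM reporting: ra= at _report._domainkey (RFC 6651)
                    txts = zone.get("_report._domainkey." + domain, [])
                    rows.append((domain, fo, has_ra(txts, ";")))
    return rows


if __name__ == "__main__":
    for row in survey(ZONE):
        print(*row)
```

Rows whose last field is False are the domains that set fo= with no ruf= and no alternative reporting address either.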