The authenticated identifier likely corresponds to the submitter in
the Subject: and the <org_name> in the data, but I don't recall it's
required to be that way.

The <policy_published> should correspond to the Report domain in the
Subject: and to the identifiers reported in the data for legit direct
mail.

Note that reporters are not required to disclose the domain which
received the messages, for example messages to Gmail are reported by
Google.

If I registered some spammer-domain and sent aggregate reports to
[email protected] with
- spammer-domain alignment
- Subject: Report Domain: dmarc.ietf.org ...
- and a policy_published domain dmarc.ietf.org in its XML payload,
would anyone, who actually looks at aggregate report data, recognize
that they are fake? Are there tools which could? For example, parsedmarc
discards reports which have no organization name, or whose covered time
span is too large. But it does not recognize a fake payload, and its
output does not include mail transport information, so one cannot even
check manually.
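
As an added example (not part of the original message, and not parsedmarc code): a minimal Python check that keeps the authenticated identifier of the transporting mail next to the parsed payload and compares it with the Subject: and <report_metadata> fields discussed above. The function names, the sample message and the example.org / reporter.example / unrelated.example domains are constructed, and it assumes the only Authentication-Results header present is the one added by the receiving MTA.

```python
import re
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input
from email import message_from_string

def authenticated_domains(msg):
    """Domains from dkim=pass header.d / spf=pass smtp.mailfrom. Assumes the only
    Authentication-Results header present is the one added by your own MTA."""
    found = set()
    for ar in msg.get_all("Authentication-Results", []):
        found.update(d.lower() for d in re.findall(
            r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", ar))
        found.update(d.lower() for d in re.findall(
            r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", ar))
    return found

def related(a, b):
    """Crude alignment without a public suffix list: equal or parent/child."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_report(raw_email, xml_payload):
    msg = message_from_string(raw_email)
    subject = " ".join(msg.get("Subject", "").split())
    m = re.search(r"Report Domain:\s*(\S+)\s+Submitter:\s*(\S+)", subject, re.I)
    report_domain, submitter = (s.lower() for s in m.groups()) if m else ("", "")
    root = ET.fromstring(xml_payload)
    text = lambda path: (root.findtext(path) or "").strip()
    policy_domain = text("policy_published/domain").lower()
    contact_domain = text("report_metadata/email").lower().rpartition("@")[2]
    auth = authenticated_domains(msg)
    findings = []
    if policy_domain != report_domain:
        findings.append("policy_published domain differs from Subject Report Domain")
    if not any(related(d, submitter) for d in auth):
        findings.append("authenticated identifier does not match Subject Submitter")
    if not any(related(d, contact_domain) for d in auth):
        findings.append("authenticated identifier does not match report_metadata email")
    # Keep the transport identity next to the payload so a human can check it later.
    return {"org_name": text("report_metadata/org_name"),
            "authenticated": sorted(auth), "findings": findings}

# Constructed sample: payload and Subject agree, but the mail authenticated as another domain.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.org; dkim=pass header.d=unrelated.example;
 spf=pass smtp.mailfrom=bounce@unrelated.example
Subject: Report Domain: example.org Submitter: reporter.example Report-ID: <1>

"""
SAMPLE_XML = """<feedback><report_metadata><org_name>Reporter Inc</org_name>
<email>reports@reporter.example</email></report_metadata>
<policy_published><domain>example.org</domain></policy_published></feedback>"""
```

A finding here is only a prompt for manual review; these checks say nothing about whether the counts in the payload are true.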