I regularly get reports from nore...@dmarc.yahoo.com, that are DKIM signed by yahoo.com, on behalf of all the other yahoo ccTLDs and their other domains.
The "Submitter" field in the subject identifies the domain the report is from, and the attachment filename starts with this same domain as well (e.g. yahoo.no).

But how can I know that nore...@dmarc.yahoo.com speaks on behalf of yahoo.no, aol.com, rocketmail.com, etc.?

2.5.2 Email defines the attachment filename to start with "receiver", the domain of the Mail Receiver, and that the subject shall include "Submitter:", the domain of the report generator.

It also says:

    Email streams carrying DMARC feedback data MUST conform to the DMARC mechanism, thereby resulting in an aligned "pass" (see Section 3.1). This practice minimizes the risk of report consumers processing fraudulent reports.

Presumably the domain in the From address should also align with the identifier in the filename and the "Submitter:" part of the Subject.

That seems to be the only way to guard against dmarc@attacker.example setting up DMARC and submitting fraudulent reports on behalf of any other domain, is it not?

Is this mentioned someplace else, or do we have a defect? If so, does it merit fixing, and how?

Maybe inject a sentence before the 'This practice ...' part of the quoted text, above:

    Additionally, the Authenticated Identifier MUST also align with the stated "Submitter" in the subject, and the "receiver" part of the filename.

Daniel K.
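A report consumer could apply the alignment rule proposed in the message above as follows. This is an added example, not part of the original post or of any DMARC implementation. It assumes DMARC has already passed for the message (so the From domain is the authenticated identifier), uses a last-two-labels stand-in for the organizational domain, and all sample addresses are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # ASSUMPTION: the last two labels stand in for the organizational domain;
    # a real consumer would consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def claimed_identities(raw):
    """Return (from_domain, submitter, filename_receiver) of a report mail."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    m = re.search(r"Submitter:\s*(\S+)", msg.get("Subject", ""), re.I)
    submitter = m.group(1).lower() if m else None
    receiver = None
    for part in msg.walk():
        name = part.get_filename()
        if name and "!" in name:
            # Filename layout: receiver!policy-domain!begin!end.ext
            receiver = name.split("!", 1)[0].lower()
            break
    return from_domain, submitter, receiver

def submitter_aligned(raw):
    """True only if Submitter and filename receiver align with the From domain.
    Assumes DMARC already passed, so From is the authenticated identifier."""
    from_domain, submitter, receiver = claimed_identities(raw)
    if not (from_domain and submitter and receiver):
        return False  # a missing claim is treated as a failure
    return org_domain(submitter) == org_domain(receiver) == org_domain(from_domain)

def sample(from_addr, submitter):
    # Constructed test message; addresses, domains and Report-ID are made up.
    return (f"From: {from_addr}\n"
            f"Subject: Report Domain: example.org Submitter: {submitter} "
            "Report-ID: <1.2.3>\n"
            "Content-Type: application/gzip\n"
            "Content-Disposition: attachment; "
            f'filename="{submitter}!example.org!1700000000!1700086400.xml.gz"\n'
            "\n")

if __name__ == "__main__":
    for sender, sub in [("dmarc@reports.receiver.example", "receiver.example"),
                        ("dmarc@attacker.example", "receiver.example")]:
        print(sender, sub, submitter_aligned(sample(sender, sub)))
```

Under this rule, a report sent from an address at dmarc.yahoo.com with Submitter yahoo.no also fails the check, since the two names do not share an organizational domain.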