On Tue 01/Jul/2025 13:18:09 +0200 Alessandro Vesely wrote:
On Mon, Jun 30, 2025 at 2:45 PM Murray S. Kucherawy <[email protected]> wrote:
[...]
Wouldn't DKIM error detection satisfy the need in this situation? Why do we
need failure reporting at both levels?
[...]
Albeit less honored than rua= requests, failure reports are still the most
successful of all the RFC 5965 derived instances, IME.
I thought I would corroborate this statement by querying dnswl.org subscribers
again. This time I also queried for DKIM, SPF and their respective error
reporting requests, as specified by RFCs 6651/2. The script is not perfectly
accurate, as it relies on an optional tag for RFC 6651, for example (body of
the loop below.) However, I think the averages are mostly correct.
Here are the results:
domain.list: 23488 records
16972 DMARC records (72.26%)
13178 rua reporting (56.11%)
8631 ruf reporting (36.75%)
17999 dkim (76.63%)
14 dkim reporting ( 0.06%)
21900 spf (93.24%)
10 spf reporting ( 0.04%)
Maybe the ability to outsource report analysis played a role. But the 51.42%
of ruas and 57.12% of rufs that only direct reports to their own domain (data
posted on June 16th[*]) suggest that is not the only reason.
Best
Ale
--
[*] https://mailarchive.ietf.org/arch/msg/dmarc/oFNGmCVp5jtNjDSubkUW6twg7bE
----- begin body of the query script loop -----
((++total))
record=$(dig +short "_dmarc.$domain" txt | grep -E 'v *= *DMARC1')
if [ -n "$record" ]; then
((++dmarc))
case "$record" in *+( |;)rua*( )=*) ((++rua));; esac
case "$record" in *+( |;)ruf*( )=*) ((++ruf));; esac
fi
record=$(dig _domainkey.$domain | sed -rn 's/^;; ->>HEADER<<- opcode: QUERY,
status: ([A-Z]*), id: [0-9]*/\1/p')
if [ "$record" = "NOERROR" ]; then
((++dkim))
fi
record=$(dig +short "_report._domainkey.$domain" txt | grep -E 'ra *=')
if [ -n "$record" ]; then
((++dkim_r))
fi
record=$(dig +short "$domain" txt | grep -E 'v *= *spf1')
if [ -n "$record" ]; then
((++spf))
case "$record" in *+( |;)ra*( )=*) ((++spf_r));; esac
fi
----- end body of the loop -----
_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]
