>> any way to tell the difference.  If it mattered, I'd suggest adding
>> a tag in the record saying which sort of name the record applies
>> to, with multiple records if need be.
>
>+1, how about Discovery-Origin?

Seems a bit prolix when the other tags are r= and ru=, but whatever.

>However, I'm skeptical about MTA rDNS.  It is not the same level of
>domain that one would expect in DKIM d= and the domain-part of an
>address.  If we include host-X.example.com as a possible discovery
>domain, we should also allow helo-names.

I can tell you from extensive experience that I find host rDNS useful
for identifying the guilty party, and HELO useless since there is no
way to tell whether the HELO has any connection to the actual sender.

>Good question.  Where did you get "Gmail" from? :-)  Perhaps, the
>following could be added, e.g. as a fourth paragraph, in section 5:
>
>  A feedback consumer who wishes to receive feedback from a
>  generator, may also query the domains it targets.  For example, an
>  MTA sending mail to [email protected] may want to query
>  _report.example.org in order to ascertain under what conditions it
>  can have generated feedback sent back to it.

This scales very poorly.  Having set up a variety of people on various
shared commercial mail hosts, I can report that the host tells the
customer what MX records to use, and the customer more or less painfully
configures them into his DNS.  The customers are not going to add _report
records.

I think that the MX is the best of a bad lot for identifying a report
generator.  The MX hosts are under the control of the actual mail
system, and the number of MXes per system is reasonably small, at
least compared to the number of mail domains they might host.

>> In 5.4, I would suggest specifically limiting the kind of URIs that
>> the fields can include, unless someone is prepared to explain what
>> to do if you see ru=nntp:news.example.com.
>
>How about fax:+12024562461?  Currently, URIs are meant to be used
>interactively, so users can decide on their own.

Some URIs are used interactively, some aren't.  I know I would have
very little interest in a feedback system that asked me to fax in
the reports, or do anything other than mail or POST them.

>> Sec 9, security, the obvious problem is that a malicious sender can
>> publish "rp=o [email protected]" and indirectly mailbomb people.
>
>Should that be equivalent to a redirection?

No, it might be real and it might not be.  The point is that for this
not to be a DDoS vector, there needs to be some way to validate the
address before sending it reports.

R's,
John
_______________________________________________
marf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/marf
