Re: [dmarc-ietf] DMARC'ed reports, was Forensic report loops are a problem

Douglas Foster <> Tue, 02 February 2021 02:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2B6CA3A16B2 for <>; Mon, 1 Feb 2021 18:32:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Ww0YvOke3dFZ for <>; Mon, 1 Feb 2021 18:32:00 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::e33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DBFE93A16BC for <>; Mon, 1 Feb 2021 18:31:59 -0800 (PST)
Received: by with SMTP id q23so3842527vsg.4 for <>; Mon, 01 Feb 2021 18:31:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=Kgm6Rxewtr85wGcOYt9+DXyFJ+N1u1f9ZUtjfErl9Cg=; b=L+GqIIZ63Efe98nbeY68P5EnHAVvxnLkOi+zXv/TuPPoIaSlYpls0utf9ZZL5X+fZY KzParKMdYNcp06Fa9QTEDP0b6+nYqLX8Hs4lpmk3cV1hHAGXbbRT89ev3CNIY4gDoiGx 1Fg9ZJ2E8Vsd3QewrEEPqRMUNoKHV7aHbHQQnEauT1wGalP61KTMgmDyMZFtJAA6dYvk gYFHHkLB8wf6ICSRGFIs/cXKv/a+cbEWGI/H7jK/W1ZnDvppoFM8ar1a75qU2MXHh5kl BYdvgTlmmzaLlx75G/dAMQhEoHXfgD8jG/UgdlX7YjP3dwDixxpsmDXWs/ndkdWZpnrn J99Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=Kgm6Rxewtr85wGcOYt9+DXyFJ+N1u1f9ZUtjfErl9Cg=; b=eIqyroczqO7qmLrwel8D5K+qgGsex0lTaxw87vAJkfr85hYk+QooFaOe2A2orCF5tS 4hK7SPQmVdJUQXeNXr57c8vVpE8NGCs2krbC9vhp21xuqd/11lCXn0Y/hffCr5L6v5zG CwKhxgdir5+/did3gdD5ztqYdQtdZRjwFCML42IeEWc3JeHNQ1Ix9N1FsL1pf9TN3qmr 6lyxqsrZS0P3KxvrYdd7SWeWB7UjJa2g4SCKRL3tTwR/OwBtoy+9Q1/S+7+9iBxOtycF JXMikS3jX/J7vUKcFkbqxFVak66OXE/m+5ikNAxnJ9DF+BtbXwP7QEM8K0+0M+KDulp/ aJVw==
X-Gm-Message-State: AOAM5329vgtlvQJx/ViDRDsPA9R58tAXU5Ls/0z7HWiWiMsQi44bn5mv JF1IJY3wnUUit8LuYw6rCgswGdIMSAptBRnZrp+i+OsKSo4=
X-Google-Smtp-Source: ABdhPJx3MFCIcZk5t/yKrVYjnRdjih9AZvyYWbXMQfjG9LyJzzQJ1Aqp9mXYa4mEvfXA1PfhCFuBl6iIA1FRyex7hs4=
X-Received: by 2002:a67:87c2:: with SMTP id j185mr10854004vsd.25.1612233118619; Mon, 01 Feb 2021 18:31:58 -0800 (PST)
MIME-Version: 1.0
References: <20210201232105.1931D6D20971@ary.qy> <> <> <> <> <> <>
In-Reply-To: <>
From: Douglas Foster <>
Date: Mon, 1 Feb 2021 21:31:48 -0500
Message-ID: <>
Content-Type: multipart/alternative; boundary="000000000000549a5905ba51466c"
Archived-At: <>
Subject: Re: [dmarc-ietf] DMARC'ed reports, was Forensic report loops are a problem
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Feb 2021 02:32:05 -0000

Michael, let it go.

If someone stops you to say "your zipper is down", you will not ask them
for proof of identity, you will excuse yourself and investigate the
problem.   By my reckoning, DMARC reports are a lot like that.

Source Alpha says, "Server X is sending unauthenticated mail for Domain
Y."   Several possbilities exist:
- You already distrust information coming from Source Alpha, so you reject
or discard the information.
- You already have enough data to investigate, so you ignore this report.
- You decide to investigate this report, which produces one of three
     - Server X has a problem, and you fix it.
     - Server X is not your server, so you confirm that it is not your
     - Source Alpha is wrong, so you add a rule to reject or discard future
reports from that source.

I do not see any reason for a DMARC report to flow indirectly, so I would
be suspicious of any reports that appeared to come that way.   This means
all I really need is an SPF PASS.

But I do not need positive identification of the source.

On Mon, Feb 1, 2021 at 9:13 PM Michael Thomas <> wrote:

> On 2/1/21 6:05 PM, Dave Crocker wrote:
> On 2/1/2021 5:58 PM, Michael Thomas wrote:
> This, on the other hand, should be measurable. Saying that we should
> ignore authentication requirements should require extraordinary proof that
> it is needed for practical as well as security reasons. The burden of proof
> is on the nay-sayers, especially since it is so trivial to implement these
> days.
> Or perhaps:
> 1. Barrier to adoption, for something that supposedly needs a lot more
> adoption
> 2. Doesn't seem to make much difference.
> I'd class those as suggesting rather strongly that the burden is on those
> that want to impose the barrier, rather than those who don't.
> The problem with arbitrarily claiming a requirement, without justify it
> carefully and in a balanced matter is that it is, well, arbitrary.
> Because we all know how well unauthenticated data worked out for email. I
> fail to see why anybody would be in favor of digesting unauthenticated data
> when the method of authenticating it is trivial and well known. It's an
> extraordinary claim that needs to be backed up. But you don't need to
> convince me; you need to convince the security AD's and cross area
> reviewers.
> Mike
> _______________________________________________
> dmarc mailing list