Re: [dmarc-ietf] DMARC'ed reports, was Forensic report loops are a problem

John R Levine <johnl@taugh.com> Tue, 02 February 2021 01:38 UTC

Date: 1 Feb 2021 20:38:46 -0500
Message-ID: <92b361a1-d9a5-9389-46b-3725d885c02@taugh.com>
From: "John R Levine" <johnl@taugh.com>
To: "Dave Crocker" <dcrocker@gmail.com>
Cc: dmarc@ietf.org
In-Reply-To: <41163cd5-be81-6fd7-07dd-7a474874429e@gmail.com>
References: <20210201232105.1931D6D20971@ary.qy> <41163cd5-be81-6fd7-07dd-7a474874429e@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/9zXyCYeNNCoM1tGWFIur_LUOohk>
Subject: Re: [dmarc-ietf] DMARC'ed reports, was Forensic report loops are a problem
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>

On Mon, 1 Feb 2021, Dave Crocker wrote:

> On 2/1/2021 3:21 PM, John Levine wrote:
>> I find it hard to believe that if you are going to enough effort to
>> maintain the data to create and send reports, you can't figure out how
>> to install an SPF record for your reporting domain.
>
> Except that the tracking/reporting functions are completely separate from the 
> 'signing' side of DMARC and could easily be different parts of a company.

I took a look at my aggregate reports.  The DMARC policies of the senders 
are all over the place, some none, a few quarantine, some reject, a few 
small sites (trouble.is, gspam.co.il) have no DMARC record, one has 
neither SPF nor DMARC (itdseciron04.utep.edu). I'd say about 3/4 of the 
reports have DKIM signatures, the rest that have SPF records are aligned.

One was from MAILER-DAEMON@esa1.hc1512-92.c3s2.iphmx.com and 
esa1.hc1512-92.c3s2.iphmx.com indeed has an SPF record.

So I would say that from my small sample, a lot of people have figured out 
how to send aligned reports, either by using their regular signing engines 
or with an SPF record for the host that sends the reports.  On the other 
hand, for reasons we've discussed that are evident to anyone familiar with 
DMARC, there's little reason to worry about fake reports, and 
authentication doesn't help even if there were.

If we want to document existing practice, I guess we would say that 
reports should be authenticated and aligned if practical, but it's OK to 
send them if not.

R's,
John

PS: Does anyone have a contact at antispamcloud.com aka hosteurope.de? 
They send a lot of impressively broken failure reports.
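
The kind of tally described in the message above, sketched as an added example that is not part of the original post or the author's tooling: it classifies received report mails as DKIM-aligned, SPF-aligned or unaligned under relaxed DMARC alignment. The sample messages, the five-entry suffix set standing in for the Public Suffix List, and the regex-based reading of `Authentication-Results` are all assumptions made for illustration.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; a real check needs the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "edu", "co.il"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def classify(raw):
    """Return 'dkim-aligned', 'spf-aligned' or 'unaligned' for one report mail."""
    msg = message_from_string(raw)
    target = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    # Only Authentication-Results headers added by your own border MTA are
    # trustworthy; this sketch assumes foreign ones were already stripped.
    ar = " ".join(msg.get_all("Authentication-Results", []))
    dkim = re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", ar)
    spf = re.findall(r"spf=pass\b[^;]*?smtp\.(?:mailfrom|helo)=([\w.@-]+)", ar)
    if any(org_domain(d) == target for d in dkim):
        return "dkim-aligned"
    if any(org_domain(s.rpartition("@")[2]) == target for s in spf):
        return "spf-aligned"
    return "unaligned"

# Constructed sample report mails (headers only), using reserved example domains.
SAMPLES = [
    "From: reports@example.com\nAuthentication-Results: mx.rcvr.example; "
    "dkim=pass (2048-bit key) header.d=example.com; spf=none\n\n",
    "From: noreply@rpt.example.org\nAuthentication-Results: mx.rcvr.example; "
    "dkim=none; spf=pass smtp.mailfrom=bounce@rpt.example.org\n\n",
    "From: dmarc@example.edu\nAuthentication-Results: mx.rcvr.example; "
    "dkim=pass header.d=esp.example.net; "
    "spf=pass smtp.mailfrom=bounce@esp.example.net\n\n",
    "From: MAILER-DAEMON@esa1.example.co.il\nAuthentication-Results: "
    "mx.rcvr.example; dkim=none; spf=pass smtp.helo=esa1.example.co.il\n\n",
]

def tally(messages):
    """Count report mails per alignment class."""
    return Counter(classify(m) for m in messages)

if __name__ == "__main__":
    print(tally(SAMPLES))
```
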