Re: [dmarc-ietf] Recipient domain in aggregate reports (#23)

[Todd Herr <todd.herr@valimail.com>]

On Wed, Apr 28, 2021 at 9:22 PM Douglas Foster <
dougfoster.emailstandards@gmail.com> wrote:

> I understand that additional detail might make the reporting effort
> unacceptable to the big organizations that are creating them, and this
> reason alone may prevent alternatives.
>
> It seems that the potential uses for reports are:
> - Identifying and fixing my own infrastructure problems
> - Celebrating when the reports show that I have no new infrastructure
> problems.
> - Celebrating when malicious impersonators are blocked.
> - Learning about non-malicious impersonators that must be tolerated.
> - Identifying delivery problems that warrant a conversation with the
> recipient organization.
>

I believe all of those things are already possible with the aggregate
report as it is now, with no need to list the recipient domains. For any
set of X domains hosted at provider Y, I would expect DMARC validation
results (i.e., pass or fail) to be consistent across all X domains at that
provider.

>
> I cannot successfully call a recipient help desk and ask them why they are
> blocking my messages.   Instead, I need a message recipient to call his
> help desk and ask why he is not getting my messages, and that subscriber
> might be happy to be asked for assistance    Navigating from a server IP
> address to a known subscriber might be no easy feat, while navigating from
> a server IP and target domain to that subscriber would be easier.
>

I read this and I perceive that you are assuming that DMARC failures will
be the only reason for mail to be rejected, and that all mail that passes
DMARC checks will be accepted. Neither of those assumptions are necessarily
true, and many if not most delivery problems will be independent of DMARC.
DMARC allows for reliable association of an identity and its accumulated
reputation with a mail message, and it's that accumulated reputation that
will drive whether or not the message is delivered.

>
>
> In short, what are the expected uses of the RUA reports?   Are there any
> intended purposes other than fixing my own infrastructure configuration?
>

Regardless of what the original intent of the aggregate reports might've
been, for all practical purposes they're only valuable for auditing one's
own authentication practices and configuration, in my opinion. It's
actually a perhaps underappreciated feature of DMARC, in that one can use
DMARC at p=none to conduct a full and complete audit simply by consuming
aggregate reports over time and addressing problems with one's own mail
streams that the reports might show. Once enough time has passed and the
report consumer is sure that all of its mail streams have been reported
upon and are properly authenticating, the domain owner can publish a more
strict policy (p=quarantine or p=reject) if it so chooses. For
authentication failures shown in the reports that are the result of mail
the domain owner did not send, I haven't yet met an abuse desk that will
act on anything other than headers (assuming that they'll act at all), so
it's not actionable data. The value in this subset of the data really lies
in seeing that such mail ends up failing to reach its destination once the
domain owner changes its policy to something stronger than p=none and
report generators start to honor that policy.


-- 

*Todd Herr* | Sr. Technical Program Manager
*e:* todd.herr@valimail.com
*m:* 703.220.4153

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.