Re: [dmarc-ietf] DMARC'ed reports, was Forensic report loops are a problem

Michael Thomas <> Tue, 02 February 2021 02:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 49B103A167D for <>; Mon, 1 Feb 2021 18:13:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KPS81vlBFJld for <>; Mon, 1 Feb 2021 18:13:18 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 284363A169A for <>; Mon, 1 Feb 2021 18:13:11 -0800 (PST)
Received: by with SMTP id j11so8975122plt.11 for <>; Mon, 01 Feb 2021 18:13:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=fluffulence; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=DL3SR1Vg2+NmXfJEAyRkECBQinXWn+4jQBxV5scW4uk=; b=ZhRXypH8JvF1ObY42Zm1DwG/6oRu7X3wWyM+Y905aOZP3pwC8r7lGLX71sXP/XIRsy xYa7KmQoOpPAeEyjDgHStBB5EX62j+c4f1YJ5+KK0dYjnRWyyYTaQG2zaAyg87Sl0j5B YvW17ncSrzjt4l1xs794c8YFqL+BPgi8GIuHoDAMuqyc4DSub1Z9O7sILLeWK8CtQmU5 7CRI9THfX/6ukZqt0NsZK76TJAuttEeo9LRPOT0FBodCisonlI8293abpnXulimMMZQR kgjYAqLWfEHaKBgIuIDWLyeEEUAMFeS9AQ6vO+y9hotneM4qxp8EZHqs0974c4ZR++ez 4+xg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=DL3SR1Vg2+NmXfJEAyRkECBQinXWn+4jQBxV5scW4uk=; b=KycxJ/cixCy+DLvBX54nltJkF+kv8gYeEiWSAXEbY7RjjsPUcEYNH8KKjEs8d9I5gV biq5x8WqcBCJO5sw5MeEfgHb80821VAokZEvMo9qw5psJ2DOZBfBDDTnX0cizBRv5Vnv UuNAhlDWo9Old7beZZFRpqZU72ORS93SaDld8v58f4XPwIzP0C0/fW1akVAi7QL57epU zUihwsfOjYD8buqLeaCZyNchzWkU/Jz3B7bMj5LBX8TinRI6PlabwLUXDUqd3xAbQQNG JzG++dthdBg6UOMqwutIWT6z/7XhyHzKA447J5DQPzoGDh6fzXjsQ2ddWSHe2H2UBamV 9e0w==
X-Gm-Message-State: AOAM531osNBdS7caIzS4GRMMZv+oM3Ofz4D9eOOH1Qg5fabsyBVSqdf/ u7ylh0aNaCjCV0H8IdcCilTvVnyLASeIpg==
X-Google-Smtp-Source: ABdhPJyn3eNZi8u4KURSffISs6R+S6d7fzsRsvfCTN98dNI7T8+ldwpgpIIugRy/ItReor9elsE6XA==
X-Received: by 2002:a17:90a:cc03:: with SMTP id b3mr1857430pju.2.1612231990277; Mon, 01 Feb 2021 18:13:10 -0800 (PST)
Received: from mike-mac.lan ( []) by with ESMTPSA id lw4sm90049pjb.16.2021. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 01 Feb 2021 18:13:09 -0800 (PST)
To: Dave Crocker <>,
References: <20210201232105.1931D6D20971@ary.qy> <> <> <> <> <>
From: Michael Thomas <>
Message-ID: <>
Date: Mon, 1 Feb 2021 18:13:08 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------C37EAD52443BDAABC2B2A940"
Content-Language: en-US
Archived-At: <>
Subject: Re: [dmarc-ietf] DMARC'ed reports, was Forensic report loops are a problem
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Feb 2021 02:13:20 -0000

On 2/1/21 6:05 PM, Dave Crocker wrote:
> On 2/1/2021 5:58 PM, Michael Thomas wrote:
>> This, on the other hand, should be measurable. Saying that we should 
>> ignore authentication requirements should require extraordinary proof 
>> that it is needed for practical as well as security reasons. The 
>> burden of proof is on the nay-sayers, especially since it is so 
>> trivial to implement these days. 
> Or perhaps:
>     1. Barrier to adoption, for something that supposedly needs a lot
>     more adoption
>     2. Doesn't seem to make much difference.
> I'd class those as suggesting rather strongly that the burden is on 
> those that want to impose the barrier, rather than those who don't.
> The problem with arbitrarily claiming a requirement, without justify 
> it carefully and in a balanced matter is that it is, well, arbitrary.
Because we all know how well unauthenticated data worked out for email. 
I fail to see why anybody would be in favor of digesting unauthenticated 
data when the method of authenticating it is trivial and well known. 
It's an extraordinary claim that needs to be backed up. But you don't 
need to convince me; you need to convince the security AD's and cross 
area reviewers.