Re: [dmarc-ietf] spec nit - subdomains reporting clarity

Дилян Палаузов <dilyan.palauzov@aegee.org> Tue, 02 July 2019 10:26 UTC

Return-Path: <dilyan.palauzov@aegee.org>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C754A120044 for <dmarc@ietfa.amsl.com>; Tue, 2 Jul 2019 03:26:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (4096-bit key) header.d=aegee.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z344sVSrOGz7 for <dmarc@ietfa.amsl.com>; Tue, 2 Jul 2019 03:26:05 -0700 (PDT)
Received: from mail.aegee.org (mail.aegee.org [144.76.142.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 657C912006B for <dmarc@ietf.org>; Tue, 2 Jul 2019 03:26:05 -0700 (PDT)
Authentication-Results: mail.aegee.org/x62APqR8001098; auth=pass (LOGIN) smtp.auth=didopalauzov
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aegee.org; s=k4096; t=1562063156; i=dkim+MSA-tls@aegee.org; r=y; bh=T3dApzY0vcQYClUjLoB4rooZOYCdWkSu6r4Rn6j9l7Q=; h=Subject:From:To:Cc:Date:In-Reply-To:References; b=VKFSqTV7DXTFJhUuWjOXbmprIMuTpQUIToNcrhXF+amPe41wQYodYqjjmm7u1q/mE EPL1x91ekrx/QdD+Z+D+OcO1UZfWIdf7a5p7xBrQc1Fhg4q4DCa9sF6KWsH/ni3a4b 4vWept9gDZq7pptxJq4LEkSBzlrNfO5ElCdOEtWjoJV2sCehGtcxxICl3+XYEp9HQ4 HKqQ3+B+80GJQ6NDyhhmFHYNV+rVcUyJHlLhn8xjTd+HkPZhNJ8lFl/GFxwLZuU6+W I/MPAcngNJfVm7CBCuJoPLnkmD/5AQjqZRf0KdJo4zQDOgI4XlxVgUeoutHBsUsAaz X+pu0PgAwmoBbNVtyDeZET4IbcCVB9UnH+7QANaPMpHMRoGSMBhiLT4ulImD8KgvQC U4KDwyu3Zz3mG1mo0hEH9zaS+ghIW4Bql0tqfLA5+Ap1J7eQ88vebBOfO0XAmiZlSR ukCQWNAXJh85STWTJ8yeFEBdOtNRkYmnC62+/upo6yObM2dBirRf5o/3JkjaU/NDBD +4QyWzI569HlsBEEQWbhJAtrmGbQWyy5hh1rSqnc7VWBg67fZaYiyNghFnzWrPHZgW x1xkOko/raFaiFaq3NrHOO5NTNHlkBInXyJ+/jK/6O2wRczrki+nbGaarGPba7zGkm nto/gcXswFggWoToRr8c+hr8=
Authentication-Results: mail.aegee.org/x62APqR8001098; dkim=none
Received: from Tylan (87-118-146-153.ip.btc-net.bg [87.118.146.153]) (authenticated bits=0) by mail.aegee.org (8.15.2/8.15.2) with ESMTPSA id x62APqR8001098 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Tue, 2 Jul 2019 10:25:52 GMT
Message-ID: <b35beaa901f18949b817466ec022771ea40ecb6a.camel@aegee.org>
From: =?UTF-8?Q?=D0=94=D0=B8=D0=BB=D1=8F=D0=BD_?= =?UTF-8?Q?=D0=9F=D0=B0=D0=BB=D0=B0=D1=83=D0=B7=D0=BE=D0=B2?= <dilyan.palauzov@aegee.org>
To: Tomki <tki=40tomki.com@dmarc.ietf.org>, dmarc@ietf.org
Cc: seth@sethblank.com
Date: Tue, 02 Jul 2019 10:25:51 +0000
In-Reply-To: <c8e932fc-5048-7779-4d8f-31198c205b2a@tomki.com>
References: <c8e932fc-5048-7779-4d8f-31198c205b2a@tomki.com>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.33.4
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.101.2 at mail.aegee.org
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/EvkYRG_mV6g_0tz7v5o3YfUVO7E>
Subject: Re: [dmarc-ietf] spec nit - subdomains reporting clarity
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2019 10:26:07 -0000

Hello Tomki,

The schema for reports is:

first element is <feedback/>, it includes <policy_published/> . <policy_published/> contains <domain/>.  

Do you propose to include in the <domain/> the base domain, that declared implicitly or explicitly the sp= tag, and then
cummulate all data for that domain and subdomains in the same xml.gz report, or do you propose to include several xml.gz
files for each domain in a single email?

Alternative approaches to reduce the amount of emails are:
- include one or more xml reports in a single email, e.g. based on derived policy via the sp= mechanism

- group reports for a single domain owner into one email with many xml files, provided that the recipient address of the
reports is the same.  Here sp= is irrelevant.  This is tricky, when the recitient addresses for two domains overlap, but
are not identical.

- group xml.gz reports for many domain owners (or many distinct second level domains) into a single email, provided that
the recipients of the different reports would be the same.

Regards
  Дилян



On Fri, 2019-06-21 at 18:04 -0700, Tomki wrote:
> The spec appears to be unclear on how subdomains are to be reported - ie 
> most but not all implementations have performed this as intended, in the 
> same XML as the top level domain (when the subdomain does not have its 
> own DMARC TXT record)
> 
> Cisco interpreted the current definition to mean that every subdomain 
> seen should get its own XML file. (not just the ones with their own 
> DMARC record)  This results in every individual IronPort system [which 
> has DMARC reporting enabled] generating hundreds to thousands of extra 
> reports every day.
> This can result in corporate reporters like Paypal or Rolls Royce 
> (IronPort users) sending as many reports in a given day as Google.
> 
> The section which should be referred to in implementing a reporting 
> engine is 7.2 https://tools.ietf.org/html/rfc7489#section-7.2
> The only relevant bullet that I find here is
> " The report SHOULD include the following data:"
> ....
>    "Data for each Domain Owner's subdomain separately from mail from
>        the sender's Organizational Domain, even if there is no explicit
>        subdomain policy"
> 
> In trying to find out why Cisco implemented their reporting in the way 
> that they did, I've actually had a hard time understanding how others 
> understood that bullet point well enough - I can only imagine that 
> everybody just implemented by following examples of existing 
> implementations.
> 
> A suggested rewording for that bullet point:
> " Data for each Domain Owner's subdomains as separate records in a 
> report titled for the Organizational Domain, unless there is an explicit 
> subdomain policy - in which case a standalone report is generated for 
> that subdomain"
> 
> --Tomki
> 
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc