Re: [dmarc-ietf] Reports helping spammers? (#81)

Douglas Foster <> Fri, 22 January 2021 15:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9E9283A1304 for <>; Fri, 22 Jan 2021 07:19:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GipzpO7x2fyf for <>; Fri, 22 Jan 2021 07:19:16 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::e30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 90E783A1244 for <>; Fri, 22 Jan 2021 07:19:16 -0800 (PST)
Received: by with SMTP id w187so3177446vsw.5 for <>; Fri, 22 Jan 2021 07:19:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=rg+mwezUY0oegqCHyoe32kt7iXzqZ7/K7KvPwiNcjcw=; b=f0H17OeNvN3GhXih9fWtra7gDOFHDp1W2bwjW0r3Sd+VPLUiBkk9mzS+a69oFi+9qc XCs1a/FPDp5zwfFR0q7PwxtuhP4TAIL7e/vb90pjwWDMmyEIIhTp1URUkpbq7tNn7K+J 2kriJvbfkVgwePsDvgBGEFyG0ZO3Uy2I/QYiw5B2pdOCvwf8SWvrbOv2STsC/9UOpGE9 ZcG+0aAkH8eCJv5KbZBq0ufEBxsMPzMsIdnkU7p9b4do9z3cDmOT/9FQFWnWW/QtLJuo v5s5E8yuI0Cuvj2Bi818YBMZHD7jheLLuXkg3TWlv7BZTpjEkEQ88feFCRfhub1oAOxp XwBQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rg+mwezUY0oegqCHyoe32kt7iXzqZ7/K7KvPwiNcjcw=; b=lDLGbDpfch90jfwASVxdSBQF5daPwpRW4p39MMJ/U7MuLfBWYr0QumCFK2K/IlKIQa ZK91qzaIQAQNf1pP9hxaY9Yr1pqf9rzfJ8GKO30ZDUKMy7s0g5ocWYWMwYE3XWDLnQOg STQhNaot10CYzXAs0rAI9FJvn/wjYzHkTIV7YXGaDdC0gx+MoxAkQ47LkqrTA7yQicru aIPAyIcQ/05H5Mi6XMOvPwaAnQE5uOT31vOa1PWb7K2bQY0MWG83s19KynnY3eUs/wes uX2A9cF5n4NXM8ONv3KqWb0+NrIkoX5B1jUiJbDX+cuvOeCC+gWa/RF87BHQEe7uJKB3 bktg==
X-Gm-Message-State: AOAM530v57pmNnSQVihcchNHuSzLIL42ZWPwpX00mnLm0bsTVpyFm6XN /Ooyd3RsLB9Y7o+m7cDWMpsfoC8OAldE57fVmAfyTYQw
X-Google-Smtp-Source: ABdhPJwStiNqaorvUJ2mdoMDRurFIansbh6tVbE8spfI2j8ieV8noyKXiyA4P6IQqqM+NYZPx38+U2CzGnT2KygDAWU=
X-Received: by 2002:a67:507:: with SMTP id 7mr187180vsf.42.1611328755604; Fri, 22 Jan 2021 07:19:15 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
From: Douglas Foster <>
Date: Fri, 22 Jan 2021 10:19:02 -0500
Message-ID: <>
To: Todd Herr <>
Content-Type: multipart/alternative; boundary="00000000000018219a05b97eb654"
Archived-At: <>
Subject: Re: [dmarc-ietf] Reports helping spammers? (#81)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Jan 2021 15:19:19 -0000

Your second point seems to address my question, asserting that the value of
information sharing exceeds the risk.   This is debatable, so I think it
should be documented in security considerations and reacting options should
be articulated.

The first point still escapes me.  If we are providing information about
all messages received, and are providing disposition information about all
those messages, then it includes information about messages that were
acceptably authorized.  Sender policy is irrelevant.  All that matters is
which messages are reported with disposition results.

On Fri, Jan 22, 2021, 9:16 AM Todd Herr <todd.herr=> wrote:

> On Fri, Jan 22, 2021 at 9:02 AM Douglas Foster <
>> wrote:
>> Not sure what is unclear about my concern.
>> The spec provides for reporting whether the actual disposition was
>> different from the sender policy request, and the reason that this was done.
> "DMARC=(Pass), Disposition = (20 delivered, 100 rejected)  -- possibly
> means that my system needs 20 messages to learn how to identify bad content"
> As I said, the above is not an example of the 'actual disposition being
> different from the sender policy request', because the sender policy
> request does not cover the scenario where DMARC passed. It only applies to
> those cases where DMARC fails. There is no facility for a domain owner to
> use DMARC to request message treatment when the DMARC validation result is
> 'pass', nor should a domain owner assume that a message that passes DMARC
> checks will be accepted solely based on that information.
>> Ale suggests that "disposition" must be narrowly defined to mean only the
>> disposition based on DMARC staus.  This still means that local policy is
>> revealed under some circumstances.
>> I do not see why local policy should be revealed at all.
> Consider the opposite case, one where a hypothetical financial institution
> publishes a policy of p=reject and receives aggregate reports showing mail
> that it did not originate failing DMARC but not being rejected. That is
> information that might prompt a conversation between the financial
> institution and the DMARC validator, in an effort to ensure that its mutual
> customers aren't exposed to possible abuse vectors.
> Yes, that would still be communicated in your scenario of highly trusted
> correspondent domains, but I don't believe that the work necessary to
> curate such a list provides enough ROI for the report generator to override
> whatever minimal risk there might be in revealing its DMARC handling
> policies to miscreants. DMARC aggregate reports are not the only source of
> such information for the miscreant; the bad guys already have accounts at
> their target mailbox providers, and they're sending mail to those accounts
> and learning what happens from those accounts and from their own bounce
> logs.
> --
> *Todd Herr* | Sr. Technical Program Manager
> *e:*
> *p:* 703.220.4153
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
> _______________________________________________
> dmarc mailing list