Re: [dmarc-ietf] Reports helping spammers? (#81)

Alessandro Vesely <> Fri, 22 January 2021 13:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7161D3A1201 for <>; Fri, 22 Jan 2021 05:15:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.382
X-Spam-Status: No, score=-2.382 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.262, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1152-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id U7AnR4q-RWFT for <>; Fri, 22 Jan 2021 05:15:53 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 83DB13A11F9 for <>; Fri, 22 Jan 2021 05:15:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=delta; t=1611321349; bh=HhnzYIKR+eEIwOW+D0r1jnParHXv2zIeZOceKxuMgfM=; l=1831; h=To:References:From:Date:In-Reply-To; b=BMKTXJubIoU5rLa7ao2THuaWuPZmumOLCVXb3+JZwUmchxTHMlmD8p2V5wsmAozTQ PLq6Ec5OVpJr36h6PrYS2O0VcFRbyaam5F0pyhmVbbb6hQ7cEixVo7dlWBQ6IgnUZb UjNl7+Fi1NNQhkfu/dzVLNwvlfMBC/KMzcuWA+Bg4Ur0SewTYbjH0DgkUsboU
Authentication-Results:; auth=pass (details omitted)
Original-From: Alessandro Vesely <>
Received: from [] (pcale.tana []) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by with ESMTPSA id 00000000005DC0CE.00000000600AD005.00006709; Fri, 22 Jan 2021 14:15:49 +0100
To: Douglas Foster <>, "Brotman, Alex" <>, "" <>
References: <> <>
From: Alessandro Vesely <>
Message-ID: <>
Date: Fri, 22 Jan 2021 14:15:48 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [dmarc-ietf] Reports helping spammers? (#81)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Jan 2021 13:15:56 -0000

On Fri 22/Jan/2021 13:00:30 +0100 Douglas Foster wrote:
> Possible misuse of disposition information:
> - DMARC=(Fail), Disposition = (120 delivered) -- probably means that my system 
> does not enforce DMARC at all
> - DMARC=(Pass), Disposition = (20 delivered, 100 rejected)  -- possibly means 
> that my system needs 20 messages to learn how to identify bad content
> I suggest that disposition information should be redacted by default, and only 
> included on an exception basis for highly trusted source domains.

There is a paragraraph in RFC 7489 that I cannot find in the draft:

    Aggregate reports are limited in scope to DMARC policy and
    disposition results, to information pertaining to the underlying
    authentication mechanisms, and to the identifiers involved in DMARC

Can that be clarified better?  Se spec sometimes uses the term "final 
disposition" to mean what Doug calls "disposition information" in the text 
quoted above.

To wit, a DMARC filter acting between DATA and end-of-data doesn't actually 
know about final disposition.  It can reject, but cannot deliver to Inbox.

In fact, the <disposition> field refers to what the filter is configured to do, 
except that quarantine can only be signaled to downstream processes.  It 
reports "quarantine" if it did that signaling.  It reports "reject" if it 
rejects.  Otherwise reports "none".  (Did we conclude we want "pass"?)

Identifying bad content, possibly based on DMARC having identified a bad actor, 
or after actual content inspection, happens downstream.  A DMARC filter doesn't 
know and doesn't want to know the final outcome, and doesn't report it.

It is important to be very clear on this point, to avoid that receivers fail to 
enable aggregate reporting for fear of helping spammers.