IETF Logo Mail Archive

Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result

Laura Atkins <laura@wordtothewise.com> Tue, 04 October 2022 09:23 UTC

Return-Path: <laura@wordtothewise.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E63B1C14CF1B for <dmarc@ietfa.amsl.com>; Tue, 4 Oct 2022 02:23:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wordtothewise.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VmfUFs3ObL58 for <dmarc@ietfa.amsl.com>; Tue, 4 Oct 2022 02:22:57 -0700 (PDT)
Received: from mail.wordtothewise.com (mail.wordtothewise.com [104.225.223.158]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0AFAC14F744 for <dmarc@ietf.org>; Tue, 4 Oct 2022 02:22:57 -0700 (PDT)
Received: from smtpclient.apple (unknown [37.228.236.130]) by mail.wordtothewise.com (Postfix) with ESMTPSA id 4FCDB9F21A for <dmarc@ietf.org>; Tue, 4 Oct 2022 02:22:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wordtothewise.com; s=aardvark; t=1664875375; bh=NYGg6CZ5Z41IS6BPTeJeTFFwuJlqggpndRHQLgruymo=; h=From:Subject:Date:References:To:In-Reply-To:From; b=VqS87YNPBHLX7Krah57RftgPk95mnm+zFW56w0yEh/ek7WiHsTvJacOt2UBdOTuIg 4IW3nRf8YPWxihmfE++aqWVygE3YmBThW8tWib1e/dOX+34oYdvJGIwiL6FoE1HUAy cuekfryR8n78pS2/1rQfE8N0qn4G1Vqjg7NawjwM=
From: Laura Atkins <laura@wordtothewise.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_FF3718C7-CC69-494F-8C7B-DCFC85D3AEFF"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
Date: Tue, 04 Oct 2022 10:22:52 +0100
References: <165046214335.10055.16398898629460366752@ietfa.amsl.com> <CAH48ZfxZOq68=P-Qxjvjk1c8PxWAWDvaBPPQcb4DWmd6cL=u4Q@mail.gmail.com> <CAJ4XoYen6n06L1UBqzu9nr2jCC7v_-GOAdJXMzCks6d-AaKqUA@mail.gmail.com> <CAH48ZfzVt=+yoj280VxL_SV+YM4C7eqMWhL=41YpVybaPmLcLg@mail.gmail.com> <CAHej_8mgKjpo6DDbOS9bBdTarThKOa9F55QBtrM6G-oq1YfX+w@mail.gmail.com> <CAL0qLwYjYY4OvShqACWPz0vdJcAubdU1csFFVSkqzsReZSZxuw@mail.gmail.com> <MN2PR11MB43514940B87730CC9D476AACF75B9@MN2PR11MB4351.namprd11.prod.outlook.com> <CAL0qLwb=1CZN6s2QzWJGFeO3=iPWZ-eS=7hvi4B6jhuh+hLJ0w@mail.gmail.com> <8ab0943b-9805-1a0e-528d-9cf45f2eaf9c@tana.it> <CAH48ZfzM2J0_RizqESbFSm3ASfc2x6nsdxUXWEWO+4g2vXsz+g@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
In-Reply-To: <CAH48ZfzM2J0_RizqESbFSm3ASfc2x6nsdxUXWEWO+4g2vXsz+g@mail.gmail.com>
Message-Id: <38BC22D3-3A29-47E0-9E51-DD862FDD4947@wordtothewise.com>
X-Mailer: Apple Mail (2.3696.100.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/NLIblg-ZobLhciVJxE1ZhrebSyE>
Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Oct 2022 09:23:02 -0000


> On 3 Oct 2022, at 23:31, Douglas Foster <dougfoster.emailstandards@gmail.com> wrote:
> 
> The primary key for aggregation is the SMTP domain (up to 255 characters), plus each DKIM domain (up to 255 characters) and its DKIM scope (up to 64 characters).    For 100 DKIM domains to be included, the primary key becomes up to 201 fields with up to 25,919 characters.  This is unmanageable with readily available tools like a SQL database.
> 
> I suggest that we start simplifying the scope, by limiting the items of interest to:
> (a) SPF whether pass or fail, 
> (b) aligned DKIM domains, whether pass or fail, and 
> (c) non-aligned DKIM domains that pass.   
> 
> I don't see any value in knowing about failed DKIM signatures for non-aligned domains.   Perhaps someone with a sophisticated report parsing capability will be kind enough to correct me and explain.

Knowing what domain is signing is important if you think things should be signed but they’re not aligning. Knowing what they’re being signed with helps treat the problem. 

A very simple case is: if you have 2 domains you’re using at Google Workspace sometimes Google will pick the wrong one to sign. So your mail fails DKIM alignment. Without knowing the domain, it’s impossible to troubleshoot what’s going on here. 

> Then I suggest that the DKIM upper limit by 10, not 100.   At some point, an excess of domains becomes a DDoS attack on the evaluator, and to a much lesser extent, the report recipient.

This is the type of suggestion that has broken SPF. I do not support it. 

laura 

> 
> Doug Foster
>  
> 
> On Mon, Oct 3, 2022 at 2:17 PM Alessandro Vesely <vesely@tana.it <mailto:vesely@tana.it>> wrote:
> On Mon 03/Oct/2022 18:01:06 +0200 Murray S. Kucherawy wrote:
> > On Mon, Oct 3, 2022 at 10:26 AM Brotman, Alex <Alex_Brotman@comcast.com <mailto:Alex_Brotman@comcast.com>> wrote:
> > 
> >> So we would likely need a section in the core document with a SHOULD for
> >> evaluation (if it’s not already there), and then a section in the aggregate
> >> reporting for a MUST for reporting on evaluated information (if they choose
> >> to send reports at all), correct?
> > 
> > [...]
> > 
> > From the actual protocol standpoint, the filtering part of DMARC operates
> > just fine if you make the shortcut Doug is proposing, so the first SHOULD
> > is probably apt but the MUST is moot because it doesn't change
> > interoperability.
> 
> 
> Let me add that reporting /all/ identifiers can be unfeasible.  (I, for 
> example, collect identifiers to be reported using SQL left join of various 
> copies of the table, which delivers results as just that many columns, although 
> more might have been evaluated at reception time.)
> 
> Reporting just the "most important" identifiers could be an option.
> 
> 
> Best
> Ale
> -- 
> 
> 
> 
> 
> 
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org <mailto:dmarc@ietf.org>
> https://www.ietf.org/mailman/listinfo/dmarc <https://www.ietf.org/mailman/listinfo/dmarc>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc

-- 
The Delivery Experts

Laura Atkins
Word to the Wise
laura@wordtothewise.com		

Email Delivery Blog: http://wordtothewise.com/blog

v2.23.0 | Report a Bug | By Email