Re: [dmarc-ietf] Concerns for not Sending a Failure Report?

Дилян Палаузов <> Sun, 04 August 2019 10:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E56F0120026 for <>; Sun, 4 Aug 2019 03:55:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (4096-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id G6_bH5S_UjzZ for <>; Sun, 4 Aug 2019 03:55:15 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3E283120025 for <>; Sun, 4 Aug 2019 03:55:14 -0700 (PDT)
Authentication-Results:; auth=pass (LOGIN) smtp.auth=didopalauzov
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=k4096; t=1564916111;; r=y; bh=NIx2koRgHyWFHMdDWaxTf6HCZNxuHK9bfvtOJHFYHfo=; h=Subject:From:To:Date:In-Reply-To:References; b=H+HUsqPBnyEPzKFdgYfYXHLz1DpFlJNJmgbdG0qWBuvgeJVLi3GhEfEI7Zk348I+1 FM6PRae8bQAqKEAO8gMZYdnSINcItdlG5UAvQRzDo5racn1UlcJGwf2/ojLaLxEcd2 LuxdMU5DfSQCCHtwY7elsnjsszDSBcf/cDbDAu7eflEHDc7l8JlRonUVO+GnTeLIMc 3Pn/xr5qOeDPn5sPLTQ7LGn4J3lnmO2YoMRQkPdeYpTmqjri2G0B53omCFQ2h8P2sn 5s3/3eEN5K6pWeiqzDo2gJlnEpqQEKRLmcNg0OwzMSGrECNXJnV+8k3CLBQMqajcO4 PEu+brEpKP4kiXeIy0ZUtDcC5XGtuWHnbRWbdKSRWpCvf+r4L83m5dgCFwSsjQ+DOv RJvOxjhhaNO4fzKL6kQAsYmsAiGABDGxUOP26u5hLRVKh8hogySJmYgRiBH4+0TW4h HsXZ8x5KTrpDUnBx3qpLNPPOy9dx4BCgWalSxm7NgCb1SoOzkRw9FVE6nWs68h99fe MBOkCrM0o4f5igHs8PnEb7WUVQ+M0Gw3QwOiJbygUo3saQZHQqC2X9HYS1BDvMU1BW dKSpVGIK9/c5i22c4KJp4IwT7tYrKeeVG+B+OpbOB7/7YHkIaIhIdRpJEzwQgQvuX5 cG/qwGPR8fkcp1vd1iqb2lK8=
Authentication-Results:; dkim=none
Received: from Tylan ( []) (authenticated bits=0) by (8.15.2/8.15.2) with ESMTPSA id x74At9TZ018837 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Sun, 4 Aug 2019 10:55:10 GMT
Message-ID: <>
From: =?UTF-8?Q?=D0=94=D0=B8=D0=BB=D1=8F=D0=BD_?= =?UTF-8?Q?=D0=9F=D0=B0=D0=BB=D0=B0=D1=83=D0=B7=D0=BE=D0=B2?= <>
To: Steve Atkins <>, dmarc <>
Date: Sun, 04 Aug 2019 10:55:09 +0000
In-Reply-To: <>
References: <> <> <> <> <>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.33.90
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.101.2 at
X-Virus-Status: Clean
Archived-At: <>
Subject: Re: [dmarc-ietf] Concerns for not Sending a Failure Report?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 04 Aug 2019 10:55:17 -0000

On Sun, 2019-08-04 at 10:10 +0000, Дилян Палаузов wrote:
> > The mailbox provider has no way of knowing that you sent the mail. If it was authenticated as coming from you this
> wouldn't be an issue.
> The receiving server knows, which IP address sent the mail and it knows, to which IP addresses set the failure report
> will go.  If there is a match in the IP addresses, then the receiving server knows that the one who will get the report
> is also the one, who has anyway access to the message.

Nope.  This does not work for redirected messages.

The assumption is that no host (sending spam) is going to forge headers in order to entitle another host to receive
failure reports.

A mail receiving host can obtain the IP addresses that receive emails for a domain (

If a message, failing DMARC validation, is either sent from an IP address that receives emails for a domain (MX,
or has such an address in its Received: headers, then the receiving site shall not have concerns that the one who would
receive the failure report would have anyway access to the message in question.

If the above validation of the IP address fails, but the DKIM-Signature contains "ruf=y", this means, that the receiving
site can assume, that the writer of the message is willing that a failure report is sent for the message and the
receiving site shall not have concern about sending reports.

As with the b= tag, when calculating or verifying the signature, the value of the "ruf=" tag (signature value) of that
DKIM-Signature header field MUST be treated as though it were an empty string.  Or NOT?