Re: [dmarc-ietf] DMARC forensic reports (ruf=) and privacy

Alessandro Vesely <> Mon, 28 January 2019 09:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AF7EF130FBB for <>; Mon, 28 Jan 2019 01:15:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1152-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DbwJOebM8KGr for <>; Mon, 28 Jan 2019 01:15:17 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EDB6D1294FA for <>; Mon, 28 Jan 2019 01:15:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; t=1548666914; bh=xLWK6fQwDtNsFsZ6qLFO49owdU+OyNrULT3qEzlQjZQ=; l=972; h=To:References:From:Date:In-Reply-To; b=CwTtdIL+CGsRYnrOoBMgrAaVeqfUd5uO3P/aUXMYb1MsTJxJMb2NkJyjp/XYwoOKp Q+k/eqeGt4bbaLeH6xvnC8eMqVXZNNle+Q8zPir412lwrzbi0eohA5nZJMPszcpOqf 1mvcGneZ6Viq9v1PlHG97IMQs9AwkEE5n7PofLu1ClTlwomw7F4ZlDVeQLpbH
Authentication-Results:; auth=pass (details omitted)
Received: from [] (pcale.tana []) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by with ESMTPA; Mon, 28 Jan 2019 10:15:13 +0100 id 00000000005DC013.000000005C4EC821.00005660
References: <20190126163123.AAA4B200D39816@ary.qy> <>
From: Alessandro Vesely <>
Openpgp: id=0A5B4BB141A53F7F55FC8CBCB6ACF44490D17C00
Message-ID: <>
Date: Mon, 28 Jan 2019 10:15:13 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [dmarc-ietf] DMARC forensic reports (ruf=) and privacy
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 28 Jan 2019 09:15:19 -0000

On Sat 26/Jan/2019 18:21:28 +0100 Дилян Палаузов wrote:

> Imagine there is a failure report stating that after a direct communication
> between your server and another server, the receiving server sends you an
> aggregate report, stating that 1% of the messages you sent yesterday do not
> validate DKIM. How do you suggest to proceed to reduce this to 0%?

No way.  There are lots of little traps, for one example plain text messages
where a line start with "From ", like so:

>From here on, this message likely fails DKIM.

As small as this cases appear, if you program your MTA to fix them before DKIM
signing, you are going to break any OpenPGP/SMIME signatures that users had
affixed before.

You can educate users to use format=flowed, good luck.

You can push for global maildir usage, even harder.

The bottom line is that, in practice, understanding where that 1% failures come
from won't help eliminate them.