Re: [dmarc-ietf] Aggregate Reporting

I understood Neil's concern, and have no objection, which is why I
counterproposed "must not".

On Wed, Oct 19, 2022, 8:42 PM Neil Anuskiewicz <neil@marmot-tech.com> wrote:

>
>
> > On Oct 19, 2022, at 6:59 AM, Scott Kitterman <sklist@kitterman.com>
> wrote:
> >
> > 
> >
> >> On October 19, 2022 12:44:16 PM UTC, Dotzero <dotzero@gmail.com> wrote:
> >> On Tue, Oct 18, 2022 at 11:18 PM Scott Kitterman <sklist@kitterman.com>
> >> wrote:
> >>
> >>>
> >>>
> >>> On October 18, 2022 10:16:44 PM UTC, Neil Anuskiewicz <
> >>> neil@marmot-tech.com> wrote:
> >>>>
> >>>>
> >>>>> On Oct 2, 2022, at 11:01 AM, Douglas Foster <
> >>> dougfoster.emailstandards@gmail.com> wrote:
> >>>>>
> >>>>> 
> >>>>> In many cases, an evaluator can determine a DMARC PASS result without
> >>> evaluating every available identifier.
> >>>>> If a message has SPF PASS with acceptable alignment, the evaluator
> has
> >>> no need to evaluate any DKIM signatures to know that the message
> produces
> >>> DMARC PASS.
> >>>> I think it’s critical to DMARC that receivers do things like evaluate
> and
> >>> report on DKIM whether or not SPF passes and is alignment. Without
> this, it
> >>> would make it harder for senders to notice and remediate gaps in their
> >>> authentication. Since there’s not a downside (that I know of), I’d say
> this
> >>> should be a MUST if at all possible.
> >>>
> >>>
> >>> What is the interoperability problem that happens if evaluators don't
> do
> >>> that?
> >>>
> >>> Scott K
> >>>
> >>
> >> Scott, What is the interoperability problem is evaluators didn't provide
> >> reports at all? Reporting isn't a "must" for interoperability but it
> >> certainly helps improve outcomes instead of senders flying blind.
> >
> > I read the email as suggesting a MUST for reporting both SPF and DKIM
> results if you report results at all, which would, I think lead to exactly
> the situation you're concerned about.  I'm skeptical of any kind of MUST
> around reporting since that's generally reserved for things that impact
> interoperability.  I do agree it should be encouraged.
> >
> > Mostly, at the moment, I'm trying to understand the proposed change and
> the rationale.
>
> I think the reactions were to the tone that that seemed to suggest that
> the importance of reporting was being downplayed. MUST is too strong and
> strongly encouraged is sufficient. The standards system relies on people
> making a good faith effort. To me, Doug’s comments came off as wanting to
> weaken the language which concerned me.
>
> Reporting is key for DMARC to work as a system so any hint of weakening
> that language or even could be interpreted as such caught my attention. I
> think Doug clarified his position as addressing specific cases not a
> weakening of the reporting language.
>
> DMARC is about the interests of the system but following the standard
> strengthens the system within which the sender or receiver operates. Even
> if one wasn’t interested in the health of system in and of itself,
> reporting benefits the admin as it increases security and reduces broken
> authentication. A *LOT* of Senders use reporting data as part of the
> process of fixing their own and third party senders they wish to allow or
> spoof, discovering errant shadow IT, etc.
>
> Reporting is or core importance for everyone if for no other reason than
> to avoid headaches. Thanks.
>
> Neil
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result