Re: [dmarc-ietf] Recipient domain in aggregate reports (#23)

Douglas Foster <> Tue, 04 May 2021 01:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E37393A1C1C for <>; Mon, 3 May 2021 18:02:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4bJ_ytdOcSXc for <>; Mon, 3 May 2021 18:02:41 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C9C213A1C1B for <>; Mon, 3 May 2021 18:02:41 -0700 (PDT)
Received: by with SMTP id g7-20020a9d5f870000b02902a5831ad705so6810343oti.10 for <>; Mon, 03 May 2021 18:02:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DgG1LgaBSNUo6J5+2+Q9q9GiDw4qALWdBoJiuEr69ms=; b=cLko4wYK/pIOaAy+OVM3DX4aC64upJ46+kYwgRFsn7AEkt8ZUjw+w0TwzxX5B5g2pf j4u8CKagop5W11w1Dar3ZdcladPLx683d8Q0mCkW1k+otLzVma1KXLCp8AT34+elQSsj iel6sSF1ggQrcW+C6D++5oW+WlK+We2w/vnrCiBVakdwk61/ACWfb5ZJmK7AXHv64ndX lF/q0uTCraSsSlskN9x0q+TDiwRMI2pOLcoMAMZblSm0So8iUI7Mgnm73fVwDHhbORKN WgbZ8y4YBM3qnrvIDL2qpoY8HJ0AWlJll/KsyWBU1wrkJvlAj49bQAV+oFAo5knHNFV1 kKQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DgG1LgaBSNUo6J5+2+Q9q9GiDw4qALWdBoJiuEr69ms=; b=Nj5I8klJ13Jvyj3tEsLsaw7F5ZvAptMceJvu2TDzoe/gZ95hkrVnTn75UdoHWXQaKw jgMK+HuFEN3mwg3OGkcXN/Eq0P87DwP4dDu3M4vyaPV5DjXSw+48JdwGeFiuu4F1knjM TNgljs9BkCV0MV1HvsP0jPZsP55dS6UdT0iQV5mQjpBLiarLTn111T5nKQov+ZtIGXTz mY730GPiyhDA2Z6kQ+heu7cHXXwuLMTKx4/znuiu6zJWrCzDzEiENxo86Q8ISgbtO6WY 72AXjOLQ10mqndxLkn7Bf2mBd4bco+UE5H7mvgNpswM8SIxNRwfzojDpog6U0Hdw1+qt RAzg==
X-Gm-Message-State: AOAM531gn8dY+GOJ74+i1s3dqil37cahUEDXumsi4dwOB7YRxdQ4arzj DEuU1dBsnGh2t4Z8LCnYngKPBERt7ESyz2N5dV0=
X-Google-Smtp-Source: ABdhPJz2D2EDYik1pMg4jJRahNZ9vs3cy3NRiSJ4tOHu4yMDzUZSh6vRsLvxY1r/u4bpufn3QmXMCd98z2AbJwkqENs=
X-Received: by 2002:a05:6830:16ca:: with SMTP id l10mr16147185otr.240.1620090160607; Mon, 03 May 2021 18:02:40 -0700 (PDT)
MIME-Version: 1.0
References: <20210502203007.2AE156284F0@ary.qy> <> <> <> <> <> <>
In-Reply-To: <>
From: Douglas Foster <>
Date: Mon, 3 May 2021 21:02:30 -0400
Message-ID: <>
To: "Murray S. Kucherawy" <>
Content-Type: multipart/alternative; boundary="00000000000086f4c705c176a2e1"
Archived-At: <>
Subject: Re: [dmarc-ietf] Recipient domain in aggregate reports (#23)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 04 May 2021 01:02:45 -0000

I am open to improvements.  Laura's original point was that an RUA  should
not facilitate stalking.  My inference from that is that it should not
allow reporting on messages to an individual recipient.

One of those attacks would be to use a unique domain to send a single email
to a single recipient.   If I get an RUA report, I have found something
about the individual.   So we need a minimum number of unique recipients
before reporting begins.

As you observe, someone could send a message to the single recipient and a
bunch of messages to made-up targets that are probably invalid.   So
invalid recipients should not count toward the minimum number of unique
recipients.  (Do we want invalid recipients included ever?)

Using many DKIM selectors is the next way to force disaggregation.   If I
use a different DKIM selector for each target domain, I obtain a report
that is substantially disaggregated, in defiance of the omitted To domain.
 If I use a different DKIM selector for each individual, I obtain a report
that tells me something about the disposition and destination of each
individual message (or at least each message which is included in an RUA

Given the voracious appetite for delivery information, it seems that mass
mailers have an incentive generate DKIM keys for each target email address,
and that when done on a large scale, this will create problems for DNS
performance and email processing performance.   Report generators do not
want that level of complexity in their report generation process, and
privacy advocates do not want to facilitate this level of tracking.

Is there a case to be made that disaggregation is a non-issue?

On Mon, May 3, 2021, 8:14 PM Murray S. Kucherawy <>

> On Mon, May 3, 2021 at 5:26 AM Douglas Foster <
>> wrote:
>> I meant to say that we need N unique (and valid) smtp TO addresses, so
>> that an attacker cannot send a single email address and wait for an rua
>> report to know where it lands.
>> Valid addresses are needed to hinder usage of bogus addresses to defeat
>> the test.
> Is that enough?  If I control a domain, I can make up any number of
> apparently-valid envelope addresses I want.
> Using DKIM selectors for tracking will also put a huge load on DNS if
>> implemented at scale [...]
> How so?
> -MSK