Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help

Michael Thomas <> Mon, 25 January 2021 02:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8CDF63A0D2F for <>; Sun, 24 Jan 2021 18:53:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.149
X-Spam-Status: No, score=0.149 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id r4veegyPuB-f for <>; Sun, 24 Jan 2021 18:53:27 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::633]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 818773A0D2E for <>; Sun, 24 Jan 2021 18:53:27 -0800 (PST)
Received: by with SMTP id s15so6687367plr.9 for <>; Sun, 24 Jan 2021 18:53:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=fluffulence; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding:content-language; bh=k8RbCrfCL6mEF3SoYLSu2bC0lqvYu4UelBtzUYGZAkY=; b=XzNVs2eqxk3wtM9Ifk+aP3etZCk7S1pfDQq7HBZC6Kvjh0Ifav/iFIC6tpwsRm0e+z G371/hW/PuhEr5FeVahi/KFsjqptDY4g747gUOLQ1hcPuwPSnPYPGGV4utVUDTAZpLta wXNd5/hiijDcJyUD7ijwGfEKg2t0QLEU+VgVYcwB4curdU00X2Rv/Pg1bI4+Evryv2bi tLU0OGl50sVRq6KJxqzsefu1mUMR6A0aS51PN4IGza37ux7Uq0fLopfRJk2umY1PI0JD /ARvg64qSbT8rxjeuNh4/QuFC35wX5aKJuKIlhiwNi1/1dgBtaJ5uvqlgr0zKJdNQISL CBXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=k8RbCrfCL6mEF3SoYLSu2bC0lqvYu4UelBtzUYGZAkY=; b=kFfaHjg27kyrDeHXbr5YwxB2krZyilJ3JonV+fDtBAXq2Z/RJAM4/HCoeqw8vw243Q fcRZ4ZXbv6A00xc+pXQAHsOSoniLRLi8ebhtlgY8iaW7JVHKVS13S65xpWt8+XEIsOd9 sJklpyiuVJvCpd41URQy3sRkUF6eJIlmSiGVqlbZCTPciV3GVQboWtiWacV3zN2M1ccT ALBcu7C9stDAaW2VBpfV+8FYMVKYjJ8ZA690BFMzxuB74acGGfRHM0MN+nKvRn7BbjV0 /42VFlJCsmMJe9QMVSOKquowNHP7ZHTRJRwWwbkjN4gfD9IncbT1wlM6dFXIovbFMy+E tA7A==
X-Gm-Message-State: AOAM533vIyfyKf3qgriOnfO9uxJEn/3D38gkAdghGld25aJOcUa7DGeq gP3XSqF8DNDBnAMerqnECYtO5hatxZvj/Q==
X-Google-Smtp-Source: ABdhPJxY5Zejd8P8CYoHn4HI/XPvxlMKx6QH1RFZUo3iw4QEAU/hl6uG3N3j7wXxQ8ra/Cr5e3WlYg==
X-Received: by 2002:a17:90a:1109:: with SMTP id d9mr5294729pja.94.1611543206642; Sun, 24 Jan 2021 18:53:26 -0800 (PST)
Received: from mike-mac.lan ( []) by with ESMTPSA id gt21sm15990328pjb.56.2021. for <> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 24 Jan 2021 18:53:26 -0800 (PST)
References: <>
From: Michael Thomas <>
Message-ID: <>
Date: Sun, 24 Jan 2021 18:53:24 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 25 Jan 2021 02:53:29 -0000

On 1/24/21 6:29 PM, John R. Levine wrote:
> I realized why the arguments about whether to require authentication 
> on reports are pointless.
A blatant assertion. The onus of proof is with people who say we should 
accept information from unknown sources. Extraordinary claims require 
extraordinary evidence. I have been doing security related stuff for 
long enough to know that being humble in the face of adversaries is the 
most prudent course. State actors can get involved when they figure they 
can game things to their advantage. To be dismissive is complete hubris.