Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help

Todd Herr <> Mon, 25 January 2021 16:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A1FE73A14F7 for <>; Mon, 25 Jan 2021 08:44:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id te9gvlFAYeaW for <>; Mon, 25 Jan 2021 08:44:21 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 85EC93A14F6 for <>; Mon, 25 Jan 2021 08:44:21 -0800 (PST)
Received: by with SMTP id l23so7633057qtq.13 for <>; Mon, 25 Jan 2021 08:44:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=+bgW2O+z7O5D8NPxqS/w2MWH+fpc0n5+McvXjTLPrC8=; b=B5DI/H3J46f2AQNYx0oivOOOodt5D4mwyAuScXZX+8m9RG1CZLZ5aBd2qyRBhCgE/x SHig2WCXtrU1TBPGV1gFAh/7SxnR/6wqCt+jcHoqg7AM87i9sE6CHO0120N4+pIOF4iN /SLWgTxT6gk+6/6trZtVODoAhi2rrSSFSFObp/CPY/arwXXB93d692hPN3rklgoPlnbj 6r6yt8SqT7dOL6xFgYcWaRR/D72/3spiXtVCRsILSnzU122fQDmwNPF7YHTOLVhJ2Bg8 f07vMVaeGtNQYL03lMai/gQnLSAy13874mCFD+xvRMvwORTTdgZCCatyOwl+z0xhRMXh MGPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=+bgW2O+z7O5D8NPxqS/w2MWH+fpc0n5+McvXjTLPrC8=; b=Cdl9mnTLOJmEvzCAp3S0hKxIOgWJC/Oj6No34KkUdMiSwLKA8WodHW9oYwp0RvpePH kZ5dwDdOfCDdzDKbp3p6qJCU/gUiXdnvSPvN68M8Isq6Y9SBZvcgcHdr03jcNOXEIYz3 zz6ZphiqDp0hZg8pYoN4T8q4r5U/ae8/KMa4xbNs/lE9uXccA2MGhpXYwJ11xmsx48Pm djkTBP3fSwG95J6wjR1i0Ov46e1Geb8lT81KnCTwAx2w7qltakrt4nJKuO7TpxzPJJ5E oUmh4Gh/17V7ZjPamm9rBLuc00P0bdmAka121m+7AWqmr+0bBV8Jj4DAp/smRrtRSsTh 0/FQ==
X-Gm-Message-State: AOAM530+vswAvCubVrtPVjL0Nfzb9fqgXTCspzI604+27fdhYU3PHmaP N5HC0+kJOXHyCTGKoNiDal0Z6Lf3NREyF9aQc/UmSwLoms0=
X-Google-Smtp-Source: ABdhPJxE4QV6vGF8kfVbnhgsbKrY+Ys7XiSoBV6BirTmZClH9BHL/YmsWp+YuoW+ECZYs+Y/C8ukYKRJJK7/hDGnVtw=
X-Received: by 2002:ac8:3a66:: with SMTP id w93mr1281152qte.220.1611593060076; Mon, 25 Jan 2021 08:44:20 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <>
In-Reply-To: <>
From: Todd Herr <>
Date: Mon, 25 Jan 2021 11:44:04 -0500
Message-ID: <>
Content-Type: multipart/alternative; boundary="000000000000de621105b9bc3f0d"
Archived-At: <>
Subject: Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 25 Jan 2021 16:44:24 -0000

On Mon, Jan 25, 2021 at 10:18 AM Michael Thomas <> wrote:

> On 1/25/21 5:25 AM, Todd Herr wrote:
> On Sun, Jan 24, 2021 at 9:53 PM Michael Thomas <> wrote:
>> On 1/24/21 6:29 PM, John R. Levine wrote:
>> > I realized why the arguments about whether to require authentication
>> > on reports are pointless.
>> >
>> A blatant assertion. The onus of proof is with people who say we should
>> accept information from unknown sources. Extraordinary claims require
>> extraordinary evidence. I have been doing security related stuff for
>> long enough to know that being humble in the face of adversaries is the
>> most prudent course. State actors can get involved when they figure they
>> can game things to their advantage. To be dismissive is complete hubris.
> I've spent several days thinking about these tickets, and for the life of
> me I can't see what the payoff might be for someone to forge a DMARC report.
> I suppose nominally there's a denial of service risk, where a bad actor
> could flood a rua or ruf mailbox with forged reports or just email in
> general, but that's going to exist whether or not the "reports" are
> DKIM-signed.
> The main thing I've learned over the years of dealing with security is to
> not underestimate what a motivated attacker can do. Your imagination is not
> the same as their imagination. Closing #98 in particular is absolutely
> ridiculous: the report should already have a DKIM signature or SPF so it's
> just a matter of making sure its valid. Why would you *not* want to insure
> that? The amount of justification for *not* having the receiver
> authenticate it is a mountain. The amount of effort to authenticate it is
> trivial for mail. Levine's dismissal of security concerns because he has
> anecdotal "evidence" from a backwater domain carries no weight at all.

That's all well and good, but you haven't answered the question I asked.

What threats do you have in mind? Put another way, how do you envision an
attacker exploiting the lack of authentication in a DMARC report to his or
her gain?

I recognize that my imagination, or yours, may not match what a motivated
attacker can do. I have presented some possible scenarios that might result
from a forged DMARC report, and in them I don't see a gain for the
attacker, unless his or her goal is to be an annoyance to the target.

Can you please describe a scenario where an attacker might use a forged
DMARC report to gain something of value from the target of his/her forgery?


*Todd Herr* | Sr. Technical Program Manager
*p:* 703.220.4153

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.