Re: [dmarc-ietf] Report bombing is a prolem, Forensic report loops are not

Douglas Foster <> Sat, 30 January 2021 12:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 672853A083E for <>; Sat, 30 Jan 2021 04:52:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VCjxmp1var0J for <>; Sat, 30 Jan 2021 04:52:07 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::935]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A02F73A0839 for <>; Sat, 30 Jan 2021 04:52:07 -0800 (PST)
Received: by with SMTP id g5so4163122uak.10 for <>; Sat, 30 Jan 2021 04:52:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=K7CbGIS+B6Kd3OMrTaOlsMFrEqNkmGV+QtQeULZd2xs=; b=Lyf9QaUBg3BYWxDMUR34feXsyT3v+/Ur7vq4GR5MZvIFHr6aIu1H494VEGkgkbnuDM byUXRF84U1Ams9f2FEySgRYTDzN/NvirnepssTjpeEh6QOjK1eVSJ24GXBBWlcDR70pO Qk8WSvUTmN5q2JWM5fmF5SGUU7wQTOdKafrIZkyc/zAVa2PlLeTdePq47kNzxJABw8fU f+5ygbhUf8p59eczw1CF7FGEAvAgbj6YDz3FeuHB0mAMCnyYOwSewHgAdcmOyRPxKE8L WwK1f0tuEjmLrpjHqVaxBdJ8iRvHI9QvOjdGSflPF4w/5umHa8Ry7EIMOnOeBOG/6ryQ zxTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=K7CbGIS+B6Kd3OMrTaOlsMFrEqNkmGV+QtQeULZd2xs=; b=NnCfIBIucXMZNxE8RG90/0ZWIo7+2hSnDaJSgTM3Zk6ZtjYNi1A5juxzc2fIDExiiv cT6juTSkAIdqPrGahXF3sBKDsElSx1nG/so8akJSlH+2bFqxkPJHex1JWutVeppqScEz aUCSr8Q4X8wz6Run5C4C3SCgjkgbAaBbpXyTVUO2ptRSTHko2w2LE92xWGZ1YQ/oEyzB mvzNnNKg08Sp3ozjyOqby6EbDxXJB4mcfm0oFCUW1rG4+S6H3UH2ioYFNLHcuFXl41rQ TTq0rKSxwtp6gztDCWeJlasCIE0VoFefZHQVgVASyA7ulwQJPsMRxygaTFtklcP6b4aA Bzyg==
X-Gm-Message-State: AOAM5309eIIQcs3DTguNSyqhoqDJfGr0renU9e+JorKkQBU9ThW8DaEf GbfoWix1KaNufEC2h0ndKBxlWCRx0GV/G+fcfar93UdJY40=
X-Google-Smtp-Source: ABdhPJz+/GmHoQ5U43VSl6EVQna+S24Rd4S5VhAJVU3nuJhq0rr5WpXZo7QKR3dyIwkvQtqJx5X/owTeFb0rSj8loOk=
X-Received: by 2002:ab0:5e6:: with SMTP id e93mr5092380uae.109.1612011126412; Sat, 30 Jan 2021 04:52:06 -0800 (PST)
MIME-Version: 1.0
References: <> <20210129210006.063C66CF2279@ary.qy>
In-Reply-To: <20210129210006.063C66CF2279@ary.qy>
From: Douglas Foster <>
Date: Sat, 30 Jan 2021 07:51:56 -0500
Message-ID: <>
Content-Type: multipart/alternative; boundary="000000000000905b0105ba1d9686"
Archived-At: <>
Subject: Re: [dmarc-ietf] Report bombing is a prolem, Forensic report loops are not
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 30 Jan 2021 12:52:09 -0000

Interesting point.

In your experience, how often does reporting produce any change in sender

I have made attempts both to help senders correct their own SPF or DMARC
policy, or to get them to stop violating my DMARC policy.   As best I can
recall, my success rate has been zero.

For a responsive organization, finding a problem and getting the change
approved is likely to be a time-consuming a quick process.   A week
turnaround would seem timely, unless they go into emergency mode because
lots of mail is being blocked.

The spec is confusing because it says (a) failure reports should be sent
immediately, (b) failure reports should be aggregated, and (c) failure
reports should be throttled but without specifying a limit.

Of course, if the cause is a spammer, there is nothing that the domain
owner can do at all.

I wonder if the rule should be one message per week per source, since any
large volume sender will be getting reports from multiple sources.   The
main problem with this is that law enforcement actions may want to be


On Fri, Jan 29, 2021 at 4:00 PM John Levine <> wrote:

> In article <> you write:
> >3.3.  Transport
> >
> >    Email streams carrying DMARC failure reports MUST conform to the
> >    DMARC mechanism, thereby resulting in an aligned "pass".  Special
> >    care must be taken of authentication, as failure to authenticate
> >    failure reports may provoke further reports.
>     Reporters SHOULD rate limit the number of failure reports sent
>     to any recipient to avoid overloading recipient systems.
> Why would reports due to a mail loop be more of a problem than due to
> some random spammer sending a lot of fake mail, or (real life) your
> users send mail to mailing lists with thousands of subscribers? Rate
> limit your reports, don't worry about where they came from.
> R's,
> John
> _______________________________________________
> dmarc mailing list