Re: [dmarc-ietf] Forensic report loops are a problem

Michael Thomas <> Mon, 01 February 2021 20:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 12F063A146D for <>; Mon, 1 Feb 2021 12:34:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.751
X-Spam-Status: No, score=-1.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HkbR_Wp7uZle for <>; Mon, 1 Feb 2021 12:34:56 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3D30A3A146B for <>; Mon, 1 Feb 2021 12:34:55 -0800 (PST)
Received: by with SMTP id s15so10686761plr.9 for <>; Mon, 01 Feb 2021 12:34:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=fluffulence; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding:content-language; bh=+VuOb/b190q5AZ6q+cIcslqtXxUBqkdJpBL72obANz8=; b=bYnJmM8EygEFyYIBxd7U/KmE18vt4tIBs/zwtdf3i+suSLGXfLjk0VNeRcmgouMunj U/D6yeCOdWoZhmhCvb2KT7NuunwrdRGggMztgRYytfziyr05dZjy5AzDTNISTlkJ0YZj GBZBuXbPgGbU56tD6W8H5S4EV1qxLt4JY64RDDtaEiDnY/Dciuhp/yFVY1EFgp2Sf78J K1O7qEJoP156/TDAOvo/5I3B9pgl9GYpPQ17YWZCjvFe9YsqiMXjph5aGerVhcYcfGuF cGiqtLvd8xTme+IyeQMxnPvg/WHDfDrGrygn3rj19GXbtY23AA3x8tAOg6XjiE6TlNTy u4lg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=+VuOb/b190q5AZ6q+cIcslqtXxUBqkdJpBL72obANz8=; b=Ga9vuxYAY3ShUCHSADa2OlmiguNdz2SCga5rEjygWBSzaFk+TbUDBPrCOxXDz6dqfA rz4sjOtb/JvZ9BChkXscpDt8cDifwYIhrmLQKZ2nXutSUsXKYMW4+mGJi2S5yYrtdkEO 5m9GSdRhzcZSrJJtVd5z9jyQqpaJDPZHInGwumPHd8ipz1OyxopUf5D23ohA2MFquPsB uCV9h+JBD94rimLyy2limqcGAUVGpd/xSDkQt7VcoIPvArQzY43g9O7vuIOIPLb+A6QU ln6LTqxqUeL3d9qTm4KNCWXIEaKGWRtFl6cbQqiuzH2J87MMkPtFhQCZqQ4emnxatsOF yl6Q==
X-Gm-Message-State: AOAM532m8gQfGyM5MVLgQQD8zqq2Xe1LsiQ99E8JduT9ytbtU2VSHGKI l15tPhM7fGNJqgfR3HHB/I8fXiasAojttg==
X-Google-Smtp-Source: ABdhPJxV6yXQ6dPzSmi4okwUuFsjQMgvbwS9VVL4vhoahHVQ6Hf0c3y5lH1fHfDLeoXNb1lOR+WAHw==
X-Received: by 2002:a17:902:f683:b029:de:18c7:41fa with SMTP id l3-20020a170902f683b02900de18c741famr18824805plg.57.1612211695094; Mon, 01 Feb 2021 12:34:55 -0800 (PST)
Received: from mike-mac.lan ( []) by with ESMTPSA id b18sm19664667pfi.173.2021. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 01 Feb 2021 12:34:54 -0800 (PST)
To: Dave Crocker <>,
References: <> <20210127203714.007C86CDB9CA@ary.qy> <> <> <> <> <> <> <>
From: Michael Thomas <>
Message-ID: <>
Date: Mon, 1 Feb 2021 12:34:53 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [dmarc-ietf] Forensic report loops are a problem
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 01 Feb 2021 20:34:57 -0000

On 2/1/21 10:52 AM, Dave Crocker wrote:
> On 2/1/2021 10:25 AM, Michael Thomas wrote:
>> On 2/1/21 10:13 AM, Dave Crocker wrote:
>>> The model that a receiving site is not allowed to report DMARC 
>>> traffic unless that site is also generating DMARC authentication is 
>>> Procrustean.  And as I noted, is likely counter-productive. 
>> There is no such thing as "DMARC authentication".
> Actually, there is.  DMARC's requirement for alignment with the 
> author's From: field domain name asserts a specific bit of 
> authenticated semantics that does not exist elsewhere.
>> The paragraph quoted is poorly written and should be rewritten to say 
>> that the report should pass either SPF or DKIM authentication as I 
>> wrote in issue #98.
> It might be written better, but its requirement is for support of 
> applying DMARC to generated reports.  That's more than just requiring 
> SPF or DKIM.
> This is separate from not asserting the requirement at all, of course.
The entire thrust of the paragraph needs to be rewritten to what the 
senders and receivers must do. It does not require invoking the policy 
lookup since it can make the determination to reject reports that do not 
authenticate with either SPF or DKIM itself. The section also needs to 
clarify whether spoofing the envelope-to domain in the report contents 
is allowed or not. I do not think it should be.