Re: [dmarc-ietf] DMARC'ed reports, was Forensic report loops are a problem

Alessandro Vesely <vesely@tana.it> Tue, 02 February 2021 17:39 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 909AB3A0D31 for <dmarc@ietfa.amsl.com>; Tue, 2 Feb 2021 09:39:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level:
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ofp11VKSlKuP for <dmarc@ietfa.amsl.com>; Tue, 2 Feb 2021 09:39:48 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E5B13A0CB8 for <dmarc@ietf.org>; Tue, 2 Feb 2021 09:39:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1612287583; bh=EMtifhSbAvAsWWoGC3U1xNygZjiKCMPZ6h3LsOn1uaw=; l=1398; h=To:Cc:References:From:Date:In-Reply-To; b=CG0BAYHANDk+QSWbmdVwlUV77phmoCL29nwgGCjmSwBO/JCLV3HWIhrSvRR9GF6rT F0UgtR7fZ4NfRKO5ZhBwwBLjTaBYCrlIuP0nkWS1okVS86a4xtWugCWxngwgIQY21z GXgOUec+sJwX6ze/Ve6srjHt8ugsMmIgFkJjKU4S6xfLOGFy5WfI5CIMY8nD5
Authentication-Results: tana.it; auth=pass (details omitted)
Original-From: Alessandro Vesely <vesely@tana.it>
Original-Cc: dmarc@ietf.org
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC026.0000000060198E5F.000043CE; Tue, 02 Feb 2021 18:39:43 +0100
To: Dave Crocker <dcrocker@gmail.com>, John R Levine <johnl@taugh.com>
Cc: dmarc@ietf.org
References: <20210201232105.1931D6D20971@ary.qy> <41163cd5-be81-6fd7-07dd-7a474874429e@gmail.com> <92b361a1-d9a5-9389-46b-3725d885c02@taugh.com> <b83c7574-3aa9-bd39-1a9b-3be6fa4f47ec@gmail.com> <1021a8e4-ca5f-5fb3-2661-b4668b4bafd5@tana.it> <0fd34931-e3c4-e5a5-3cb2-cb82697f50e6@gmail.com>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <e6f7fa8e-9ea4-1e0a-1cd2-0fa040379bad@tana.it>
Date: Tue, 02 Feb 2021 18:39:43 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <0fd34931-e3c4-e5a5-3cb2-cb82697f50e6@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ek9wrzzRYDL63_j0YDL8vZXEip8>
Subject: Re: [dmarc-ietf] DMARC'ed reports, was Forensic report loops are a problem
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Feb 2021 17:39:54 -0000

On Tue 02/Feb/2021 18:24:32 +0100 Dave Crocker wrote:
> On 2/2/2021 9:19 AM, Alessandro Vesely wrote:
>>
>> I changed it again, for failure reports, like so:
>>
>> 3.3.  Transport
>>
>>    Email streams carrying DMARC failure reports SHOULD conform to the
>>    DMARC mechanism, thereby resulting in an aligned "pass".  This
> 
> "conform to" seems odd wording; it's not immediately obvious what it means here.
> 
> Perhaps:
> 
>   SHOULD provide DMARC-based authentication, to produce their own aligned "pass"
> 
> 
>> requirement is a MUST in case the sending host has a DMARC record
> 
> 'sending host' is ambiguous in this context.


Is this better:

3.3.  Transport

    Email streams carrying DMARC failure reports SHOULD provide DMARC-
    based authentication, so as to produce "dmarc=pass".  This
    requirement is a MUST in case the report is sent through a host
    having a DMARC record with a ruf= tag.  Indeed, special care must be
    taken of authentication in that case, as failure to authenticate
    failure reports may result in mail loops.

    Reporters SHOULD rate limit the number of failure reports sent to any
    recipient to avoid overloading recipient systems.  Again, in case the
    reports being sent are in turn at risk of being reported for DMARC
    authentication failure, reporters MUST make sure that possible mail
    loop are stopped.



Best
Ale
--