Re: [dmarc-ietf] Two new fields in aggregate reports

Brandon Long <> Fri, 25 October 2019 00:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AD95912001A for <>; Thu, 24 Oct 2019 17:53:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.499
X-Spam-Status: No, score=-17.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id C_5DTCbvDIiS for <>; Thu, 24 Oct 2019 17:53:46 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::e34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CDB9C120019 for <>; Thu, 24 Oct 2019 17:53:45 -0700 (PDT)
Received: by with SMTP id p13so353599vso.0 for <>; Thu, 24 Oct 2019 17:53:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=TY8ombJovOk5g5dLwUXMxewC4BVIFuXj7phSAE89rKg=; b=Pea4RG29dqW0Vj7v34TO8YZowuFOVZXRjuBZ7tkb2elv63eka0wpU/klSkryJTeD1K lebiL5DtYEDL731QeT4f2MDap1zzCmSc3pLRpKmjHL0kbxhl/z70PVvtaG7o6b9NlCZj ycZQfsiY3nfas0M6PXlFnTGE4kTDQT6l0osFThTJRZmdyByCNJai84K0n1FY0CWSBZQ4 FfvIwNezLuocgg8p1pPGpi8dq3i5CGLmlhw4Wo8mGQX0Nz4+vde0ke0NRXpdixFwqZ35 4P3noKRk5NmagETa3DrIaKGuJ8lALX7MtHBps6nTOu/bMjXMlGHRpo4afYtY+vFzwvNi p13A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TY8ombJovOk5g5dLwUXMxewC4BVIFuXj7phSAE89rKg=; b=itoEmxzQN8wEFYhf4pPkLOQLMJbxQwzZjMHqjl5bIzLaDlat591fKXgnRsjzVU+Y0e 6DJfuMwElpyXKl+7icUHLQviPxzsOym9YmFu89Hs9tezX2MqVyy/UvAPYFroQKP3VySb NukpX9/QtiRGTAcM68bw6yMqE6OwaEV2cvXWuFR4d2/VGHvgaDIqvWU2YGRjfP131ev1 hJkKdJI7ht8WglwX9RX0R1yS5opUYKXxnWvdkWMrR44Lak+qV7vD/O/tuTz/AIC9a8Aj yW9Z2uRcS9NKNCOG7qjQ+670dzAR1Nvqq4yi/iVe6sEn0Qn5UcvpMlhQ1hvk0DYExvfd rhIw==
X-Gm-Message-State: APjAAAUzjzrumNXs3NXsQ2W7zkX7K95t6LR/vQl4KVwS2Hk5mqCFC+ba liEVAj3F+v/52TP2Oo+XiZKncwTFU02Wmh9Rw0KhauY=
X-Google-Smtp-Source: APXvYqyuUVYhekibhTE3rJ71S4tG3KHleT2F+2xhzJjDhdtbG3Nwpw6NdgDNMSQF2CBlfoQjBEE3mFvuebM/nQa2NE4=
X-Received: by 2002:a67:edc9:: with SMTP id e9mr589384vsp.76.1571964823977; Thu, 24 Oct 2019 17:53:43 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Brandon Long <>
Date: Thu, 24 Oct 2019 17:53:32 -0700
Message-ID: <>
To: Alessandro Vesely <>
Cc: "" <>
Content-Type: multipart/alternative; boundary="000000000000ef668f0595b1949a"
Archived-At: <>
Subject: Re: [dmarc-ietf] Two new fields in aggregate reports
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 25 Oct 2019 00:53:48 -0000

On Thu, Oct 24, 2019 at 10:55 AM Alessandro Vesely <> wrote:

> Hi all,
> it is difficult to tell what is each aggregate report's record.  It is
> easier
> if the source IP is known.  Mailing lists can be told by their (unaligned)
> domain.  Otherwise, it is difficult to tell abuse from legitimate users
> using
> the wrong server.
> Getting a failure report for each source IP is not easy, because few
> mailbox
> providers send failure reports.
> In order to ease the understanding of aggregate reports, I propose two
> additional per-record fields:
> *score*:  The average score of the messages in the row; let's say an
> SA-like
> number (< 0 good, > 10 bad, values in between may be worth human
> inspection).

This assumes that your spam system is able to make a spamminess score that
a continuum, I'm not sure that's true.  Also, it's a lot of spamminess
feedback, not sure if that
can be abused or not.

Also, as rejected at smtp time, especially for DMARC, we're unlikely to
have run a full spam
assessment on the message.

> *list*:  An enumerated type, for example "none", "black", "white", "both",
> indicating if the source IP is listed in some public or private DNSxL that
> the
> reporting MTA uses.

At first I was wondering if you were going to have the values of the
list-id header.

That said, though I've never used any DMARC aggregator services, I would
think that
one of the values they're likely to provide is IP address identification,
useful so you can
hunt down what things aren't sending DMARC compliant email yet (ie, looks
like you're sending
mail from ESP A and ESP B, fix those)... they can just as easily use the
various public IP reputation

Anyways, I doubt we'd expose anything internally... also, this is kind of
the opposite of the
spamminess score, in that it expects that things are black & white, and we
virtually never
classify things as such.