Re: [dmarc-ietf] Ticket #42 - Expand DMARC reporting URI functionality

Michael Thomas <> Sun, 24 January 2021 21:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 76D7E3A0B9E for <>; Sun, 24 Jan 2021 13:41:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.15
X-Spam-Status: No, score=0.15 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mvDZk8Q6jI6S for <>; Sun, 24 Jan 2021 13:41:43 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::102b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4EE173A0B9B for <>; Sun, 24 Jan 2021 13:41:43 -0800 (PST)
Received: by with SMTP id a20so4166985pjs.1 for <>; Sun, 24 Jan 2021 13:41:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=fluffulence; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding:content-language; bh=srsSLjmpmaSERgqAnodXGPkO1Wp6IY9GjiyvDYE30RU=; b=CWSoAUfiiPNB9MboncGGdjnvBbS3k+/e94mSrPLUyNO/3iNIFjvkY+lO+H4jCKe7Nf pJYmT0Ke8kgnFhQ6mLnbWsmchfraSw7SkXIYPQoWDRpzTQEczGa/LGKhQT+WWvK9F/c/ 4eEcoCoLkfeGoS42VdjQlABg8rzF7OLpsvZkYv3ZBbeS7hTvs0o3UaTD84fNBnrZNdR/ 2LRyPbPgTX4StSChtIXehDLDYwR2Lcd15RdbO5AlBO1QkjfLUjiD6UetPw0lEMgm41zS poPIMidyYOPbKxSJGEza3fgPe5aIOGINkY5tmQHMM7wo5X2hF5Kw4Z3yKDnRn6pv2DSZ /y8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=srsSLjmpmaSERgqAnodXGPkO1Wp6IY9GjiyvDYE30RU=; b=RcO5dlIuzME4xvhewnkyNbRb6+9wY99zMWgSslBqQ0UBZLLZ4+2Yn8dsg4948a6txh urcouS6RX2bGRrEoFb8BYqLImMid3OU0lPVVXnjO4uT5Vn4W1bWBtqwp3C9g5Qxcqp1L QCRsuHMn9xJFUyzyEDp08gtOgeUxxyEaNyVvX8GjDOUdaqEyiaePJAdzCMBTzi8aU3yR reBXwEPCjxurF6krTKP3j2r2U75mpMrdpooCFhK1XzqUteBE+C0qanTohAwi5mQo39LZ 4vZKaGVbGWjL21m1m8x1gjldPV9mUzwLWX+vEWcawlaAKcIniH9Vq3OGe28ckbwt+n20 gv9Q==
X-Gm-Message-State: AOAM533tWFryiPa2ZnxHxOJExtRVaob//7rePuRw0rH641ILeyMaiW2O jX8FmIDJiwbLse4ehkRZSXuI6BpV4lQmTQ==
X-Google-Smtp-Source: ABdhPJzaJCmWKU62R4AqVASl473R2LnO2+WMGWa8VeNG5MaAZ/6iBqowoLo70WW0V8ZFuJGFKD5mLw==
X-Received: by 2002:a17:902:14f:b029:de:c703:3045 with SMTP id 73-20020a170902014fb02900dec7033045mr16744795plb.14.1611524502270; Sun, 24 Jan 2021 13:41:42 -0800 (PST)
Received: from mike-mac.lan ( []) by with ESMTPSA id k141sm13060071pfd.9.2021. for <> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 24 Jan 2021 13:41:41 -0800 (PST)
References: <20210124213645.CAD5E6C0889D@ary.qy>
From: Michael Thomas <>
Message-ID: <>
Date: Sun, 24 Jan 2021 13:41:40 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <20210124213645.CAD5E6C0889D@ary.qy>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <>
Subject: Re: [dmarc-ietf] Ticket #42 - Expand DMARC reporting URI functionality
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 24 Jan 2021 21:41:44 -0000

On 1/24/21 1:36 PM, John Levine wrote:
> In article <> you write:
>> any reporting needs to be authenticated. if you're going to use http,
>> you need to show how you're going to do that.
> DMARC systems have been producing and consuming reports for a decade
> without authentication, without any problems I am aware of other than
> the occasional failure report loop, so we have practical experience
> telling us this assertion is not true.
"That i'm aware of" doesn't count for anything in the security realm. If 
this document intends to be standards track the default security posture 
is that everything needs authentication. Good luck getting it through 
the IESG handwaving the problem away. At least with mail a little 
normative texts fixes the problem. That won't be the case for http.