Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help

Douglas Foster <> Mon, 25 January 2021 17:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8F9273A1566 for <>; Mon, 25 Jan 2021 09:10:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KNFKA7vdFWm9 for <>; Mon, 25 Jan 2021 09:10:46 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::935]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A97793A0E7E for <>; Mon, 25 Jan 2021 09:10:46 -0800 (PST)
Received: by with SMTP id u27so4656781uaa.13 for <>; Mon, 25 Jan 2021 09:10:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=idPqu0iOSxZBU+InP0ksal+CQHMO/rQgXroVtmKKp1A=; b=fiXWQ86vjtZNEBYfbYyh9WQ0ORd4MmSRvplGRONicQPX5lwMC9ACcyRZ4hawLeEW8b v1UXInMFLfzWXDXMyqt1dn8eB/NnSjnsq2I1r8Xd0Sa6+OLW2+2ZVLNlcObUa6rODGmE LaoNY+dwzSNGtESWl6gr+Me1qm5d9wyazKi+cQ+/xh+ejRXAITTj3baVdRFzSYPlblqO uz70z+mBM8mYFFUF4Nqo3FYHYDY5DX+OlWb5DbhQNpgFPevuF/KhTbbbm76dZ2N165Ce xELRhQpCWajM4iYhZTCLCsMxY9pZI6ulceQKk9nZStQu1SlD8RQXDhv81dQAf6Z/9iOu bmAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=idPqu0iOSxZBU+InP0ksal+CQHMO/rQgXroVtmKKp1A=; b=PmDoxajz6BiZmgJwmd24pwJQgLqRiVK5echrxMxWA5xC4nMxZzQad2QV1PanPr5j2i 0FUWp0HYw3i/S8WaB/gqosrzP8G+nMZClZD99Wp/yc/fCxBUf6Xjb5rRYT4b16ZSmFnm /1lbEtRKH69gbIDZgLssC5hMxnMccBwzGWbszF20euT+/57JSFp9VZIBQXAd62mwDGPh oHq4YezFeggXb+7JbmdEreD9al0xlJ2m2bZyG4D/dfAKE45624d64Twk0zBCR/3K/tmy FkZvZXcrCL1VMvoH5s77QWnv5nyFQnecTwcSjGRgligZbRFM1+HRy9STdqZ4bWPGGcm8 90bQ==
X-Gm-Message-State: AOAM532VOVDf9HoY3Em5nON/uKzViTjLasdo2Oj4juO8wYQbKwS5Fk6/ 4ASsEr0OMBtOLIvt+r/F7R0vLvOJ1rIhd//qtWyqh/N2
X-Google-Smtp-Source: ABdhPJx2GTy0W/82nHGXQ2EJ5aLGRq03fdWrNWDMhaNaxPPaIEyFM5IWCc8MyJnHOjnTcXAnv/Z0BHgkjLfdnTQEZZA=
X-Received: by 2002:ab0:7547:: with SMTP id k7mr1347387uaq.95.1611594645050; Mon, 25 Jan 2021 09:10:45 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <> <> <>
In-Reply-To: <>
From: Douglas Foster <>
Date: Mon, 25 Jan 2021 12:10:30 -0500
Message-ID: <>
Content-Type: multipart/alternative; boundary="0000000000005719e005b9bc9e2e"
Archived-At: <>
Subject: Re: [dmarc-ietf] Tickets 98 and 99 -- fake reports are not a problem and if they were authentication would not help
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 25 Jan 2021 17:10:49 -0000

Since the status quo is unauthenticated, I wonder if adding a signing
requirement will help.
Will recipients discad unsigned messages, or accept whatever is available
to maximize their information capture?  I suspect they will conrinye to
accept everything.

I think we would need an identified threat before recipients would be
motivated to discard.

But what about John's problems with receiving reports that should not have
gone to him?   I did not understand the root cause, but I would hope there
is something that can be done.  Would signing help receiving sites, those
with less sophistication than he has, be able to sort out noise more

On Mon, Jan 25, 2021, 11:51 AM Michael Thomas <> wrote:

> On 1/25/21 8:44 AM, Todd Herr wrote:
> On Mon, Jan 25, 2021 at 10:18 AM Michael Thomas <> wrote:
>> The main thing I've learned over the years of dealing with security is to
>> not underestimate what a motivated attacker can do. Your imagination is not
>> the same as their imagination. Closing #98 in particular is absolutely
>> ridiculous: the report should already have a DKIM signature or SPF so it's
>> just a matter of making sure its valid. Why would you *not* want to insure
>> that? The amount of justification for *not* having the receiver
>> authenticate it is a mountain. The amount of effort to authenticate it is
>> trivial for mail. Levine's dismissal of security concerns because he has
>> anecdotal "evidence" from a backwater domain carries no weight at all.
> That's all well and good, but you haven't answered the question I asked.
> What threats do you have in mind? Put another way, how do you envision an
> attacker exploiting the lack of authentication in a DMARC report to his or
> her gain?
> No, sorry, the onus is on the people who don't think it can be gamed. A
> bald assertion that it can't be gamed is very unconvincing. You need to lay
> out a miles long case for why it cannot be gamed. And to what end? #98 has
> a simple piece of text that should be added to DMARC to eliminate the
> possibility of forgery. You'd need a 10 page threat I-D to explain why it's
> not necessary. What is the point of that? For email, it's trivial to
> prevent forgeries. Why would anybody argue against that?
> Mike
> _______________________________________________
> dmarc mailing list