[dmarc-ietf] Two new fields in aggregate reports

Alessandro Vesely <vesely@tana.it> Thu, 24 October 2019 17:55 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/tA-Ug7qVAB3HKN-YjFjsyJLP964>

Hi all,

it is difficult to tell what is each aggregate report's record.  It is easier
if the source IP is known.  Mailing lists can be told by their (unaligned) SPF
domain.  Otherwise, it is difficult to tell abuse from legitimate users using
the wrong server.

Getting a failure report for each source IP is not easy, because few mailbox
providers send failure reports.

In order to ease the understanding of aggregate reports, I propose two
additional per-record fields:

*score*:  The average score of the messages in the row; let's say an SA-like
number (< 0 good, > 10 bad, values in between may be worth human inspection).

*list*:  An enumerated type, for example "none", "black", "white", "both",
indicating if the source IP is listed in some public or private DNSxL that the
reporting MTA uses.

They're obviously subjective stuff.  However, most MTAs deploy at least one of
them, and summing up per-IP results every day can bring useful indications.

I haven't added those fields to http://bit.ly/dmarc-rpt-schema, yet.  Let's
discuss.  I hope they will make it to rfc7489bis.
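
Added example, not part of the original message or of any published DMARC schema: a sketch of the daily per-IP summing the post describes, run over a constructed report. The element names `<score>` and `<list>` and their placement inside `<row>` are assumptions, as are the function names; the thresholds are the ones quoted in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample report. <score> and <list> are the fields proposed in the
# post; placing them inside <row> is an assumption, no published schema has them.
SAMPLE = """<feedback>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  <score>-1.5</score><list>white</list></row></record>
 <record><row><source_ip>192.0.2.10</source_ip><count>10</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  <score>3.5</score><list>none</list></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  <score>14.0</score><list>black</list></row></record>
 <record><row><source_ip>203.0.113.3</source_ip><count>8</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  <score>0.2</score><list>none</list></row></record>
 <record><row><source_ip>203.0.113.9</source_ip><count>2</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(xml_text):
    """Per source IP, for DMARC-failing rows: (messages, mean score, list)."""
    acc = {}
    for row in ET.fromstring(xml_text).iter("row"):
        pe = row.find("policy_evaluated")
        if pe is None or "pass" in (pe.findtext("dkim"), pe.findtext("spf")):
            continue                      # aligned pass: nothing to triage
        n = int(row.findtext("count"))
        score, listed = row.findtext("score"), row.findtext("list", "none")
        a = acc.setdefault(row.findtext("source_ip"), [0, 0, 0.0, set()])
        a[0] += n
        if score is not None:             # reporter may not send the new fields
            a[1] += n
            a[2] += n * float(score)      # row score is an average: weight by count
        a[3] |= {"black", "white"} if listed == "both" else {listed} - {"none"}
    out = {}
    for ip, (total, scored, weighted, flags) in acc.items():
        mean = round(weighted / scored, 2) if scored else None
        merged = "both" if len(flags) == 2 else next(iter(flags), "none")
        out[ip] = (total, mean, merged)
    return out

def triage(mean):
    """Thresholds quoted in the post: < 0 good, > 10 bad, between: inspect."""
    if mean is None:
        return "unknown"
    return "good" if mean < 0 else "bad" if mean > 10 else "inspect"
```

Because each row carries an average, rows for the same IP are combined weighted by `count`; rows from reporters that omit the proposed fields still count toward the message total but not the mean.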