On Thursday, February 29, 2024 9:04:03 AM EST Todd Herr wrote:
> On Wed, Feb 28, 2024 at 6:27 PM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:
> > I interpret your data differently.   These domains collected data until it
> > was clear that they could safely move to enforcement.   Thereafter, they
> > saw no need to study reports, at least until their configuration changes.
> > 
> >  Daily reporting is perceived as a waste of system and staff resources.
> > 
> > I suggested an errors-only reporting option, which would allow for error
> > monitoring without the wasted resources, but it was discarded by the
> > group.
> 
> Not all DMARC passes are intentional passes. The SPF upgrade attacks that
> we've witnessed over the past year or so and too-permissive SPF records in
> general are but two examples of where DMARC passes can occur for mail that
> was not authorized by the Domain Owner. A reporting model that only reports
> failures would not reveal these flows to the Domain Owner.
> 
> Please note that I am explicitly NOT arguing for a DMARC mechanism that
> does not rely on SPF; in fact I oppose such a thing at this time. Rather, I
> submit that it behooves Domain Owners to routinely clean and manage their
> SPF records to mitigate against risk of these sorts of attacks, and DMARC
> aggregate reports are a tool that can be used to do so.

I agree with this.  I would add that domain owners should look for evidence of 
cross-domain forgery in their data and where they see it seriously reconsider 
using that provider.  Unless there's some kind of market demand for correct 
implementation of SPF, there are apparently lots of providers that aren't 
going to bother.

Scott K



_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
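
An added example, not part of the original message or of any DMARC tool: one way a Domain Owner could scan an aggregate report for the case discussed above, where mail passes DMARC from a source outside the owner's known sending networks. The report is a constructed, trimmed sample in the RFC 7489 aggregate format, and `KNOWN_NETWORKS` and `unexpected_passes` are hypothetical names.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (trimmed RFC 7489 aggregate report); every value is made up.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.77</source_ip><count>42</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Assumption: the Domain Owner keeps an inventory of networks it really sends from.
KNOWN_NETWORKS = ["192.0.2.0/24"]


def unexpected_passes(report_xml, known_networks):
    """Return (source_ip, count, basis) for DMARC passes from unlisted sources."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    findings = []
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = ipaddress.ip_address(rec.findtext("row/source_ip"))
        # policy_evaluated carries the aligned (DMARC-relevant) results.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        if "pass" not in (dkim, spf):
            continue  # DMARC failure: a failures-only report would show this row
        if any(ip in net for net in nets):
            continue  # pass from a source the owner expects
        if dkim == "pass" and spf == "pass":
            basis = "spf+dkim"
        else:
            basis = "spf-only" if spf == "pass" else "dkim-only"
        findings.append((str(ip), int(rec.findtext("row/count")), basis))
    return findings


if __name__ == "__main__":
    for ip, count, basis in unexpected_passes(SAMPLE_REPORT, KNOWN_NETWORKS):
        print(f"review: {count} message(s) from {ip} passed DMARC ({basis})")
```

Rows reported as `spf-only` from an unlisted address are the ones to compare against the published SPF record, since they passed without any aligned DKIM signature.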
