Re: [dmarc-discuss] RUA vs RUF reports

2018-05-27 Thread Roland Turner via dmarc-discuss 

Al,

Note that the terminology changed a while back from forensic reports to 
failure reports, presumably to remove the confusion that the use of the 
term forensic invites[1].


You've not stated what action you intend to take in response to the 
receipt of a failure report, so it's a little difficult to answer your 
question, but I'd point out two things:


 * Very few receiver-side authentication failures will cause you
   receive a failure report merely in response to your setting a ruf
   parameter. Receivers are in general unwilling to send them blindly,
   most will want background checks of the requester and a formal NDA,
   both of which generally happen as part of the contract with a
   specialist organisation providing email-authentication-related
   services. The spec provides for an interoperable failure reporting
   mechanism, but [obviously] can't mandate its use. If you are
   interested in knowing about failures in order to take some action
   (e.g. to change how you use particular lists, or to identify a list
   operator to encourage to change their DMARC handling), then >90% of
   the information that you're looking for is exclusively available to
   you in the aggregate reports.
 * For domains where you've not yet switched on p=reject, e.g. to
   minimise disruption of email flow, knowing about third parties
   impersonating you may be relevant whether or not they're sending to
   the few receivers who will send failure reports on request. This was
   certainly the case for me; when it became clear through aggregate
   reports that my personal domain was being impersonated - despite my
   not receiving a single failure report - I elected to switch on
   p=reject, then set about encouraging the few list operators who
   weren't yet honouring it to do so.

This does mean having to put in place some means to monitor aggregate 
reports for interesting failures, yes. Processing the XML to discover 
this is pretty straightforward, so long as you avoid the usual risks in 
processing XML from untrusted sources.


- Roland

1: working out what happened before vs. suitability for presentation in 
a public forum, particularly a court of law




On 28/05/18 01:17, Al Iverson via dmarc-discuss wrote:

Well, I think that would depend on the use case, would it not?. I've got
one server and Google Apps, everything signs with DKIM, and SPF is
configured correctly. I don't really have any edge cases to look out for --
no other outsource service providers in the mix. The rare (for me) failed
message forensic reports provide feedback about other peoples' broken
mailing lists (and maybe someday examples of forgery, if somebody forges my
domain). In that scenario, I'm getting a daily "everything is OK" aggregate
report from Google and a few others that is of low value to me. I could
either set a filter to delete those reports, or I modify my DMARC record to
stop requesting them. Either way, this is reversible in the future.

For an ISP or corporate entity, I would be more inclined to agree with you.
Somebody in another department could set up with some other service
provider that handles some form of email messaging without enabling proper
authentication and you'd want to be able to catch that, and summary
(aggregate) information from the big guys would help immensely.

So I do get your point, but it doesn't see to fit my use case.

Cheers,
Al Iverson

On Sun, May 27, 2018 at 11:18 AM Vladimir Dubrovin 
wrote:



Aggregated report contain all information, including SPF/DKIM/DMARC
failures, but it doesn't contain forensic information (e.g. failed
message Subject). Aggregated reports are supported by almost all large
ESPs, so, if you have some troubles you will probably see it in
aggregated report.
Forensic report contains information about individual message failing
SPF/DKIM/DMARC with some details (forensic information) regarding this
message, e.g. message headers. The problem is there are very few peers
sending forensic reports, so you may receive some reports, but should
not expect to receive forensic reports in the case of failure.
If you do not receive aggregated reports there is a very high chance to
have configuration problem without noticing it.
27.05.2018 17:43, Al Iverson via dmarc-discuss пишет:

In a DMARC record, I see that rua= specifies the address to which

aggregate

feedback is to be sent, and ruf= specifies the address to which
message-specific forensic information is to be reported.

I'm just a tiny bit confused about terminology-- could somebody confirm

for

me that I'm thinking of this correctly? I prefer only to receive failure
reports at this time. I don't want to receive summary reports telling me
that everything is AOK. That suggests to me that I should remove the rua
field but leave the ruf field.

Have I got that right?

Thanks,
Al Iverson


--
Vladimir Dubrovin
@Mail.Ru

Re: [dmarc-discuss] RUA vs RUF reports

2018-05-27 Thread Al Iverson via dmarc-discuss 
Well, I think that would depend on the use case, would it not?. I've got
one server and Google Apps, everything signs with DKIM, and SPF is
configured correctly. I don't really have any edge cases to look out for --
no other outsource service providers in the mix. The rare (for me) failed
message forensic reports provide feedback about other peoples' broken
mailing lists (and maybe someday examples of forgery, if somebody forges my
domain). In that scenario, I'm getting a daily "everything is OK" aggregate
report from Google and a few others that is of low value to me. I could
either set a filter to delete those reports, or I modify my DMARC record to
stop requesting them. Either way, this is reversible in the future.

For an ISP or corporate entity, I would be more inclined to agree with you.
Somebody in another department could set up with some other service
provider that handles some form of email messaging without enabling proper
authentication and you'd want to be able to catch that, and summary
(aggregate) information from the big guys would help immensely.

So I do get your point, but it doesn't see to fit my use case.

Cheers,
Al Iverson

On Sun, May 27, 2018 at 11:18 AM Vladimir Dubrovin 
wrote:


> Aggregated report contain all information, including SPF/DKIM/DMARC
> failures, but it doesn't contain forensic information (e.g. failed
> message Subject). Aggregated reports are supported by almost all large
> ESPs, so, if you have some troubles you will probably see it in
> aggregated report.

> Forensic report contains information about individual message failing
> SPF/DKIM/DMARC with some details (forensic information) regarding this
> message, e.g. message headers. The problem is there are very few peers
> sending forensic reports, so you may receive some reports, but should
> not expect to receive forensic reports in the case of failure.

> If you do not receive aggregated reports there is a very high chance to
> have configuration problem without noticing it.

> 27.05.2018 17:43, Al Iverson via dmarc-discuss пишет:
> > In a DMARC record, I see that rua= specifies the address to which
aggregate
> > feedback is to be sent, and ruf= specifies the address to which
> > message-specific forensic information is to be reported.
> >
> > I'm just a tiny bit confused about terminology-- could somebody confirm
for
> > me that I'm thinking of this correctly? I prefer only to receive failure
> > reports at this time. I don't want to receive summary reports telling me
> > that everything is AOK. That suggests to me that I should remove the rua
> > field but leave the ruf field.
> >
> > Have I got that right?
> >
> > Thanks,
> > Al Iverson
> >

> --
> Vladimir Dubrovin
> @Mail.Ru



-- 
al iverson // wombatmail // miami
http://www.aliverson.com
http://www.spamresource.com

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] RUA vs RUF reports

2018-05-27 Thread Vladimir Dubrovin via dmarc-discuss 

Aggregated report contain all information, including SPF/DKIM/DMARC
failures, but it doesn't contain forensic information (e.g. failed
message Subject). Aggregated reports are supported by almost all large
ESPs, so, if you have some troubles you will probably see it in
aggregated report.

Forensic report contains information about individual message failing
SPF/DKIM/DMARC with some details (forensic information) regarding this
message, e.g. message headers. The problem is there are very few peers
sending forensic reports, so you may receive some reports, but should
not expect to receive forensic reports in the case of failure.

If you do not receive aggregated reports there is a very high chance to
have configuration problem without noticing it.

27.05.2018 17:43, Al Iverson via dmarc-discuss пишет:
> In a DMARC record, I see that rua= specifies the address to which aggregate
> feedback is to be sent, and ruf= specifies the address to which
> message-specific forensic information is to be reported.
>
> I'm just a tiny bit confused about terminology-- could somebody confirm for
> me that I'm thinking of this correctly? I prefer only to receive failure
> reports at this time. I don't want to receive summary reports telling me
> that everything is AOK. That suggests to me that I should remove the rua
> field but leave the ruf field.
>
> Have I got that right?
>
> Thanks,
> Al Iverson
>

-- 
Vladimir Dubrovin
@Mail.Ru

___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

[dmarc-discuss] RUA vs RUF reports

2018-05-27 Thread Al Iverson via dmarc-discuss 
In a DMARC record, I see that rua= specifies the address to which aggregate
feedback is to be sent, and ruf= specifies the address to which
message-specific forensic information is to be reported.

I'm just a tiny bit confused about terminology-- could somebody confirm for
me that I'm thinking of this correctly? I prefer only to receive failure
reports at this time. I don't want to receive summary reports telling me
that everything is AOK. That suggests to me that I should remove the rua
field but leave the ruf field.

Have I got that right?

Thanks,
Al Iverson

-- 
al iverson // wombatmail // miami
http://www.aliverson.com
http://www.spamresource.com
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)