In article <682972a4-38e4-f5b2-3180-c5a03a3a0...@tana.it> you write: >Looking at aggregate reports, you cannot tell whether an authentication failure >is a sacrosanct signaling of your domain being abused rather than a legitimate >user going through external forwarders.
Sure you can, you look at the IP address and see who it is. In my reports I see bursts of authentication failures from hosts that are obviously mailing list servers, and lots of failures in China which are random spambots. >In theory, reports can be something more than a debugging aid. It has the >potential to assemble a community where bad actors are identified and >dismissed. No, that's not what they're for and they don't have the necessary info. There are systems that compile data for IP reputation but that's not what DMARC is. The point of DMARC is to try to tell "is this message really from X", not "is this message spam." R's, John _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
