On Wed, Oct 14, 2020 at 2:17 PM Brotman, Alex <Alex_Brotman=40comcast....@dmarc.ietf.org> wrote:

> During a session at M3AAWG50, one of the other participants proposed an
> idea where a sender could optionally send reports to a domain holder when
> they send messages on behalf of that domain.
>
> Let's consider the idea that example.com has properly created
> SPF/DKIM/DMARC reports for themselves, and are enforcing at p=reject.  And
> example.com has permitted ESP-A to deliver messages on their behalf, and
> they're properly set up in the SPF, and properly sign with DKIM.  ESP-B has
> no such authorization, but some entity has asked that ESP-B send messages
> on behalf of example.com, but is targeting a mailbox provider who does
> not support DMARC, nor send reports.  Both entities participate in this
> "Senders DMARC", and now example.com knows that ESP-A is acting properly,
> while ESP-B may need some contact to understand more about what is going
> on.  I'd suggest that the policy be separate from the receiving policy
> ("p=" and "ps=" (policy-senders) for example, though, that may also lend
> itself to "psp="), but residing in the same DNS TXT record.
>
> This would not be meant just for ESPs, but also for MBPs/ISPs as well.
>
> Does this sound like a reasonable idea?  Report overload?  Not a helpful
> data set for a domain holder?
>
> Thank you for your time.
>
> --
> Alex Brotman
> Sr. Engineer, Anti-Abuse & Messaging Policy
> Comcast
>

In the example you give, wouldn't ESP B be just a wee bit suspicious and
see HUGE red flags that a non-validating receiver is targeted for mail
purporting to be from a domain publishing p=reject? If they were unsure and
concerned enough to want to send reports then why wouldn't they be
concerned enough to reach out to the domain owner/administrator without
such a report scheme? Or to reject the customer? (Oh, leaving money on the
table, the horror!)

Either the mailstream involved is malicious, or it is not. If it's
malicious, I would expect (and have experienced) reports coming in from end
users (recipients) to customer service, abuse@, postmaster@, etc. very
quickly. This would typically be much faster than once a day automated
reports from the ESP, etc. If it's not malicious, the juice may not be
worth the squeeze.

I believe - no, know - that domains paying attention to existing reports,
logs, inbound mail to role accounts, etc. have no pressing need for
something like this. Domains not paying attention to these things are
unlikely to pay attention to these proposed reports anyways.

Michael Hammer
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
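To make the scenario in the thread concrete, here is an added toy model (not code from either poster or from any IETF document) of the record and the two intermediaries: a parser for the DMARC TXT record syntax of RFC 7489, the identifier-alignment check an ESP can run on its own outbound mail, and the hypothetical "ps=" tag from the proposal. The "ps" tag, its values "none" and "report", the report format, and the names ESP-A/ESP-B and example.com are assumptions taken from the discussion, not standardized behaviour; the relaxed-alignment check approximates organizational domains by suffix match instead of the Public Suffix List.

```python
"""Toy model of the "sender-side DMARC" idea from the thread.

Added example, not code from the thread or from any IETF document.
The "ps" tag is hypothetical (taken from the proposal); it is NOT in RFC 7489.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into a tag/value dict (RFC 7489 tag=value; syntax).

    Unknown tags are kept rather than rejected, which is what would let a new
    tag such as "ps" sit in the same record as "p" without breaking receivers.
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    return tags


@dataclass
class OutboundMessage:
    """What an intermediary knows about a message it is about to send."""
    sender_name: str                 # the intermediary itself, e.g. "ESP-A"
    header_from: str                 # domain in RFC5322.From
    mail_from: str                   # domain in RFC5321.MailFrom (SPF scope)
    spf_pass: bool                   # would SPF pass for mail_from from our IPs?
    dkim_domains: List[str] = field(default_factory=list)  # d= of signatures we add


def _aligned(domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict ("s") is exact match; relaxed ("r") is
    same organizational domain, approximated here by suffix match (assumption:
    no Public Suffix List lookup)."""
    if mode == "s":
        return domain == header_from
    return (domain == header_from
            or domain.endswith("." + header_from)
            or header_from.endswith("." + domain))


def dmarc_aligned(msg: OutboundMessage, record: Dict[str, str]) -> bool:
    """True if the message would pass DMARC at a validating receiver."""
    spf_ok = msg.spf_pass and _aligned(msg.mail_from, msg.header_from, record.get("aspf", "r"))
    dkim_ok = any(_aligned(d, msg.header_from, record.get("adkim", "r")) for d in msg.dkim_domains)
    return spf_ok or dkim_ok


def sender_side_decision(msg: OutboundMessage, record: Dict[str, str]) -> Optional[dict]:
    """Return the report the sender would emit to the domain owner, or None.

    Hypothetical semantics for the proposed "ps" tag: "none" (default) means
    no sender-side reporting; "report" means report unaligned sends to rua.
    Aligned sends (what ESP-A does in the thread) never produce a report.
    """
    if record.get("ps", "none") == "none" or dmarc_aligned(msg, record):
        return None
    return {
        "reporter": msg.sender_name,
        "domain": msg.header_from,
        "receiver_policy": record["p"],
        "deliver_to": record.get("rua"),
        "reason": "unaligned send on behalf of domain",
    }


# Constructed sample data mirroring the thread's scenario.
EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ps=report"
ESP_A = OutboundMessage("ESP-A", "example.com", "example.com", True, ["example.com"])
ESP_B = OutboundMessage("ESP-B", "example.com", "esp-b.example", False, ["esp-b.example"])

if __name__ == "__main__":
    rec = parse_dmarc_record(EXAMPLE_RECORD)
    for m in (ESP_A, ESP_B):
        print(m.sender_name, "aligned" if dmarc_aligned(m, rec) else "NOT aligned",
              sender_side_decision(m, rec))
```

Note that `sender_side_decision` only fires when the sender itself cannot produce an aligned message, which is exactly the case Hammer argues should already be a red flag to the ESP before any report is sent; the receiving-side `p=` is untouched by the hypothetical tag.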
