On Mon, Dec 28, 2020 at 3:14 PM Alessandro Vesely <ves...@tana.it> wrote:

> On Mon 28/Dec/2020 16:48:10 +0100 Todd Herr wrote:
> >
> > I am not opposed to the generic warning, but the following sentence in the
> > proposed warning gives me pause:
> >
> >     "They are meant to aid domain owners to detect why failures reported
> >     in aggregate form occurred."
> >
> > The implication, to me, in that sentence is that the failure report will be
> > sent to the party that originated the message,
>
> How do you derive that?  To me, the sentence seems to implicate that failure
> reports go to the same entity which receives aggregate reports.  That's not
> always going to be true either.  The point should be that the authority who
> decides where either kind of reports go is the same who publishes the public
> keys.  "Domain owners" is meant to indicate such authority.
>
Forgive me, as my words weren't clear here.

"[Failure reports] are meant to aid domain owners to detect why failures
reported in aggregate form occurred" says to me that the idea behind
failure reports is to put them in the hands of a party that can address the
failures.

DMARC validation failures can be caused either due to legitimate mail
(i.e., mail originated by or on behalf of the publisher of the DMARC
policy, a.k.a., the domain owner) failing authentication checks due to a
shortcoming in the authentication practices of the domain owner or some
other hiccup that occurs in transit, OR by illegitimate mail (i.e., mail
not originated by or on behalf of the domain owner, so mail intended to
fraudulently impersonate the domain), specifically the kind of mail that
DMARC is purported to be designed to stop.

All reports will go to the domain owner, and they should all go to the
domain owner, but the domain owner will have no interest in fixing the
authentication practices of the illegitimate mail streams identified by
failure reports, nor would it have the ability to do so even if it wanted
to.

I believe at one time long ago there was an idea that a second possible
usage for failure reports showing illegitimate mail was to give the domain
owner evidence to present to an abuse desk or takedown vendor to get the
illegitimate mail cut off at its source, but I don't know that for certain.
Without such a use case, failure reports regarding mail that the domain
owner didn't cause to be originated are just noise, because there's no
action that the domain owner can take.

-- 

*Todd Herr* | Sr. Technical Program Manager
*e:* todd.h...@valimail.com
*p:* 703.220.4153


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
