On Mon, Jan 25, 2021 at 3:18 PM Michael Thomas <m...@mtcc.com> wrote:

>
> On 1/25/21 12:08 PM, Todd Herr wrote:
>
> On Mon, Jan 25, 2021 at 2:56 PM Michael Thomas <m...@mtcc.com> wrote:
>
>>
>> On 1/25/21 11:52 AM, John Levine wrote:
>> > In article <
>> cah48zfwejx1pho7x1bjjtyyehxzwmuq3jrhfjzahwfy1jq+...@mail.gmail.com> you
>> write:
>> >> -=-=-=-=-=-
>> >>
>> >> DMARC alignment on the report seems of limited value unless it is
>> aligned
>> >> to the domain being reported. ...
>> > I'm getting the impression that some of us have not looked at any DMARC
>> reports.
>> >
>> > Aggregate reports contain the domain of the reporter, and the domain
>> > of the sender to whom they are sending the report. They do NOT have
>> > the domains to which the messages were sent or where they were
>> > received, which are often different for forwarded or mailing list mail.
>> >
>> > For at least the third time, there is no "domain being reported". When
>> > I get reports from Google or any other multi-tenant mail provider,
>> > they do not say to which of their gazillion hosted domains the mail
>> > was sent. That is not a bug, and it's been like that for a decade.
>> >
>> Sounds like a bug to me and an issue should be opened. Just because it's
>> a 10-year-old bug doesn't mean it's not a bug.
>>
>>
> I disagree.
>
> Authentication results should not differ at a given provider based solely
> on the destination domain, so there is no reason to report results
> separately for each destination domain. Further, there's no value to the
> report generators, especially at large sites like Google, to expend the
> resources necessary to generate and send X reports when one will do.
>
> So you're saying I should be free to spoof any domain I want because
> Google might be inconvenienced?
>
>
I'm not at all following your point here. Let me explain what I'm trying
to say, then perhaps you can explain what you're trying to say in a way
that might make a dent in my seemingly-addled brain, and then we can move
forward.

As a domain owner who publishes a DMARC policy record, a DMARC aggregate
report tells me the results of authentication checks done by a given
reporter for mail claiming to be from my domain during a specified period
of time. These aggregate reports group the information by source IP,
telling me how many messages were seen from a given IP by that reporter,
what the policy evaluation results were, what the header from was, and what
the results of the "pure" authentication checks were.

If I were an owner of a domain of any reasonable size generating
non-trivial amounts of traffic on a daily basis, I would expect that some
of the traffic in a given aggregate report was stuff I'd sent, and some
would be stuff others had sent.

When it comes to a hosting provider, such as Google or any provider hosting
more than one domain, I do not expect that the authentication results
reported by the hosting provider about my domain will differ based on the
domain hosted by that provider to which the traffic was sent. If Google
reported mail from foo.com (my domain), I would expect that all mail I sent
from a given IP would show the same authentication results regardless of
whether it was sent to bar.org, baz.net, someotherdomain.com, whatever
domains Google might be hosting. I would further expect that any mail that
I didn't send would show in the report as failing authentication checks
(assuming I've got my authentication stuff set up correctly) regardless of
what domain it was sent to at Google.

The reasons for these expectations are several:

   1. SPF checks are based on the domain in the RFC5321.MailFrom header, or
   sometimes on the domain in the RFC5321.HELO; the destination domain has
   nothing to do with the success or failure of SPF
   2. DKIM checks are based on the DKIM-Signature header(s) in the message;
   the destination domain for the message has no role in the DKIM validation
   effort, as the public key is published by the signer
   3. DMARC checks are based on the From domain (which publishes the DMARC
   policy) and the results of the SPF and DKIM checks (did either pass, and
   does the domain that passed align with the From domain?). Again,
   destination domain doesn't play a role in the DMARC check

So, based on my understanding of how DMARC works and the information that
an aggregate report contains, I do not see how the lack of the destination
domain in an aggregate report gives one freedom to spoof any domain.

Can you please explain your position that the lack of destination domains
in aggregate reports gives one freedom to spoof any domain, and further can
you please specify which domain(s) in this scenario might be free to be
spoofed?

-- 

*Todd Herr* | Sr. Technical Program Manager
*e:* todd.h...@valimail.com
*p:* 703.220.4153


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
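As an added example (written for this page, not code from any participant in the thread or from the IETF DMARC work), here is a small parser for a DMARC aggregate report in the RFC 7489 XML format that works through the points made above: the report carries the reporter's org_name, the policy_published domain, and per-source-IP rows with the header From and the raw SPF/DKIM results, but no field for the destination domain. The code recomputes identifier alignment from auth_results (relaxed vs. strict) and sums the volume that fails DMARC, which is what a domain owner actually acts on. The report content, reporter name, IPs and counts are constructed, and the organizational-domain helper is a deliberate simplification (last two labels, no Public Suffix List), which is an assumption of this example rather than how a production evaluator works.

```python
"""Parse a DMARC aggregate report and recompute DMARC alignment per row."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample report in the RFC 7489 aggregate format. Reporter,
# report_id, source IPs and counts are invented for this example.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>reporter.example</org_name>
    <report_id>constructed-report-0001</report_id>
    <date_range><begin>1611532800</begin><end>1611619199</end></date_range>
  </report_metadata>
  <policy_published><domain>foo.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>foo.com</header_from></identifiers>
    <auth_results><dkim><domain>foo.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>mail.foo.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>7</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>foo.com</header_from></identifiers>
    <auth_results><dkim><domain>other.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>unrelated.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>
"""


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real evaluators consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


@dataclass
class RowSummary:
    source_ip: str
    count: int
    header_from: str
    disposition: str
    dkim_aligned: bool  # some DKIM signature passed AND its d= aligns with header From
    spf_aligned: bool   # SPF passed AND the checked domain aligns with header From

    @property
    def dmarc_pass(self) -> bool:
        # DMARC passes when either authenticated identifier is aligned.
        return self.dkim_aligned or self.spf_aligned


def parse_report(xml_text: str) -> dict:
    """Return the reporter, the policy domain and one summary per row.
    Nothing here reads a destination domain: the format has no such field."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    adkim = pol.findtext("adkim", "r")
    aspf = pol.findtext("aspf", "r")
    rows = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from")
        auth = rec.find("auth_results")
        dkim_ok = any(d.findtext("result") == "pass"
                      and aligned(d.findtext("domain"), header_from, adkim)
                      for d in auth.findall("dkim"))
        spf_ok = any(s.findtext("result") == "pass"
                     and aligned(s.findtext("domain"), header_from, aspf)
                     for s in auth.findall("spf"))
        rows.append(RowSummary(
            source_ip=rec.findtext("row/source_ip"),
            count=int(rec.findtext("row/count")),
            header_from=header_from,
            disposition=rec.findtext("row/policy_evaluated/disposition"),
            dkim_aligned=dkim_ok,
            spf_aligned=spf_ok))
    return {"reporter": root.findtext("report_metadata/org_name"),
            "domain": pol.findtext("domain"), "rows": rows}


def unauthenticated_volume(report: dict) -> int:
    """Messages the reporter saw claiming the policy domain in header From
    that failed DMARC: the rows a domain owner should investigate."""
    return sum(r.count for r in report["rows"] if not r.dmarc_pass)


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"report from {rep['reporter']} about {rep['domain']}")
    for r in rep["rows"]:
        print(f"{r.source_ip:>14} count={r.count:<4} disposition={r.disposition:<7} "
              f"dmarc={'pass' if r.dmarc_pass else 'fail'}")
    print("messages failing DMARC:", unauthenticated_volume(rep))
```

Run as-is to see both rows summarised; the first source (aligned DKIM and SPF) passes, the second source passes raw SPF and DKIM for unrelated domains yet fails DMARC, which is exactly the mail the report exists to surface, independent of whichever hosted mailbox received it.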
