On 1/26/21 10:56 AM, Todd Herr wrote:
> In addition, if I recover that message from the log, I might find no
> relationship with the reporting domain or the reported source IP.
> That is to say, I won't be able to deduce if the report is fake
> or real.
> My main point here is to point out the attack.
> The attack scenario you have described relies on several possible but
> perhaps implausible conditions all being true:
> 1. There exists a domain run by people who are savvy enough to want to
> implement DMARC and can consume reports, but don't have a good grasp
> on which IPs are likely to be theirs and which aren't, and don't have
> an understanding of how to use common tools to figure out whether an
> IP address might belong to their provider's ASN or one halfway around
> the world, and
Here's a very basic question: if I do not know all of the IP addresses
that send on my behalf, are DMARC reports of any value? Enterprises farm
out email all of the time and it could be difficult to know when they
change their server addresses, etc. If the reporting is predicated on
your having, in effect, an up-to-date SPF record (i.e., doing all of the
work to be able to produce one), then that negates anybody who just uses
DKIM alone, which should be a completely acceptable use case. And no, the
domain/selector tells you nothing when it doesn't verify.
If it is the case that you MUST know all of your sending IP addresses,
that should be in blinking bold right up front in section 7.
Mike
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
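An added example, not part of this thread or of any DMARC implementation, showing what a report consumer can and cannot conclude from an aggregate report when, as Mike describes, it does not have a complete list of its sending IPs. The report XML, organization names, IPs and selectors below are constructed for the example. Rows are classified by aligned DKIM or SPF pass, so a DKIM-only sender is recognised without an IP allowlist; rows where nothing passes are reported as an unknown source, and any DKIM domain/selector the report lists for them is kept only as an unverified claim, since a failed signature verifies nothing about who used that selector. The relaxed-alignment check is a simplification (parent/child domain match) rather than a Public Suffix List lookup.

```python
"""Triage a DMARC aggregate (RUA) report without a full list of sending IPs.

Added example for the dmarc list discussion above; not code from any MTA or
DMARC product.  SAMPLE_RUA is a constructed report, not a real one.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: one known MTA, one forgotten outsourced sender that
# only DKIM-signs, and one source where nothing verifies.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.test</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record><!-- our own MTA: SPF and DKIM both pass -->
    <row><source_ip>192.0.2.10</source_ip><count>120</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record><!-- outsourced sender not in SPF: aligned DKIM pass is enough -->
    <row><source_ip>198.51.100.7</source_ip><count>40</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mail.example.com</domain><selector>esp2021</selector><result>pass</result></dkim>
      <spf><domain>bulk.example.net</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record><!-- forwarder, spoof, or fake report: nothing verifies -->
    <row><source_ip>203.0.113.99</source_ip><count>3</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>fail</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>"""


def aligned(header_from, auth_domain, mode):
    """Identifier alignment. 's' = strict (exact match).  For relaxed mode this
    is a simplification: parent/child domains are treated as sharing an
    organizational domain; a real checker would use the Public Suffix List."""
    hf, ad = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if hf == ad:
        return True
    if mode == "s":
        return False
    return ad.endswith("." + hf) or hf.endswith("." + ad)


def triage(report_xml, known_networks=()):
    """Classify each <record> of an aggregate report.  known_networks is an
    optional list of CIDRs the consumer happens to know are its own; it is
    only consulted for rows that fail, never required for a pass."""
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    adkim, aspf = pol.findtext("adkim", "r"), pol.findtext("aspf", "r")
    nets = [ipaddress.ip_network(n) for n in known_networks]
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = ipaddress.ip_address(row.findtext("source_ip"))
        count = int(row.findtext("count"))
        header_from = rec.find("identifiers").findtext("header_from")
        auth = rec.find("auth_results")
        dkim_pass = any(d.findtext("result") == "pass"
                        and aligned(header_from, d.findtext("domain"), adkim)
                        for d in auth.findall("dkim"))
        spf_pass = any(s.findtext("result") == "pass"
                       and aligned(header_from, s.findtext("domain"), aspf)
                       for s in auth.findall("spf"))
        # A failed signature's domain/selector is whatever the message claimed;
        # it tells us nothing about who actually sent it.
        claims = [f"{d.findtext('domain')}/{d.findtext('selector', '?')}"
                  for d in auth.findall("dkim") if d.findtext("result") != "pass"]
        if dkim_pass and spf_pass:
            verdict = "pass-both"
        elif dkim_pass:
            verdict = "pass-dkim-only"      # no IP knowledge needed
        elif spf_pass:
            verdict = "pass-spf-only"
        elif any(ip in n for n in nets):
            verdict = "fail-known-network"  # our box, misconfigured
        else:
            verdict = "fail-unknown-source"  # forwarder, spoof, or fake report
        rows.append({"ip": str(ip), "count": count, "verdict": verdict,
                     "unverified_dkim_claims": claims})
    return rows


def summarize(rows):
    """Message counts per verdict, the view a report consumer actually wants."""
    totals = Counter()
    for r in rows:
        totals[r["verdict"]] += r["count"]
    return dict(totals)


if __name__ == "__main__":
    for r in triage(SAMPLE_RUA):
        print(r)
    print(summarize(triage(SAMPLE_RUA)))
```

The second record is the case Mike raises: the outsourced sender's IP is not in SPF and the consumer need not know it, yet the row still counts as authenticated because the aligned DKIM signature passed. The third record is the one the report cannot settle on its own; passing a `known_networks` list only moves it from "unknown source" to "our network, misconfigured" when the IP happens to be in a range the consumer already knows.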