On Mon, 1 Feb 2021, Dave Crocker wrote:

> On 2/1/2021 3:21 PM, John Levine wrote:
>> I find it hard to believe that if you are going to enough effort to
>> maintain the data to create and send reports, you can't figure out how
>> to install an SPF record for your reporting domain.
>
> Except that the tracking/reporting functions are completely separate from the 'signing' side of DMARC and could easily be different parts of a company.

I took a look at my aggregate reports. The DMARC policies of the senders are all over the place: some none, a few quarantine, some reject; a few small sites (trouble.is, gspam.co.il) have no DMARC record; one has neither SPF nor DMARC (itdseciron04.utep.edu). I'd say about 3/4 of the reports have DKIM signatures; the rest that have SPF records are aligned.

One was from mailer-dae...@esa1.hc1512-92.c3s2.iphmx.com and esa1.hc1512-92.c3s2.iphmx.com indeed has an SPF record.

So I would say that from my small sample, a lot of people have figured out how to send aligned reports, either by using their regular signing engines or with an SPF record for the host that sends the reports. On the other hand, for reasons we've discussed that are evident to anyone familiar with DMARC, there's little reason to worry about fake reports, and authentication doesn't help even if there were.

If we want to document existing practice, I guess we would say that reports should be authenticated and aligned if practical, but it's OK to send them if not.

R's,
John

PS: Does anyone have a contact at antispamcloud.com aka hosteurope.de? They send a lot of impressively broken failure reports.

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
