On Wed, Dec 14, 2022 at 5:45 PM Douglas Foster < dougfoster.emailstanda...@gmail.com> wrote:
> Quantities > -------------- > I can see that FAIL quantities could be useful for motivating law > enforcement. It has the advantage of installed code and relatively little > processing cost. > I don't share your optimism here; aggregate reports are nigh on useless as sources of actionable data to attempt to shut down fraudulent use of the domain in my opinion. The data rows describing failures in aggregate reports are a claim by the reporter that it saw some number of messages originating from a given source IP with a tuple of SPF, DKIM, and DMARC values. The domain owner can and should believe those claims to be true, and if the disposition matches the domain owner's wishes, they're even proof that the domain owner's DMARC policy is working as designed, but I have yet to meet an abuse desk that will take action on anything other than a full message, including all headers, and aggregate reports don't contain that. As for law enforcement, I don't see "Officer, that unknown guy over there did something bad, and I can't show you direct evidence of it, you're just gonna have to trust me when I say he did it X times" as a motivator, especially if the bad guy is likely to be out of the local office's jurisdiction or even country. Failure quantities in aggregate reports can be valuable in identifying legitimate mail streams that are sending on behalf of the domain owner but that do not yet have proper authentication in place, but that's all they're good for. -- *Todd Herr * | Technical Director, Standards and Ecosystem *e:* todd.h...@valimail.com *m:* 703.220.4153 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
