On 25/10/2023 08:10, Steven M Jones wrote:

It's not so much changing the handling as changing the reporting.

* The policy to apply is "none," because the p/sp/np value was faulty. Done.
* Next step, if there's no "rua" target you can't report - which is now equivalent to bailing out of DMARC processing for this message.


I am not a fan of this exception, it breaks the ABNF ...

'A DMARC policy record MUST comply with the formal specification found in Section 5.4 <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-28.html#formal-definition>'

The record 'v=DMARC1; p=foobar; rua=mailto:r...@example.com' does not comply with the formal specification (ABNF rule dmarc-request).

Furthermore, 'mailto://example.com' is a valid URI according to RFC3986. If we take into consideration the record 'v=DMARC1; p=foobar; rua=mailto://example.com': a 'rua' tag is present and contains at least one syntactically valid reporting URI (no need to have a mailto). To whom are we going to send the reports specifying the errors?

What about using the error report of RFC 7489 for this purpose instead of the aggregate report? (https://datatracker.ietf.org/doc/html/rfc7489#section-7.2.2)

I have never seen any error report, but I think that error reports were a great idea because they can notify the domain owner (through the valid URI) of any failing external destination verification. Using the error reports to report any syntactic errors in the record could also be useful, in my opinion.

However, it needs to be well defined to avoid sending too many unsolicited messages (Usenix 2023: You've Got Report: Measurement and Security Implications of DMARC Reporting <https://www.usenix.org/conference/usenixsecurity23/presentation/ashiq>). Sending error reports only to domains under the authority of the Domain Owner would solve the issue.

Regards,
Olivier
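
Added example, not part of the original message and not code from the draft or any DMARC implementation: a simplified Python model of the exception discussed in this thread, run over the two record shapes from the message. The function names, the "any URI with a scheme is syntactically valid" shortcut, and the constructed address dmarc-reports@example.com are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict (first occurrence wins)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def rua_targets(tags):
    """Return (URIs that parse with a scheme, mailto mailboxes a report can reach)."""
    uris, mailboxes = [], []
    for raw in tags.get("rua", "").split(","):
        raw = raw.strip()
        uri = urlsplit(raw)
        if not uri.scheme:          # assumption: scheme present == syntactically valid
            continue
        uris.append(raw)
        # 'mailto:user@host' keeps the address in .path; 'mailto://host' parses
        # the host as an authority and leaves .path empty, so no mailbox exists.
        if uri.scheme == "mailto" and re.fullmatch(r"[^@\s/]+@[^@\s/]+", uri.path):
            mailboxes.append(uri.path)
    return uris, mailboxes

def evaluate(record):
    """Model the exception: faulty p plus a usable rua means policy 'none'."""
    tags = parse_tags(record)
    uris, mailboxes = rua_targets(tags)
    p = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1":
        policy = None               # not a DMARC record at all
    elif p in POLICIES:
        policy = p
    elif uris:
        policy = "none"             # the exception under discussion
    else:
        policy = None               # nothing to report to: stop DMARC processing
    return {"policy": policy, "p_valid": p in POLICIES,
            "rua_uris": uris, "report_mailboxes": mailboxes}

if __name__ == "__main__":
    for rec in ("v=DMARC1; p=foobar; rua=mailto:dmarc-reports@example.com",  # constructed
                "v=DMARC1; p=foobar; rua=mailto://example.com",
                "v=DMARC1; p=foobar"):
        print(rec, "->", evaluate(rec))
```

For the second record the exception still yields policy "none" because a URI is present, yet `report_mailboxes` is empty, which is the situation the question about where to send the reports points at.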
