On Sat, Nov 11, 2023 at 9:17 AM Neil Anuskiewicz <neil= 40marmot-tech....@dmarc.ietf.org> wrote:
> > > On Oct 25, 2023, at 3:57 AM, Olivier Hureau < > olivier.hur...@univ-grenoble-alpes.fr> wrote: > > > On 25/10/2023 08:10, Steven M Jones wrote: > > It's not so much changing the handling as changing the reporting. > > * The policy to apply is "none," because the p/sp/np value was faulty. > Done. > * Next step, if there's no "rua" target you can't report - which is now > equivalent to bailing out of DMARC processing for this message. > > I am not fan of this exceptions, it breaks the ABNF ... 'A DMARC policy > record MUST comply with the formal specification found in Section 5.4 > <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-28.html#formal-definition> > ' > The record 'v=DMARC1; p=foobar; rua=mailto:r...@example.com > <r...@example.com>' does not comply with the formal specification (ABNF > rule dmarc-request) > Furthemore, 'mailto://example.com <//example.com>' is a valid URI > according to RFC3986. If we take into consideration the record 'v=DMARC1; > p=foobar; rua=mailto://example.com <//example.com>' : a 'rua' tag is > present and contains at least one syntactically valid reporting URI (no > need to have a mailto). Who are we going to send the reports specifying the > errors? > > What about using the error report of RFC 7489 for this purpose instead of > aggregate report? ( > https://datatracker.ietf.org/doc/html/rfc7489#section-7.2.2 ) > > I have never seen any error report but I think that error reports were a > great ideas because they can advertise the domain owner (through the valid > URI) for any failing external destination verification > We could also use the error reports for to reports any syntactic errors > in the record could be also useful, in my opinion. > > Email is not dead! Now the bad news: error reports (commonly called > failure or forensic reports are not long for this world. The only major MBP > that I see failure reports from is Yahoo. I’m not advocating eliminating > failure reports altogether as when one of these mythical creatures appears > they can be very useful. But I wonder if Yahoo discusses stopping failure > reports then failure reports would be far less useful. I do understand the > PII concerns. > > My point is that the concept of failure reports sounds good in theory but > I’d say we are in irons now with a decent chance of running aground. It > might be an opportune time to rethink the failure report. I don’t know. > The fact that you aren't seeing failure reports doesn't mean they aren't being generated. My experience has been that they are being made available through 3rd parties where there is a contractual relationship. Michael Hammer
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc