So, 22% of participants think that daily RUA reports are a waste of time. We looked at this for DMARCbis but rejected the idea of an exceptions-only reporting option. I still do not understand why.
Assuming that RUF is only enabled when RUA is enabled, 65% of domains that request reports believe that RUF data is useful enough to merit processing, and half of those may be paying someone to produce the information. Although a lot of domain owners think RUF reporting is useful, can we presume to know their needs, when they don't seem to be participating? The domains that I expect to benefit from RUF reports are large organizations which are common targets of impersonation, and also have a complex email environment. That combination means that it can be difficult to distinguish between Shadow IT, forwarding, mailing lists, benign impersonation, and malicious impersonation. I hear only silence from those organizations and the vendors to which they have delegated their email security. Doug On Mon, Jun 16, 2025 at 4:46 AM Alessandro Vesely <[email protected]> wrote: > On Fri 13/Jun/2025 17:56:11 +0200 Dotzero wrote: > > On Fri, Jun 13, 2025 at 10:26 AM Alessandro Vesely <[email protected]> > wrote: > > > >> If ruf= indicates something, I looked at the records of DNSWL > subscribers: > >> > >> /var/lib/rbldns/domain.list: 23488 records > >> 16945 DMARC records (72.00%) > >> 13154 rua (56.00%) > >> 8622 ruf (36.00%) > > > > Ale, can you show the top 10 or 20 domains (and number of domains > pointing > > to them) receiving the RUF reports? I have a feeling it skews towards > > intermediaries such as Agari, Valimail and Dmarcian. > > > Interesting question. I re-ran those queries looking at the tag values: > > /var/lib/rbldns/domain.list: 23488 domains > 16882 DMARC records (71.88%) > 13284 rua (56.56%) > 6830 rua private only (29.08%), (51.42% of ruas) > 18 rua w/o mailto: ( 0.08%), ( 0.14% of ruas) > 8730 ruf (37.17%) > 4987 ruf private only (21.23%), (57.12% of rufs) > 18 ruf w/o mailto: ( 0.08%), ( 0.14% of rufs) > > Here the "private only" means no external third parties are used. More > than > half of the admins are that wise, but I'd have expected a significantly > higher > percentage for ruf. > > There are 1800 different third parties, top ones are as follows: > > rua | ruf > 656 emaildefense.proofpoint.com | 644 emaildefense.proofpoint.com > 620 vali.email | 279 forensics.dmarc-report.com > 476 dmarc.postmarkapp.com | 276 for.dmarcanalyzer.com > 425 dmarc-reports.cloudflare.net | 112 fr.dmarcian.com > 342 rep.dmarcanalyzer.com | 100 inbox.ondmarc.com > 293 mxtoolbox.dmarc-report.com | 98 ruf.agari.com > 204 ag.dmarcian.com | 83 fr.eu.dmarcian.com > 188 ag.eu.dmarcadvisor.com | 78 ruf.powerdmarc.com > 171 dmarc.service.gov.uk | 76 ruf.easydmarc.eu > 168 ag.eu.dmarcian.com | 73 ruf.easydmarc.us > 121 dmarc.brevo.com | 72 fr.eu.dmarcadvisor.com > 108 inbox.ondmarc.com | 68 in.mailhardener.com > 105 in.mailhardener.com | 58 dmarc.barracudanetworks.com > 100 rua.agari.com | 49 fr.glockapps.com > 87 rua.easydmarc.eu | 48 dmarcinput.com > 85 rua.powerdmarc.com | 47 mailinblue.com!10m > 80 rua.easydmarc.us | 39 ruf.dmp.cisco.com > 75 ag.us.dmarcian.com | 37 fr.us.dmarcian.com > 69 inbound.dmarcdigests.com | 36 fo.dmarcly.com > 67 dmarc.cyber.dhs.gov | 35 dmarc.everest.email > > > Best > Ale > -- > > > > > > > _______________________________________________ > dmarc mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ dmarc mailing list -- [email protected] To unsubscribe send an email to [email protected]
