On Fri, Jul 4, 2025 at 3:01 PM Douglas Foster <[email protected]> wrote:

> Authentication problems can be put into these categories:
> - Messages with malicious impersonation.

Yes, a failure report should be sent.

> - Legitimate message with insufficient credentials at origination.

I'm not sure what you mean by "insufficient credentials". A message might be sent lacking SPF OR DKIM or with broken/incorrect SPF/DKIM but I don't grok "insufficient" in this context. DMARC is pass/fail. It is not graded on a curve. Yes, a failure report should be sent.

> - Legitimate message whose credentials were lost in transit.

Yes, a failure report should be sent. If DKIM signing is broken/removed or the message is relayed in a way where SPF fails, the sending domain may find the information in the failure report (headers) useful in identifying/fixing problems.

> - Legitimate message from an entity sending on behalf of a domain member
> but outside of domain owner control.

Yes, a failure report should be sent. If the domain owner doesn't directly control the sending entity, presumably they have a contractual relationship that allows them to tell the entity to fix the problem.

> If an evaluator determines that a message is legitimate, should he send a
> failure report anyway? Or should the failure be considered a false
> positive that can and should be ignored?

Yes, a failure report should be sent. If the evaluator is exercising local policy, it doesn't change the fact that there was a failure and the failure report allows the sending entity the opportunity to address the issue that caused the failure.

> At the moment, I favor encouraging report senders to suppress reporting on
> messages that are judged to be legitimate.

Judging the message(s) to be legitimate despite a DMARC failure doesn't change the fact that there was a failure. Something outside the scope of DMARC is being used to implement that local policy. The sending domain should receive the report to notify them of the problem and give them a chance to correct the problem.

Michael Hammer
_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]
