On Fri 29/Aug/2025 20:28:08 +0200 Todd Herr wrote:
> On Fri, Aug 29, 2025 at 1:51 PM Alessandro Vesely <[email protected]> wrote:
>> RFC 5965 provides for having "Original-Rcpt-To" fields in message/
>> feedback-report. Linkedin uses them. Currently, Original-Rcpt-To's are
>> missing from the example in Appendix A. I'll add some.
> I would be opposed to including Original-Rcpt-To in a DMARC failure report,
> due to the possibility of the scenario I described in a different thread:
> - A is the domain owner that published the DMARC policy and consumes reports
> - B is the entity sending email that makes unauthorized use of A's domain
> - C is the recipient of said email, an entity heretofore unknown to A
> - D is the report generator
> Any report generated by D that is sent to A and that contains any of C's
> PII creates a privacy concern for D and also by extension an exposure of
> that PII to A.

I'm not clear whether you're proposing to (i) omit the addition of
Original-Rcpt-To: in the example, although it is legitimate according to the
spec, or (ii) modify the spec (Section 4) to prevent Original-Rcpt-To: from
being part of failure reports.

> DMARC failure reports are different from spam complaint feedback reports.
> For spam complaint feedback reports, there is a high degree of certainty
> that the recipient of the feedback report was responsible for generating
> the message being complained about, either because of the source IP or the
> DKIM signing domain. This means that the complainant's email address was
> known to the recipient of the feedback report prior to receiving the
> feedback report.

When the IP or the whole server is hijacked by a spammer, the destination
addresses can well be unknown to the domain owner. However, they could help
investigate the spammer's behavior.

> With DMARC failure reports, we have much less certainty, because an
> authentication failure of a message authorized by the domain owner of the
> RFC5322.From header domain is indistinguishable from an authentication
> failure of a message that has not been authorized by the domain owner of
> the RFC5322.From header domain. Therefore, the report generator has
> no idea whether or not the intended recipient's email address was known to
> the domain owner, and so the intended recipient's email address should not
> be shared in the DMARC failure report.

The recipient address is not necessarily valid. Even if it is, the rest of the
message is a generic template, so that not much info can be associated with the
address (except for some spear phishing case, maybe.) In any case, the address
can appear in the "for" clause of Received:, if different from To:/Cc:/Bcc:.
Best
Ale
--
_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]