Hi,

There's a detail in the DMARC spec regarding reporting that appears to be widely misconfigured.

For DMARC's reporting fields (rua=/ruf=), if the domain of the reporting mail address differs from the host itself, it is necessary to configure a verification record on the target:
https://datatracker.ietf.org/doc/html/rfc7489#section-7.1

For example, if we have _dmarc.example.com with:

  v=DMARC1; p=none; rua=mailto:[email protected]

there needs to be a DMARC record at

  example.com._report._dmarc.example.org

That can simply contain "v=DMARC1" without any further fields. By defining this record, example.org allows example.com to redirect ruf/rua reports to it.

Some notable example hosts that have this misconfigured include:

  facebook.com
  bing.com

It also appears that there's a misconfiguration on the other side where senders of DMARC reports ignore this and send reports even if the verification record is missing. Notably, Microsoft and Google do this.

If you wonder why you are getting fewer than expected DMARC reports, you may want to check whether you configured your verification records.

I have a quick+dirty test script for some DNS configuration issues which contains a check for this:
https://github.com/hannob/alwaysdns

You can check your own config with:

  alwaysdns -t dmarc [host]

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/

_______________________________________________
mailop mailing list
https://list.mailop.org/listinfo/mailop
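The external-report authorization check described in the post, as an added worked example (this is not the alwaysdns script and not code from the post). It parses a DMARC record, pulls every mailto: destination out of rua=/ruf=, and for each destination whose domain differs from the policy domain looks up the RFC 7489 section 7.1 verification name <policy-domain>._report._dmarc.<destination-domain> and requires a TXT record beginning with "v=DMARC1". The DNS zone below is a constructed in-memory stand-in (reports.example.org and example.net are made-up destinations); to run it against real DNS, replace fake_resolve with a function that returns the TXT strings at a name. Assumptions: destination and policy domains are compared as exact, case-insensitive strings (organizational-domain matching is not modelled).

```python
"""Check RFC 7489 section 7.1 external-report authorization for a DMARC record."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# A resolver returns the TXT strings found at a DNS name (empty list if none).
Resolver = Callable[[str], List[str]]

# Constructed DNS zone for offline testing (not real data).
FAKE_DNS: Dict[str, List[str]] = {
    # example.com is allowed to send its reports to reports.example.org
    "example.com._report._dmarc.reports.example.org": ["v=DMARC1"],
    # example.net has no verification record at all, so reports to it are unauthorized
}

# Constructed sample policy record for example.com (not real data).
SAMPLE_RECORD = (
    "v=DMARC1; p=none; "
    "rua=mailto:dmarc@reports.example.org,mailto:x@example.net!10m; "
    "ruf=mailto:forensic@example.com"
)


def fake_resolve(name: str) -> List[str]:
    """Stand-in for a TXT lookup; swap for a real resolver in practice."""
    return FAKE_DNS.get(name.lower(), [])


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict; tag names are case-insensitive (RFC 7489 6.3)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def report_addresses(tags: Dict[str, str]) -> List[str]:
    """Extract mailto: addresses from rua= and ruf=, dropping any '!size' suffix."""
    addrs: List[str] = []
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            m = re.match(r"mailto:([^!]+)", uri.strip(), re.IGNORECASE)
            if m:
                addrs.append(m.group(1))
    return addrs


def verification_name(policy_domain: str, dest_domain: str) -> str:
    """Name that must carry a 'v=DMARC1' TXT record (RFC 7489 section 7.1)."""
    return f"{policy_domain}._report._dmarc.{dest_domain}".lower()


def is_authorized(policy_domain: str, dest_domain: str, resolve: Resolver) -> bool:
    """True if the destination domain has published the verification record."""
    for txt in resolve(verification_name(policy_domain, dest_domain)):
        # The v tag must come first and match exactly; WSP around '=' is allowed.
        if re.match(r"^v\s*=\s*DMARC1\b", txt.strip()):
            return True
    return False


def check_external_reporting(
    policy_domain: str, record: str, resolve: Resolver
) -> List[Tuple[str, bool, Optional[str], bool]]:
    """Return (address, is_external, verification_name_or_None, authorized) per address.

    Same-domain destinations need no verification record and are always authorized.
    """
    policy_domain = policy_domain.lower()
    results = []
    for addr in report_addresses(parse_dmarc_tags(record)):
        dest_domain = addr.rsplit("@", 1)[1].lower()
        if dest_domain == policy_domain:
            results.append((addr, False, None, True))
        else:
            results.append((
                addr, True,
                verification_name(policy_domain, dest_domain),
                is_authorized(policy_domain, dest_domain, resolve),
            ))
    return results


if __name__ == "__main__":
    for addr, external, name, ok in check_external_reporting("example.com", SAMPLE_RECORD, fake_resolve):
        status = "ok" if ok else "MISSING verification record"
        print(f"{addr}: external={external} check={name} -> {status}")
```

Unauthorized destinations are the ones that will silently receive fewer reports from senders that enforce section 7.1; the fix is on the receiving domain, which publishes the TXT record at the printed name.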
