On Sun, Sep 21, 2025 at 2:56 AM Hanno Böck via mailop <[email protected]> wrote:
> Hi,
>
> There's a detail in the DMARC spec regarding reporting that appears to
> be widely misconfigured.
>
> For DMARC's reporting fields (rua=/ruf=), if the domain of the
> reporting mail address differs from the host itself, it is necessary to
> configure a verification record on the target:
> https://datatracker.ietf.org/doc/html/rfc7489#section-7.1
>

It is in my opinion a shortcoming of RFC 7489 that the text does not explicitly require that the Mail Receiver or reporter look for this record to verify the external reporting destination. There is not a MUST or even a SHOULD to be found in the three paragraphs leading up to the description of the steps to take to find this record, merely a "the following verification steps are to be taken". While reasonable humans might take that phrasing to mean that these are steps that must be done, when it comes to RFCs, I don't believe that language to be strict enough to impose such a requirement.

Thankfully, the planned replacement documents, specifically the Aggregate Reporting document (https://www.ietf.org/archive/id/draft-ietf-dmarc-aggregate-reporting-32.html#name-verifying-external-destinat) and the Failure Reporting document (https://www.ietf.org/archive/id/draft-ietf-dmarc-failure-reporting-15.html#name-verifying-external-destinat) address this shortcoming.

-- 
Todd Herr
Some Guy in VA LLC
[email protected]
703-220-4153
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
