Re: [dmarc-ietf] Recipient domain in aggregate reports (#23)

[Douglas Foster]

I understand that additional detail might make the reporting effort
unacceptable to the big organizations that are creating them, and this
reason alone may prevent alternatives.

It seems that the potential uses for reports are:
- Identifying and fixing my own infrastructure problems
- Celebrating when the reports show that I have no new infrastructure
problems.
- Celebrating when malicious impersonators are blocked.
- Learning about non-malicious impersonators that must be tolerated.
- Identifying delivery problems that warrant a conversation with the
recipient organization.

I cannot successfully call a recipient help desk and ask them why they are
blocking my messages.   Instead, I need a message recipient to call his
help desk and ask why he is not getting my messages, and that subscriber
might be happy to be asked for assistanceNavigating from a server IP
address to a known subscriber might be no easy feat, while navigating from
a server IP and target domain to that subscriber would be easier.

In short, what are the expected uses of the RUA reports?   Are there any
intended purposes other than fixing my own infrastructure configuration?

On Wed, Apr 28, 2021 at 8:34 AM Todd Herr  wrote:

> Apologies to Matt; I sent this originally only to him when I meant to send
> it to the list...
>
> On Wed, Apr 28, 2021 at 4:27 AM Matthäus Wander  40wander.scie...@dmarc.ietf.org> wrote:
>
>> Hello everyone,
>>
>> I'm new to the party. I'd like to bring in some practical experience of
>> working with DMARC rua reports.
>>
>> #23 introduces "receiving_domains" in the report metadata, justified by
>> large infrastructures that host a large number of domains (e.g. Google).
>>
>> I think, this information would be more useful per-record rather than in
>> the global metadata. As large infrastructures tend to include many
>> different records in the report, the analyst needs a correlation between
>> record and recipient domain.
>>
>> The  section has an optional "envelope_to" already:
>> >
>> >> >minOccurs="0"/>
>>
>> Is there a benefit in the global "receiving_domains" over the per-record
>> "envelope_to"?
>>
>> Most reporters don't include "envelope_to" (e.g. Google). This field
>> could be made more prominent in the draft. The main body mentions
>> "header_from" only, but neither "envelope_to" nor "envelope_from".
>>
>
> There is a hole in my understanding of this topic that I'm hoping someone
> can fill here, and that hole is this: I don't understand the value of
> reporting out receiving domains.
>
> The reason I don't understand it is because my expectation as a sender
> receiving a report about my sending domain would be that my DMARC
> validation results from a given receiving infrastructure would generally
> not vary across the different receiving domains, regardless of if there was
> one domain, ten domains, or ten thousand domains hosted by the reporting
> infrastructure. To extend my expectations further, unless I'm dedicating
> part of my infrastructure to sending solely to one and only one receiving
> site, I would expect my DMARC validation results to generally not vary
> across different reporting infrastructures. I'm declaring here that "DMARC
> validation results" are separate from "applied receiver handling policy"
> because as a sender I can only control the former; "DMARC validation
> results" means "whether or not SPF and/or DKIM passed and was aligned and
> consequently resulted in a DMARC pass or fail".
>
> If I'm reading draft-ietf-dmarc-aggregate-reporting-02 correctly,
> receiving_domains, defined as the "List of domains which received messages
> for the domain in this report" I guess it could perhaps help me as a report
> consumer in the case where I receive a report from an previously unknown or
> unfamiliar to me reporter that hosts many domains, and if that's the use
> case, then perhaps the field ought to be amended to "List of the top
> $SMALL_NUMBER domains which received messages for the domain in this
> report" because as a report consumer I don't need to see 837 domains listed
> when realistically one or two will suffice.
>
> What is the value that I'm not seeing in reporting out receiving domains?
> --
>
> *Todd Herr* | Sr. Technical Program Manager
> *e:* todd.h...@valimail.com
> *m:* 703.220.4153
>
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
> ___
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

Re: [dmarc-ietf] Recipient domain in aggregate reports (#23)

[Brotman, Alex]

Matt,

While, yes, there is the existing envelope_to, there was a request to add this 
to the report format (which I believe I did as the submitter desired).  I would 
assume we’d hash it out on the list and remove one of them.

However, from an operator side of things, I tend to align with Todd on this.  
Could someone provide a real-world example of where reporting the destination 
domain assisted them in resolving an issue?

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

From: dmarc  On Behalf Of Todd Herr
Sent: Wednesday, April 28, 2021 8:34 AM
To: IETF DMARC WG 
Subject: Re: [dmarc-ietf] Recipient domain in aggregate reports (#23)

Apologies to Matt; I sent this originally only to him when I meant to send it 
to the list...

On Wed, Apr 28, 2021 at 4:27 AM Matthäus Wander 
mailto:40wander.scie...@dmarc.ietf.org>> 
wrote:
Hello everyone,

I'm new to the party. I'd like to bring in some practical experience of
working with DMARC rua reports.

#23 introduces "receiving_domains" in the report metadata, justified by
large infrastructures that host a large number of domains (e.g. Google).

I think, this information would be more useful per-record rather than in
the global metadata. As large infrastructures tend to include many
different records in the report, the analyst needs a correlation between
record and recipient domain.

The  section has an optional "envelope_to" already:
>
>minOccurs="0"/>

Is there a benefit in the global "receiving_domains" over the per-record
"envelope_to"?

Most reporters don't include "envelope_to" (e.g. Google). This field
could be made more prominent in the draft. The main body mentions
"header_from" only, but neither "envelope_to" nor "envelope_from".

There is a hole in my understanding of this topic that I'm hoping someone can 
fill here, and that hole is this: I don't understand the value of reporting out 
receiving domains.

The reason I don't understand it is because my expectation as a sender 
receiving a report about my sending domain would be that my DMARC validation 
results from a given receiving infrastructure would generally not vary across 
the different receiving domains, regardless of if there was one domain, ten 
domains, or ten thousand domains hosted by the reporting infrastructure. To 
extend my expectations further, unless I'm dedicating part of my infrastructure 
to sending solely to one and only one receiving site, I would expect my DMARC 
validation results to generally not vary across different reporting 
infrastructures. I'm declaring here that "DMARC validation results" are 
separate from "applied receiver handling policy" because as a sender I can only 
control the former; "DMARC validation results" means "whether or not SPF and/or 
DKIM passed and was aligned and consequently resulted in a DMARC pass or fail".

If I'm reading draft-ietf-dmarc-aggregate-reporting-02 correctly, 
receiving_domains, defined as the "List of domains which received messages for 
the domain in this report" I guess it could perhaps help me as a report 
consumer in the case where I receive a report from an previously unknown or 
unfamiliar to me reporter that hosts many domains, and if that's the use case, 
then perhaps the field ought to be amended to "List of the top $SMALL_NUMBER 
domains which received messages for the domain in this report" because as a 
report consumer I don't need to see 837 domains listed when realistically one 
or two will suffice.

What is the value that I'm not seeing in reporting out receiving domains?
--
Todd Herr | Sr. Technical Program Manager
e: todd.h...@valimail.com
m: 703.220.4153


This email and all data transmitted with it contains confidential and/or 
proprietary information intended solely for the use of individual(s) authorized 
to receive it. If you are not an intended and authorized recipient you are 
hereby notified of any use, disclosure, copying or distribution of the 
information included in this transmission is prohibited and may be unlawful. 
Please immediately notify the sender by replying to this email and then delete 
it from your system.
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] Recipient domain in aggregate reports (#23)

[Todd Herr]

Apologies to Matt; I sent this originally only to him when I meant to send
it to the list...

On Wed, Apr 28, 2021 at 4:27 AM Matthäus Wander  wrote:

> Hello everyone,
>
> I'm new to the party. I'd like to bring in some practical experience of
> working with DMARC rua reports.
>
> #23 introduces "receiving_domains" in the report metadata, justified by
> large infrastructures that host a large number of domains (e.g. Google).
>
> I think, this information would be more useful per-record rather than in
> the global metadata. As large infrastructures tend to include many
> different records in the report, the analyst needs a correlation between
> record and recipient domain.
>
> The  section has an optional "envelope_to" already:
> >
> > >minOccurs="0"/>
>
> Is there a benefit in the global "receiving_domains" over the per-record
> "envelope_to"?
>
> Most reporters don't include "envelope_to" (e.g. Google). This field
> could be made more prominent in the draft. The main body mentions
> "header_from" only, but neither "envelope_to" nor "envelope_from".
>

There is a hole in my understanding of this topic that I'm hoping someone
can fill here, and that hole is this: I don't understand the value of
reporting out receiving domains.

The reason I don't understand it is because my expectation as a sender
receiving a report about my sending domain would be that my DMARC
validation results from a given receiving infrastructure would generally
not vary across the different receiving domains, regardless of if there was
one domain, ten domains, or ten thousand domains hosted by the reporting
infrastructure. To extend my expectations further, unless I'm dedicating
part of my infrastructure to sending solely to one and only one receiving
site, I would expect my DMARC validation results to generally not vary
across different reporting infrastructures. I'm declaring here that "DMARC
validation results" are separate from "applied receiver handling policy"
because as a sender I can only control the former; "DMARC validation
results" means "whether or not SPF and/or DKIM passed and was aligned and
consequently resulted in a DMARC pass or fail".

If I'm reading draft-ietf-dmarc-aggregate-reporting-02 correctly,
receiving_domains, defined as the "List of domains which received messages
for the domain in this report" I guess it could perhaps help me as a report
consumer in the case where I receive a report from an previously unknown or
unfamiliar to me reporter that hosts many domains, and if that's the use
case, then perhaps the field ought to be amended to "List of the top
$SMALL_NUMBER domains which received messages for the domain in this
report" because as a report consumer I don't need to see 837 domains listed
when realistically one or two will suffice.

What is the value that I'm not seeing in reporting out receiving domains?
-- 

*Todd Herr* | Sr. Technical Program Manager
*e:* todd.h...@valimail.com
*m:* 703.220.4153

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

[dmarc-ietf] Recipient domain in aggregate reports (#23)

[Matthäus Wander]

Hello everyone,

I'm new to the party. I'd like to bring in some practical experience of
working with DMARC rua reports.

#23 introduces "receiving_domains" in the report metadata, justified by
large infrastructures that host a large number of domains (e.g. Google).

I think, this information would be more useful per-record rather than in
the global metadata. As large infrastructures tend to include many
different records in the report, the analyst needs a correlation between
record and recipient domain.

The  section has an optional "envelope_to" already:
>
>minOccurs="0"/>

Is there a benefit in the global "receiving_domains" over the per-record
"envelope_to"?

Most reporters don't include "envelope_to" (e.g. Google). This field
could be made more prominent in the draft. The main body mentions
"header_from" only, but neither "envelope_to" nor "envelope_from".

Regards,
Matt

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc