On Thu, Mar 20, 2025 at 9:16 AM Matt Ratliff <matt= [email protected]> wrote:
> Based on my experience, RUF (forensic failure reports) have not been as
> valuable as initially intended. While some entities still provide failure
> reports, their usefulness in troubleshooting is limited unless one is
> willing to analyze them at a deep level, which is often impractical.
>
> Since most providers have opted to redact PII it has made these reports
> largely ineffective. Given that the industry has already moved away from
> using them in a meaningful way, it makes sense to close the loop and
> deprecate failure reporting altogether formally.
>
> Option 3 makes the most sense in this case.
>

+1

I think the thing I'm hearing in this thread is that people still find some utility from being able to pull URLs out of failing messages. I get why this is interesting from a forensic threat-hunting perspective, but not how this is of any use for the stated purpose of DMARC and reporting: being able to tell what mail is not passing in an aligned manner, so authentication may be fixed if the mail is legitimately from your domain. URLs are irrelevant to this value prop.

I'd suggest if URLs from failing messages are that important, one seeks other mechanisms that actually provide a decent corpus of such things, vs relying on DMARC RUF which rarely provides any reports, let alone a useful corpus to do threat hunting.

Don't take my word for it -- put a reporting address in your RUF and see for yourself. Data is rare, and when it comes, is mostly legitimate email that lost authentication due to forwarding that breaks DKIM like a mailing list or SEG or things that struggle with DMARC like calendar invites sent to distribution lists.

I still strongly believe that (3) is the appropriate path forward that preserves the intention of DMARC and its interoperability between domain owner and mailbox provider, layering in the decade of operational experience that aggregate reports are sufficient to provide the value needed to determine and authenticate proper mail streams, while forensic reporting has categorically lost all support from major mailbox providers while also not improving on the data gleaned from aggregate reports to get the job done.

Yes, there may be some utility from RUF, but not for DMARC's stated purpose of preventing spoofing of your exact domain, and therefore RUF should be explicitly deprecated.

Seth, with vigor and no hat

--
*Seth Blank | Chief Technology Officer*
Email: [email protected]
_______________________________________________
dmarc mailing list -- [email protected]
