On Fri, Jun 27, 2025 at 2:09 PM John Levine <[email protected]> wrote:
> It appears that Dotzero <[email protected]> said:
> >As far as deciding whether to move forward vs removing references in the
> >base document, we only have one set of meaningful data provided by Ale.
> >That data indicates sufficient interest (~64% of domains requesting AUF
> >reports requesting RUF reports) on the part of
> >senders/owners/administrators to justify completing the document.
>
> I don't think that means much. It's a checklist item.
>
> >We also
> >know that failure reports are being provided by some large receivers even
> >if only through back channels based on contractual relationships. It would
> >be a shame if this working group deprecated the RUF document and ensured
> >that failure information will only ever be available in a private club/pay
> >to play model.
> >
> >AUF reports are very useful in combating abuse.
>
> This is the more important question. While I can believe that failure reports
> are useful for some kinds of abuse management, they are useless for their intended
> purpose of debugging your DMARC setup. I know that the RUF reports I get do not
> tell me anything interesting.
>
> If you want to set up groups to exchange failure reports to do anti-abuse stuff,
> that is fine, but that is not DMARC.
>

I would suggest that you are a bit presumptuous in claiming to know what was or wasn't the original intended purpose of DMARC and reporting seeing as you weren't part of the group of people that came up with DMARC. We knew early on, well before it was submitted to IETF, that RUF reports are extremely useful for addressing abuse.

RUF may not be useful to you but it is useful to others. For mail originating in complex environments RUF can be very useful. For example, I've seen mail DKIM signed by a mail server and then the signature is broken by another server at the edge. Another example is a mail server DKIM signing with broken signatures but it is one of a number of servers (the others signing correctly) in an outbound VIP on a load balancer.

In summary, RUF reporting can be useful for both troubleshooting problems with one's mail flows AND for fighting abuse. The fact that you personally don't receive many and don't find the little you receive useful cannot be extrapolated to the universe of use cases.

Other than the short discussion of PII and privacy issues in the security considerations section, I believe that a BCP document on how to address privacy and potential issues with GDPR, etc. would provide a path for more receivers/validators to have a greater comfort level with providing such reporting.

On a separate note, I recently had someone from one large receiver tell me that for them the issue was more the amount of effort to rewrite their code and that it's possible they would consider making the effort if they are updating their code base for other issues. No timeframe given.

Michael Hammer
_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]
