#101 closed defect (wontfix)

DMARC reporting requires explilct knowledge of all valid sending IP addresses

Reported by: mike@… Owned by:
Priority: major Milestone:
Component: dmarc-aggregate-reporting Version:
Severity: - Keywords:


In order differentiate between an attacker sending from an unapproved IP address and an approved but not yet validated source, the receiver of reports needs to have explicit knowledge of all valid IP addresses in use, including those of outsourced email for example. This is not spelled out in the current draft and should be. Given the current DMARC reporting architecture not knowing all valid IP addresses could lead to an attacker spoofing messages to large providers to make it seem as if approved but unsigned traffic is still at large. It should be made plain that this is part of the task of getting to a p=reject policy.

there is a security aspect to this as well as a deployment aspect.

Change History (3)

comment:1 Changed 16 months ago by todd.herr@…

  • Component changed from dmarc-bis to dmarc-aggregate-reporting


I disagree with the premise of this ticket, and assert that not only does DMARC reporting not require explicit knowledge of all valid sending IP addresses, DMARC reporting instead provides a facility by which it reveals to the domain owner previously-unknown valid IP addresses, leading to a full understanding of the IP addresses in use to send mail for the domain.

comment:2 Changed 16 months ago by vesely@…

Attacker in the above description is used with two meanings:

  • A spammer abusing of the domain name, which results in aggregate reports containing records with failed authentication.
  • A malicious influencer trying to mislead the domain admins by sending fake aggregate reports containing lots of failures. Such activity, akin to spear phishing, can discourage the domain admins from publishing strict DMARC policies, so that the attacker can abuse the domain.
Last edited 16 months ago by vesely@… (previous) (diff)

comment:3 Changed 14 months ago by johnl@…

  • Resolution set to wontfix
  • Status changed from new to closed

This ticket misunderstands how DMARC reporting works.

Note: See TracTickets for help on using tickets.