Opened 2 years ago

Closed 14 months ago

#54 closed defect (fixed-consensus)

Remove or expand limits on number of recipients per report

Reported by: seth@… Owned by: todd.herr@…
Priority: major Milestone: Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide
Component: dmarc-bis Version:
Severity: - Keywords: clarify reports
Cc:

Description

https://tools.ietf.org/html/rfc7489#section-6.2 says "Receivers MAY impose a

limit on the number of URIs to which they will send reports but MUST
support the ability to send to at least two."

This has led to a lot of confusion, especially when a domain is sending reports to multiple recipients, if those listed later in the reporting URIs will (or could possibly be denied) reports.

No known DMARC validator implementation has any limits on the number of URIs which are sent to.

The suggestion is to either strike this requirement altogether, or raise the minimum to a number such as ten.

Change History (12)

comment:1 Changed 2 years ago by seth@…

  • Component changed from rfc7601bis to dmarc-bis
  • Owner draft-ietf-dmarc-rfc7601bis@… deleted
  • Status changed from new to assigned

comment:2 Changed 17 months ago by todd.herr@…

  • Owner set to todd.herr@…

comment:3 Changed 17 months ago by johnl@…

If nobody has limits, just take it out.
If I put a thousand addresses in my rua= tag. I think I deserve what I (don't) get.

comment:4 Changed 17 months ago by todd.herr@…

  • Status changed from assigned to started

comment:5 Changed 17 months ago by todd.herr@…

Removing requirement.

--- a/draft-ietf-dmarc-dmarcbis.md
+++ b/draft-ietf-dmarc-dmarcbis.md
@@ -640,12 +640,10 @@ objects in order and parsing the result as a single string.
 mechanism uses this as the format by which a Domain Owner specifies
 the destination for the two report types that are supported.
 
-The place such URIs are specified (see (#general-record-format)) allows a list of
-these to be provided.  A report is normally sent to each listed URI
-in the order provided by the Domain Owner.  Receivers MAY impose a
-limit on the number of URIs to which they will send reports but MUST
-support the ability to send to at least two.  The list of URIs is
-separated by commas (ASCII 0x2C).
+The place such URIs are specified (see (#general-record-format)) allows
+a list of these to be provided.  The list of URIs is separated by commas
+(ASCII 0x2c).  A report is normally sent to each listed URI in the order
+provided by the Domain Owner.  

comment:6 Changed 17 months ago by todd.herr@…

change pushed to main branch and merged

comment:7 Changed 17 months ago by todd.herr@…

  • Resolution set to fixed
  • Status changed from started to closed

comment:8 Changed 16 months ago by todd.herr@…

  • Resolution fixed deleted
  • Status changed from closed to new

comment:9 Changed 16 months ago by todd.herr@…

  • Status changed from new to assigned

comment:10 Changed 16 months ago by todd.herr@…

  • Status changed from assigned to infoneeded

comment:11 Changed 14 months ago by todd.herr@…

  • Status changed from infoneeded to assigned

Consensus from the 27 May 2021 Interim session (https://datatracker.ietf.org/doc/minutes-interim-2021-dmarc-01-202105270900/) and from discussion on the working group mailing list (https://mailarchive.ietf.org/arch/msg/dmarc/4CvtSeUtIyhDxLEi5mWIz9zq53I/) was to update the text as follows:

The place such URIs are specified (see Section 6.3) allows a list of these to be 
provided. The list of URIs is separated by commas (ASCII 0x2c). A report SHOULD 
be sent to each listed URI provided in the DMARC record.

comment:12 Changed 14 months ago by todd.herr@…

  • Resolution set to fixed-consensus
  • Status changed from assigned to closed
Note: See TracTickets for help on using tickets.