#76 closed enhancement (wontfix)

Remove requirement to verify external destination for rua reports

Reported by: todd.herr@…
Owned by: alex_brotman@…
Priority: minor
Milestone:
Component: dmarc-aggregate-reporting
Version: 2.0
Severity: -
Keywords: rua, policy, reporting, reports


RFC 7489, Section 7.1 mandates verification steps to take in the event that the Organizational Domain for the discovered DMARC policy does not match the Organizational Domain for the host part of the "rua" or "ruf" tag in the discovered policy.

The theory at work here is that bad actors could flood a victim address with reports by generating a large volume of mail that fails DMARC validation checks.

The reality, at least for aggregate reports, is that such reports are only sent once per day in most cases, and it's dubious as to whether or not these verification steps are even performed by some report generators.

Request here is to remove this requirement for rua reports.
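The check under discussion, sketched as an added example (not code from the ticket or from any report generator): when the report destination's Organizational Domain differs from the policy domain's, RFC 7489 Section 7.1 has the generator look for a TXT record beginning with `v=DMARC1` at `<policy-domain>._report._dmarc.<destination-host>`. Assumptions: the tiny suffix set stands in for the Public Suffix List, names are ASCII, DNS is a constructed dictionary, and all function names are hypothetical; handling of temporary DNS errors and of a `rua` override in the returned record is left out.

```python
from urllib.parse import urlparse

# Constructed stand-in for the Public Suffix List (assumption; use the real PSL in practice).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(name):
    """Organizational Domain: the longest matching public suffix plus one label."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def destination_host(uri):
    """Host part of a mailto: report URI, without any "!size" suffix."""
    parsed = urlparse(uri)
    if parsed.scheme != "mailto" or "@" not in parsed.path:
        return None
    return parsed.path.rpartition("@")[2].split("!")[0].lower()

def external_query_name(policy_domain, host):
    """Name the destination publishes to accept reports about policy_domain."""
    return f"{policy_domain.lower().rstrip('.')}._report._dmarc.{host}"

def may_send_report(policy_domain, uri, txt_lookup):
    """True if a report about policy_domain may be sent to uri."""
    host = destination_host(uri)
    if host is None:
        return False
    if org_domain(host) == org_domain(policy_domain):
        return True  # same Organizational Domain: no external check
    records = txt_lookup(external_query_name(policy_domain, host))
    # Only records that begin with v=DMARC1 count as authorization.
    return any(r.strip().startswith("v=DMARC1") for r in records)

# Constructed DNS data: thirdparty.example.net accepts reports for example.com only.
ZONE = {"example.com._report._dmarc.thirdparty.example.net": ["v=DMARC1"]}

def lookup(qname):
    return ZONE.get(qname.lower(), [])

if __name__ == "__main__":
    for domain in ("example.com", "unrelated.example.org"):
        uri = "mailto:reports@thirdparty.example.net"
        print(domain, uri, may_send_report(domain, uri, lookup))
```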

Change History (3)

comment:1 Changed 17 months ago by todd.herr@…

  • Component changed from dmarc-bis to dmarc-aggregate-reporting
  • Owner set to alex_brotman@…
  • Status changed from new to assigned

Consensus on the list seemed to be to close this ticket (thread had subject "Discussion: Removal of validation for external destinations (Ticket #76)").

Assigning to Alex, who brought it to the list, for final adjudication.

comment:2 Changed 17 months ago by alex_brotman@…

Consensus seems to be to leave it as is. No one (other than me) suggested we remove it.

comment:3 Changed 17 months ago by alex_brotman@…

  • Resolution set to wontfix
  • Status changed from assigned to closed