Opened 16 months ago

Last modified 7 months ago

#99 assigned defect

Any proposed extension to use a https failure report must provide authentication

Reported by: mike@… Owned by: todd.herr@…
Priority: minor Milestone: Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide
Component: dmarc-bis Version:
Severity: - Keywords:


As in issue #98, failure reports are subject to spoofing, and while just adding an SPF/DKIM requirement authenticates the mail as coming from the legitimate sending domain, how to impose such an authentication requirement for an HTTPS method is far from clear. In this use case the sender is an HTTPS client and as such doesn't benefit from existing TLS-based methods of authentication (client certs are extremely rare). Naively, that would require the sender to have some sort of account with the receiver, which seems very unattractive and unscalable.

One possible workaround would be to fashion the report sent over HTTPS POST as an actual email, identical to the email-based reports, and require it to be DKIM-signed by the sender. There may be other ways to solve this, but the larger issue is that it must be solved.
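
The workaround proposed in the ticket, carried far enough to run, as an added example that is not part of the ticket, the DMARC working group's documents or any reference implementation: the sender wraps the failure report in an RFC 5322 message, signs it DKIM-style, and sends that message as the body of the HTTPS POST; the receiver parses the body and accepts the report only when the signature verifies and the signing domain (the d= tag) is the domain the report claims to be about. Assumptions: the relaxed canonicalization and the bh=/h= hashing follow RFC 6376, but the signature primitive is an HMAC-SHA256 stand-in with a shared key (a=hmac-sha256 is not a registered DKIM algorithm) so the example runs offline on the Python standard library; real DKIM signs with RSA or Ed25519 and the verifier fetches the public key from DNS at <selector>._domainkey.<domain>. KEY_STORE stands in for that DNS lookup, and REPORT, the domains, selectors and keys are constructed for the example.

```python
# Added example (not from the ticket or the DMARC spec). Sender wraps a failure
# report in a message and signs it; the receiver of the HTTPS POST verifies the
# signature and, crucially, checks that the signer (d=) is the reported domain.
#
# ASSUMPTION: RFC 6376 relaxed canonicalization and bh=/h= hashing are real,
# but the signature is an HMAC-SHA256 stand-in with a shared key so this runs
# offline; real DKIM uses RSA/Ed25519 with the key published in DNS.
import base64, hashlib, hmac, re
from email import message_from_string

SIGNED_HEADERS = ["from", "to", "subject", "content-type"]

# constructed stand-in for the DNS key lookup: (selector, domain) -> key
KEY_STORE = {
    ("rpt1", "example.com"): b"constructed-key-for-example.com",
    ("rpt1", "evil.example"): b"constructed-key-for-evil.example",
}

# constructed, abbreviated failure-report body (a full ARF report would go here)
REPORT = "Feedback-Type: auth-failure\r\nReported-Domain: example.com\r\n"


def canon_body(body: str) -> bytes:
    """RFC 6376 relaxed body canonicalization: strip trailing WSP per line,
    collapse inner WSP runs, drop trailing empty lines, CRLF line ends."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t"))
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def canon_header(name: str, value: str) -> bytes:
    """RFC 6376 relaxed header canonicalization: lowercase name, unfold,
    collapse WSP, no WSP around the colon, CRLF terminated."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "").replace("\n", "")).strip()
    return f"{name.lower()}:{value}\r\n".encode()


def header_hash_input(headers: dict, signed: list, sig_value: str) -> bytes:
    """Canonicalized h= headers followed by the DKIM-Signature header itself
    with an empty b= tag and no trailing CRLF (RFC 6376 section 3.7)."""
    data = b"".join(canon_header(h, headers[h]) for h in signed if h in headers)
    return data + canon_header("DKIM-Signature", sig_value).rstrip(b"\r\n")


def sign_report(body: str, domain: str, selector: str, key: bytes) -> str:
    """Sender side: wrap the report as a message signed for `domain`. The
    returned string is the HTTPS POST body (e.g. Content-Type: message/rfc822)."""
    headers = [("From", f"dmarc-reporter@{domain}"),
               ("To", "failure-reports@receiver.example"),
               ("Subject", f"DMARC failure report from {domain}"),
               ("Content-Type", "text/plain; charset=utf-8")]
    bh = base64.b64encode(hashlib.sha256(canon_body(body)).digest()).decode()
    sig = (f"v=1; a=hmac-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
           f"h={':'.join(SIGNED_HEADERS)}; bh={bh}; b=")
    lowered = {n.lower(): v for n, v in headers}
    mac = hmac.new(key, header_hash_input(lowered, SIGNED_HEADERS, sig), hashlib.sha256)
    sig += base64.b64encode(mac.digest()).decode()
    all_headers = [("DKIM-Signature", sig)] + headers
    return "\r\n".join(f"{n}: {v}" for n, v in all_headers) + "\r\n\r\n" + body


def verify_posted_report(post_body: str, expected_domain: str) -> tuple:
    """Receiver side: accept the POSTed message only if it carries a valid
    signature whose d= is the domain the report is about. Returns (ok, reason)."""
    msg = message_from_string(post_body)
    sig_hdr = msg.get("DKIM-Signature")
    if sig_hdr is None:
        return False, "no DKIM-Signature header"
    tags = dict(t.strip().split("=", 1) for t in sig_hdr.split(";") if "=" in t)
    signer, selector = tags.get("d", ""), tags.get("s", "")
    if signer.lower() != expected_domain.lower():
        # the core check: a valid signature from some other domain says
        # nothing about the domain the report claims to be from
        return False, f"signed by {signer!r}, not by {expected_domain!r}"
    key = KEY_STORE.get((selector, signer.lower()))  # DNS lookup in real DKIM
    if key is None:
        return False, f"no key for selector {selector!r} at {signer!r}"
    bh = base64.b64encode(hashlib.sha256(canon_body(msg.get_payload())).digest()).decode()
    if bh != tags.get("bh"):
        return False, "body hash mismatch"
    headers = {k.lower(): v for k, v in msg.items()}
    unsigned = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_hdr)  # empty the b= tag
    mac = hmac.new(key, header_hash_input(headers, tags.get("h", "").split(":"), unsigned),
                   hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), base64.b64decode(tags.get("b", ""))):
        return False, "signature mismatch"
    return True, f"report authenticated as coming from {signer}"


if __name__ == "__main__":
    good = sign_report(REPORT, "example.com", "rpt1", KEY_STORE[("rpt1", "example.com")])
    print(verify_posted_report(good, "example.com"))
    forged = sign_report(REPORT, "evil.example", "rpt1", KEY_STORE[("rpt1", "evil.example")])
    print(verify_posted_report(forged, "example.com"))
```

The point the example makes is the one the ticket raises: the TLS session tells the receiver nothing about who the HTTPS client is, so the authentication has to travel inside the POST body, and verifying "some valid signature" is not enough; the receiver must also tie the signer to the domain the report is about, which is why the forged message signed by evil.example is rejected even though its signature is valid for that domain.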

Change History (3)

comment:1 Changed 13 months ago by todd.herr@…

  • Owner set to todd.herr@…
  • Status changed from new to accepted

comment:2 Changed 13 months ago by todd.herr@…

  • Status changed from accepted to assigned

comment:3 Changed 7 months ago by todd.herr@…

  • Milestone set to Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide