[opendmarc-dev] forensic reports
Andreas Schulze
sca at andreasschulze.de
Tue Jun 11 13:46:26 PDT 2013
Hi,
In Vienna I discussed forensic reports with Franck Martin. He
suggested to always inspect them.
There are two views of reports:
1. reports a domain owner requests with a ruf address set in the DMARC record
2. reports created by a DMARC validator, OpenDMARC here.
This mail will discuss point two.
OpenDMARC should always create as much forensic data as possible,
even in cases where the domain does not specify a ruf address.
These reports may be imported into a local database operated by the
local dmarc validator.
The operator may get a detailed view of actual threats.
If requested by the DMARC record, OpenDMARC will also send these reports to
these addresses.
Franck also suggested to collect as much information as possible.
http://tools.ietf.org/html/rfc6591#section-3.1 allows including
headers only or the complete message attached to a forensic report.
OpenDMARC sends only headers (opendmarc.c, ~line 2516)
Q: May a domain owner specify whether the forensic report should be headers only
or full body?
Anyway, OpenDMARC should generate forensic reports containing the full
message to a local receiver.
Also I suggest a lookup table to whitelist/limit the amount of forensic
reports sent to remote.
I have concerns about the volume of forensic reports I have to send!
I would like to specify: send forensic reports only for domain a and b but no others.
@Franck: I hope I understood you correctly and explained my thoughts well ...
Andreas
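
The routing policy proposed in this message, as an added sketch that is not part of the original post and is not OpenDMARC code: a local receiver always gets a full-message report, and remote `ruf` addresses get a report only when the domain is in a lookup table. The names `LOCAL_RECEIVER`, `REMOTE_ALLOWLIST`, `parse_ruf` and `plan_reports`, the sample domains, and keeping remote reports headers-only are assumptions made for illustration.

```python
# Hypothetical sketch of the proposed policy; none of these names exist in OpenDMARC.
LOCAL_RECEIVER = "mailto:dmarc-forensics@localhost"  # assumed local collector
REMOTE_ALLOWLIST = {"a.example", "b.example"}        # assumed lookup table


def parse_ruf(dmarc_record):
    """Return the ruf URIs from a DMARC TXT record (empty list if none)."""
    for tag in dmarc_record.split(";"):
        name, sep, value = tag.partition("=")
        if sep and name.strip().lower() == "ruf":
            # A URI may carry an optional "!size" suffix (e.g. "!10m"); drop it.
            return [u.strip().split("!")[0] for u in value.split(",") if u.strip()]
    return []


def plan_reports(from_domain, dmarc_record):
    """Decide which forensic reports to generate for one failing message.

    Returns (destination, content) tuples; content is "full-message" or
    "headers-only".
    """
    # Local report is always generated, even when the record has no ruf tag.
    plan = [(LOCAL_RECEIVER, "full-message")]
    # Remote reports need both a ruf request and an allowlist entry.
    if from_domain.lower().rstrip(".") in REMOTE_ALLOWLIST:
        for uri in parse_ruf(dmarc_record):
            if uri.lower().startswith("mailto:"):
                # Assumption: remote copies stay headers-only, as sent today.
                plan.append((uri, "headers-only"))
    return plan


# Constructed sample input: (From domain, published DMARC record).
SAMPLES = [
    ("a.example", "v=DMARC1; p=reject; ruf=mailto:forensic@a.example"),
    ("c.example", "v=DMARC1; p=none; ruf=mailto:forensic@c.example!10m"),
    ("b.example", "v=DMARC1; p=quarantine"),
]

if __name__ == "__main__":
    for domain, record in SAMPLES:
        print(domain, plan_reports(domain, record))
```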