[opendmarc-users] bouncing failure report meltdown
Andrew J. Schorr
aschorr at telemetry-investments.com
Fri Sep 19 10:07:59 PDT 2014
Hi,

I foolishly configured opendmarc.conf with these settings:

    FailureReports true
    FailureReportsOnNone true

Then I received a problematic email from streetid.com. Their DMARC record
says:

    bash-4.2$ host -t txt _dmarc.streetid.com
    _dmarc.streetid.com descriptive text "v=DMARC1\; p=none\; pct=100\; rua=mailto:test at streetid.com\; ruf=mailto:test at streetid.com\; sp=none\; adkim=s\; aspf=s\; rf=afrf\; ri=86400\;"

As a result, my opendmarc server sent an ruf report to the specified
address test at streetid.com.

However, my email was rejected as undeliverable:

    Delivery has failed to these recipients or groups:
    test at streetid.com<mailto:test at streetid.com>
    The email address you entered couldn't be found or is invalid. It may be due
    to a bad entry in your Outlook or Outlook Web App recipient AutoComplete
    cache. Use the steps below to clear the entry from the cache:

This started an infinite loop, since this message also failed the DMARC test.
I was fortunately paying attention, and I was able to reconfigure to:

    FailureReports false
    FailureReportsOnNone false

after receiving 276 undeliverable email messages in 27 minutes.

What is the recommended best practice for failure reports? It appears to me to
be very dangerous to enable FailureReports, since an invalid DMARC record such
as this one can cause a meltdown.

Regards,
Andy
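
Added example, not part of the original post and not OpenDMARC code: a hypothetical pre-send guard that suppresses failure reports for bounces and auto-generated mail and caps reports per ruf address, which are the conditions that break the loop described above. The class name, thresholds and sample messages are assumptions constructed for illustration.

```python
import time
from email import message_from_string

# Constructed sample messages (not taken from the post).
BOUNCE = (
    "From: postmaster@example.net\n"
    "Subject: Undeliverable: failure report\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
    "\n--b1\nContent-Type: text/plain\n\nDelivery has failed.\n--b1--\n"
)
AUTO_REPLY = "From: a@example.net\nAuto-Submitted: auto-replied\n\nOut of office.\n"
ORDINARY = "From: a@example.net\nSubject: hello\n\nAn ordinary message.\n"


class FailureReportGuard:
    """Hypothetical filter consulted before a ruf report is generated."""

    def __init__(self, max_per_window=5, window_seconds=3600):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self._sent = {}  # ruf address -> send times inside the window

    def should_send(self, raw_message, envelope_from, ruf_address, now=None):
        """Return (allowed, reason) for one message that failed DMARC."""
        now = time.time() if now is None else now
        msg = message_from_string(raw_message)
        # Bounces are sent with the null reverse-path (MAIL FROM:<>).
        if envelope_from.strip() in ("", "<>"):
            return False, "null envelope sender"
        # RFC 3834: never auto-respond to automatically generated mail.
        auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
        if auto != "no":
            return False, "auto-submitted message"
        # Delivery status notifications and feedback reports are multipart/report.
        if msg.get_content_type() == "multipart/report":
            return False, "multipart/report message"
        # Cap reports per destination so a bad ruf address cannot cause a flood.
        recent = [t for t in self._sent.get(ruf_address, [])
                  if now - t < self.window_seconds]
        self._sent[ruf_address] = recent
        if len(recent) >= self.max_per_window:
            return False, "rate limit reached"
        recent.append(now)
        return True, "ok"
```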