[opendmarc-users] How to deal with blocked DMARC reports

Ken kenfcamp at gmail.com
Thu Jan 3 07:49:50 PST 2019


> procmail is too late to solve the problem in milters

Agreed, but since what we're talking about is delivery rejections due to
no/bad accounts, it is (IMO) viable.

As I understand it (and correct me if I'm wrong), Report-NO-Send lists are
lists of domains which are not to receive reports. It's this implementation
(blocking by domain) that's not useful.

"Report-NO-Send" lists should be based on email addresses, rather than
domains. The biggest reason is that if a record's RUA/RUF address is
corrected then emails can resume for the domain.

> imho best way to solve is to create a new specific milter to test that
> mailto: can be mailed to,

That's a lot of potential overhead depending on the amount of emails that
are received.
Additionally, there's also a chance this method could end up causing your
mail server to be black-listed.

> why would domain owners like to have dmarc reporting when
> their mailserver does not accept it

Legitimate reasons: Address changed and record wasn't, Address no longer
valid (person left, etc) and record wasn't changed, person who set up the
record applied it to the wrong address, etc.

Not so legitimate reasons: Just to be an *SS

On Thu, Jan 3, 2019 at 10:14 AM Benny Pedersen <me at junc.eu> wrote:

> Ken wrote on 2019-01-03 14:38:
>
> > I'm in full agreement, it is very annoying.
>
> users tend to use loopback ip mx for reporting, yes i have seen it
>
> > Unfortunately, the only other option I can think of at the moment
> > would be not sending reports.
>
> that only solves half of the problem, mailto: links can be to totally
> different domain than sender envelope domain :/
>
> so it support ddos another domain mx, why ietf have not thought about
> that possible is imho sadly
>
> > It should be possible to create a filter for procmail (or whatever) to
> > do what you're looking for. But that's well beyond me
>
> procmail is too late to solve the problem in milters
>
> imho best way to solve is to create a new specific milter to test that
> mailto: can be mailed to, if not succeed tempfail senders that shoot them
> self in foots, why would domain owners like to have dmarc reporting when
> their mailserver does not accept it
>
> there was a time i see lots of domains used mx to 127.0.0.1, this was
> simple to reject in postfix, now we need to mx check mailto: in dmarc :/
>
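
The address-keyed suppression list argued for in the message above, as an added example that is not part of the original post and is not OpenDMARC code: reporting addresses are read from the record's `rua` tag and filtered per address, so a corrected record resumes delivery, while a domain-keyed list keeps blocking. The records, addresses and function names are constructed for illustration.

```python
from urllib.parse import unquote

def report_addresses(record, tag="rua"):
    """Return the mailto: addresses listed under `tag` in a DMARC TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return []                      # not a DMARC record, nothing to report to
    addresses = []
    for uri in tags.get(tag, "").split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            continue                   # only mailto: destinations are handled here
        addr = uri[len("mailto:"):].split("!", 1)[0]   # drop optional size limit ("!10m")
        # Lowercasing the whole address is a simplification for list matching.
        addresses.append(unquote(addr).lower())
    return addresses

def recipients_by_address(record, suppressed_addresses, tag="rua"):
    """Skip only the individual addresses that have bounced."""
    return [a for a in report_addresses(record, tag) if a not in suppressed_addresses]

def recipients_by_domain(policy_domain, record, suppressed_domains, tag="rua"):
    """Domain-keyed blocking as described in the message, for comparison."""
    if policy_domain.lower() in suppressed_domains:
        return []
    return report_addresses(record, tag)

# Constructed sample data: the record before and after its owner corrects it.
OLD_RECORD = "v=DMARC1; p=none; rua=mailto:gone@example.org,mailto:dmarc@reports.example.net!10m"
NEW_RECORD = "v=DMARC1; p=none; rua=mailto:postmaster@example.org"
BOUNCED = {"gone@example.org"}         # addresses that rejected earlier reports

if __name__ == "__main__":
    print("old record, by address:", recipients_by_address(OLD_RECORD, BOUNCED))
    print("new record, by address:", recipients_by_address(NEW_RECORD, BOUNCED))
    print("new record, by domain: ", recipients_by_domain("example.org", NEW_RECORD, {"example.org"}))
```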