[opendmarc-users] How to deal with blocked DMARC reports

Benny Pedersen me at junc.eu
Sat Jan 5 14:05:10 PST 2019


Grant Taylor wrote on 2019-01-05 19:59:

> I have a hard time accepting the idea of configuring my server to
> refuse to accept email because the admin of the sending domain has
> misconfigured an /optional/ reporting / security feature.

note tempfail ?

i did not say reject

i think this problem here with dmarc is equal to the time when some 
domain had mx pointing to hostname that had A records pointing to 
127.0.0.1 or other non routable ips

this stopped when postfix rejected mx with these ip ranges in sender 
domain mx

why let dmarc continue to have it imho same problem ?

note dmarc will be not rejecting maillists if maillist servers starting 
arc seal their mails, this will imho make mailman drop their take 
ownerships on senders that do dkim sign mails and as received on maillist is 
dkim pass

> I feel like rejecting email based on a bad reporting email address for
> DMARC is *WAY* more Draconian than rejecting email when sending
> domains have "…-all" in their SPF record.  (I digress.)

i did not say reject, but tempfail

>> why would domain owners like to have dmarc reporting when their 
>> mailserver does not accept it
> 
> I don't know that "like" is the best description here.  Ignorance,
> misconfiguration, misunderstanding come to mind as legitimate reasons
> why there might be a bad email address in the DMARC record.

how can we help misconfigured dmarc hosts ?

can opendmarc milter use lua scripts to do test if domain can be 
reported to, before data is saved to the stats file for reporting ?
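
The check asked about above, sketched as an added example that is not part of the original post and not OpenDMARC code: parse the `rua` tag of a DMARC record and flag report domains whose MX hosts resolve only to loopback or other non-routable addresses. The function names, the in-memory DNS tables (constructed sample data in place of real lookups) and the rule "at least one MX address must be globally routable" are assumptions.

```python
import ipaddress

# Constructed sample DNS answers (assumption: stand-ins for real MX/A lookups).
SAMPLE_MX = {
    "good.example": ["mx1.good.example"],
    "loop.example": ["mail.loop.example"],
    "nomx.example": [],
}
SAMPLE_A = {
    "mx1.good.example": ["93.184.216.34"],   # constructed routable address
    "mail.loop.example": ["127.0.0.1"],      # MX pointing at loopback
}

def rua_domains(record):
    """Return the domains of the mailto: URIs in the rua tag of a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return []                             # not a DMARC record at all
    domains = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addr = uri[len("mailto:"):].split("!", 1)[0]  # drop "!10m" size limit
            if "@" in addr:
                domains.append(addr.rsplit("@", 1)[1].lower())
    return domains

def deliverable(domain, mx=SAMPLE_MX, a=SAMPLE_A):
    """True if at least one MX host (or the domain itself when it has no MX)
    resolves to a globally routable address."""
    hosts = mx.get(domain) or [domain]        # no MX: fall back to the domain's A record
    ips = [ip for host in hosts for ip in a.get(host, [])]
    return any(ipaddress.ip_address(ip).is_global for ip in ips)

def reportable(record):
    """Map each rua domain in the record to whether a report could be delivered."""
    return {domain: deliverable(domain) for domain in rua_domains(record)}

if __name__ == "__main__":
    sample = "v=DMARC1; p=none; rua=mailto:dmarc@good.example!10m, mailto:r@loop.example"
    for domain, ok in reportable(sample).items():
        print(domain, "report" if ok else "skip: no routable MX")
```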


