On 1/26/21 12:29 PM, Todd Herr wrote:
On Tue, Jan 26, 2021 at 3:16 PM Michael Thomas <[email protected]> wrote:
Yes, DMARC reports are of value if you don't know all of the IP
addresses that send on your behalf. Some have even written blog
posts on the topic of using DMARC aggregate reports as a tool to
audit one's authentication practices, by publishing a policy of
p=none, collecting the reports, analyzing the data, fixing
problems, iterate, iterate, iterate until one is ready to move on
to the ultimate goal of p=reject.
How do I know when I'm done though if I don't know the IP
addresses who send on my behalf? Is it an actual forgery or is it
Marsha in marketing using an outsourced email blaster?
Time.
Some industry experts have suggested that one budget twelve to
eighteen months between first publishing a DMARC policy record and the
hoped-for transition to p=reject. YMMV, and a lot depends on the types
of messages that the organization sends, and their cadence. At the
extreme end of more than a year would be larger companies doing
seasonal or cyclical mailings, ones that maybe only market to certain
customer segments once or twice per year, tops. The more one knows
about one's mail flows and the better one's authentication practices
before deploying DMARC, the shorter that time can be, but a year or
more isn't unusual at all.
I don't see how time helps anything if I can't differentiate between our
legitimate traffic and attacker traffic. All an attacker would need to
do is send a mail cannon to mimic Marsha in Marketing every once in a
while and the entire thing resets. If it is a requirement to know all of
the legitimate IP addresses in order to make use of the reports as an
indicator, the draft should be very explicit about that.
Mike
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
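An added example, not code from the thread or from any DMARC tooling, of the aggregate-report triage Todd describes and of the limit Mike points out: it parses a constructed RUA report in the RFC 7489 Appendix C layout, buckets each source IP against a hypothetical inventory of known sender networks, and can only flag an unknown, unaligned source for a human decision; nothing in the report itself says whether that source is marketing's outsourced blaster or a forgery. The report content, the inventory and all function names are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample RUA report (RFC 7489 Appendix C layout); not a real report.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>reporter.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>900</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# Hypothetical inventory of the sending networks the domain owner already knows about.
KNOWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def classify_record(record, known_nets):
    """Return (source_ip, count, bucket) for one <record> element."""
    ip = ipaddress.ip_address(record.findtext("row/source_ip"))
    count = int(record.findtext("row/count"))
    # policy_evaluated carries the DMARC-aligned DKIM/SPF outcomes, not raw results.
    pe = record.find("row/policy_evaluated")
    aligned = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
    known = any(ip in net for net in known_nets)
    if known:
        bucket = "known" if aligned else "known-unaligned"  # own sender, misconfigured
    elif aligned:
        bucket = "unknown-aligned"    # passes with our identifiers: forgotten sender/forwarder
    else:
        bucket = "unknown-unaligned"  # shadow IT or forgery: the report cannot tell them apart
    return str(ip), count, bucket


def summarize_report(xml_text, known_nets=KNOWN_NETS):
    """Sum message counts per bucket and list the unknown IPs needing a human decision."""
    root = ET.fromstring(xml_text)  # prefer defusedxml for reports from untrusted reporters
    totals = defaultdict(int)
    review = {}
    for rec in root.iter("record"):
        ip, count, bucket = classify_record(rec, known_nets)
        totals[bucket] += count
        if bucket.startswith("unknown"):
            review[ip] = bucket
    return dict(totals), review
```

The "unknown-unaligned" bucket is exactly the case Mike raises: a sender there only becomes classifiable once someone adds it to the inventory (Marsha's vendor) or confirms it is not theirs (an attacker).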