[dmarc-discuss] RUA validation

Murray S. Kucherawy msk at cloudmark.com
Tue Jan 31 13:29:45 PST 2012


> -----Original Message-----
> From: dmarc-discuss-bounces at blackops.org [mailto:dmarc-discuss-bounces at blackops.org] On Behalf Of David F. Skoll
> Sent: Tuesday, January 31, 2012 1:20 PM
> To: dmarc-discuss at dmarc.org
> Subject: Re: [dmarc-discuss] RUA validation
> 
> What about something like:
> 
> If the From: domain is example.org and the rua is
> mailto:report at r.example.com, do a DMARC lookup on:
> 
> _dmarc.example.org._dmarc.r.example.com
> 
> If that lookup succeeds and has a rua that matches the original rua,
> send the report, else don't.
> 
> This lets third parties have fine control over what they accept.  Or is
> this over-thinking it? :)

This, or something like it, is not a bad compromise.  A similar thing has been proposed in another working group recently, where there's a signal to send a report that has to be confirmed with a DNS query for a TXT record.

I think I'd prefer something like example.org._r._dmarc.example.org, and just record existence is enough to confirm approval of the relationship.  "_r" indicates that it's a request for such confirmation.  This is also what ATPS does.

The issue then is that a storm of mail pointing to fake reporting addresses like this causes a DNS storm against example.org.  I wonder if "Yeah, but negative caching will help that" is a good enough answer to people that will complain.

-MSK
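
The lookup proposed in the quoted message, together with the negative caching raised in the reply, sketched as an added example; it is not code from either poster or from any DMARC implementation. The resolver stub, the zone data, the in-process negative cache with its `neg_ttl`, and the rule that a same-domain rua needs no approval are assumptions made for illustration.

```python
import time

# Constructed sample zone data: r.example.com approves reports for example.org only.
ZONE = {
    "_dmarc.example.org._dmarc.r.example.com":
        ["v=DMARC1; rua=mailto:report@r.example.com"],
    "_dmarc.other.example._dmarc.r.example.com":
        ["v=DMARC1; rua=mailto:someone-else@r.example.com"],
}

def fake_resolve_txt(name):
    """Stand-in for a DNS TXT lookup; returns [] when no record exists."""
    return ZONE.get(name.lower(), [])

def parse_tags(txt):
    """Split 'v=DMARC1; rua=mailto:a@b' into a tag dictionary."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def query_name(from_domain, rua):
    """Name to query per the quoted proposal, or None if no check is needed."""
    if not rua.lower().startswith("mailto:") or "@" not in rua:
        raise ValueError("unsupported rua: " + rua)
    target = rua.rsplit("@", 1)[1].rstrip(".").lower()
    from_domain = from_domain.rstrip(".").lower()
    if target == from_domain:   # assumption: same-domain rua needs no approval
        return None
    return "_dmarc.%s._dmarc.%s" % (from_domain, target)

class RuaVerifier:
    def __init__(self, resolve_txt, neg_ttl=300, clock=time.monotonic):
        self.resolve_txt, self.neg_ttl, self.clock = resolve_txt, neg_ttl, clock
        self.neg_cache = {}   # query name -> time the negative answer expires
        self.queries = 0      # lookups that actually reached the resolver

    def may_send(self, from_domain, rua):
        name = query_name(from_domain, rua)
        if name is None:
            return True
        if self.neg_cache.get(name, float("-inf")) > self.clock():
            return False      # cached "no": a repeated name costs no new query
        self.queries += 1
        for txt in self.resolve_txt(name):
            tags = parse_tags(txt)
            approved = [u.strip().lower() for u in tags.get("rua", "").split(",")]
            if tags.get("v") == "DMARC1" and rua.lower() in approved:
                return True   # the third party lists this exact rua
        self.neg_cache[name] = self.clock() + self.neg_ttl
        return False
```

The cache is keyed on the full query name, so it only absorbs repeats of the same From domain and rua pair; each distinct From domain still produces one lookup.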


