Sending DMARC reports is somewhat hazardous
utcc.utoronto.ca51 points by zdw 8 hours ago
51 points by zdw 8 hours ago
DMARC is a relatively recent addition to the email security space, and while it seems a bit superfluous at first, is actually quite useful! Sending and receiving the reports (which, should be noted, is entirely optional) might indeed be helped by a setup separate from the main mail handling workflow, as the 'best effort' nature and the fact that lots of systems sending DMARC reports have no business delivering mail for the sender domain in the first place are quite distinct.
Both Microsoft and Google seem to do it just fine using their main infrastructure though, so there's that. And apart from (performing or hopefully kickstarting) troubleshooting of SPF and (especially) DKIM failures, going through the forensic reports (which not everyone sends, even if they do summaries, due to message privacy concerns) will definitely satisfy your 'WTF-quota' for the day, since you get to see some spoofed messages that are usually just blackholed, and some of those are truly bizarre...
> Both Microsoft and Google seem to do it just fine
Microsoft sends me DMARC reports saying "yes, everything was accepted 100%, all good". The delivery logs on our end look good as well. However, they silently drop a large portion of messages with a Hotmail destination.
>which, should be noted, is entirely optional
I wouldn't say entirely. I had a client with a large company contact me on LinkedIn saying that they wanted to buy my product but no one would respond to their emails. Their system was nuking my responses until I set up DMARC reporting, and I had no indication it was happening on my end. No "failed to deliver" message and nothing in the logs, just email that vanished into the ether.
That's interesting! Can you share which provider their MX record pointed to? Silently disappearing emails are typical Microsoft Forefront antics (but definitely also a misfeature of other products), but mostly when the originating domain has a p=reject DMARC policy. You didn't happen to relax that at the same time you added the reporting parameters?
Both Microsoft and Google seem to do it just fine
I routinely get between 5 and 10 duplicates of DMARC reports from Google for gmail. Searching on this, it's a known phenomenon. No one else has this issue. I don't get dupes from outlook.com, hotmail, yahoo, etc, etc.
But it's Google. Fairly typical for their modern quality control and engineering practices. I view them as a little like when Volkswagen stopped being run by engineers, and instead by accountants.
Same here, and the worst part is the duplicates appear to reuse the same Message-id, which confuses macOS Mail.app to no end :-/
I also don't see why the DMARC reporting would retry sending. If the receiver isn't receiving right away, surely it's okay to just drop that report to keep the queue small.
We already had 'low effort' mail queues (for things like password reset emails: these are retried 1/2/4/8 minutes apart and don't generate bounces, other than an API flag and a metrics record), to which we added 'least effort' for DMARC reports. Retry once, then forget about the entire thing other than incrementing a counter for the destination domain.
> retried 1/2/4/8 Minuten apart
That's generally not very clever, as it will impose an unneeded burden on a receiving server which actually has temporary resource problems, and it will collide with greylisting, for example.
RFC 5321 states in section "4.5.4.1. Sending Strategy" that the retry interval should be at least 30 minutes, while the give-up time needs to be at least 4–5 days:
> the retry interval should be at least 30 minutes, while the give-up time needs to be at least 4–5 days
RFCs have very little to do anymore with the realities of email delivery. And advocating for password reset emails to only be retried after 30 minutes (all while the user is manically mashing the 'resend link' button) and/or to be kept around for 5 days (while the link contained therein expires after an hour) doesn't either.
SHOULD is not MUST. These capitalized terms are have very specific meanings in RFCs, see RFC https://datatracker.ietf.org/doc/html/rfc2119. SHOULD is:
3. SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
MUST is a requirement. You left out the "however" part:
In general, the retry interval SHOULD be at least 30 minutes; however, more sophisticated and variable strategies will be beneficial when the SMTP client can determine the reason for non-delivery.
There's absolutely nothing wrong with a fine tuned backoff. I am not saying the specific backoff discussed by GP is best, merely that 30 minutes is absolutely not a requirement, and in fact, discussed in tandem with the fact that "more sophisticated strategies" are actually beneficial.
The RFC does not agree with you. Partially quoted as you have, does not help.
I have strict and separate emails for aggregate and forensic. If it’s too much trouble setting it up on your server with all those spammers and borked entries you have my blessing.
I do operate DMARC report processing service and I have to agree that outdated reporting addresses living in DNS records (in my case, previous customers of mine still using their reporting addresses) are an issue.
Although the RFC 7.1 section regarding External Domain Validation [1] addresses this topic, I've found that lots of final hosts disregard this step and blast their reports to whatever reporting address is provided.
1: https://www.dmarctrust.com/email-dns/fundamentals/dmarc-dns-...
Do DMARC report tools like opendmarc-reports [0] comply with that section? Which tool have you seen that complies?
>I assume that putting a 'rua=' into your DMARC record makes it look more legitimate to (some) receiving systems.
Yes, Gmail for example will drop emails from mass-senders that don't implement both SPF and DKIM.
Still the 'r' parameters (reporting) in the DMARC record are optional, and there is no indication their presence bestows additional legitimacy to a sender.
(For me, it's sort-of the opposite: there are fun spam patterns to be found in DMARC records with reporting addresses!)
I keep getting e-mails containing a ZIP file with subject lines like:
Dmarc Aggregate Report Domain: {mydomain.com} Submitter: {Amazon SES} Date: {2025-11-16}
From postmaster@amazonses.com
Nothing in the body, no idea idea what they are. I've always assumed malware, so left them untouched. But if anyone can enlighten me, I'd be grateful
They're not zip files. They're gzipped XML files. Some shitty email programs will try to open them as ZIP files, fail, and then claim they're empty.
Amazon sends these when you or someone pretending to be you sends email to Amazon's domain.
They contain the DMARC report you asked for.
Receiving DMARC reports is just as hazardous. I frequently receive spam, phishing, malware, etc on my DMARC reporting addresses. I'm somewhat surprised I haven't seen any zip-bombs in DMARC reports yet.
Rejecting DMARC reports from any sender that doesn't have a correct SPF/DKIM/DMARC setup is the bare minimum.
Thanks for reminding me and looking into DMARC. I removed rua and only left ruf, such that I will only get reports about failing e-mails (not likely). The aggregate reports are useless for my small domain with effectively one e-mail.