[Mailman-Users] Executive summary of DMARC issues

John Levine johnl at taugh.com
Thu May 15 05:39:20 CEST 2014

>Actually, From: domains can request reports even if DMARC p=none. It is
>unclear what might be done with these reports, but given what some
>domains have done with DMARC already, I for one would not be surprised
>if this information was used to color the reputation of the sending server.
>Note that currently, Yahoo.com only requests aggregate reports which *I
>think* do not identify the sending server, but AOL.com requests failure
>reports as well which are intended to identify servers and actual senders.

I've been collecting DMARC aggregate reports for over two years and
have over 40,000 of them.  I use some scripts that decompress and
parse the reports and put the interesting bits into a MySQL database.
I also have 22,000 failure reports (fewer providers send them.)

The aggregate reports do indeed identify the sending server and are
pretty interesting.  For some of the larger mail systems, it's clear
from the tags in the reports that they have a pretty good idea where
the mailing lists are, which makes me wonder why they don't use that
info to whitelist around the DMARC damage.  I don't see any evidence
that DMARC failures alone are likely to get a server blacklisted,
although I wouldn't be surprised if it were a factor along with user
complaints and spam filter statistics.


PS: The scripts are at http://www.taugh.com/rddmarc/ if you want to
play along on your own system.  You can (and should) collect DMARC
stats without publishing any DMARC policies.
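
An added example, not part of the original message and not the rddmarc scripts: a minimal Python sketch of the decompress-and-parse step described above, showing that each aggregate report record carries the sending server's IP. The sample report is constructed (documentation IPs and example domains), and the un-namespaced element layout is an assumption about the reporter's XML.

```python
import gzip, io, zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (documentation IPs and example domains, not real data).
SAMPLE_XML = b"""<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name></report_metadata>
 <policy_published><domain>example.org</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.org</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.org</header_from></identifiers></record>
</feedback>"""

def decompress(blob):
    """Return report XML from a gzip, zip, or uncompressed attachment."""
    if blob[:2] == b"\x1f\x8b":          # gzip magic bytes
        return gzip.decompress(blob)
    if blob[:2] == b"PK":                # zip magic bytes
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.read(zf.namelist()[0])
    return blob

def parse_report(blob):
    """Yield one dict per <record>: sending IP, message count, DMARC results."""
    root = ET.fromstring(decompress(blob))
    reporter = root.findtext("report_metadata/org_name")
    for rec in root.iter("record"):
        yield {
            "reporter": reporter,
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count") or 0),
            "dkim": rec.findtext("row/policy_evaluated/dkim"),
            "spf": rec.findtext("row/policy_evaluated/spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        }

def failing_senders(blob):
    """Sum message counts per source IP where neither DKIM nor SPF passed DMARC."""
    totals = Counter()
    for r in parse_report(blob):
        if r["dkim"] != "pass" and r["spf"] != "pass":
            totals[r["source_ip"]] += r["count"]
    return dict(totals)

if __name__ == "__main__":
    print(failing_senders(gzip.compress(SAMPLE_XML)))
```

Reports arrive from third parties, so a production collector should cap the decompressed size and use a hardened XML parser such as defusedxml.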
