ietf-wg-dmarc / draft-ietf-dmarc-dmarcbis


Forensic reporting for PSDs #146

Closed Daniel-t closed 3 months ago

Daniel-t commented 3 months ago

Ref: 10.2 "DMARC records for multi-organizational PSDs MUST NOT include the ruf= tag."

This may be problematic for some 'private' Public Suffix Domains, such as "Gov.Au", where they may send email in their own right, and so might benefit from forensic reporting.

Perhaps it would be better to require that ruf= tags be ignored for PSDs except when the PSD is the Organisational Domain / RFC5322.From domain.

alevesely commented 3 months ago

The point of the second paragraph is currently expressed in draft-ietf-dmarc-failure-reporting-10, Section 2 like so:

Report generators MUST NOT consider ruf= tags in records having a "psd=y" tag, unless there are specific agreements between the interested parties.

Gov.au has no DMARC record at this time. If they publish one, they cannot write psd=y and psd=n at the same time. That is to say, a PSD can never be the Organizational Domain. However, it can be the From: domain. I'm going to put the question on the dmarc-ietf mailing list.
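As an added illustration of the rule quoted above (this is example code written for this page, not part of the draft, the dmarcbis repository, or either commenter's work), the function below parses a DMARC TXT record and returns the ruf= destinations a report generator may use. A record carrying psd=y yields none unless the caller flags a private agreement, which is how draft-ietf-dmarc-failure-reporting-10 Section 2 phrases the exception. The DNS records in the table are constructed for illustration and are not the real records of any domain; the example consults only the exact _dmarc.<domain> record and skips the organizational-domain discovery a real generator would perform.

```python
"""Added example: applying 'ignore ruf= when psd=y' to constructed DMARC records.

Not code from the draft or the issue thread. Domain names and records below are
made up; a real report generator would query DNS and walk up the tree to find
the organizational domain, which this example deliberately omits.
"""

# Constructed sample TXT records, keyed by the name at which they would live.
# psd.example stands in for a PSD such as a second-level government suffix;
# dept.psd.example is a sub-domain run by a separate organization.
SAMPLE_RECORDS = {
    "_dmarc.psd.example": (
        "v=DMARC1; p=reject; psd=y; "
        "rua=mailto:agg@psd.example; ruf=mailto:fail@psd.example"
    ),
    "_dmarc.dept.psd.example": (
        "v=DMARC1; p=quarantine; "
        "rua=mailto:agg@dept.psd.example; ruf=mailto:fail@dept.psd.example"
    ),
    "_dmarc.plain.example": "v=DMARC1; p=none; ruf=mailto:fail@plain.example; fo=1",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into a tag -> value dict.

    Tag names are normalized to lower case; values keep their case because
    they may be URIs. A record that does not start with v=DMARC1 is rejected.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def failure_report_uris(tags: dict, private_agreement: bool = False) -> list:
    """Return the ruf= destinations a report generator may honour.

    A record with psd=y has its ruf= tag ignored unless the generator and the
    record owner have a specific agreement (private_agreement=True). A missing
    psd tag, or psd=n, leaves ruf= in effect as for any ordinary domain.
    """
    if tags.get("psd", "n").lower() == "y" and not private_agreement:
        return []
    ruf = tags.get("ruf", "")
    return [uri.strip() for uri in ruf.split(",") if uri.strip()]


def failure_report_targets(from_domain: str, private_agreement: bool = False) -> list:
    """Look up the exact _dmarc record for the From: domain in the sample table.

    Returns the usable ruf= URIs, or an empty list when the domain publishes
    no record, has no ruf= tag, or is a PSD without an agreement in place.
    """
    record = SAMPLE_RECORDS.get(f"_dmarc.{from_domain}")
    if record is None:
        return []
    return failure_report_uris(parse_dmarc(record), private_agreement)


if __name__ == "__main__":
    for domain in ("psd.example", "dept.psd.example", "plain.example", "none.example"):
        print(domain, "->", failure_report_targets(domain))
    print("psd.example with agreement ->", failure_report_targets("psd.example", True))
```

The point of the split into two functions is that the psd=y check sits in the record-interpretation step, not in the DNS lookup: a record found for a PSD's own From: domain (the qld.gov.au case raised in this thread) is parsed exactly like any other, and only the ruf= tag is suppressed.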

Daniel-t commented 3 months ago

Thanks @alevesely,

More relevant to my use case is qld.gov.au, which is still a PSD, as we have sub-domains owned by other organizations (various government departments); however, emails are also sent directly from this domain.

alevesely commented 3 months ago

@Daniel-t, the WG opinion is negative.

Let me add that failure reporting is quite problematic, for privacy reasons, even for regular domains. Indeed, few MTAs send that stuff just because they find a ruf= tag in the DNS. Using DKIM-test sites is much more practical.

jrlevine commented 3 months ago

Ale is right -- almost nobody sends failure reports, largely due to privacy concerns. I gather that some providers have private agreements to send them and manage the privacy issues, but if you have private agreements you can do whatever you want and there's nothing to say about them in a standard.

Daniel-t commented 3 months ago

Thanks. We'll proceed with our planning based on the assumption that psd=y means no forensic reporting; as @jrlevine says, it's not a big impact: we receive about 20 forensic reports a day across ~3000 domains (using a shared DMARC reporting platform).

I reviewed the mailing list conversation about this, and while I agree it won't be an issue for most PSDs (.com/.net etc.), this will probably be relevant to the ~250 ".gov." public suffixes.