[SOLVED] How is DMARC supposed to work? Getting flooded with reports.
I recently subscribed to the users@tomcat.apache.org maillist. I am now getting inundated with DMARC reports. This morning I received 20 reports. This afternoon another 30. The vast majority of these are "<envelope_from>tomcat.apache.org" and/or "<domain>tomcat.apache.org". Since subscribing to that maillist I have received well over 200 DMARC reports pertaining to tomcat.apache.org, yet I've only received a total of 22 messages from this list since I subscribed 6 days ago. The report "<org_name>" (providers) are all over: gmail, amazonses, microsoft, yahoo, ...
What's up? Why am I getting so many reports pertaining to tomcat.apache.org, even though I've only received 22 actual messages? How do I stop this flood without unsubscribing from this list?
Also you should set "p=quarantine" because many receiving ends will complain about the "p=none" policy. See this for a combination with the pct option you're using.
I don't presume to know much about DMARC. To what "to" option are you referring? "mailto"? As to the p=quarantine setting, I don't really understand how that works. The tomcat.apache.org DMARC reports aren't necessarily indicating spam, so what is the "p=" criteria considering? Here's one example:
Not understanding much about DMARC, I don't get why the DKIM Disposition and SPF Disposition (tags <dkim> and <spf>) are both "fail", but then it says SPF results (tag <auth_results><spf><results>) is "pass". Not all the tomcat.apache.org messages are the same. Some have SPF results "pass".
I'm unclear as to why I'm getting all these reports in the first place when I've only sent and/or received a total of 29 messages on this maillist in a week, yet I'm getting 30+ tomcat DMARC reports daily.
I don't presume to know much about DMARC. To what "to" option are you referring? "mailto"? As to the p=quarantine setting, I don't really understand how that works. The tomcat.apache.org DMARC reports aren't necessarily indicating spam, so what is the "p=" criteria considering?
It's "fo" with an F not "to". See the link in my post above about that option...
Not understanding much about DMARC, I don't get why the DKIM Disposition and SPF Disposition (tags <dkim> and <spf>) are both "fail", but then it says SPF results (tag <auth_results><spf><results>) is "pass". Not all the tomcat.apache.org messages are the same. Some have SPF results "pass".
I'm unclear as to why I'm getting all these reports in the first place when I've only sent and/or received a total of 29 messages on this maillist in a week, yet I'm getting 30+ tomcat DMARC reports daily.
I guess that you get these fail/pass reports because in the mail you get when you post in the list, the "Header From" is different from the "Envelope From".
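Added example, not part of the original thread: a small Python reader for one DMARC aggregate report record, showing how a raw SPF "pass" for the envelope domain still becomes a DMARC "fail" when that domain does not align with the Header From. The report below is constructed; example.org stands in for the poster's own domain, and the two-label `org_domain` helper is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (RFC 7489 schema); example.org stands in
# for the list subscriber's own domain and the IP is a documentation address.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><envelope_from>tomcat.apache.org</envelope_from>
      <header_from>example.org</header_from></identifiers>
    <auth_results>
      <spf><domain>tomcat.apache.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def org_domain(name):
    # Simplification (assumption): real implementations use the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from):
    # Relaxed alignment: both names share one organizational domain.
    return org_domain(auth_domain) == org_domain(header_from)

def explain(report_xml):
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        header_from = rec.findtext("identifiers/header_from")
        spf = rec.find("auth_results/spf")
        spf_domain, spf_result = spf.findtext("domain"), spf.findtext("result")
        ok = spf_result == "pass" and aligned(spf_domain, header_from)
        rows.append({
            "header_from": header_from,
            "count": int(rec.findtext("row/count")),
            "spf_raw": spf_result,                       # auth_results view
            "spf_aligned": aligned(spf_domain, header_from),
            "spf_dmarc": "pass" if ok else "fail",       # passed AND aligned
            "spf_reported": rec.findtext("row/policy_evaluated/spf"),
        })
    return rows

if __name__ == "__main__":
    for row in explain(SAMPLE_REPORT):
        print(row)
```

Aggregate reports arrive from third parties, so when parsing real ones prefer a hardened parser such as `defusedxml` over the standard library's `ElementTree`.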
Well, this is interesting. I've gone from getting upwards of 60 DMARC reports daily, mostly from that tomcat.apache.org maillist domain, to now getting none at all. I'm back to the usual half-dozen reports a day. I'm wondering why. Would this have anything to do with whether opendkim is running or are these completely separate things? Thoughts appreciated.
Quote:
Originally Posted by bathory
I guess that you get these fail/pass reports because in the mail you get when you post in the list, the "Header From" is different from the "Envelope From".
Yes, that's what I was thinking. I'll have to investigate why those headers are different.
Two weeks after my last post I've received zero DMARC reports related to tomcat.apache.org whereas I was receiving 60-ish a day. I have no idea why. Thanks for that explanatory link.