Markdown Version | Session Recording

Session Date/Time: 23 Jul 2025 12:30

DMARC Working Group Session - IETF 123

Summary

The DMARC working group convened to discuss the completion of the failure reporting (forensic reporting) document. The primary focus was determining whether to proceed with finishing the document as currently drafted or to abandon it. After extensive discussion about privacy concerns, operational utility, and implementation challenges, the working group decided to proceed with completing the document while adding strong privacy warnings and usage limitations at the beginning.

Key Discussion Points

• Document completion vs. abandonment: The working group had to choose between completing the failure reporting document or abandoning it and removing references from the base DMARC specification

• Privacy concerns: Several participants raised significant privacy issues with forensic reporting, noting that sensitive business information (product launches, employee terminations, calendar invites) has leaked through these reports

• Operational utility debate:

  • Opponents argued that aggregate reporting now provides sufficient information for DMARC's core authentication purposes, making forensic reports unnecessary
  • Proponents maintained that forensic reports provide valuable real-time abuse detection capabilities
  • Tree-walk reports now address the original use case of routing reports to appropriate domain owners

• Implementation reality: Discussion highlighted that major email providers have largely stopped sending forensic reports due to privacy concerns, yet the document's existence in the specification may encourage inappropriate use

• Historical context: The original DMARC development relied heavily on forensic reporting for anti-abuse purposes, though operational experience has shown aggregate reporting is sufficient for most authentication troubleshooting

Decisions and Action Items

Decision: Proceed with completing the failure reporting document with significant modifications to address privacy concerns

Action Items:

1. Murray and Trent will draft privacy warning text and usage limitation guidance for the beginning of the document (Target: mid-August)
2. Seth will help engage previous contributors who participated in earlier discussions but haven't been active since recharter
3. Mike will continue section-by-section review focusing on editorial improvements rather than major structural changes
4. Working group chairs will be more aggressive in keeping mailing list discussions on-topic and within scope

Next Steps

• Target completion by IETF 124 (July timeframe, approximately 3 months)
• Privacy warning text to be completed by mid-August 2024
• Continue with focused editorial review rather than comprehensive restructuring
• No in-person session planned for Montreal (IETF 124)
• Working group will close permanently upon document completion
• Estimated timeline allows for approximately 14 weeks with section-by-section review as needed

The working group emphasized the need for clear deadlines and aggressive timeline management given the community's history of delays. The charter scope is limited to either completing or abandoning this specific document, with no authority for broader changes to DMARC specifications.