[BUG] DMARC Reporting is playing ping pong

[FingerlessGlov3s]

Prerequisites

• Put an X between the brackets on this line if you have done all of the following:
  • Read about bug reporting in general: https://rspamd.com/doc/faq.html#how-to-report-bugs-found-in-rspamd
  • Enabled relevant debugging logs: https://rspamd.com/doc/faq.html#how-to-debug-some-module-in-rspamd
  • Checked the FAQs about Core files in case of fatal crash: https://rspamd.com/doc/faq.html#how-to-figure-out-why-rspamd-process-crashed
  • Tried ASAN package and obtained the ASAN report (if possible): https://rspamd.com/doc/faq.html#asan-builds
  • Checked that your issue isn't already filed: https://github.com/issues?utf8=%E2%9C%93&q=is%3Aissue+user%3Arspamd
  • Checked that there is not already an experimental package or master branch

Describe the bug
I've enabled dmarc reporting on my mailcow instance, and I've noticed its playing DMARC ping pong, where my server and another email server is sending dmarc reports back and forth everyday even though no actual emails are being sent. So their server is reporting back my dmarc deliveries and rspamd is doing the same to them. Unless I do something this will go on forever, until one side does something to stop it.

I personally believe this is a bug, as I can't see why you would want this ping pong of dmarc reporting to be happening.

Steps to Reproduce

1. Setup mailcow or your own rspamd environment.
2. Enable DMARC Reporting LINK
3. Send an email to dmarc-rua@dmarc-johnlewis.co.uk which should start the ping pong.

Expected behavior
rspamd to only report non Report Domain emails, or some form of excluded emails list on the reporting config.

Versions

Docker Image: mailcow/rspamd:1.79
Rspamd daemon version 3.1
Debian 11
VM running on Proxmox 7.1

Additional Information

my reporting config

reporting {
    enabled = true;
    email = 'dmarc@mydomain.com';
    domain = 'mydomain.com';
    org_name = 'myorg';
    helo = 'rspamd';
    smtp = 'postfix';
    smtp_port = 25;
    from_name = 'myorg DMARC Report';
    msgid_from = 'rspamd.mail.mydomain.com';
    max_entries = 2k;
    keys_expire = 2d;
}

my rua address is dmarc@mydomain.com

[PHPGangsta]

Hello,

it looks like you are not sending your DMARC reports from a (sub)domain where you deactivated DMARC reporting in your DNS entry?

One solution (or best practice) is to disable DMARC reporting for the subdomain you are sending from. If you for example send from reports@dmarc.mydomain.com, you set a DMARC record for that subdomain without a rua address. Then the loop is stopped.

It looks like neither you or "the other one" has done this, that's why there is a loop :-) Only one of you both has to disabled DMARC reporting for the subdomain used for sending, then the problem is solved.

Of cause the subdomain and the mailbox you are using for sending the reports has to exist, so you can receive bounces and process them if you need to. For example some mailboxes where you will send DMARC reports will be full, or don't exist, or they forbid attachments, or they detect your mails as spam (because there are "bad" IP addresses in it). That's why you want (or should) check the bounces and stop sending report mails to them.

Because you are sending emails with "bad IP addresses" in them, you might also consider to use a separate IP address or a separate domain for sending the DMARC reports, so the reputation of your IP address and your important domain does not decrease.

[FingerlessGlov3s]

Thanks for the speedy reply @PHPGangsta

I did think of doing it that way using a subdomain to send the DMARC address, then setup SPF and DKIM for that.
My RUA mailbox gets ingested in to parsedmarc anyway, so it filling up isn't an issue. I'm not just storing them like some people do.

I do think your solution is good idea, but also sounds a bit of a workaround. I can indeed implement this if this is the preferred solution to the problem by the project. 😇

[PHPGangsta]

@FingerlessGlov3s Your idea is also a good idea, and is easier for most people I guess. But rspamd cannot detect "DMARC report mails" via the Subject or so. For example a new configuration line like this might make sense:

reporting {
  skip_reporting_for_addrs = ["dmarc_reports@example.com"] # don't send reports for emails arriving at these addresses
}

If you are using a separate email address for sending the DMARC reports, you could (or should) add that email address to the array. Then rspamd could skip collecting DMARC data for emails arriving at these addresses.

That's easier than doing the "heavy stuff" like setting up a separate (sub)domain, creating a DMARC record without a rua address, and so on. But easier doesn't mean better 😄 Sending DMARC reports from a separate (sub)domain or separate IP address might be a good idea anyway because of domain+IP reputation.

[FingerlessGlov3s]

Indeed there are pro's and con's to each way of tackling the issue. 🤔

Maybe both is a good idea, if MS or Google do any sort of rep score based on if you have a RUA set or not.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[alainwolf]

How about ...
/etc/rspamd/local.d/settings.conf:

# Avoid loops with failed dmarc reports to be reported over and over again
dmarc_reports_bounces {
    id = "dmarc_reports_bounces";
    priority = high;
    rcpt: "dmarc_reports@example.com";
    apply {
        groups_disabled = [ "dmarc" ];
    }
}

Wouldn't something like this have the same effect? Without setting up subdomains.

[Izorkin]

Is it possible to add fo parameter checking to DMARC records?
If set value to fo=1, then the cyclic reporting should stop.

[vstakhov]

No, fo has nothing in relation to aggregate reports I'm afraid.