[dmarc-discuss] Discrepancies between ISPs' aggregate reports

Dave Hensley dave at thinkmail.com
Tue Jun 12 13:07:49 PDT 2012

Hi Franck,

I'm not sure how interpolation could be accomplished... can you please
explain your suggestion a bit further?

What I've got right now is a report from, say, Yahoo, which tells me
that sometime between 12:00:00am and 11:59:59pm, the IP address sent 5 invalid messages to @yahoo.com users using my
domain name. And then I've got another report from, say, 126.com that
tells me that sometime between 4:00:00pm and 3:59:59pm, the same IP
address sent 3 invalid messages to @126.com users using
my domain name.

But if I don't get a timestamp for each individual message, how can I
calculate the total number of invalid messages that were sent during a
particular 24-hour window?


On Tue, Jun 12, 2012 at 3:47 PM, Franck Martin <fmartin at linkedin.com> wrote:
> Dave,
> This is great feedback. Yes people have been implementing the spec at
> different times, while the spec was getting developed. Some of these
> reports allowed to do a few fixes.
> By the way 126.com is netease who is the biggest ISP in China ;)
> http://www.slideshare.net/ichinastock/inside-netease
> I don't think you will be able to ask the report senders to sync on a
> specific time. Can't you interpolate based on the time to fit a 24 hours
> window?
> On 6/12/12 12:25 , "Dave Hensley" <dave at thinkmail.com> wrote:
>>Like many of you, I recently began receiving aggregate reports from
>>Yahoo, after receiving reports from Google for many months. I'm also
>>starting to receive reports from smaller ISPs, e.g. 126.com,
>>xs4all.nl, etc. It's wonderful that these early adopters are already
>>sending reports, but the subtle differences are tripping up the script
>>that I use to process them.
>>For example, according to http://www.dmarc.org/faq.html (if you click
>>on "I need to implement aggregate reports, what do they look like?"),
>>the reports should contain the following:
>>  <header_from>example.com</header_from>
>>Google's reports replace "identifiers" with "identities" (typo?).
>>Also, Yahoo's XML stream seems to be generated line-by-line, because
>>there are some weird whitespace issues:
>>  <begin>1339372800</begin>
>>  <end>1339459199 </end>
>>Note the extra space before the closing "end" tag. There is also
>>arbitrary whitespace at the end of each line. It was easy to fix my
>>script to trim all values, but this should probably still be fixed.
>>Finally, it seems that Google and Yahoo agree about the date range of
>>the reports (12:00:00am to 11:59:59pm UTC). But I've received reports
>>from 126.com that go from 4:00:00pm UTC to 3:59:59pm UTC, and the
>>report that I received today from xs4all.nl goes from 12:58:12pm UTC
>>to 1:00:04pm UTC the following day, which isn't even a 24-hour period.
>>Sadly, this makes it impossible to combine the reports together (to
>>aggregate the aggregate reports, as it were).
>>I hope that this message doesn't come off as peevish or denunciatory;
>>I think it's great that the system is working at this early stage and
>>that I'm already receiving these reports, and I certainly appreciate
>>all of the hard work that everyone has contributed. I just believe
>>that a few quick bug fixes would make the reports much more usable for
>>dmarc-discuss mailing list
>>dmarc-discuss at dmarc.org
>>NOTE: Participating in this list means you agree to the DMARC Note Well
>>terms (http://www.dmarc.org/note_well.html)

More information about the dmarc-discuss mailing list