Skip to main content

8. Security Considerations

The security considerations from Section 8 are preserved below.

8.  Security Considerations

While reviewing this document and its security considerations, the
reader should also review the privacy considerations above, as well
as the privacy considerations and security considerations in Sections
10 and 11 of [RFC9989] and in Sections 7 and 8 of [RFC9990].

8.1. Denial of Service

Failure reports represent a possible denial-of-service attack that
could be perpetrated by an attacker who sends numerous messages
purporting to be from the intended victim Domain Owner but which fail
both SPF and DKIM; this would cause participating Mail Receivers to
send failure reports to the Domain Owner or its delegate(s),
potentially in large numbers. Accordingly, participating Mail
Receivers are encouraged to aggregate these reports as much as is
practical, using the Incidents field of the ARF [RFC5965]. Indeed,
the aim is not to count each and every failure but rather to report
different failure conditions. Various pruning techniques are
possible, including the following:

* Store reports for a period of time before sending them, allowing
detection, collection, and consolidation of like incidents;

* Apply rate-limiting, such as a maximum number of reports per
minute that will be generated (and the remainder discarded).