Domain-based Message Authentication, Reporting, and Conformance (DMARC) Aggregate Reporting
draft-ietf-dmarc-aggregate-reporting-32

[Ballot discuss]
(revised ballot for -30)
** human_result.  It appears that there is at least one data element (human_result per Sections 2.1.1.12 and 2.1.1.13) which is intended to be a human readable string.  Per Section 4 of RFC2277 saying “protocols that transfer text MUST provide for carrying information about the language of that text”, what is the approach prescribed by this specification?  Should an xs:lang attribute be added to the human_result element?

[Ballot comment]
Thanks for addressing my comments in -29.

### Nits

In -29, the word remaining here is perhaps no longer needed:

```
An attempt MUST be made to deliver an aggregate report to
  every remaining URI, up to the Receiver's limits on supported URIs.
```

I think the intended behavior with the changes from -29 is to attempt to deliver to all URIs.

[Ballot comment]

Section states:

        If a report generator needs to re-send a report, the system
        MUST use the same filename as the original report. This would
        allow the receiver to overwrite the data from the original,
        or discard second instance of the report.

It seems dangerous to use file names based on received strings from unknown
sources, and I don't think an RFC should recommend to use such strings as
filenames, unless proper warnings are in place to exclude harmful ones (eg
"../../../").

While a maliciously formatted unique-id should be rejected per this specification,
perhaps add a warning in the Security Considerations for this to give explicit
warning to implementers.

While I think "dot dot slash dot dot slash etc passwd" seems less likely to be writable by the mail
user, this could be used to stuff files into the mail system (eg /var/mail or any of the outgoing mail queues)

[Ballot comment]
Section 7, paragraph 0
> 7.  Security Considerations

I wanted to thank Dhruv for his OPSDIR review. I agree with the issues he points out, and would like to see a resolution of his comments.

Others have already provided feedback on issues such as the use of acronyms without any expansion, identifiers such as 'p' or 'sp' that have not been defined except in the examples, and other comments that I am not going to repeat here.

The IANA review of this document seems to not have concluded yet.

[Ballot comment]
Thanks for working on this specification.

I am supporting Orie's discuss on section 2.5. I would also ask why do we call this section "transport"? First I was curious to have a section called transport :-), then I realized it describes some rules to generate report and delivering that report. Can we rename this section to something like "Gerenration and delivery" or something more meaningful in that context.

I also support Roman's discuss.

[Ballot discuss]
# Orie Steele, ART AD, comments for draft-ietf-dmarc-aggregate-reporting-27
CC @OR13

* line numbers:
  - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-dmarc-aggregate-reporting-27.txt&submitcheck=True

* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md

* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/


Thanks to Martin Thomson for the ARTART Review.

Keep in mind I am not an expert on email.

## Discuss

### Size limit obsolete?

```
699   given.  Any reporting URI that includes a size limitation exceeded by
700   the generated report (after compression and after any encoding
701   required by the particular transport mechanism) MUST NOT be used.  An
702   attempt MUST be made to deliver an aggregate report to every
703   remaining URI, up to the Receiver's limits on supported URIs.
```

draft-ietf-dmarc-dmarcbis-39 states:

```
obs-dmarc-uri = dmarc-uri obs-dmarc-report-size
; Obsolete syntax, reporters should ignore the
; obs-dmarc-report-size if it is found in a DMARC Policy R
```

Is there an incompatibility between ignore and MUST NOT here?

Is the URI supposed to be ignored, and not used regardless of the size constraint?
Or is the URI supposed to not be ignored, and not used when the size constraint is exceeded?

```
705   If transport is not possible because the services advertised by the
706   published URIs are not able to accept reports (e.g., the URI refers
707   to a service that is unreachable, or all provided URIs specify size
708   limits exceeded by the generated record), the Mail Receiver MAY cache
709   that data and try again later, or MAY discard data that could not be
710   sent.
```

Does try again later here, mean check to see if the report size has changed?

[Ballot comment]
## Comments

### MAY distinguish by ridtxt

```
826   Optionally, the report sender MAY choose to use the same "ridtxt" as
827   a part or whole of the RFC5322.Message-Id header included with the
828   report.  Doing so may help receivers distinguish when a message is a
829   re-transmission or duplicate report.
```

This MAY seems undesirable, a retransmission would need a new unique id, a duplicate would need a new filename.
How is this may related to those requirements?

```
842   duplicate data lies with the receiver.  As noted above, the sender
843   MUST use the same unique identifiers when sending the report.  This
844   allows the receiver to better understand when duplicates happen.  A
```

... when intending to send the same report?



### Which section?

```
658   The document format supports optional elements for extensions.  The
659   absence or existence of this section SHOULD NOT create an error when
660   processing reports.  This will be covered in a separate section.
```

### Is there consensus on which of these is better / recommended?

```
669   period, all depending on the Mail Receiver's implementation.  Under
670   these conditions, it is possible that a Mail Receiver could do any of
671   the following:
```

### Limitations on human readable content types

```
734   corresponding media type from below.  A human-readable annotation MAY
735   be included as a body part (with a human-friendly content-type, such
736   as "text/plain" or "text/html").
```

Is i18n a consideration here?
Perhaps this human readable annotation is expected to be in the language of the Mail Receiver and not the Author Domain?

### Overwrite

```
773   "unique-id" allows an optional unique ID generated by the Mail
774   Receiver to distinguish among multiple reports generated
775   simultaneously by different sources within the same Domain Owner.  A
776   viable option may be to explore UUIDs [RFC9562].

778   If a report generator needs to re-send a report, the system MUST use
779   the same filename as the original report.  This would allow the
780   receiver to overwrite the data from the original, or discard second
781   instance of the report.
```

I assume that in the case of sending a report with the same filename a new unique id is required.
Is there a missing MUST here?

```
808   report was generated.  The second domain-name indicates the DNS
809   domain name representing the Mail Receiver generating the report.
810   The purpose of the Report-ID: portion of the field is to enable the
811   Domain Owner to identify and ignore duplicate reports that might be
812   sent by a Mail Receiver.
```

Implies this is optional, I wonder what is required for "conformance" here.


### fraudulent reports

```
793   Email streams carrying DMARC feedback data MUST conform to the DMARC
794   mechanism, thereby resulting in an aligned "pass" (see Section 4.4 of
795   [I-D.ietf-dmarc-dmarcbis]).  This practice minimizes the risk of
796   Report Consumers processing fraudulent reports.
```

What is a fraudulent report in this case?
Is it a report that contains fake records, but is transmitted in conformance with DMARC?
Is the MUST conform mechanism including conformance to draft-ietf-dmarc-aggregate-reporting?

```
798   The RFC5322.Subject field for individual report submissions MUST
799   conform to the following ABNF
```

Does this imply that any non conforming report will not be processed?

### Is there a consensus to recommend an option here?

```
847   *  Reject back to sender, ideally with a permfail error noting the
848       duplicate receipt
849   *  Discard upon receipt
850   *  Inspect the contents to evaluate the timestamps and reported data,
851       act as appropriate
852   *  Accept the duplicate data
```

## Nits

### which is the only valid value?

```
546   *  "scope" MUST contain "mfrom", the only valid value.
```

could be worded more clearly.


### was -> were

```
406   A "row" element contains the details of the connecting system, and
407   how many e-mails was received from it, for the particular combination
408   of the policy evaluated.
```


### PSO expand on first use

```
1083   Providing feedback reporting to PSOs for a PSD
```

Or add to terminology inherited from dmarcbis.

[Ballot discuss]
** Please include normative references for the different formal languages used in this document (i.e., schema and ABNF)

-- Section 2.1.1 and Appendix A.
  The format for these reports is defined in the XML Schema Definition
  (XSD) in Appendix A.

Please provide a normative reference to XSD.  Perhaps:

  [W3C.SCHEMA]
              Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn,
              "XML Schema Part 1: Structures Second Edition", W3C
              Recommendation REC-xmlschema-1-20041028, October 2004,
              .

  [W3C.SCHEMA.DTYPES]
              Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes
              Second Edition", W3C Recommendation REC-xmlschema-
              2-20041028, October 2004,
              .

-- Section 2.5.1 and 2.5.2

  The RFC5322.Subject field for individual report submissions MUST
  conform to the following ABNF:

Please provide a normative reference for ABNF.  Perhaps:

  [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              .

** human_result.  It appears that there is at least one data element (human_result per Sections 2.1.1.12 and 2.1.1.13) which is intended to be a human readable string.  Per Section 4 of RFC2277 saying “protocols that transfer text MUST provide for carrying information about the language of that text”, what is the approach prescribed by this specification?  Should an xs:lang attribute be added to the human_result element?

[Ballot comment]
** Given how [I-D.ietf-dmarc-dmarcbis] is cited numerous times to provide clarity for normative guidance, why is it an informative reference?

** From idnits:
  ** The abstract seems to contain references ([RFC7489],
    [I-D.ietf-dmarc-dmarcbis], [I-D.ietf-dmarc-failure-reporting]), which it
    shouldn't.  Please replace those with straight textual mentions of the
    documents in question.

** Section 6.3.  Editorial.
  This leakage could
  potentially be utilized as part of a program of pervasive
  surveillance (see [RFC7624]]).

The extra “]]” is causing an idnits error.

[Ballot comment]
# Gunter Van de Velde, RTG AD, comments for draft-ietf-dmarc-aggregate-reporting-28

# The line numbers used are rendered from IETF idnits tool: https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-dmarc-aggregate-reporting-28.txt

# DMARC isn't really my area of expertise, so this review comes from a network generalist perspective. Some of my comments might be due to not fully understanding the technology; just something to keep in mind!

# following you find some non-blocking comments.

# General Review
# ==============

## I noticed that the word "Mail" is sometimes written with an uppercase M and other times in lowercase. Additionally, "email" is used in some places. Was this intentional? Would it make sense to standardize it and simply use "mail" throughout for consistency?

## idnits identifies few downrefs. The shepherd report suggest that only RFC6713 is not in the downref register, however it seems that RFC7489 may also not be in there (https://datatracker.ietf.org/doc/downref/) and is an ISE document. The last call did call out the 3 downrefs.

# Detailed Review
# ===============

167   The report may include the following data:

GV> next a list of metadata included. Would it be useful to add usage structure for these?
For example:

Report ID
* Reporting Organization (ISP, mail receiver)
* Date range covered by the report

Email Authentication Results:
* SPF (Sender Policy Framework) alignment status
* DKIM (DomainKeys Identified Mail) alignment status
* DMARC policy result (pass/fail)

Sending Source Details:
* IP addresses of sending servers
* Number of messages sent from each IP
* Reverse DNS information of the sending IP

Policy Evaluation:
* The applied DMARC policy (none, quarantine, or reject)
* How many emails were accepted, rejected, or quarantined
* Alignment failures and reasons

Domain Alignment Check:
* Whether the SPF and DKIM domains align with the From: domain

597   1.  A signature that passes DKIM, in strict alignment with the
598       RFC5322.From domain
599   2.  A signature that passes DKIM, in relaxed alignment with the
600       RFC5322.From domain

GV> idnit or clarification. Not sure what "RFC5322.From domain" wants to specify? Is this a typo or copy/paste glitch?

789   mail.receiver.example!example.com!1013662812!1013749130.xml.gz
790   No specific MIME message structure is required.  It is presumed that

GV> idnit or clarification. Should this maybe read as:
There is no specific MIME message structure required with mail.receiver.example!example.com!1013662812!1013749130.xml.gz

Kind Regards,
Gunter Van de Velde
Routing Area Director

[Ballot comment]
Thanks for addressing my previous DISCUSS point (I told you that it was super easy to fix)

## COMMENTS (non-blocking)

### Abstract

It is unclear to me what is meant by `as supported by the receiver`.

s/replaces [RFC7489]/obsoletes and replaces [RFC7489]/

### Section 1

Suggest repeating the expansion for "DMARC".

s/to request that receivers/to request that e-mail receivers/ ? (see further)

### Section 2

Suggest to be consistent in the naming "Mail Receivers" (to be preferred) or "mail receivers" or "receivers".

### Section 2.1.1.8

What is a `The connecting IP`? I only know about "The connecting IP address" also valid for s/source_ip/source_ip_address/ (probably too late to change the element name).

### Section 2.1.1.10

Where is "RFC5322.From" defined ? I can guess it of course, but let's be accurate.

[Ballot discuss]

# Éric Vyncke, INT AD, comments for draft-ietf-dmarc-aggregate-reporting-27
CC @evyncke

Thank you for the work put into this document.

Please find below one blocking DISCUSS points (easy to address), some non-blocking COMMENT points (but replies would be appreciated even if only for my own education).

Special thanks to Barry Leiba for the shepherd's write-up including the WG consensus *and* the justification of the intended status.

Please note that Anthony Somerset is the DNS directorate reviewer and you may want to consider this dns-dir review as well when it will be available (no need to wait for it though):
https://datatracker.ietf.org/doc/draft-ietf-dmarc-aggregate-reporting/reviewrequest/21440/

I hope that this review helps to improve the document,

Regards,

-éric


## DISCUSS (blocking)

As noted in https://www.ietf.org/blog/handling-iesg-ballot-positions/, a DISCUSS ballot is just a request to have a discussion on the following topics:

### Appendix B

Please do not use RFC 1918 IP addresses such as `192.168.4.4`, but one of the documentation prefixes, e.g., "2001:db8::cafe"

Please use an example FQDN, i.e., s/report_sender@example-reporter.com/report_sender@reporter.example.com/

[Ballot comment]

## COMMENTS (non-blocking)

### Abstract

It is unclear to me what is meant by `as supported by the receiver`.

s/replaces [RFC7489]/obsoletes and replaces [RFC7489]/

### Section 1

Suggest repeating the expansion for "DMARC".

s/to request that receivers/to request that e-mail receivers/ ? (see further)

### Section 2

Suggest to be consistent in the naming "Mail Receivers" (to be preferred) or "mail receivers" or "receivers".

### Section 2.1.1.8

What is a `The connecting IP`? I only know about "The connecting IP address" also valid for s/source_ip/source_ip_address/ (probably too late to change the element name).

### Section 2.1.1.10

Where is "RFC5322.From" defined ? I can guess it of course, but let's be accurate.

IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-dmarc-aggregate-reporting-23. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there are two actions which we must complete.

First, in the ns registry in the IETF XML Registry group located at:

https://www.iana.org/assignments/xml-registry/

a single new registration will be made as follows:

ID: dmarc-2.0
URI: urn:ietf:params:xml:ns:dmarc-2.0
Filename: [ TBD-at-Registration ]
Reference: [ RFC-to-be ]

As this document requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have completed the required Expert Review via a separate request.

Second, in the schema registry also on the IETF XML Registry group located at:

https://www.iana.org/assignments/xml-registry/

a single new registration will be made as follows:

ID: dmarc-2.0
URI: urn:ietf:params:xml:ns:dmarc-2.0
Filename: [ TBD-at-Registration ]
Reference: [ RFC-to-be ]

As this also requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have completed the required Expert Review via a separate request.

We understand that these are the only actions required to be completed upon approval of this document.

NOTE: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Sr. Specialist

Request for Last Call review by ARTART Completed: On the Right Track. Reviewer: Martin Thomson. Sent review to list. Submission of review completed at an earlier date.

The following Last Call announcement was sent out (ends 2024-12-06):

From: The IESG
To: IETF-Announce
CC: barryleiba@computer.org, dmarc-chairs@ietf.org, dmarc@ietf.org, draft-ietf-dmarc-aggregate-reporting@ietf.org, superuser@gmail.com
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Domain-based Message Authentication, Reporting, and Conformance (DMARC) Aggregate Reporting) to Proposed Standard


The IESG has received a request from the Domain-based Message Authentication,
Reporting & Conformance WG (dmarc) to consider the following document: -
'Domain-based Message Authentication, Reporting, and Conformance
  (DMARC) Aggregate Reporting'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2024-12-06. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  Domain-based Message Authentication, Reporting, and Conformance
  (DMARC) allows for Domain Owners to request aggregate reports from
  receivers.  This report is an XML document, and contains extensible
  elements that allow for other types of data to be specified later.
  The aggregate reports can be submitted to the Domain Owner's
  specified destination as supported by the receiver.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-dmarc-aggregate-reporting/



No IPR declarations have been submitted directly on this I-D.


The document contains these normative downward references.
See RFC 3967 for additional information:
    rfc6713: The 'application/zlib' and 'application/gzip' Media Types (Informational - Internet Engineering Task Force (IETF) stream)
    rfc7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC) (Informational - Independent Submission stream)

This document is part of a set that includes draft-ietf-dmarc-dmarcbis, and the
set together obsoletes RFC 7489, the Independent-Stream DMARC definition.  The
set moved DMARC and its associated feedback reports to Standards Track.

The working group decided to split Aggregate Reporting and Failure Reporting
out from the protocol specification and into separate documents.  The working
group now has to decide whether, in the end, to publish or drop Failure
Reporting.  But this document, Aggregate Reporting, has solid consensus and
significant implementation and deployment.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  Broad agreement.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?
 
  No particular controversy; the consensus was fairly easy.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)
 
  No.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?
 
  There is very significant implementation of the existing (Independent Stream)
  DMARC protocol, which includes aggregate reporting.  There are too many
  implementations to document them.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.
 
  The main external organization involved here is M3AAWG, and there is significant
  M3AAWG participation in this working group (in particular, the chairs and document
  editors).  No further reviews are needed.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.
 
  None are applicable.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?
 
  This is not applicable.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.
 
  No automated validation was done.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?
 
  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?
   
    None, and none.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?
   
    Proposed Standard.  Because this is proposing a standard.  Yes.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.
   
    Yes, and there are no IPR disclosures to discuss.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front page
    is greater than five, please provide a justification.
   
    Yes.  Not applicable.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)
   
    Nothing to note.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].
   
    No.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?
   
    None.  Not applicable.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.
   
    RFC 6713

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?
   
    No.  Not applicable.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.
   
    Yes.  Yes.  The primary document that obsoletes 7489 is the related dmarcbis draft.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).
   
    Um... I reviewed it.  It's fine.  How does one "describe" that?  Everything that
    needs confirming is confirmed.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.
   
    None.  Not applicable.

This document is part of a set that includes draft-ietf-dmarc-dmarcbis, and the
set together obsoletes RFC 7489, the Independent-Stream DMARC definition.  The
set moved DMARC and its associated feedback reports to Standards Track.

The working group decided to split Aggregate Reporting and Failure Reporting
out from the protocol specification and into separate documents.  The working
group now has to decide whether, in the end, to publish or drop Failure
Reporting.  But this document, Aggregate Reporting, has solid consensus and
significant implementation and deployment.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  Broad agreement.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?
 
  No particular controversy; the consensus was fairly easy.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)
 
  No.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?
 
  There is very significant implementation of the existing (Independent Stream)
  DMARC protocol, which includes aggregate reporting.  There are too many
  implementations to document them.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.
 
  The main external organization involved here is M3AAWG, and there is significant
  M3AAWG participation in this working group (in particular, the chairs and document
  editors).  No further reviews are needed.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.
 
  None are applicable.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?
 
  This is not applicable.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.
 
  No automated validation was done.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?
 
  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?
   
    None, and none.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?
   
    Proposed Standard.  Because this is proposing a standard.  Yes.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.
   
    Yes, and there are no IPR disclosures to discuss.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front page
    is greater than five, please provide a justification.
   
    Yes.  Not applicable.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)
   
    Nothing to note.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].
   
    No.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?
   
    None.  Not applicable.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.
   
    RFC 6713

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?
   
    No.  Not applicable.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.
   
    Yes.  Yes.  The primary document that obsoletes 7489 is the related dmarcbis draft.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).
   
    Um... I reviewed it.  It's fine.  How does one "describe" that?  Everything that
    needs confirming is confirmed.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.
   
    None.  Not applicable.

This document is part of a set that includes draft-ietf-dmarc-dmarcbis, and the
set together obsoletes RFC 7489, the Independent-Stream DMARC definition.  The
set moved DMARC and its associated feedback reports to Standards Track.

The working group decided to split Aggregate Reporting and Failure Reporting
out from the protocol specification and into separate documents.  The working
group now has to decide whether, in the end, to publish or drop Failure
Reporting.  But this document, Aggregate Reporting, has solid consensus and
significant implementation and deployment.

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  Broad agreement.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?
 
  No particular controversy; the consensus was fairly easy.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)
 
  No.

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?
 
  There is very significant implementation of the existing (Independent Stream)
  DMARC protocol, which includes aggregate reporting.  There are too many
  implementations to document them.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.
 
  The main external organization involved here is M3AAWG, and there is significant
  M3AAWG participation in this working group (in particular, the chairs and document
  editors).  No further reviews are needed.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.
 
  None are applicable.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?
 
  This is not applicable.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.
 
  No automated validation was done.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?
 
  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?
   
    None, and none.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?
   
    Proposed Standard.  Because this is proposing a standard.  Yes.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.
   
    Yes, and there are no IPR disclosures to discuss.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front page
    is greater than five, please provide a justification.
   
    Yes.  Not applicable.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)
   
    Nothing to note.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].
   
    RFCs 5890 and 8601 should be normative references.
    RFCs 7489 and 7624 should be informative references.
    There should be a citation by “GZIP compression” to RFC 1952, and that RFC
    should be in the normative references.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?
   
    None.  Not applicable.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.
   
    RFC 6713

18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?
   
    No.  Not applicable.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.
   
    Yes.  Yes.  The primary document that obsoletes 7489 is the related dmarcbis draft.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).
   
    Um... I reviewed it.  It's fine.  How does one "describe" that?  Everything that
    needs confirming is confirmed.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.
   
    None.  Not applicable.