> -----Original Message----- > From: ietf-bounces@xxxxxxxx [mailto:ietf-bounces@xxxxxxxx] On Behalf Of Scott Kitterman > Sent: Monday, May 07, 2012 3:35 PM > To: ietf@xxxxxxxx > Subject: Re: Last Call: <draft-kucherawy-marf-source-ports-03.txt> (Source Ports in ARF Reports) to Proposed Standard > > My suggestion would be to change the last part of section three to > read: > > When any authentication failure report [AUTHFAILURE-REPORT] is generated > that includes the "Source-IP" reporting field (see Section 3.1 of > [AUTHFAILURE-REPORT]]), this field MAY also be included. > > Other than that, I think it's ready to go. If all one is doing is figuring out why something like a DKIM signature failed on an otherwise legitimate message, then I agree the source port isn't a useful input to that work. In fact, as far as DKIM goes, the source IP address is probably not useful either. If, however, one is trying to track down the transmission of fraudulent email such as phishing attacks, source ports can be used to identify the perpetrator more precisely when compared to logs. Support for this latter use case is why I believe RECOMMENDED is appropriate. -MSK