I work for an organization that has fairly stringent security requirements regarding where our data is stored. We recently moved towards DMARC, and are working with Agari.
One of the things that Agari does - essentially the most important - is receive and analyze any forensic data returned. The issue that we've noticed is that the forensic data is the entirety of the email. It isn't just header info, but contains the entire message text, along with attachments. This means that any externally-bound valid email that is mistakenly marked as a failure will have forensic data - i.e. the entire email - sent to Agari. They will house the emails on their internal servers, wherever their data center is. These emails are available for only 14 days. However, they cannot tell me how long their system backups are stored. It wouldn't matter if they could, as we have no way of auditing their security measures, enforcing requirements, validating encryption, backup storage security, etc.

Agari advertises as a cloud service, yet they are not FedRAMP'd, which I believe should put them out of consideration for most federal agencies, considering accidental disclosure of classified data via email, if flagged as a failure via DMARC, would cause the email and hence the sensitive data to be housed outside of any government system. If Agari's systems were to be hacked, all of this data would be available - and again, they are not FedRAMP'd, which ostensibly certifies their compliance with federal security requirements.

Does anyone know if this issue has been discussed before (I couldn't find it), and how any of you out there who may work at organizations with similar security concerns have dealt with this issue?
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
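The concern raised above comes down to one DMARC tag: `ruf=` names the addresses that receive per-message failure reports, and those reports can carry the complete failing message, so whoever owns the `ruf` mailbox receives message bodies and attachments. A practical control is to audit the published DMARC record and confirm that no `ruf` destination lies outside domains the organization controls (or that `ruf` is absent when policy forbids message content leaving). The script below is an added example, not code from the original post or from Agari; the records and the domains `example.gov` and `reports.example.net` are constructed placeholders.

```python
"""Audit a DMARC TXT record for where forensic (ruf) reports would be sent.

Added example, not part of the mailing-list post. The records and domain
names used in the demo are constructed placeholders.
"""


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ruf=...' into {lowercase tag: value}."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def report_uris(value):
    """A rua/ruf value is a comma-separated list of URIs, each optionally
    followed by '!size' (a maximum report size hint); strip the size part."""
    uris = []
    for item in value.split(","):
        item = item.strip()
        if item:
            uris.append(item.split("!", 1)[0])
    return uris


def mailto_domain(uri):
    """Return the domain of a mailto: URI, or None for non-mailto URIs."""
    if uri.lower().startswith("mailto:"):
        addr = uri[len("mailto:"):]
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return None


def audit_forensic_reporting(txt, own_domains):
    """Report every ruf destination and flag those outside own_domains.

    own_domains is the set of domains the organization controls; any ruf
    mailbox elsewhere means full failing messages leave the organization.
    """
    tags = parse_dmarc(txt)
    ruf = report_uris(tags.get("ruf", ""))
    external = []
    for uri in ruf:
        dom = mailto_domain(uri)
        # Non-mailto URIs are also flagged: DMARC only defines mailto for reports.
        if dom is None or dom not in {d.lower() for d in own_domains}:
            external.append(dom or uri)
    # fo= controls how often failure reports fire: '1' reports on any single
    # mechanism failure, so it produces more reports than the default '0'.
    fo = tags.get("fo", "0").split(":")
    return {
        "policy": tags.get("p"),
        "ruf_uris": ruf,
        "external_ruf_domains": external,
        "fo": fo,
        "sends_forensic_reports": bool(ruf),
    }


if __name__ == "__main__":
    # Constructed record: ruf points at a third-party report receiver.
    record = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.gov; "
              "ruf=mailto:fail@reports.example.net!10m; fo=1")
    result = audit_forensic_reporting(record, {"example.gov"})
    for dom in result["external_ruf_domains"]:
        print(f"WARNING: forensic reports (full messages) go to {dom}")
    if result["fo"] == ["1"]:
        print("NOTE: fo=1 reports on any single SPF/DKIM failure, raising volume")
```

Run against the organization's real record (for example the output of `dig +short TXT _dmarc.<your-domain>`), any domain listed under `external_ruf_domains` is a place where the complete text of a mis-flagged outbound message can end up; removing the `ruf` tag stops per-message reports entirely, while the aggregate `rua` reports contain only counts and authentication results, not message content.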