Two comments:

1) Most of the failure reports I've seen haven't included the message body; they've only included the headers. So the exposure is limited. I assume limiting the exposure is the whole reason why the reports don't include message bodies.

2) The people receiving the failure reports aren't "total strangers." They are either (a) the same people who run the email infrastructure (if failure reports are handled internally), who are presumably authorized to look at email headers while troubleshooting issues, or (b) third-party data processors (to use the GDPR terminology), which are permitted as long as how they are using the data is disclosed to users.

There /could be/ a GDPR issue if failure reports are sent to a third-party processor /and/ that isn't disclosed to the user, but it isn't /ipso facto/ a GDPR issue to use a third-party processor to manage failure reports.

  jik

(I know more about the GDPR than I would like, and less than I should. :-/ )

On 5/30/18 10:56 AM, Richard via dmarc-discuss wrote:

Date: Tuesday, May 29, 2018 19:35:27 -0400
From: John Levine via dmarc-discuss <dmarc-discuss@dmarc.org>

In article
<CAAQnKjChHsgxFy=BrxQsObeUVVPRMuDpFOcSP6v8dz2m_bT=+a...@mail.gmail.com
you write:
I'm surprised to learn of the low value of failure reports.
It's a lawyer thing.  Failure reports send copies of your users'
mail to total strangers.  Maybe those strangers had something to do
with that mail, maybe not.  You can make various arguments about
why even if the strangers didn't have anything to do with the mail
they should get to see it anyway, but you know how lawyers are,
always telling you to spend $1000 to defend against a $10 risk.


I realize that enforcement of GDPR is still a work in progress, but:

   > Failure reports send copies of your users'
   > mail to total strangers.

would seem to run directly against its intent.


_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)