On 5/30/18 4:22 PM, John Levine wrote:
2) The people receiving the failure reports aren't "total strangers."
They are either (a) the same people who run the email infrastructure (if
failure reports are handled internally), who are presumably authorized
to look at email headers while troubleshooting issues, or (b)
third-party data processors (to use the GDPR terminology), which are
permitted as long as how they are using the data is disclosed to users.
They're sent to whoever some ruf= tag points to. I get all the
failure reports for any message with one of my domains on the From:
line, even if if was forged or a typo or a configuration error and
nobody related to me sent it. Sounds like total strangers to me.
I don't think you can be held responsible if a "total stranger's" email
ends up in your inbox because they put your domain in the From line of
the email without your authorization. Furthermore, of the cases you
mentioned ("forged", "typo", "configuration error"), I don't think
anything but "forged" happens with sufficient frequency to be worth your
concern or the concern of the European Union's member states' Data
Protection Authorities.
Jonathan Kamens
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
