On 11/11/19 6:22 pm, Steven M Jones via dmarc-discuss wrote:

This has been a bit of a problem, as non-verification of “ruf” addresses 
combined with people copying sample DMARC records in their deployments led to 
what I have to assume are violations of GDPR and several other privacy regimes.

I would hope people would see reporting address verification as an important 
mitigation of concerns about “ruf” reporting. My fear is that instead it makes 
the lawyers say “no” a few microseconds faster...

Speaking entirely speculatively: it occurs to me that as almost no-one is sending failure reports other than to domain registrants with whom an agreement is in place (either directly or through an intermediary), it is entirely possible that some receivers sending ruf reports aren't looking at the ruf field at all, but are instead manually configuring an address specified in the agreement. I have no evidence for this apart from the typical behaviour of lawyers and the tendency to lock down contact addresses in contract schedules, but it would explain what's being observed.

For receivers behaving this way who are subject to GDPR, there's a rather direct way to solve the problem: report the unsolicited disclosure of personal information by the receiver to the receiver's DPO. In some cases the DPO will be the reflexively risk-averse lawyer who will do anything possible to offload liability (and will therefore kill the receiver's participation in failure reporting), but most are deeply schooled in balancing interests (all processing on the 6(1)(f) "legitimate interests" basis requires that it be done formally; this would include all participation in DMARC failure reporting) and will simply treat it as an error to fix promptly.

- Roland

_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
