On 31/05/18 04:51, Jonathan Kamens via dmarc-discuss wrote:

On 5/30/18 4:22 PM, John Levine wrote:
2) The people receiving the failure reports aren't "total strangers."
They are either (a) the same people who run the email infrastructure (if
failure reports are handled internally), who are presumably authorized
to look at email headers while troubleshooting issues, or (b)
third-party data processors (to use the GDPR terminology), which are
permitted as long as how they are using the data is disclosed to users.
They're sent to whoever some ruf= tag points to.  I get all the
failure reports for any message with one of my domains on the From:
line, even if it was forged or a typo or a configuration error and
nobody related to me sent it.  Sounds like total strangers to me.

I don't think you can be held responsible if a "total stranger's" email ends up in your inbox because they put your domain in the From line of the email without your authorization. Furthermore, of the cases you mentioned ("forged", "typo", "configuration error"), I don't think anything but "forged" happens with sufficient frequency to be worth your concern or the concern of the European Union's member states' Data Protection Authorities.


This confuses two different "total strangers" cases:

 * One is the case where a message ended up somewhere unexpected
   because someone mistyped an email address (whether in a message or
   in a DMARC DNS record).
 * One is where an email receiver is blindly sending failure reports to
   organisations unknown to them.

The former is fine as it stands, so long as the parties involved take responsible action with the resulting disclosures (deletion by the party who unexpectedly received the data - because continued processing, including retention, has no lawful basis - and correction of the error by the party who misconfigured a mail client, mistyped an address book entry, or mistyped a DMARC DNS record).

The latter is the important question. Sending failure reports to strangers appears unjustifiable under GDPR.

- Roland
