On 12/28/20 7:48 AM, Todd Herr wrote:
> not a lawyer, but providing A with some information about a message
> that A sent to X seems different, from a privacy perspective, than
> providing A with some information about a message impersonating A that
> B sent to X, and I thought perhaps the generic warning might mention
> this distinction, if possible. Something like:
>
> Security considerations
>
> Failure reports provide detailed information about the failure of a
> single message or a group of similar messages failing for the same
> reason. They are meant to aid domain owners to detect why failures
> reported in aggregate form occurred. It is important to note these
> reports can contain either the header or the entire content of a
> failed message, AND THAT THE DOMAIN OWNER RECEIVING THE
> REPORTS MAY NOT BE THE ORIGINATING PARTY FOR THE MESSAGE(S)
> REFERENCED IN THE FAILURE REPORTS. IN ANY CASE, THEY may contain
> personally identifiable information, which should be considered
> when deciding whether to generate such reports.
This is a tempest in a teapot. This is an issue with the originating
domain and nobody else. They can send it to a third party even if the
url lists them to receive the report first. The receiving domain can't
know what they will do with the report, and the originating domain has
already seen the mail in clear text before it was sent. IETF should stay
out of the business of being nannies that it has no way to enforce.
Mike
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc