In the bulk email space most messages are sent with a unique 5321.from address (VERP). Are you suggesting that no DMARC reports should be sent for commercial bulk mail?

laura

> On 3 May 2021, at 12:21, Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:
>
> To address Laura's concerns about individual targeting, the reporting needs to ensure a minimum level of aggregation on all reports.
>
> This starts with MailFrom. If less than N unique recipient addresses are included, the report should not be sent at all.
>
> If a DKIM selector occurs on less than N unique recipient addresses, the DKIM selector should be replaced with * or Null.
>
> I do not have a strong opinion about N, but am thinking 10.
>
> Doug Foster
>
> On Mon, May 3, 2021 at 4:49 AM Laura Atkins <la...@wordtothewise.com> wrote:
>
>> On 3 May 2021, at 07:27, Hans-Martin Mosner <h...@heeg.de> wrote:
>>
>> On 02.05.21 at 22:30, John Levine wrote:
>>> It appears that Matthäus Wander <mail@wander.science> said:
>>>> envelope_to allows you to automatically correlate these reports and reconstruct the forwarding path. This helps to identify the culprit who is breaking DKIM signatures, especially with longer forwarding chains. Without envelope_to, reconstructing the mail flow requires guessing and manual work.
>>> It is none of your business to whom I forward my mail.
>>
>> True, unless you (generic you, not John L.) make it my business by complaining about not receiving my mail either in a support request (which may cause quite some work) or in a public forum (which might damage my reputation and even cause more work).
>
> I will point out that for a lot of us online (specifically those of us who don’t check any or all of the cis-het-white-male categories) forwarding mail and protecting our identities are crucial to our ability to actually participate in an online life. Stalking and harassment are real. I, personally, have been being low-level stalked by someone for over a decade now. I have been put into positions where I have to make calculated decisions about my ability to participate in places based on my personal safety. I have involved the police in the past for specific threats against me. The first time I was threatened and stalked online was more than 20 years ago. This is not some ‘oh, it only happens to some people’, it happens to a lot of people, regularly.
>
> The threats I’ve had to deal with, just for being a woman in an online environment, are minor compared to some threats other women, BIPOC and members of other marginalized groups have had to put up with. I’ve never had to move out of my house for my safety. ISPs HAVE doxxed individuals in the past, both accidentally and through deliberate policy decisions. Adding personally identifiable information into DMARC reports is problematic in a way I don’t think many men here realize.
>
> It is not anyone’s business how I might route mail to protect my safety. And, frankly, the issues of data privacy and safety for people online significantly trump the concern that someone’s reputation might be slightly impacted because they can’t troubleshoot an individual mail failure.
>
>> I am too often in a position of being requested to solve a problem but the requestors don't even provide the minimal logging info or even error texts to even start analyzing their problem. In such cases I want to be able to look at as much info as possible so as to provide a decent service.
>>
>> I don't snoop on mail logging info to satisfy my curiosity or to increase my revenue, but to solve my user's problems.
>
> This is irrelevant. How, in fact, do you protect your users' safety and privacy? How do you ensure that the request is actually coming from your user and not from someone attempting to discover where they are and defeat personal safety measures your user has put in place to protect themselves from harassment and stalking? Maybe they don’t provide the minimum logging info or texts because they’re attempting to social engineer you into revealing someone’s information and identity that forms a chain that leads to their safety being compromised.
>
>> Whether envelope_to would help my work isn't clear, but apparently it would help Matthäus in his work.
>
> But is that work necessary and relevant? Does that process protect people? Does it facilitate online threats, harassment and stalking? Will someone who is trying to hide their location due to a credible threat be harmed by this protocol decision?
>
> laura
>
> --
> Having an Email Crisis? We can help! 800 823-9674
>
> Laura Atkins
> Word to the Wise
> la...@wordtothewise.com
> (650) 437-0741
>
> Email Delivery Blog: https://wordtothewise.com/blog

--
Having an Email Crisis? We can help! 800 823-9674

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741

Email Delivery Blog: https://wordtothewise.com/blog

_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
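
The two aggregation rules proposed in the quoted message, and the VERP case raised in the reply, worked through as an added example that is not part of the thread or of any DMARC implementation. The record layout, the function names and the sample addresses are assumptions, as is counting a selector's recipients within one MailFrom group; the thread does not specify these.

```python
from collections import defaultdict

N = 10  # value floated in the thread; the proposal leaves N open

def aggregate(records, n=N):
    """records: (mail_from, dkim_selector, recipient) tuples.
    Returns (report, suppressed): report maps mail_from -> {selector: messages};
    suppressed counts messages left out of reporting entirely."""
    rcpts_from = defaultdict(set)   # unique recipients per MailFrom
    rcpts_sel = defaultdict(set)    # unique recipients per (MailFrom, selector)
    msgs = defaultdict(int)
    for mail_from, selector, rcpt in records:
        rcpts_from[mail_from].add(rcpt.lower())
        rcpts_sel[(mail_from, selector)].add(rcpt.lower())
        msgs[(mail_from, selector)] += 1
    report, suppressed = {}, 0
    for (mail_from, selector), count in msgs.items():
        if len(rcpts_from[mail_from]) < n:
            suppressed += count     # rule 1: no report for this MailFrom
            continue
        # rule 2: mask a selector seen on too few recipients
        key = selector if len(rcpts_sel[(mail_from, selector)]) >= n else "*"
        row = report.setdefault(mail_from, {})
        row[key] = row.get(key, 0) + count
    return report, suppressed

def sample_shared():
    # Constructed: one fixed MailFrom, 14 recipients, two selectors.
    recs = [("bounce@news.example", "s1", f"user{i}@rcpt.example") for i in range(12)]
    recs += [("bounce@news.example", "s2", f"user{i}@rcpt.example") for i in (12, 13)]
    return recs

def sample_verp():
    # Constructed: VERP-style sender, a distinct MailFrom per recipient.
    return [(f"bounce+user{i}=rcpt.example@bulk.example", "s1",
             f"user{i}@rcpt.example") for i in range(12)]

if __name__ == "__main__":
    print(aggregate(sample_shared()))
    print(aggregate(sample_verp()))
```

With the fixed MailFrom the report survives and only the rarely seen selector is masked; with the VERP sample every MailFrom has a single recipient, so all twelve messages fall under the threshold and nothing is reported.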