On Wed 03/Aug/2022 21:52:21 +0200 John Levine wrote:
He insists that the failure reports mean something is wrong, the list needs to make them go away, which of course means rewriting headers to make it harder to tell who each message was from. I suggested that if he doesn't want the reports he's asking for he should not ask for them, or perhaps use a three line procmail script to sort the obviously benign list ones, but he's sure it's the list's fault.
For aggregate reports, one has to collect the information that will later be aggregated. Failure reporting apparently requires no data collection, which is probably wrong.
Having data available, a failure report generator can check whether a similar failure was reported already, and abort the report in case. Besides the target domain, data required to compute similarity may concern message path, DKIM selectors and SPF ids. It is per-domain data, not PII. On top of that, a random toss can help reduce the total number of reports to a given domain.
Should we specify what data to collect? Would that worsen the perceived privacy violations? Should we specify a max amount / percentage of reports per domain? Should we specify how long that data has to be kept? Best Ale -- _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
