On Sun 24/Aug/2025 00:52:01 +0200 Murray S. Kucherawy wrote:
As promised, this is what Trent and I propose as a replacement to the current Section 7, to enhance privacy considerations about failure reports based on accumulated experience.

Comments welcome, of course.  A diff is not provided as this is a wholesale replacement, though there is clearly some text preserved from the version currently in the datatracker.


I'll only quote the parts I comment on:


7. Privacy Considerations
[...]

Given these factors, many large-scale providers limit or entirely disable the generation of failure reports, preferring to rely on aggregate reports, which provide statistical visibility without exposing sensitive content. Operators that choose to enable failure reporting are strongly encouraged to:


1. Privacy considerations apply not only to the generation, but also to the consumption of failure reports.

2. Perhaps we can say we /recommend limiting or entirely disabling/. The wording of the paragraph doesn't make it clear whether the recommendation is directed only at large-scale providers or whether we're recommending to behave as large-scale providers do. Would we dare a SHOULD NOT unless they know what they're doing?

3. I'm not sure a comparison with aggregate reports is significant here.

[...]

Moreover, some implementers and consumers of failure reports have attempted to use them for purposes such as deep threat hunting, malware inspection, or content analysis. While technically feasible, such uses exceed the scope of DMARC’s reporting intent and amplify privacy exposure by treating user communications as telemetry data. DMARC reporting is designed for authentication failure diagnostics, not for generalized message content analysis.


Isn't threat analysis one of the purposes of failure reports?


[...]

The risks associated with failure reports are compounded by volume and content distribution concerns. In high-volume domains, these reports may propagate large amounts of spam, phishing messages, or malware samples, inadvertently increasing the spread of abusive content.


Yup! The target mailbox for failure reports had better be clear of antivirus filters, with the resulting risk for those who read it. This is rather a security concern.


Best
Ale
--





_______________________________________________
dmarc mailing list -- dmarc@ietf.org
To unsubscribe send an email to dmarc-le...@ietf.org
