On Mon, Aug 25, 2025 at 2:51 AM Murray S. Kucherawy <[email protected]> wrote:
> On Sun, Aug 24, 2025 at 10:43 AM Alessandro Vesely <[email protected]> wrote:
>
>> > 7. Privacy Considerations
>> > [...]
>> >
>> > Given these factors, many large-scale providers limit or entirely disable the
>> > generation of failure reports, preferring to rely on aggregate reports, which
>> > provide statistical visibility without exposing sensitive content. Operators
>> > that choose to enable failure reporting are strongly encouraged to:
>>
>> 1. Privacy considerations apply not only to the generation, but also to the
>> consumption of failure reports.
>>
>
> What privacy concern is created by consuming a failure report?
>

For the following scenario:

- A is the domain owner that published the DMARC policy and consumes reports
- B is the entity sending email that makes unauthorized use of A's domain
- C is the recipient of said email, an entity heretofore unknown to A
- D is the report generator

Any report generated by D that is sent to A and that contains any of C's PII
creates a privacy concern for D and also by extension an exposure of that PII
to A. I'm not a lawyer nor am I well versed in privacy laws, but to the extent
that such laws may apply, A now has a concern about how to deal with C's PII.

-- 
Todd Herr
Some Guy in VA LLC
[email protected]
703-220-4153
_______________________________________________ dmarc mailing list -- [email protected] To unsubscribe send an email to [email protected]
