On Mon, Aug 25, 2025 at 5:34 AM Todd Herr <[email protected]> wrote:

> For the following scenario:
> - A is the domain owner that published the DMARC policy and consumes
> reports
> - B is the entity sending email that makes unauthorized use of A's domain
> - C is the recipient of said email, an entity heretofore unknown to A
> - D is the report generator
>
> Any report generated by D that is sent to A and that contains any of
> C's PII creates a privacy concern for D and also by extension an exposure
> of that PII to A. I'm not a lawyer nor am I well versed in privacy laws,
> but to the extent that such laws may apply, A now has a concern about how
> to deal with C's PII.
>

I am also not a lawyer, but I suspect it's a stretch to say the recipient
of an unintentional disclosure now has an obligation that has to be
asserted or disclosed.  As far as the protocol goes, at that point, the
damage is already done.

-MSK
_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]
