>I imagine this is worth noting in a Privacy Considerations or Security >Considerations paragraph or two, but not something that needs to be >repaired in the protocol somehow.
It's purely a documentation issue. If R sends reports to S, it's going to reveal something about how third parties relayed mail from S to R. That will reveal something about who those third parties are, and in some cases may allow report recipients to deduce information about some of of R's users. Any plausible fix would be incredibly cumbersome, along the lines of requiring the third party domains that show up in bounce addresses and signatures to publish policy records saying it's OK to include them in reports. It'd be totally impossible to audit, since those third parties have no way to see what's being reported about them. R's, John _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
