Thanks, John and Tim. To my mind, this doesn't create a privacy problem any different from the existing ones around spam filtering, DLP, or NDRs: somebody in an administrative position may end up looking at message contents. You have to build well-understood processes and privileges around it, so you can warn and/or make promises to your users accordingly. It's just the newest thing to do that.
What I find puzzling about the Google Apps DMARC page is that it seems to actively discourage use of the ruf= tag under any circumstances. I suppose it's easier to say, "we don't support it," than, "using this can have all kinds of unpleasant consequences, so use only with extreme caution, and only after you fully understand what they are." I think I first heard about DMARC at the 2012 MAAWG in SF. Someone, either Paul Midgen or one of the Agari guys, likened enabling forensic reports to drinking from a fire hose. I found that apt. J On Mon, Apr 29, 2013 at 10:15 AM, John Levine <[email protected]> wrote: >> Hi John, Google doesn't generate the ruf= type reports. Why? Only >> Google can say, but my imaginative conjecture is that major providers >> don't want to handle the support load *and*, because DMARC is >> relatively new, they don't want to be trailblazers in the "hey, here's >> a new way to get access to potentially sensitive data" arena. > > Having looked at the reports I do get, I can confirm that ruf reports > leak all sorts of information about stuff you might not have anticipated. > As a minimum, you can expect to get a copy of every message that any of > your users sends to any mailing list. > > R's, > John > _______________________________________________ > dmarc-discuss mailing list > [email protected] > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well terms > (http://www.dmarc.org/note_well.html) -- "Science is like an inoculation against charlatans who would have you believe whatever it is they tell you." (Neil DeGrasse Tyson) _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
