On Apr 29, 2013, at 12:28 PM, John Levine <[email protected]> wrote:

>> To my mind, this doesn't create a privacy problem any different from
>> the existing ones around spam filtering, DLP, or NDRs: somebody in an
>> administrative position may end up looking at message contents.
>
> It's worse than that, since it sends reports to people who may have
> not been anywhere in the mail path. For example, if one of my users
> forwards her mail to a Gmail or Yahoo account, and sets up that
> account to send mail using the From address in my domain, an ruf could
> provide me with copies of every message she sends, even though
> I operate none of the systems through which the mail is sent.
>
> For the institutional domains that are DMARC's main target, there's no
> problem since there's no mail from individual users, but for domains
> with people, and particularly domains where the people are not
> employees of the domain operator, the privacy issues are worrying.

p=none is used on all kinds of domains.
Per the spec, the sending of a failure report is not tied to any p=, only that the email fails dmarc.

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
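
Added example (not part of the original message): a small Python check, using the ruf and fo tag semantics as defined in RFC 7489, showing that a record requests failure reports whenever ruf is present, whatever p= says. The function names and the sample records are constructed for illustration.

```python
# Audit a DMARC TXT record for failure-report (ruf) exposure.
# Tag semantics follow RFC 7489; sample records are constructed.

FO_MEANING = {
    "0": "all underlying mechanisms fail to produce an aligned pass",
    "1": "any underlying mechanism fails to produce an aligned pass",
    "d": "a DKIM signature fails evaluation",
    "s": "SPF fails evaluation",
}

def parse_dmarc(record):
    """Split a DMARC record into a {tag: value} dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue  # skip empty trailing segments
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def failure_report_exposure(record):
    """Report where failure reports are requested and what triggers them."""
    tags = parse_dmarc(record)
    ruf = [u.strip() for u in tags.get("ruf", "").split(",") if u.strip()]
    # fo defaults to "0" and is ignored when no ruf is published.
    fo = tags.get("fo", "0").split(":") if ruf else []
    return {
        "policy": tags.get("p", "").lower(),
        "report_to": ruf,
        "triggers": [FO_MEANING[o.strip()] for o in fo if o.strip() in FO_MEANING],
        # Depends only on ruf being present, never on the value of p=.
        "failure_reports_requested": bool(ruf),
    }

SAMPLES = [  # constructed records, example.org is a placeholder domain
    "v=DMARC1; p=none; ruf=mailto:forensics@example.org",
    "v=DMARC1; p=reject; rua=mailto:aggregate@example.org",
    "v=DMARC1; p=none; ruf=mailto:forensics@example.org; fo=1:d",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", failure_report_exposure(rec))
```

Whether a receiver actually sends failure reports is its own choice; the check only shows what the domain owner's record asks for.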
