On Apr 29, 2013, at 3:43 PM, Scott Kitterman <[email protected]> wrote:
> On Monday, April 29, 2013 10:28:32 PM Franck Martin wrote:
>> On Apr 29, 2013, at 1:53 PM, Steve Atkins <[email protected]> wrote:
>>> On Apr 29, 2013, at 1:40 PM, Franck Martin <[email protected]> wrote:
>>>> On Apr 29, 2013, at 1:34 PM, John R Levine <[email protected]> wrote:
>>>>>>> For the institutional domains that are DMARC's main target, there's no
>>>>>>> problem since there's no mail from individual users, but for domains
>>>>>>> with people, and particularly domains where the people are not
>>>>>>> employees of the domain operator, the privacy issues are worrying.
>>>>>>
>>>>>> p=none is used on all kinds of domains.
>>>>>>
>>>>>> Per the spec, the sending of a failure report is not tied to any p=,
>>>>>> only that the email fails dmarc.
>>>
>>>>> Quite right. For anyone with live users in their mail domains, ruf=
>>>>> provides the system admin ability to snoop on mail that he should never
>>>>> have seen.
>>
>>>> I think this statement is overreaching, you have not yet demonstrated
>>>> that the system admin would have access to emails he would not have been
>>>> able to obtain via other means.
>
>>> If I send mail from my ISP's smarthost, using my corporate email address,
>>> to a deliverable recipient, how would my corporate postmaster have access
>>> to that email?
>> Company policies forbid you to just do that... even to forward your email to
>> an external mailbox... Just saying... This is part of the email retention
>> regulations companies need to adopt.
>>
>> http://blog.sonian.com/bid/51121/Email-Retention-Policy-Not-Having-One-Could
>> -Cost-Your-Company
>> http://www.in.gov/icpr/files/policyemailandguidelines.pdf
>>
>> Maybe we need to be clear on the legal/policy environment one must adhere
>> to before using DMARC?
>
> I think the privacy/policy considerations are significantly different for
> aggregate and individual reports, so there are at least two answers for that.
>

Agreed. In general, people have not found aggregate reports to be too much of an issue. Failure reports by their nature, like bounces, may contain a complete email. The important question for me is: who is responsible, the person publishing the DMARC record or the person following the instructions in the DMARC record?

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
