On 31/05/18 10:28, Richard via dmarc-discuss wrote:
> Date: Thursday, May 31, 2018 09:26:38 +0800
> From: Roland Turner via dmarc-discuss <dmarc-discuss@dmarc.org>
>
>> Sending failure reports to
>> strangers appears unjustifiable under GDPR.
>
> A currently common case where reports are going where they shouldn't
> is with mailing lists. If a list (that doesn't do rewrites) receives
> a message purportedly from, say, Yahoo (which is set to p=reject), mail
> to every list member whose ESP enforces DMARC will cause a
> bounce/reject, potentially causing a failure report to be sent. These
> list members have no relationship with Yahoo, save that they are on a
> list that someone sent to using a Yahoo address, and have no control
> over the list or ESP configuration. I can't think of a legitimate
> reason for Yahoo to get these reports.

Ongoing visibility of the impact of their p=reject decision seems
reasonable, although that could readily be obtained from aggregate
reports (and indeed more accurately, as more organisations send them).

Interdicting phishing is not relevant (where it might be if the address
were @paypal.com).

Even understanding the mechanism of selected failures seems a fairly
weak interest, and one that could be better pursued with private
channels rather than ruf=.

Interesting.

- Roland
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)