Hello Steve,

do you mean that a mailhost sending emails for a particular domain, protected by a restrictive DMARC policy, has no authority to decide that persons appointed by the mailhost provider can read any email and any report?

I mean, a domain @A.int publishes “p=reject; [email protected]” and sends all emails over host mail.a.int. The provider gives access to all (sent) emails to person Z. Does publishing [email protected] by the domain owner mean that the domain owner is capable of ensuring that the persons who receive the failure reports and the persons who can read all sent mails from @a.int are the same persons? Or does it mean that the domain owner is not capable of making such a decision?

Z is capable of sending a copy of all outgoing mails intended for a particular provider to a dedicated mailbox at that provider, then fetching the emails from the dedicated mailbox and filtering the ones with Authentication-Result: dmarc=fail.

> The mailbox provider has no way of knowing that you sent the mail. If it was
> authenticated as coming from you this wouldn't be an issue.

The receiving server knows which IP address sent the mail, and it knows to which set of IP addresses the failure report will go. If there is a match in the IP addresses, then the receiving server knows that the one who will get the report is also the one who has access to the message anyway.

I think now that not sending failure reports has nothing to do with (privacy) concerns. It is either laziness of the receiving site to make the appropriate setup, or unwillingness to reveal information about mismatching DKIM implementations of sender and receiver. With willingness to align the implementations, a receiving site having (privacy) concerns can offer a mailbox to the sending site, where the sending mailhost duplicates each email from the sending to the receiving host. Then the sending host can fetch the mails and look for A-R: dmarc=fail.

That said, I would like to see some text in the revisited DMARC specification about obtaining information about messages failing DMARC, sent from a particular mailhost to another mailhost, when the receiving site does not send failure reports (for any reason), but is otherwise willing to exchange information about messages failing DMARC validation.

Regards
  Дилян

On Sun, 2019-08-04 at 10:35 +0100, Steve Atkins wrote:
> > On Aug 4, 2019, at 9:18 AM, Дилян Палаузов <[email protected]> wrote:
> >
> > Hello Steve,
> >
> > in both cases it is about information that was sent over from the same
> > mailhost.
>
> The mailbox provider has no way of knowing that you sent the mail. If it was
> authenticated as coming from you this wouldn't be an issue.
>
> One mail was sent to *you*. It's OK for you to have access to it.
>
> The other mail was sent to someone *not you*. There's no a priori reason you
> should have access to the content of the message.
>
> Cheers,
>   Steve
>
> >
> > To whom the information was sent decides the operator of the mailhost,
> > not the one who suppresses failure reports.
> >
> > In any case, for a failure report containing only the Message-Id it does
> > not matter what information the email carried and to whom the
> > information was sent.
> >
> > Regards
> >   Дилян
> >
> > On Sun, 2019-08-04 at 09:07 +0100, Steve Atkins wrote:
> > > > On Aug 2, 2019, at 10:41 PM, Дилян Палаузов <[email protected]> wrote:
> > > >
> > > > Hello,
> > > >
> > > > I just thought once again on this.
> > > >
> > > > Some of the senders of aggregate reports offer free mailboxes.
> > > >
> > > > Aggregate reports show that emails from a host to a provider of free
> > > > mailboxes sometimes do not validate DMARC.
> > > >
> > > > The one provider sending emails opens a free mailbox on the receiver
> > > > and then sends a secret copy of each, otherwise ordinary delivered
> > > > email, to that special mailbox.
> > > >
> > > > Then the mails from that mailbox are downloaded, and the A-R header is
> > > > checked. By this way the sender finds out which messages exactly have
> > > > failed DMARC validation.
> > > >
> > > > At the end the same information is obtained that can be obtained by
> > > > exchanging a failure report: which messages have failed.
> > >
> > > Information found in mail headers in accounts that you have created
> > > includes email that's been sent to you.
> > >
> > > Information found in failure reports includes email that generally was
> > > not sent to you.
> > >
> > > Cheers,
> > >   Steve

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
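
The check described in this message (fetch the copies from the dedicated mailbox and look for A-R: dmarc=fail), as an added example that is not part of the original thread. The authserv-id `mx.provider.example` and the sample messages are constructed assumptions; only results stamped by that authserv-id are trusted, and quoted strings containing `;` are not handled.

```python
import email
import re

# Constructed copies as fetched from the dedicated mailbox (not real traffic).
# "mx.provider.example" is an assumed authserv-id of the receiving provider.
SAMPLES = [
    "Authentication-Results: mx.provider.example; dkim=pass header.d=a.int;\n"
    " dmarc=pass (p=REJECT) header.from=a.int\n"
    "Message-ID: <1@mail.a.int>\n\nbody\n",
    # Folded header whose comment contains a ';'.
    "Authentication-Results: mx.provider.example;\n"
    " dkim=fail (body hash; did not verify) header.d=a.int;\n"
    " dmarc=fail (p=REJECT) header.from=a.int\n"
    "Message-ID: <2@mail.a.int>\n\nbody\n",
    # A dmarc=fail stamped by some other host must not be trusted.
    "Authentication-Results: mx.provider.example; dmarc=pass header.from=a.int\n"
    "Authentication-Results: relay.other.example; dmarc=fail header.from=a.int\n"
    "Message-ID: <3@mail.a.int>\n\nbody\n",
]

def strip_comments(value):
    """Remove (possibly nested) parenthesised comments from a header value."""
    previous = None
    while previous != value:
        previous, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def dmarc_result(msg, authserv_id):
    """DMARC result recorded by authserv_id, or None if it recorded none."""
    for raw in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in strip_comments(" ".join(raw.split())).split(";")]
        if not parts[0] or parts[0].split()[0].lower() != authserv_id.lower():
            continue
        for part in parts[1:]:
            found = re.match(r"dmarc\s*=\s*([a-z]+)", part, re.I)
            if found:
                return found.group(1).lower()
    return None

def failing_message_ids(raw_messages, authserv_id):
    """Message-IDs of the copies the receiving provider marked dmarc=fail."""
    failed = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        if dmarc_result(msg, authserv_id) == "fail":
            failed.append(msg.get("Message-ID", "").strip())
    return failed

if __name__ == "__main__":
    print(failing_message_ids(SAMPLES, "mx.provider.example"))
```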
