Info which is encoded in such a way that only the sender can understand raises
no PII concern, IMHO. A sender could cache sent messages and devise how to
encode the corresponding filenames in DKIM selectors. Reporting just the
failed signature would leak the whole message by reference. So what?
Now he knows which forwarded recipients are talking with his users.
Also, whether we use the current Org domain heuristic or a tree walk
to find a higher level DMARC record, there is no way to reliably tell
the relationship between a domain publishing the rua or ruf tag and a
subdomain being reported. Partly this is the Holy Roman Empire
problem, partly the PSL is just incomplete and always will be.
Right. A user can use a submission server which is trusted not to relay
messages to third parties. Yet, ruf= can point to a completely different
environment.
No, that's not what I was talking about. I am the registry for
someplace.ny.us, and the county government is co.someplace.ny.us. I get
all of the DMARC reports for the county's mail. Oops. I'm not being
hypothetical here.
To avoid that risk, one can send just the header, and redact it
appropriately. Should the spec give practical advice about how to do that?
Since it doesn't solve the problem, no.
Any lawyers in this WG?
The IETF most definitely does not provide legal advice.
That sounds more like a bug than a feature. We should at least check that
any advice given is legally sound.
There are 195 countries in the world, and many like the US have states or
provinces with different legal systems. Legally sound where?
R's,
John