On Tue 22/Dec/2020 17:16:05 +0100 Michael Thomas wrote:
> On 12/22/20 1:22 AM, Alessandro Vesely wrote:
>> NEW
>> Failure reports provide detailed information about the failure of a single
>> message or a group of similar messages failing for the same reason. They
>> are meant to aid extreme cases where a domain owner is unable to detect why
>> failures reported in aggregate form did occur. As an extension of other
>> kinds of failure notifications, these reports can contain either the content
>> of a failed message or just its header. The latter characteristic entails
>> severe privacy concerns. For that reason, and because it turned out not to
>> be important, failure reporting is usually disabled.
>
> I'm not understanding what these "severe privacy concerns" are. It looks like a
> glorified bounce message to me. My messages pass through the originating domain
> in the clear, but it only becomes a "severe privacy concern" when it is
> reflected back? How does that work?

Unlike bounces, you're delivering PII info to a third party.

In Europe, if you set up failure reporting that way, having a third party
handling/processing meta-data or even mail content requires you to inform your
customers about that, and ask permission. If the third party is outside the EU, since
Privacy Shield got canceled last July, there is not even a legal basis anymore
that would allow you to do so at all. In all cases, you would be held
responsible for your customers' data unless the third party is signing contracts
with you to accept EU privacy laws. The EU has severe penalties for companies which
break GDPR.

I cannot tell for Canada or Australia.
Best
Ale