On 12/22/20 8:50 AM, Alessandro Vesely wrote:
On Tue 22/Dec/2020 17:16:05 +0100 Michael Thomas wrote:
On 12/22/20 1:22 AM, Alessandro Vesely wrote:
NEW
Failure reports provide detailed information about the failure of
a single
message or a group of similar messages failing for the same
reason. They
are meant to aid extreme cases where a domain owner is unable to
detect why
failures reported in aggregate form did occur. As an extension
of other
kinds of failure notifications, these reports can contain either
the content
of a failed message or just its header. The latter
characteristic entails
severe privacy concerns. For that reason, and because it turned
out not to
be important, failure reporting is usually disabled.
I'm not understanding what this "severe privacy concerns" are. It
looks like a glorified bounce message to me. My messages pass through
the originating domain in the clear, but it only becomes a "severe
privacy concern" when it is reflected back? How does that work?
Unlike bounces, you're delivering PII info to a third party.
In Europe, if you setup failure reporting that way, having a
third-party handling/ processing meta-data or even mail content
requires you to inform your customers about that, and ask permission.
If third-party is outside EU, since privacy shield got canceled last
July, there is not even a legal basis anymore that would allow you to
do so at all. In all cases, you would be held responsible for your
customers data unless third-party is signing contracts with you to
accept EU privacy laws. EU has severe penalty for companies which
breaking GDPR.
Sorry, having to ask for permission because of laws does not constitute
a "severe privacy concern". That is completely outside of the scope of
IETF and we should be pandering to it.
Mike
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
