In article <[email protected]> you write:
>Hi all,
>
>I'm going to post version -01 of failure reporting before 22 February. Please
>express consensus or ask for changes.
>
>MD version:
>https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-failure-reporting/blob/main/draft-ietf-dmarc-failure-reporting.md

My main concern continues to be that we should not have made this a separate draft, but we should put all of the reporting in one document.

In sec 3 it says the reports SHOULD include all URIs. That is a privacy problem since it is common for unsubscribe URIs to contain the recipient address in plain text or an easily reversed encoding such as base32.

The privacy considerations miss the fact that organization domains are only an approximation to actual domain ownership, and reports may be sent to someone unrelated to the actual sender. This is not hypothetical; I get reports for subdomains who are not me all the time.
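
The concern about unsubscribe URIs, as an added example that is not part of the original message or of the draft: a Python check that a report generator could run before including URIs in a failure report, flagging any URI that carries the recipient address in plain, percent-encoded, base32 or base64 form. The address, host names and function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

URI_RE = re.compile(r"https?://[^\s<>\"']+")
RCPT = "alice@example.org"  # constructed recipient address
B32 = base64.b32encode(RCPT.encode()).decode().rstrip("=").lower()
SAMPLE = (f"List-Unsubscribe: <https://lists.example.net/unsub?u={B32}&l=42>\n"
          "Read more at https://www.example.net/news/dmarc-update\n")  # constructed

def _candidates(uri):
    """Return path segments, query values and the fragment, percent-decoded."""
    parts = urlsplit(uri)
    raw = parts.path.split("/") + [parts.fragment]
    raw += [pair.partition("=")[2] for pair in parts.query.split("&")]
    return [unquote(r) for r in raw if r]

def _decodings(token):
    """Yield the token decoded as base32, base64 and base64url where valid."""
    pad = lambda s, n: s + "=" * (-len(s) % n)  # restore stripped padding
    attempts = ((base64.b32decode, pad(token.upper(), 8)),
                (base64.b64decode, pad(token, 4)),
                (base64.urlsafe_b64decode, pad(token, 4)))
    for decode, candidate in attempts:
        try:
            yield decode(candidate).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue

def leaks_recipient(uri, recipient):
    """Return 'plain', 'encoded' or None for how uri carries the recipient."""
    rcpt = recipient.lower()
    if rcpt in unquote(uri).lower():
        return "plain"
    for token in _candidates(uri):
        if any(rcpt in d.lower() for d in _decodings(token)):
            return "encoded"
    return None

def redact_uris(body, recipient):
    """Replace each URI in body that identifies the recipient with a marker."""
    def repl(m):
        kind = leaks_recipient(m.group(0), recipient)
        return f"[URI removed: {kind} recipient address]" if kind else m.group(0)
    return URI_RE.sub(repl, body)

if __name__ == "__main__":
    print(redact_uris(SAMPLE, RCPT))
```

This only catches reversible encodings of the address itself; an opaque per-recipient token still identifies the recipient to whoever issued it.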
