In article <[email protected]> you write:
>> In sec 3 it says the reports SHOULD include all URIs. That is a privacy
>> problem since it is common
>> for unsubscribe URIs to contain the recipient address in plain text or an
>> easily reversed encoding
>> such as base32.
>
>
>Would something generic as the following do?
>
>   These reports SHOULD include any URI(s) from the message that failed
>   authentication, unless privacy reasons suggest otherwise. [...]

Why are we telling people to send URIs in preference to any other part
of the message? I don't see the point.

>Shall I add that verbatim as a second paragraph in Security Considerations?
>
>   In addition, note that Organizational Domains are only an approximation
>   to actual domain ownership. Therefore, reports may be sent to someone
>   unrelated to the actual sender or domain owner.

Sure, with the correction above.

R's,
John

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
