On Thu 18/Feb/2021 17:52:55 +0100 Kurt Andersen (b) wrote:
On Thu, Feb 18, 2021 at 7:09 AM Ken O'Driscoll <ken=[email protected]> wrote:


. . . I'd propose something like the below, which I think gets across what
we all want to say.

=======
Aggregate feedback reports contain anonymized data relating to messages
purportedly originating from the Domain Owner. The data does not contain
any identifying characteristics about individual senders or receivers. No
personal information such as individual email addresses, IP addresses of
individuals, or the content of any messages, is included in reports.

Mail Receivers should have no concerns in sending reports as they do not
contain personal information. In all cases, the data within the reports
relates to the authentication information provided by mail servers sending
messages on behalf of the Domain Owner. This information is necessary to
assist Domain Owners in implementing and maintaining DMARC.

Domain Owners should have no concerns in receiving reports as they do not
contain personal information. The reports only contain aggregated
anonymized data related to the authentication details of messages claiming
to originate from their domain. This information is essential for the
proper implementation and operation of DMARC. Domain Owners who are unable
to receive reports for organizational reasons, can choose to exclusively
direct the reports to an external processor.
=======


With a s/anonymized/aggregated/g change, this seems like reasonable
language. In technical terms, there is no anonymization involved. The only
other issue might be some ambiguity in the interpretation of the term
"individual senders or receivers" because the IP addresses of the MTAs
involved in the email interchange are definitely in the report. As someone
has pointed out earlier in the thread, a compromised home computer which is
able to send out on port 25 would indeed be exposed in such a scenario,
though it is a rare case.


I'd s/individual senders or receivers/individual users/.

Also s/authentication/domain-level authentication/.


Best
Ale
--

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
