Actually the point I'm trying to make with #3 is that regardless of the agreement between the PSD and a registrant, there is a small privacy (or rather business secret) risk where a mailbox provider sending a report to a PSD leaks information that the registrant do not want the PSD to have. I think it is fair to argue that it is the registrant's own fault and they should not have signed the contract, but they might still cause both legal costs as well as PR impact on the mailbox provider. I'm not saying we have to change the text to match what we (or rather our privacy lawyers) are comfortable with today - but I think it is better to have language that at least calls out these risks or use a more conservative language (i.e. don't send the PSD reports about any known known domains) but mention additional options (send them for known domains accepting the privacy/PR risk and/or send a more obfuscated report).
Bottom line - whatever language we have I would prefer if it is not in conflict with what our implementation is likely to look like. But I guess there is always an out in that no mailbox provider is obligated to send any reports. /E On Mon, Oct 21, 2024 at 5:18 PM John R. Levine <[email protected]> wrote: > On Mon, 21 Oct 2024, Emil Gustafsson wrote: > > 3) For commercial cases (like .bank/.insurance) using rua/ruf for an > > existing domain with missing DMARC (falling back to PSD record) might > leak > > business secrets (so a privacy issue). > > A PSD is a registry, which means that the names under the PSD have a > business relationship with the PSD's operator. That relationship controls > what the two parties can do. In the case of .BANK and .INSURANCE, I > happen to know that the registry's rules require that the registrants have > a specific DMARC setup, and they use reports to the PSD to check that the > registrants have that setup. > > We have no idea what arrangements other registries might make with their > registrants, and we should not try to guess. > > I would be OK with language that notes that DMARC allows a PSD to collect > reports about subdomains that don't have their own DMARC records, and it's > up to the PSD and its subdomains to decide whether the PSD does collect > reports and if so what it does with them. > > R's, > John >
_______________________________________________ dmarc mailing list -- [email protected] To unsubscribe send an email to [email protected]
