On Tue, 22 Oct 2024, Emil Gustafsson wrote:
Actually the point I'm trying to make with #3 is that regardless of the agreement between the PSD and a registrant, there is a small privacy (or rather business secret) risk where a mailbox provider sending a report to a PSD leaks information that the registrant do not want the PSD to have. I think it is fair to argue that it is the registrant's own fault and they should not have signed the contract, but they might still cause both legal costs as well as PR impact on the mailbox provider.
I really do not think it is our job to second guess registrants' legal departments.
Let's imagine there is a company where illegal stuff is going on. An employee comes in on the weekend and sends a whistleblower report to the USDOJ. Unfortunately, the company gets a DMARC report, notices that someone sent a message to the USDOJ on Saturday, and it's since few people are around on weekends, it is easy to tell who it was. They fire him, and to emphasize their point send some goons around to break his legs. Hence nobody should send reports, ever.
Or slightly less extremely, lots of companies like Dmarcian, Red Sift, and ValiMail provide DMARC analysis services, and encourage people to send them DMARC reports for analysis. But there is no way for the analysis companies to tell whether the reports they receieve were really authorized but the company's management, or by a rogue employee, or due to a misunderstanding about where domain boundaries are. I am the legacy registry for some geographic <place>.ny.us domains and I get all sorts of DMARC reporrts for organizations in those domains that are not me.
If we're going to have reports at all, there will always be edge cases where they might go to places that some people don't like. There is no way for us to guess what all those cases are nor to make rules to forbid them short of forbidding reports altogether.
R's, John _______________________________________________ dmarc mailing list -- [email protected] To unsubscribe send an email to [email protected]
