[dmarc-discuss] Re-verifying external report destinations

Roland Turner roland at rolandturner.com
Sat Nov 16 20:34:07 PST 2019

On 11/11/19 6:22 pm, Steven M Jones via dmarc-discuss wrote:

> This has been a bit of a problem, as non-verification of “ruf” addresses combined with people copying sample DMARC records in their deployments led to what I have to assume are violations of GDPR and several other privacy regimes.
> I would hope people would see reporting address verification as an important mitigation of concerns about “ruf” reporting. My fear is that instead it makes the lawyers say “no” a few microseconds faster...

Speaking entirely speculatively: it occurs to me that as almost no-one 
is sending failure reports other than to domain registrants with whom an 
agreement is in place (either directly or through an intermediary), it 
is entirely possible that some receivers sending ruf reports aren't 
looking at the ruf field at all, but are instead manually configuring an 
address specified in the agreement. I have no evidence for this apart 
from the typical behaviour of lawyers and the tendency to lock down 
contact addresses in contract schedules, but it would explain what's 
being observed.

For receivers behaving this way who are subject to GDPR, there's a 
rather direct way to solve the problem: report the unsolicited 
disclosure of personal information by the receiver to the receiver's 
DPO. In some cases the DPO will be the reflexively risk-averse lawyer 
who will do anything possible to offload liability (and will therefore 
kill the receiver's participation in failure reporting), but most are 
deeply schooled in balancing interests (all processing on the 6(1)(f) 
"legitimate interests" basis requires that it be done formally; this 
would include all participation DMARC failure reporting) and will simply 
treat it as an error to fix promptly.

- Roland

More information about the dmarc-discuss mailing list