Re: [dmarc-ietf] Ticket #55 - Clarify legal and privacy implications of failure reports

"Kurt Andersen (b)" <kboth@drkurt.com> Tue, 05 January 2021 18:28 UTC

Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 201E93A10EB for <dmarc@ietfa.amsl.com>; Tue, 5 Jan 2021 10:28:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gqwtnSFsxwgU for <dmarc@ietfa.amsl.com>; Tue, 5 Jan 2021 10:28:42 -0800 (PST)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69C683A10E5 for <dmarc@ietf.org>; Tue, 5 Jan 2021 10:28:42 -0800 (PST)
Received: by mail-io1-xd35.google.com with SMTP id w18so298583iot.0 for <dmarc@ietf.org>; Tue, 05 Jan 2021 10:28:42 -0800 (PST)
X-Received: by 2002:a02:a1ca:: with SMTP id o10mr794877jah.19.1609871321529; Tue, 05 Jan 2021 10:28:41 -0800 (PST)
MIME-Version: 1.0
References: <20210104174623.2545154CFF9F@ary.qy> <FD45F9FC-46B0-40A9-ADC6-DDD7650D62F2@bluepopcorn.net> <ae77d9f-6f63-16ca-903a-7cb463a7b58d@taugh.com>
In-Reply-To: <ae77d9f-6f63-16ca-903a-7cb463a7b58d@taugh.com>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Tue, 05 Jan 2021 10:28:13 -0800
Message-ID: <CABuGu1o2t7WaEOh+nsx3_MRUGgGHqKHzQ9302FM9-HL0GxvJvA@mail.gmail.com>
To: Paypal security confirm your password now <johnl@taugh.com>
Cc: Jim Fenton <fenton@bluepopcorn.net>, "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004115f405b82b60ec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/VIKfu2UADJGmhp2Mr35K-3v_s50>
Subject: Re: [dmarc-ietf] Ticket #55 - Clarify legal and privacy implications of failure reports
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2021 18:28:44 -0000

On Tue, Jan 5, 2021 at 10:18 AM Paypal security confirm your password now <johnl@taugh.com> wrote:

> >> reputation for the domain. I have trouble imagining why anyone would
> >> think it's a good idea to get alignment by using third party domains
> >> that recipients don't know.
> >
> > Because recipients often can’t see (or don’t pay attention to) the domain
> > name and the reputation system you postulate doesn’t exist. OTOH, getting
> > alignment avoids a restrictive policy that might be associated with the
> > original domain.
>
> I think you're saying that I can always evade DMARC problems by putting an
> address I control on the From line and nobody will notice.  That would
> mean that DMARC is useless.
>
> If that's not what you're saying, could you clarify?
>

That is indeed the assertion - as long as you consider 97+% to be "always"
and interpret "nobody" in terms of real human actors (excluding the
automatons on this list) and discount the influence of receiver-level
reputation/filtering mechanisms. Personally, I think those levels of
rounding errors should not be ignored either for good or evil. The
formation of this working group and our initial deliverables provide some
level of concurrence with my personal perspective.

--Kurt