Re: [dmarc-ietf] Recipient domain in aggregate reports (#23)

Laura Atkins <laura@wordtothewise.com> Mon, 03 May 2021 11:36 UTC


In the bulk email space most messages are sent with a unique 5321.from address (VERP). Are you suggesting that no DMARC reports should be sent for commercial bulk mail?

laura 



> On 3 May 2021, at 12:21, Douglas Foster <dougfoster.emailstandards@gmail.com> wrote:
> 
> To address Laura's concerns about individual targeting, the reporting needs to ensure a minimum level of aggregation on all reports.   
> 
> This starts with MailFrom. If less than N unique recipient addresses are included, the report should not be sent at all.
> 
> If a DKIM selector occurs on less than N unique recipient addresses, the DKIM selector should be replaced with * or Null.
> 
> I do not have a strong opinion about N, but am thinking 10.
> 
> Doug Foster
> 
> 
> 
> On Mon, May 3, 2021 at 4:49 AM Laura Atkins <laura@wordtothewise.com> wrote:
> 
>> On 3 May 2021, at 07:27, Hans-Martin Mosner <hmm@heeg.de> wrote:
>> 
>> On 02.05.21 at 22:30, John Levine wrote:
>>> It appears that Matthäus Wander <mail@wander.science> said:
>>>> envelope_to allows you to automatically correlate these reports and
>>>> reconstruct the forwarding path. This helps to identify the culprit who
>>>> is breaking DKIM signatures, especially with longer forwarding chains.
>>>> Without envelope_to, reconstructing the mail flow requires guessing and
>>>> manual work.
>>> It is none of your business to whom I forward my mail.
>> 
>> True, unless you (generic you, not John L.) make it my business by complaining about not receiving my mail either in a
>> support request (which may cause quite some work) or in a public forum (which might damage my reputation and even cause
>> more work).
> 
> I will point out that for a lot of us online (specifically those of us who don’t check any or all of the cis-het-white-male categories) forwarding mail and protecting our identities are crucial to our ability to actually participate in an online life. Stalking and harassment are real. I, personally, have been being low-level stalked by someone for over a decade now. I have been put into positions where I have to make calculated decisions about my ability to participate in places based on my personal safety. I have involved the police in the past for specific threats against me. The first time I was threatened and stalked online was more than 20 years ago. This is not some ‘oh, it only happens to some people’, it happens to a lot of people, regularly. 
> 
> The threats I’ve had to deal with, just for being a woman in an online environment, are minor compared to some threats other women, BIPOC and members of other marginalized groups have had to put up with. I’ve never had to move out of my house for my safety. ISPs HAVE doxxed individuals in the past, both accidentally and through deliberate policy decisions. Adding personally identifiable information into DMARC reports is problematic in a way I don’t think many men here realize. 
> 
> It is not anyone’s business how I might route mail to protect my safety. And, frankly, the issues of data privacy and safety for people online significantly trump the concern that someone’s reputation might be slightly impacted because they can’t troubleshoot an individual mail failure. 
> 
>> I am too often in a position of being requested to solve a problem but the requestors don't even provide the minimal
>> logging info or even error texts to even start analyzing their problem. In such cases I want to be able to look at as
>> much info as possible so as to provide a decent service.
>> 
>> I don't snoop on mail logging info to satisfy my curiosity or to increase my revenue, but to solve my user's problems.
> 
> This is irrelevant. How, in fact, do you protect your users’ safety and privacy? How do you ensure that the request is actually coming from your user and not from someone attempting to discover where they are and defeat personal safety measures your user has put in place to protect themselves from harassment and stalking? Maybe they don’t provide the minimum logging info or texts because they’re attempting to social engineer you into revealing someone’s information and identity that forms a chain that leads to their safety being compromised. 
> 
>> Whether envelope_to would help my work isn't clear, but apparently it would help Matthäus in his work.
> 
> But is that work necessary and relevant? Does that process protect people? Does it facilitate online threats, harassment and stalking? Will someone who is trying to hide their location due to a credible threat be harmed by this protocol decision?
> 
> laura 
> 
> -- 
> Having an Email Crisis?  We can help! 800 823-9674 
> 
> Laura Atkins
> Word to the Wise
> laura@wordtothewise.com
> (650) 437-0741
> 
> Email Delivery Blog: https://wordtothewise.com/blog
> 
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
laura@wordtothewise.com
(650) 437-0741		

Email Delivery Blog: https://wordtothewise.com/blog
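
The minimum-aggregation rule proposed in the quoted message, applied to a VERP stream like the one the reply asks about, as an added example that is not part of the original thread. It assumes grouping by the full 5321.MailFrom address and counting selector recipients within each group; the function name, record layout and sample data are constructed for illustration.

```python
from collections import defaultdict

N = 10  # threshold floated in the thread ("am thinking 10")


def aggregate(records, n=N):
    """records: iterable of (mail_from, rcpt_to, dkim_selector) tuples.

    Returns {mail_from: {selector_or_star: message_count}}.
    Assumption: a MailFrom group seen by fewer than n unique recipients is
    dropped entirely; a selector seen by fewer than n unique recipients
    within its group is reported as "*".
    """
    rcpts_by_from = defaultdict(set)
    rcpts_by_selector = defaultdict(set)
    rows = defaultdict(list)
    for mail_from, rcpt, selector in records:
        rcpts_by_from[mail_from].add(rcpt)
        rcpts_by_selector[(mail_from, selector)].add(rcpt)
        rows[mail_from].append(selector)

    report = {}
    for mail_from, selectors in rows.items():
        if len(rcpts_by_from[mail_from]) < n:
            continue  # too few recipients: no report for this MailFrom
        counts = defaultdict(int)
        for selector in selectors:
            if len(rcpts_by_selector[(mail_from, selector)]) < n:
                selector = "*"  # mask rarely seen selectors
            counts[selector] += 1
        report[mail_from] = dict(counts)
    return report


def sample_fixed():
    # Constructed data: one shared bounce address, 12 recipients on
    # selector s1, and 2 of those recipients also seen on selector s2.
    recs = [("bounce@news.example", f"user{i}@rcpt.example", "s1") for i in range(12)]
    recs += [("bounce@news.example", f"user{i}@rcpt.example", "s2") for i in range(2)]
    return recs


def sample_verp():
    # Constructed data: VERP, one unique 5321.MailFrom per recipient.
    return [(f"bounce-{i}@bulk.example", f"user{i}@rcpt.example", "s1") for i in range(12)]


if __name__ == "__main__":
    print("fixed bounce address:", aggregate(sample_fixed()))
    print("VERP stream:         ", aggregate(sample_verp()))
```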