10. Privacy Considerations
Diese Seite fasst den entsprechenden Abschnitt von RFC 9989 zusammen und bewahrt DMARC-Tags, DNS-Namen, ABNF und IANA-Werte.
The privacy considerations from Section 10 are preserved below.
10. Privacy Considerations
This section discusses issues specific to private data that may be
included if DMARC reports are requested. Issues associated with
sending aggregate reports and failure reports are addressed in
[RFC9990] and [RFC9991], respectively.
10.1. Aggregate Report Considerations
Aggregate reports may, particularly for small organizations, provide
some limited insight into email sending patterns. As an example, in
a small organization, an aggregate report from a particular domain
may be sufficient to make the Report Consumer aware of sensitive
personal or business information. If setting a "rua" tag in a DMARC
Policy Record, the reporting address needs controls appropriate to
the organizational requirements to mitigate any risk associated with
receiving and handling reports.
In the case of "rua" requests for multi-organizational PSDs,
additional information leakage considerations exist. Multi-
organizational PSDs that do not mandate DMARC use by registrants risk
exposure of private data of registrant domains if they include the
"rua" tag in their DMARC Policy Record.
10.2. Failure Report Considerations
Failure reports do provide insight into email sending patterns,
including specific users. If requesting failure reports, data
management controls are needed to support appropriate management of
this information. The additional details available through failure
reports (relative to aggregate reports) can drive a need for
additional controls. As an example, a company may be legally
restricted from receiving data related to a specific subsidiary.
Before requesting failure reports, any such data spillage risks have
to be addressed through data management controls or publishing DMARC
Policy Records for relevant subdomains to prevent reporting on data
related to their emails.
Due to the nature of the email contents that may be shared through
failure reports, most Mail Receivers refuse to send them out of
privacy concerns. Out-of-band agreements between Report Consumers
and Mail Receivers may be required to address these concerns.
DMARC Policy Records for multi-organizational PSDs MUST NOT include
the "ruf" tag.