Saturday, June 01, 2024

Re: New filters auth and sign

On Sat, 01 Jun 2024 08:45:00 +0100,
"Corey Hickman" <coreyh@free.fr> wrote:
>
> Does it have a policy server included? For instance, when DKIM fails, the policy can be set up to deny the message.
>

Right now it ignores DMARC as if it doesn't exist.

Doing a DMARC lookup for the domain and inserting its results into the header
is possible and not a big deal, but it has some issues.

The first is parsing the From header. It is durable, but different MUAs may
follow different logic, and the parser for this can be quite complicated. And
complicated means bugs.

The second is more ideological. DMARC needs something that aggregates the
results and sends out reports. It shouldn't be a filter for smtpd. But a
filter can write its decision to the log, and something should harvest it to
process and create the reports that need to be sent. Anyway, forensic reports,
which should be close to real-time and include a lot of things from the
original email, are a much more complicated story.

All this brings up the question of personal data / GDPR and DMARC. I know of
a very good analysis of DMARC and GDPR in the case of German law [1], which
can be summarized as a quote:

The reports are fundamentally permitted and justified under data
protection law. However, the principle of proportionality is to be
complied with at all times.

Based on this analysis, I assume that only aggregated reports can be used
without legal headaches in the EU.

But implementing only a part of DMARC seems much worse than not
implementing it at all, and implementing it in its entirety requires a lot
of pieces in place, much more than just a filter.

Thus, DMARC was discussed on the OpenBSD mailing lists a few months ago [2].

As a conclusion, I personally use the p=none policy, because I assume that
my mail should be delivered, and To is not the final destination; it's a
kind of starting direction of the mail's way to the recipient.

Footnotes:
[1] https://certified-senders.org/wp-content/uploads/2018/08/Report_DMARC_and_GDPR.pdf

[2] https://marc.info/?l=openbsd-misc&m=171015367409290&w=2

--
wbr, Kirill
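To make the two concerns above concrete (extracting the RFC5322.From domain, and turning a fetched DMARC record into a per-message result), here is an added Python sketch that is not part of this thread or of the filters discussed. It assumes the DMARC TXT record has already been fetched from DNS (a constructed one is embedded), and it approximates relaxed alignment with a subdomain check instead of a public-suffix list.

```python
from email.utils import parseaddr

# Constructed sample of what a lookup of _dmarc.<domain> would return (assumption).
SAMPLE_DMARC_TXT = "v=DMARC1; p=quarantine; sp=reject; adkim=s; pct=100; rua=mailto:dmarc@example.org"

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into tag/value pairs, filling the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None  # not a usable DMARC record
    tags.setdefault("adkim", "r")   # DKIM alignment mode: relaxed by default
    tags.setdefault("aspf", "r")    # SPF alignment mode: relaxed by default
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p
    tags.setdefault("pct", "100")
    return tags

def from_domain(from_header):
    """Domain of the RFC5322.From address; None when it cannot be determined safely."""
    _, addr = parseaddr(from_header)
    if not addr or addr.count("@") != 1:
        return None  # malformed or ambiguous From: treat as a DMARC permerror
    return addr.rsplit("@", 1)[1].lower().strip(".")

def aligned(auth_domain, header_domain, mode):
    """Identifier alignment: strict needs equality; relaxed accepts a subdomain relation.
    The subdomain test is a simplification of the organizational-domain rule (assumption)."""
    if not auth_domain:
        return False
    a = auth_domain.lower()
    if a == header_domain:
        return True
    if mode == "s":
        return False
    return a.endswith("." + header_domain) or header_domain.endswith("." + a)

def dmarc_result(record_txt, from_header, dkim_domain=None, spf_domain=None):
    """Return (result, disposition): result is what goes into Authentication-Results,
    disposition is the policy the receiver would apply ('none', 'quarantine', 'reject')."""
    hd = from_domain(from_header)
    if hd is None:
        return "permerror", "none"
    pol = parse_dmarc_record(record_txt)
    if pol is None:
        return "none", "none"  # no DMARC record: nothing to enforce
    ok = aligned(dkim_domain, hd, pol["adkim"]) or aligned(spf_domain, hd, pol["aspf"])
    return ("pass", "none") if ok else ("fail", pol["p"])
```

The filter side stops here; aggregating these results into reports is the separate piece the message above argues belongs outside smtpd.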
