On Friday, April 12, 2019 09:00:33 AM Seth Blank wrote: > On Fri, Apr 12, 2019 at 4:57 AM Scott Kitterman <[email protected]> > > wrote: > > I think adding a MUST NOT regarding RUF is a good idea. > > I think this is a bad idea for two very important reasons: > > 1) Any gTLD being used as a brand domain (i.e. .google, .microsoft, etc.) > may wish to use failure reports on these domains just as they would on > their .com's. > > 2) We wanted this spec to be the *minimum* delta from DMARC possible. > That's why we added the third lookup but removed all other items. A MUST > NOT for RUF no longer feels like a minimum delta. It also adds extra > overhead to any implementation changes needed to test the experiment. > > We should (and I believe do) make the case in privacy consideration that > failure reports for a third lookup is a bad idea. I don't think we need > more of this right now. If during the experiment it becomes clear that this > guidance is needed, then it can be folded into DMARC 2.0 when everything > comes together.
I think your first point is a reasonable one. For the second one, I think minimum may be in the eye of the beholder. From an implementation perspective, I think the difference is trivial (if X then don't do Y) and I think part of minimum is a design that makes sense from a privacy perspective. As a practical matter, since so few entities send RUF reports, it's not a major issue either way. Let's see what others think. I'm glad to take it back out if that's the way the group leans. Scott K _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
