When the EU passed the General Data Protection Regulation (GDPR) it triggered a worldwide examination of different types of data, including the data found in DMARC Aggregate (RUA) and Failure (RUF) reports. A legal analysis from ECO, the German Internet Industry group, breaks down all aspects of DMARC data and the concerns involved related to GDPR for report generators and consumers alike.
Assessing Aggregate Reports
The analysis makes a distinction between Aggregate and Failure reports in its review. Aggregate reports are sent daily from an email service to the owner of a domain, providing insight into messages claiming to be from that domain, whether they passed SPF and DKIM checks and how those messages were handled according to DMARC rules. In order to distinguish the senders, IP addresses of the sending mail servers are included in the reports.
The concern stems from a 2017 German Federal Court of Justice ruling that determined dynamic IP addresses of website visitors were legally protected personal data. Static IP addresses were already unanimously qualified as personal data and the GDPR reaffirms this decision.
The important distinction is that IP addresses also qualify as traffic data, according to case law. Traffic data may be used to “detect, narrow down or eliminate faults or errors in the telecommunication system.” Furthermore, email senders qualify as service providers who collaborate in the provision of telecommunication services. Third parties are also allowed to receive and analyze the data in pursuit of these goals.
Phishing, spam and misconfigurations are all considered faults or errors in the system. The report also notes that IP addresses can only identify individual users when merged with additional information. The risk posed by phishing also outweighs the concerns that including IP addresses in reports may create.
Taking everything into account, the analysis states that, “The reports are fundamentally permitted and justified under data protection law. However, the principle of proportionality is to be complied with at all times.”
What about Failure Reports?
The report does have some additional considerations with regard to failure reports. Failure reports are message-specific and can be used to identify problems in more detail. The reports can potentially include the IP address, the sending email address, the recipient email address, the subject and the email body. A number of providers will not send these reports at all, while others significantly reduce the included data, for example by leaving out the subject and email body entirely.
The ECO report echoes these practices, recommending that entities producing failure reports redact unnecessary data:
“Based on the principle of data economy, it is urgently recommended to resort to redacting in order to avoid personal data of the recipient of a fraudulent mail from being transmitted. These data mandatorily include subject and body of the respective e-mail and the e-mail address of the recipient.”
Entities producing the failure reports should take those concerns into account. As a domain owner implementing DMARC and consuming the failure reports, redacting that data isn't within your control. If you have additional concerns regarding the failure reports, however, you can always disable them by not providing an RUF address in your DMARC record.
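Both sides of this are easy to show in code. The following added example (not from the ECO analysis or any DMARC tool) inspects a constructed DMARC record for an RUF address and produces a copy without it, and applies the recommended redaction (subject, body and recipient address removed) to a constructed sample of the kind of message a failure report would carry; example.com and recipient.example are placeholder domains.

```python
from email import message_from_string

# Constructed sample record; the domains and mailbox names are placeholders.
DMARC_WITH_RUF = ("v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com; "
                  "ruf=mailto:dmarc-fail@example.com; fo=1")

# Constructed sample of a message that failed DMARC and would be quoted in a
# failure report. Subject, body and recipient are the fields ECO says to redact.
SAMPLE_MESSAGE = """\
From: "Billing" <billing@example.com>
To: victim@recipient.example
Subject: Your invoice is overdue
Date: Mon, 01 Jan 2018 10:00:00 +0000
Message-ID: <abc123@example.com>
Content-Type: text/plain; charset=us-ascii

Please find your invoice attached and confirm the payment details.
"""


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def requests_failure_reports(record: str) -> bool:
    """True when the record asks receivers to send RUF (failure) reports."""
    return "ruf" in parse_dmarc(record)


def without_ruf(record: str) -> str:
    """Return the record with the ruf tag dropped, which disables failure reports.
    The fo tag only controls when failure reports are generated, so it goes too."""
    tags = parse_dmarc(record)
    tags.pop("ruf", None)
    tags.pop("fo", None)
    return "; ".join(f"{key}={value}" for key, value in tags.items())


def redact_failed_message(raw: str) -> str:
    """Strip subject, body and recipient addresses from a failed message while
    keeping the headers a domain owner needs to diagnose the DMARC failure
    (From, Date, Message-ID, Received, DKIM-Signature, Authentication-Results)."""
    msg = message_from_string(raw)
    del msg["Subject"]
    for header in ("To", "Cc", "Bcc"):
        if header in msg:
            msg.replace_header(header, "[redacted]")
    msg.set_payload("[body redacted]\n")
    return msg.as_string()
```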
The report also provides some additional recommendations, such as ensuring that the recipient of the reports is authorized and willing to receive the data. If possible, deliver the reports first to the DMARC policy domain and then forward them to the external report address.
The ECO analysis concludes that “the implementation of DMARC is consistent with the EU GDPR,” as long as aggregate reports are used “to detect and narrow down spam and phishing and to protect the telecommunication systems.” Producers of failure reports, however, should be redacting information that is not necessary to the effective use of DMARC.
The full 19-page report is available at the Certified Senders Alliance.