DMARC failure reports and GDPR

Unlike aggregate reports, DMARC failure reports contain personal data like email subject, sender address, recipient address, and sometimes even the original message body. What does this mean for GDPR compliance?

DMARC failure reports and GDPR

Unlike aggregate reports, DMARC failure reports are sent far less frequently due to privacy concerns and contain personal data like email subject, sender address, recipient address, and sometimes even the original message body. So what does this mean for GDPR compliance?

Privacy

Because we want to be GDPR compliant and don't want to get personal or save any privacy-sensitive data, we remove it as soon as we receive the report. Unfortunately, this will make the failure reports less valuable and harder to analyze.

Solution

If you want to view the original unfiltered message headers and body, you can add a public PGP key to your URIports account. The original headers and body are then encrypted upon arrival so that you—and only you—can view and decrypt them with your private key and password.

Pretty Good Privacy (PGP)

Here is a short introduction for those unfamiliar with PGP (Pretty Good Privacy). PGP is an encryption method that, among other things, provides cryptographic privacy and can be used to encrypt and decrypt texts, emails, files, etc.

Getting Started with PGP

All you need to do is download and install an application that can generate a unique private and public key pair for you. These "keys" are strings of letters, numbers, and characters and are usually stored in a text file from where you can copy/paste them into applications.

Example PGP Public Key

The private key is used to decrypt any message that was encrypted using the public key. You can share your public key with the world, allowing anyone to send you a secure message that only you can decrypt using your private key. The private key can also be protected with a password as an extra layer of protection (recommended).

Keep your private key private

You should never, ever share your private key (or password) with anyone or share it online. Also, be sure to keep it in a safe place. If you lose your private key, you won't be able to read encrypted messages with your public key.

Integrations

Some browser plugins, like Mailvelope, detect encrypted messages on web pages and automatically decrypt them for you. There are also plugins for email clients like Outlook for easy email encryption and decryption.

Add your public key to URIports

Got your public key? Great! Just log in to URIports and go to your settings (1). Then, hit the DMARC failure reports encryption button in the Security section (2), and you can paste your key. We'll check that the key is correct and save it to your account. From now on, new failure reports will automatically be encrypted.

Thank you for using URIports.