I thought about putting the "I want ARF reports" information in the
email or in the DNS.
If it is solely in the DNS, then for every DKIM message, you have to
query the DNS, to check if the signing domain wants ARF reports. I
suspect most will not want them, or know what's that. This process may
commit uneccessary resources. I feel important to state in the email
that the signer wants an ARF report, and that the DNS could be used to
verify that statment.
Not for every signed message. Only for every signed report. Report
generators have to query DNS to send the report anyway.
We currently send reports to over 80k domains. I would wager that the
domains who currently sign are a subset of those (spammer domains
included), but if someone actually wants me to dig around to prove it I
suppose I can. Going forward, domains that care enough to sign their
mail will care enough to want abuse reports.
On privacy issues, some ARF processors strip the report from any
potential user identification, To: Message ID, email in the content
etc...
That's to protect the privacy of the reporter, not the privacy of the
message author. You would be surprised how many folks on shared IP
addresses try to get an FBL for the entire IP address instead of just
their domain. DKIM based FBLs should clear up that specific issue, but
I'm sure there will be some new 'gotcha'.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html