idnits 2.17.1 

draft-ietf-dmarc-aggregate-reporting-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords. 

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document date (November 11, 2020) is 1260 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'MAIL' is mentioned on line 325, but not defined

  == Missing Reference: 'MIME' is mentioned on line 247, but not defined

  == Missing Reference: 'GZIP' is mentioned on line 257, but not defined

  == Missing Reference: '0-9' is mentioned on line 473, but not defined

  == Missing Reference: '0-4' is mentioned on line 473, but not defined

  == Missing Reference: '0-5' is mentioned on line 473, but not defined


     Summary: 0 errors (**), 0 flaws (~~), 8 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	DMARC                                                    A. Brotman (ed)
3	Internet-Draft                                             Comcast, Inc.
4	Obsoletes: 7489 (if approved)                          November 11, 2020
5	Intended status: Standards Track
6	Expires: May 15, 2021

8	                       DMARC Aggregate Reporting
9	                draft-ietf-dmarc-aggregate-reporting-00

11	Abstract

13	   DMARC allows for domain holders to request aggregate reports from
14	   receivers.  This report is an XML document, and contains extensible
15	   elements that allow for other types of data to be specified later.
16	   The aggregate reports can be submitted to the domain holder's
17	   specified destination as supported by the receiver.

19	   This document (along with others) obsoletes RFC7489.

21	Status of This Memo

23	   This Internet-Draft is submitted in full conformance with the
24	   provisions of BCP 78 and BCP 79.

26	   Internet-Drafts are working documents of the Internet Engineering
27	   Task Force (IETF).  Note that other groups may also distribute
28	   working documents as Internet-Drafts.  The list of current Internet-
29	   Drafts is at https://datatracker.ietf.org/drafts/current/.

31	   Internet-Drafts are draft documents valid for a maximum of six months
32	   and may be updated, replaced, or obsoleted by other documents at any
33	   time.  It is inappropriate to use Internet-Drafts as reference
34	   material or to cite them other than as "work in progress."

36	   This Internet-Draft will expire on May 15, 2021.

38	Copyright Notice

40	   Copyright (c) 2020 IETF Trust and the persons identified as the
41	   document authors.  All rights reserved.

43	   This document is subject to BCP 78 and the IETF Trust's Legal
44	   Provisions Relating to IETF Documents
45	   (https://trustee.ietf.org/license-info) in effect on the date of
46	   publication of this document.  Please review these documents
47	   carefully, as they describe your rights and restrictions with respect
48	   to this document.  Code Components extracted from this document must
49	   include Simplified BSD License text as described in Section 4.e of
50	   the Trust Legal Provisions and are provided without warranty as
51	   described in the Simplified BSD License.

53	Table of Contents

55	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
56	     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   2
57	   2.  DMARC Feedback  . . . . . . . . . . . . . . . . . . . . . . .   2
58	     2.1.  Verifying External Destinations . . . . . . . . . . . . .   3
59	     2.2.  Aggregate Reports . . . . . . . . . . . . . . . . . . . .   3
60	       2.2.1.  Transport . . . . . . . . . . . . . . . . . . . . . .   5
61	   3.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
62	   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
63	   5.  Appendix A. DMARC XML Schema  . . . . . . . . . . . . . . . .   8
64	   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  13
65	     6.1.  Normative References  . . . . . . . . . . . . . . . . . .  13
66	     6.2.  Informative References  . . . . . . . . . . . . . . . . .  14
67	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  14

69	1.  Introduction

71	   A key component of DMARC is the ability for domain holders to request
72	   that receivers provide various types of reports.  These reports allow
73	   domain holders to have insight into which IP addresses are sending on
74	   their behalf, and some insight into whether or not the volume may be
75	   legitimate.  These reports expose information relating to the DMARC
76	   policy, as well as the outcome of SPF [RFC7208] & DKIM [RFC6376]
77	   validation.

79	1.1.  Terminology

81	   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
82	   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
83	   document, are to be interpreted as described in [RFC2119].

85	2.  DMARC Feedback

87	   Providing Domain Owners with visibility into how Mail Receivers
88	   implement and enforce the DMARC mechanism in the form of feedback is
89	   critical to establishing and maintaining accurate authentication
90	   deployments.  When Domain Owners can see what effect their policies
91	   and practices are having, they are better willing and able to use
92	   quarantine and reject policies.

94	2.1.  Verifying External Destinations

96	   [<https://trac.ietf.org/trac/dmarc/ticket/76>]

98	2.2.  Aggregate Reports

100	   The DMARC aggregate feedback report is designed to provide Domain
101	   Owners with precise insight into:

103	   o  authentication results,

105	   o  corrective action that needs to be taken by Domain Owners, and

107	   o  the effect of Domain Owner DMARC policy on email streams processed
108	      by Mail Receivers.

110	   Aggregate DMARC feedback provides visibility into real-world email
111	   streams that Domain Owners need to make informed decisions regarding
112	   the publication of DMARC policy.  When Domain Owners know what
113	   legitimate mail they are sending, what the authentication results are
114	   on that mail, and what forged mail receivers are getting, they can
115	   make better decisions about the policies they need and the steps they
116	   need to take to enable those policies.  When Domain Owners set
117	   policies appropriately and understand their effects, Mail Receivers
118	   can act on them confidently.

120	   Visibility comes in the form of daily (or more frequent) Mail
121	   Receiver-originated feedback reports that contain aggregate data on
122	   message streams relevant to the Domain Owner.  This information
123	   includes data about messages that passed DMARC authentication as well
124	   as those that did not.

126	   The format for these reports is defined in Appendix C.

128	   The report SHOULD include the following data:

130	   o  The DMARC policy discovered and applied, if any

132	   o  The selected message disposition

134	   o  The identifier evaluated by SPF and the SPF result, if any

136	   o  The identifier evaluated by DKIM and the DKIM result, if any

138	   o  For both DKIM and SPF, an indication of whether the identifier was
139	      in alignment

141	   o  Data for each Domain Owner's subdomain separately from mail from
142	      the sender's Organizational Domain, even if there is no explicit
143	      subdomain policy

145	   o  Sending and receiving domains

147	   o  The policy requested by the Domain Owner and the policy actually
148	      applied (if different)

150	   o  The number of successful authentications

152	   o  The counts of messages based on all messages received, even if
153	      their delivery is ultimately blocked by other filtering agents

155	   Note that Domain Owners or their agents may change the published
156	   DMARC policy for a domain or subdomain at any time.  From a Mail
157	   Receiver's perspective, this will occur during a reporting period and
158	   may be noticed during that period, at the end of that period when
159	   reports are generated, or during a subsequent reporting period, all
160	   depending on the Mail Receiver's implementation.  Under these
161	   conditions, it is possible that a Mail Receiver could do any of the
162	   following:

164	   o  generate for such a reporting period a single aggregate report
165	      that includes message dispositions based on the old policy, or a
166	      mix of the two policies, even though the report only contains a
167	      single "policy_published" element;

169	   o  generate multiple reports for the same period, one for each
170	      published policy occurring during the reporting period;

172	   o  generate a report whose end time occurs when the updated policy
173	      was detected, regardless of any requested report interval.

175	   The report SHOULD include the following data:

177	   o  The DMARC policy discovered and applied, if any

179	   o  The selected message disposition

181	   o  The identifier evaluated by SPF and the SPF result, if any

183	   o  The identifier evaluated by DKIM and the DKIM result, if any

185	   o  For both DKIM and SPF, an indication of whether the identifier was
186	      in alignment

188	   o  Data for each Domain Owner's subdomain separately from mail from
189	      the sender's Organizational Domain, even if there is no explicit
190	      subdomain policy

192	   o  Sending and receiving domains

194	   o  The policy requested by the Domain Owner and the policy actually
195	      applied (if different)

197	   o  The number of successful authentications

199	   o  The counts of messages based on all messages received, even if
200	      their delivery is ultimately blocked by other filtering agents

202	   Note that Domain Owners or their agents may change the published
203	   DMARC policy for a domain or subdomain at any time.  From a Mail
204	   Receiver's perspective, this will occur during a reporting period and
205	   may be noticed during that period, at the end of that period when
206	   reports are generated, or during a subsequent reporting period, all
207	   depending on the Mail Receiver's implementation.  Under these
208	   conditions, it is possible that a Mail Receiver could do any of the
209	   following:

211	   o  generate for such a reporting period a single aggregate report
212	      that includes message dispositions based on the old policy, or a
213	      mix of the two policies, even though the report only contains a
214	      single "policy_published" element;

216	   o  generate multiple reports for the same period, one for each
217	      published policy occurring during the reporting period;

219	   o  generate a report whose end time occurs when the updated policy
220	      was detected, regardless of any requested report interval.

222	2.2.1.  Transport

224	   Where the URI specified in a "rua" tag does not specify otherwise, a
225	   Mail Receiver generating a feedback report SHOULD employ a secure
226	   transport mechanism.

228	   The Mail Receiver, after preparing a report, MUST evaluate the
229	   provided reporting URIs in the order given.  Any reporting URI that
230	   includes a size limitation exceeded by the generated report (after
231	   compression and after any encoding required by the particular
232	   transport mechanism) MUST NOT be used.  An attempt MUST be made to
233	   deliver an aggregate report to every remaining URI, up to the
234	   Receiver's limits on supported URIs.

236	   If transport is not possible because the services advertised by the
237	   published URIs are not able to accept reports (e.g., the URI refers
238	   to a service that is unreachable, or all provided URIs specify size
239	   limits exceeded by the generated record), the Mail Receiver SHOULD
240	   send a short report (see Section 7.2.2) indicating that a report is
241	   available but could not be sent.  The Mail Receiver MAY cache that
242	   data and try again later, or MAY discard data that could not be sent.

244	2.2.1.1.  Email

246	   The message generated by the Mail Receiver MUST be a [MAIL] message
247	   formatted per [MIME].  The aggregate report itself MUST be included
248	   in one of the parts of the message.  A human-readable portion MAY be
249	   included as a MIME part (such as a text/plain part).

251	   The aggregate data MUST be an XML file that SHOULD be subjected to
252	   GZIP compression.  Declining to apply compression can cause the
253	   report to be too large for a receiver to process (a commonly observed
254	   receiver limit is ten megabytes); doing the compression increases the
255	   chances of acceptance of the report at some compute cost.  The
256	   aggregate data SHOULD be present using the media type "application/
257	   gzip" if compressed (see [GZIP]), and "text/xml" otherwise.  The
258	   filename is typically constructed using the following ABNF:

260	      filename = receiver "!" policy-domain "!" begin-timestamp
261	                 "!" end-timestamp [ "!" unique-id ] "." extension

263	      unique-id = 1*(ALPHA / DIGIT)

265	      receiver = domain
266	                 ; imported from [MAIL]

268	      policy-domain   = domain

270	      begin-timestamp = 1*DIGIT
271	                        ; seconds since 00:00:00 UTC January 1, 1970
272	                        ; indicating start of the time range contained
273	                        ; in the report

275	      end-timestamp = 1*DIGIT
276	                      ; seconds since 00:00:00 UTC January 1, 1970
277	                      ; indicating end of the time range contained
278	                      ; in the report

280	      extension = "xml" / "xml.gz"

282	   The extension MUST be "xml" for a plain XML file, or "xml.gz" for an
283	   XML file compressed using GZIP.

285	   "unique-id" allows an optional unique ID generated by the Mail
286	   Receiver to distinguish among multiple reports generated
287	   simultaneously by different sources within the same Domain Owner.

289	   For example, this is a possible filename for the gzip file of a
290	   report to the Domain Owner "example.com" from the Mail Receiver
291	   "mail.receiver.example":

293	         mail.receiver.example!example.com!1013662812!1013749130.gz

295	   No specific MIME message structure is required.  It is presumed that
296	   the aggregate reporting address will be equipped to extract MIME
297	   parts with the prescribed media type and filename and ignore the
298	   rest.

300	   Email streams carrying DMARC feedback data MUST conform to the DMARC
301	   mechanism, thereby resulting in an aligned "pass" (see Section 3.1).
302	   This practice minimizes the risk of report consumers processing
303	   fraudulent reports.

305	   The RFC5322.Subject field for individual report submissions SHOULD
306	   conform to the following ABNF:

308	      dmarc-subject = %x52.65.70.6f.72.74 1*FWS       ; "Report"
309	                      %x44.6f.6d.61.69.6e.3a 1*FWS    ; "Domain:"
310	                      domain-name 1*FWS               ; from RFC 6376
311	                      %x53.75.62.6d.69.74.74.65.72.3a ; "Submitter:"
312	                      1*FWS domain-name 1*FWS
313	                      %x52.65.70.6f.72.74.2d.49.44.3a ; "Report-ID:"
314	                      msg-id                          ; from RFC 5322

316	   The first domain-name indicates the DNS domain name about which the
317	   report was generated.  The second domain-name indicates the DNS
318	   domain name representing the Mail Receiver generating the report.
319	   The purpose of the Report-ID: portion of the field is to enable the
320	   Domain Owner to identify and ignore duplicate reports that might be
321	   sent by a Mail Receiver.

323	   For instance, this is a possible Subject field for a report to the
324	   Domain Owner "example.com" from the Mail Receiver
325	   "mail.receiver.example".  It is line-wrapped as allowed by [MAIL]:

327	                    Subject: Report Domain: example.com
328	                        Submitter: mail.receiver.example
329	                        Report-ID: <2002.02.15.1>

331	   This transport mechanism potentially encounters a problem when
332	   feedback data size exceeds maximum allowable attachment sizes for
333	   either the generator or the consumer.  See Section 7.2.2 for further
334	   discussion.

336	2.2.1.2.  Other Methods

338	   The specification as written allows for the addition of other
339	   registered URI schemes to be supported in later versions.

341	3.  Security Considerations

343	   TBD

345	4.  IANA Considerations

347	   TBD

349	5.  Appendix A.  DMARC XML Schema

351	    <?xml version="1.0"?>
352	    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
353	      targetNamespace="http://dmarc.org/dmarc-xml/0.1">

355	    <!-- The time range in UTC covered by messages in this report,
356	         specified in seconds since epoch. -->
357	    <xs:complexType name="DateRangeType">
358	      <xs:all>
359	        <xs:element name="begin" type="xs:integer"/>
360	        <xs:element name="end" type="xs:integer"/>
361	      </xs:all>
362	    </xs:complexType>

364	    <!-- Report generator metadata. -->
365	    <xs:complexType name="ReportMetadataType">
366	      <xs:sequence>
367	        <xs:element name="org_name" type="xs:string"/>
368	        <xs:element name="email" type="xs:string"/>
369	        <xs:element name="extra_contact_info" type="xs:string"
370	                    minOccurs="0"/>
371	        <xs:element name="report_id" type="xs:string"/>
372	        <xs:element name="date_range" type="DateRangeType"/>
373	        <xs:element name="error" type="xs:string" minOccurs="0"
374	                    maxOccurs="unbounded"/>
375	      </xs:sequence>
376	    </xs:complexType>

378	    <!-- Alignment mode (relaxed or strict) for DKIM and SPF. -->
379	    <xs:simpleType name="AlignmentType">
380	      <xs:restriction base="xs:string">
381	        <xs:enumeration value="r"/>
382	        <xs:enumeration value="s"/>
383	      </xs:restriction>
384	    </xs:simpleType>

386	    <!-- The policy actions specified by p and sp in the
387	         DMARC record. -->
388	    <xs:simpleType name="DispositionType">
389	      <xs:restriction base="xs:string">
390	        <xs:enumeration value="none"/>
391	        <xs:enumeration value="quarantine"/>
392	        <xs:enumeration value="reject"/>
393	      </xs:restriction>
394	    </xs:simpleType>

396	    <!-- The DMARC policy that applied to the messages in
397	         this report. -->
398	    <xs:complexType name="PolicyPublishedType">
399	      <xs:all>
400	        <!-- The domain at which the DMARC record was found. -->
401	        <xs:element name="domain" type="xs:string"/>
402	        <!-- The DKIM alignment mode. -->
403	        <xs:element name="adkim" type="AlignmentType"
404	                    minOccurs="0"/>
405	        <!-- The SPF alignment mode. -->
406	        <xs:element name="aspf" type="AlignmentType"
407	                    minOccurs="0"/>
408	        <!-- The policy to apply to messages from the domain. -->
409	        <xs:element name="p" type="DispositionType"/>
410	        <!-- The policy to apply to messages from subdomains. -->
411	        <xs:element name="sp" type="DispositionType"/>
412	        <!-- The percent of messages to which policy applies. -->
413	        <xs:element name="pct" type="xs:integer"/>
414	        <!-- Failure reporting options in effect. -->
415	        <xs:element name="fo" type="xs:string"/>
416	      </xs:all>
417	    </xs:complexType>

419	    <!-- The DMARC-aligned authentication result. -->
420	    <xs:simpleType name="DMARCResultType">
421	      <xs:restriction base="xs:string">
422	        <xs:enumeration value="pass"/>
423	        <xs:enumeration value="fail"/>
424	      </xs:restriction>
425	    </xs:simpleType>

427	    <!-- Reasons that may affect DMARC disposition or execution
428	         thereof. -->

430	    <xs:simpleType name="PolicyOverrideType">
431	      <xs:restriction base="xs:string">
432	        <xs:enumeration value="forwarded"/>
433	        <xs:enumeration value="sampled_out"/>
434	        <xs:enumeration value="trusted_forwarder"/>
435	        <xs:enumeration value="mailing_list"/>
436	        <xs:enumeration value="local_policy"/>
437	        <xs:enumeration value="other"/>
438	      </xs:restriction>
439	    </xs:simpleType>

441	    <!-- How do we allow report generators to include new
442	         classes of override reasons if they want to be more
443	         specific than "other"? -->
444	    <xs:complexType name="PolicyOverrideReason">
445	      <xs:all>
446	        <xs:element name="type" type="PolicyOverrideType"/>
447	        <xs:element name="comment" type="xs:string"
448	                    minOccurs="0"/>
449	      </xs:all>
450	    </xs:complexType>

452	    <!-- Taking into account everything else in the record,
453	         the results of applying DMARC. -->
454	    <xs:complexType name="PolicyEvaluatedType">
455	      <xs:sequence>
456	        <xs:element name="disposition" type="DispositionType"/>
457	        <xs:element name="dkim" type="DMARCResultType"/>
458	        <xs:element name="spf" type="DMARCResultType"/>
459	        <xs:element name="reason" type="PolicyOverrideReason"
460	                    minOccurs="0" maxOccurs="unbounded"/>
461	      </xs:sequence>
462	    </xs:complexType>

464	    <!-- Credit to Roger L. Costello for IPv4 regex
465	         http://mailman.ic.ac.uk/pipermail/xml-dev/1999-December/
466	              018018.html -->
467	    <!-- Credit to java2s.com for IPv6 regex
468	         http://www.java2s.com/Code/XML/XML-Schema/
469	              IPv6addressesareeasiertodescribeusingasimpleregex.htm -->
470	    <xs:simpleType name="IPAddress">
471	      <xs:restriction base="xs:string">
472	        <xs:pattern value="((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]).){3}
473	                    (1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])|
474	                    ([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}"/>
475	      </xs:restriction>
476	    </xs:simpleType>
477	    <xs:complexType name="RowType">
478	      <xs:all>
479	        <!-- The connecting IP. -->
480	        <xs:element name="source_ip" type="IPAddress"/>
481	        <!-- The number of matching messages. -->
482	        <xs:element name="count" type="xs:integer"/>
483	        <!-- The DMARC disposition applying to matching
484	             messages. -->
485	        <xs:element name="policy_evaluated"
486	                    type="PolicyEvaluatedType"
487	                    minOccurs="1"/>
488	      </xs:all>
489	    </xs:complexType>

491	    <xs:complexType name="IdentifierType">
492	      <xs:all>
493	        <!-- The envelope recipient domain. -->
494	        <xs:element name="envelope_to" type="xs:string"
495	                    minOccurs="0"/>
496	        <!-- The RFC5321.MailFrom domain. -->
497	        <xs:element name="envelope_from" type="xs:string"
498	                    minOccurs="1"/>
499	        <!-- The RFC5322.From domain. -->
500	        <xs:element name="header_from" type="xs:string"
501	                    minOccurs="1"/>
502	      </xs:all>
503	    </xs:complexType>

505	    <!-- DKIM verification result, according to RFC 7001
506	         Section 2.6.1. -->
507	    <xs:simpleType name="DKIMResultType">
508	      <xs:restriction base="xs:string">
509	        <xs:enumeration value="none"/>
510	        <xs:enumeration value="pass"/>
511	        <xs:enumeration value="fail"/>
512	        <xs:enumeration value="policy"/>
513	        <xs:enumeration value="neutral"/>
514	        <xs:enumeration value="temperror"/>
515	        <xs:enumeration value="permerror"/>
516	      </xs:restriction>
517	    </xs:simpleType>

519	    <xs:complexType name="DKIMAuthResultType">
520	      <xs:all>
521	        <!-- The "d=" parameter in the signature. -->
522	        <xs:element name="domain" type="xs:string"
523	                    minOccurs="1"/>
524	        <!-- The "s=" parameter in the signature. -->
525	        <xs:element name="selector" type="xs:string"
526	                    minOccurs="0"/>
527	        <!-- The DKIM verification result. -->
528	        <xs:element name="result" type="DKIMResultType"
529	                    minOccurs="1"/>
530	        <!-- Any extra information (e.g., from
531	             Authentication-Results). -->
532	        <xs:element name="human_result" type="xs:string"
533	                    minOccurs="0"/>
534	      </xs:all>
535	    </xs:complexType>

537	    <!-- SPF domain scope. -->
538	    <xs:simpleType name="SPFDomainScope">
539	      <xs:restriction base="xs:string">
540	        <xs:enumeration value="helo"/>
541	        <xs:enumeration value="mfrom"/>
542	      </xs:restriction>
543	    </xs:simpleType>

545	    <!-- SPF result. -->
546	    <xs:simpleType name="SPFResultType">
547	      <xs:restriction base="xs:string">
548	        <xs:enumeration value="none"/>
549	        <xs:enumeration value="neutral"/>
550	        <xs:enumeration value="pass"/>
551	        <xs:enumeration value="fail"/>
552	        <xs:enumeration value="softfail"/>
553	        <!-- "TempError" commonly implemented as "unknown". -->
554	        <xs:enumeration value="temperror"/>
555	        <!-- "PermError" commonly implemented as "error". -->
556	        <xs:enumeration value="permerror"/>
557	      </xs:restriction>
558	    </xs:simpleType>

560	    <xs:complexType name="SPFAuthResultType">
561	      <xs:all>
562	        <!-- The checked domain. -->
563	        <xs:element name="domain" type="xs:string" minOccurs="1"/>
564	        <!-- The scope of the checked domain. -->
565	        <xs:element name="scope" type="SPFDomainScope" minOccurs="1"/>
566	        <!-- The SPF verification result. -->
567	        <xs:element name="result" type="SPFResultType"
568	                    minOccurs="1"/>
569	      </xs:all>
570	    </xs:complexType>

572	    <!-- This element contains DKIM and SPF results, uninterpreted
573	         with respect to DMARC. -->
574	    <xs:complexType name="AuthResultType">
575	      <xs:sequence>
576	        <!-- There may be no DKIM signatures, or multiple DKIM
577	             signatures. -->
578	        <xs:element name="dkim" type="DKIMAuthResultType"
579	          minOccurs="0" maxOccurs="unbounded"/>
580	        <!-- There will always be at least one SPF result. -->
581	        <xs:element name="spf" type="SPFAuthResultType" minOccurs="1"
582	                    maxOccurs="unbounded"/>
583	      </xs:sequence>
584	    </xs:complexType>

586	    <!-- This element contains all the authentication results that
587	         were evaluated by the receiving system for the given set of
588	         messages. -->
589	    <xs:complexType name="RecordType">
590	      <xs:sequence>
591	        <xs:element name="row" type="RowType"/>
592	        <xs:element name="identifiers" type="IdentifierType"/>
593	        <xs:element name="auth_results" type="AuthResultType"/>
594	      </xs:sequence>
595	    </xs:complexType>

597	    <!-- Parent -->
598	    <xs:element name="feedback">
599	      <xs:complexType>
600	        <xs:sequence>
601	          <xs:element name="version"
602	                      type="xs:decimal"/>
603	          <xs:element name="report_metadata"
604	                      type="ReportMetadataType"/>
605	          <xs:element name="policy_published"
606	                      type="PolicyPublishedType"/>
607	          <xs:element name="record" type="RecordType"
608	                      maxOccurs="unbounded"/>
609	        </xs:sequence>
610	      </xs:complexType>
611	    </xs:element>
612	    </xs:schema>

614	6.  References

616	6.1.  Normative References

618	   [RFC6376]  Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
619	              "DomainKeys Identified Mail (DKIM) Signatures", STD 76,
620	              RFC 6376, DOI 10.17487/RFC6376, September 2011,
621	              <https://www.rfc-editor.org/info/rfc6376>.

623	   [RFC7208]  Kitterman, S., "Sender Policy Framework (SPF) for
624	              Authorizing Use of Domains in Email, Version 1", RFC 7208,
625	              DOI 10.17487/RFC7208, April 2014,
626	              <https://www.rfc-editor.org/info/rfc7208>.

628	6.2.  Informative References

630	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
631	              Requirement Levels", BCP 14, RFC 2119,
632	              DOI 10.17487/RFC2119, March 1997,
633	              <https://www.rfc-editor.org/info/rfc2119>.

635	Author's Address

637	   Alex Brotman
638	   Comcast, Inc.

640	   Email: alex_brotman@comcast.com