idnits 2.17.1 draft-kucherawy-dmarc-dmarcbis-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (6 April 2020) is 1482 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'CFWS' is mentioned on line 1735, but not defined == Missing Reference: '0-9' is mentioned on line 3229, but not defined == Missing Reference: '0-4' is mentioned on line 3229, but not defined == Missing Reference: '0-5' is mentioned on line 3229, but not defined ** Downref: Normative reference to an Informational RFC: RFC 4949 ** Downref: Normative reference to an Informational RFC: RFC 6713 Summary: 2 errors (**), 0 flaws (~~), 5 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DMARC M. Kucherawy (ed) 3 Internet-Draft 4 Obsoletes: 7489 (if approved) E. Zwicky (ed) 5 Intended status: Standards Track 6 Expires: 8 October 2020 T. Wicinski (ed) 7 6 April 2020 9 Domain-based Message Authentication, Reporting, and Conformance (DMARC) 10 draft-kucherawy-dmarc-dmarcbis-01 12 Abstract 14 Domain-based Message Authentication, Reporting, and Conformance 15 (DMARC) is a scalable mechanism by which a mail-originating 16 organization can express domain-level policies and preferences for 17 message validation, disposition, and reporting, that a mail-receiving 18 organization can use to improve mail handling. 20 Originators of Internet Mail need to be able to associate reliable 21 and authenticated domain identifiers with messages, communicate 22 policies about messages that use those identifiers, and report about 23 mail using those identifiers. These abilities have several benefits: 24 Receivers can provide feedback to Domain Owners about the use of 25 their domains; this feedback can provide valuable insight about the 26 management of internal operations and the presence of external domain 27 name abuse. 29 DMARC does not produce or encourage elevated delivery privilege of 30 authenticated email. DMARC is a mechanism for policy distribution 31 that enables increasingly strict handling of messages that fail 32 authentication checks, ranging from no action, through altered 33 delivery, up to message rejection. 35 This document obsoletes RFC 7489. 37 Status of This Memo 39 This Internet-Draft is submitted in full conformance with the 40 provisions of BCP 78 and BCP 79. 42 Internet-Drafts are working documents of the Internet Engineering 43 Task Force (IETF). Note that other groups may also distribute 44 working documents as Internet-Drafts. The list of current Internet- 45 Drafts is at https://datatracker.ietf.org/drafts/current/. 47 Internet-Drafts are draft documents valid for a maximum of six months 48 and may be updated, replaced, or obsoleted by other documents at any 49 time. It is inappropriate to use Internet-Drafts as reference 50 material or to cite them other than as "work in progress." 52 This Internet-Draft will expire on 8 October 2020. 54 Copyright Notice 56 Copyright (c) 2020 IETF Trust and the persons identified as the 57 document authors. All rights reserved. 59 This document is subject to BCP 78 and the IETF Trust's Legal 60 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 61 license-info) in effect on the date of publication of this document. 62 Please review these documents carefully, as they describe your rights 63 and restrictions with respect to this document. Code Components 64 extracted from this document must include Simplified BSD License text 65 as described in Section 4.e of the Trust Legal Provisions and are 66 provided without warranty as described in the Simplified BSD License. 68 Table of Contents 70 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 71 2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 6 72 2.1. High-Level Goals . . . . . . . . . . . . . . . . . . . . 6 73 2.2. Out of Scope . . . . . . . . . . . . . . . . . . . . . . 6 74 2.3. Scalability . . . . . . . . . . . . . . . . . . . . . . . 7 75 2.4. Anti-Phishing . . . . . . . . . . . . . . . . . . . . . . 7 76 3. Terminology and Definitions . . . . . . . . . . . . . . . . . 8 77 3.1. Identifier Alignment . . . . . . . . . . . . . . . . . . 9 78 3.1.1. DKIM-Authenticated Identifiers . . . . . . . . . . . 10 79 3.1.2. SPF-Authenticated Identifiers . . . . . . . . . . . . 11 80 3.1.3. Alignment and Extension Technologies . . . . . . . . 11 81 3.2. Organizational Domain . . . . . . . . . . . . . . . . . . 11 82 4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 12 83 4.1. Authentication Mechanisms . . . . . . . . . . . . . . . . 12 84 4.2. Key Concepts . . . . . . . . . . . . . . . . . . . . . . 13 85 4.3. Flow Diagram . . . . . . . . . . . . . . . . . . . . . . 13 86 5. Use of RFC5322.From . . . . . . . . . . . . . . . . . . . . . 15 87 6. Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 88 6.1. DMARC Policy Record . . . . . . . . . . . . . . . . . . . 17 89 6.2. DMARC URIs . . . . . . . . . . . . . . . . . . . . . . . 17 90 6.3. General Record Format . . . . . . . . . . . . . . . . . . 18 91 6.4. Formal Definition . . . . . . . . . . . . . . . . . . . . 21 92 6.5. Domain Owner Actions . . . . . . . . . . . . . . . . . . 23 93 6.6. Mail Receiver Actions . . . . . . . . . . . . . . . . . . 23 94 6.6.1. Extract Author Domain . . . . . . . . . . . . . . . . 23 95 6.6.2. Determine Handling Policy . . . . . . . . . . . . . . 24 96 6.6.3. Policy Discovery . . . . . . . . . . . . . . . . . . 25 97 6.6.4. Message Sampling . . . . . . . . . . . . . . . . . . 26 98 6.6.5. Store Results of DMARC Processing . . . . . . . . . . 27 99 6.7. Policy Enforcement Considerations . . . . . . . . . . . . 27 100 7. DMARC Feedback . . . . . . . . . . . . . . . . . . . . . . . 28 101 7.1. Verifying External Destinations . . . . . . . . . . . . . 28 102 7.2. Aggregate Reports . . . . . . . . . . . . . . . . . . . . 30 103 7.2.1. Transport . . . . . . . . . . . . . . . . . . . . . . 32 104 7.2.2. Error Reports . . . . . . . . . . . . . . . . . . . . 35 105 7.3. Failure Reports . . . . . . . . . . . . . . . . . . . . . 36 106 7.3.1. Reporting Format Update . . . . . . . . . . . . . . . 37 107 8. Minimum Implementations . . . . . . . . . . . . . . . . . . . 37 108 9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 38 109 9.1. Data Exposure Considerations . . . . . . . . . . . . . . 38 110 9.2. Report Recipients . . . . . . . . . . . . . . . . . . . . 39 111 10. Other Topics . . . . . . . . . . . . . . . . . . . . . . . . 39 112 10.1. Issues Specific to SPF . . . . . . . . . . . . . . . . . 39 113 10.2. DNS Load and Caching . . . . . . . . . . . . . . . . . . 40 114 10.3. Rejecting Messages . . . . . . . . . . . . . . . . . . . 40 115 10.4. Identifier Alignment Considerations . . . . . . . . . . 41 116 10.5. Interoperability Issues . . . . . . . . . . . . . . . . 41 117 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42 118 11.1. Authentication-Results Method Registry Update . . . . . 42 119 11.2. Authentication-Results Result Registry Update . . . . . 42 120 11.3. Feedback Report Header Fields Registry Update . . . . . 44 121 11.4. DMARC Tag Registry . . . . . . . . . . . . . . . . . . . 44 122 11.5. DMARC Report Format Registry . . . . . . . . . . . . . . 45 123 11.6. Underscored and Globally Scoped DNS Node Names 124 Registry . . . . . . . . . . . . . . . . . . . . . . . . 46 125 12. Security Considerations . . . . . . . . . . . . . . . . . . . 46 126 12.1. Authentication Methods . . . . . . . . . . . . . . . . . 46 127 12.2. Attacks on Reporting URIs . . . . . . . . . . . . . . . 47 128 12.3. DNS Security . . . . . . . . . . . . . . . . . . . . . . 47 129 12.4. Display Name Attacks . . . . . . . . . . . . . . . . . . 47 130 12.5. External Reporting Addresses . . . . . . . . . . . . . . 48 131 12.6. Secure Protocols . . . . . . . . . . . . . . . . . . . . 49 132 13. Normative References . . . . . . . . . . . . . . . . . . . . 49 133 14. Informative References . . . . . . . . . . . . . . . . . . . 51 134 Appendix A. Technology Considerations . . . . . . . . . . . . . 52 135 A.1. S/MIME . . . . . . . . . . . . . . . . . . . . . . . . . 52 136 A.2. Method Exclusion . . . . . . . . . . . . . . . . . . . . 53 137 A.3. Sender Header Field . . . . . . . . . . . . . . . . . . . 54 138 A.4. Domain Existence Test . . . . . . . . . . . . . . . . . . 54 139 A.5. Issues with ADSP in Operation . . . . . . . . . . . . . . 55 140 A.6. Organizational Domain Discovery Issues . . . . . . . . . 56 141 A.6.1. Public Suffix Lists . . . . . . . . . . . . . . . . . 56 142 Appendix B. Examples . . . . . . . . . . . . . . . . . . . . . . 57 143 B.1. Identifier Alignment Examples . . . . . . . . . . . . . . 57 144 B.1.1. SPF . . . . . . . . . . . . . . . . . . . . . . . . . 57 145 B.1.2. DKIM . . . . . . . . . . . . . . . . . . . . . . . . 58 146 B.2. Domain Owner Example . . . . . . . . . . . . . . . . . . 59 147 B.2.1. Entire Domain, Monitoring Only . . . . . . . . . . . 59 148 B.2.2. Entire Domain, Monitoring Only, Per-Message 149 Reports . . . . . . . . . . . . . . . . . . . . . . . 60 150 B.2.3. Per-Message Failure Reports Directed to Third 151 Party . . . . . . . . . . . . . . . . . . . . . . . . 61 152 B.2.4. Subdomain, Sampling, and Multiple Aggregate Report 153 URIs . . . . . . . . . . . . . . . . . . . . . . . . 62 154 B.3. Mail Receiver Example . . . . . . . . . . . . . . . . . . 63 155 B.4. Processing of SMTP Time . . . . . . . . . . . . . . . . . 63 156 B.5. Utilization of Aggregate Feedback: Example . . . . . . . 65 157 B.6. mailto Transport Example . . . . . . . . . . . . . . . . 65 158 Appendix C. DMARC XML Schema . . . . . . . . . . . . . . . . . . 66 159 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 73 160 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 73 162 1. Introduction 164 RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH BEFORE PUBLISHING: 165 The source for this draft is maintained in GitHub at: 166 https://github.com/moonshiner/draft-kucherawy-dmarc-dmarcbis 167 (https://github.com/moonshiner/draft-kucherawy-dmarc-dmarcbis) 169 The Sender Policy Framework ([RFC7208]) and DomainKeys Identified 170 Mail ([RFC6376]) provide domain-level authentication. They enable 171 cooperating email receivers to detect mail authorized to use the 172 domain name, which can permit differential handling. (A detailed 173 discussion of the threats these systems attempt to address can be 174 found in [RFC4686].) However, there has been no single widely 175 accepted or publicly available mechanism to communication of domain- 176 specific message-handling policies for receivers, or to request 177 reporting of authentication and disposition of received mail. Absent 178 the ability to obtain feedback reports, originators who have 179 implemented email authentication have difficulty determining how 180 effective their authentication is. As a consequence, use of 181 authentication failures to filter mail typically does not succeed. 183 Over time, one-on-one relationships were established between select 184 senders and receivers with privately communicated means to assert 185 policy and receive message traffic and authentication disposition 186 reporting. Although these ad hoc practices have been generally 187 successful, they require significant manual coordination between 188 parties, and this model does not scale for general use on the 189 Internet. 191 This document defines Domain-based Message Authentication, Reporting, 192 and Conformance (DMARC), a mechanism by which email operators 193 leverage existing authentication and policy advertisement 194 technologies to enable both message-stream feedback and enforcement 195 of policies against unauthenticated email. 197 DMARC allows Domain Owners and receivers to collaborate by: 199 1. Providing receivers with assertions about Domain Owners' policies 201 2. Providing feedback to senders so they can monitor authentication 202 and judge threats 204 The basic outline of DMARC is as follows: 206 1. Domain Owners publish policy assertions about domains via the 207 DNS. 209 2. Receivers compare the RFC5322.From address in the mail to the SPF 210 and DKIM results, if present, and the DMARC policy in DNS. 212 3. These receivers can use these results to determine how the mail 213 should be handled. 215 4. The receiver sends reports to the Domain Owner or its designee 216 about mail claiming to be from their domain. 218 Security terms used in this document are defined in [RFC4949]. 220 DMARC differs from previous approaches to policy advertisement (e.g., 221 [RFC7208] and [RFC5617]) in that: 223 * Authentication technologies are: 225 1. decoupled from any technology-specific policy mechanisms, and 227 2. used solely to establish reliable per-message domain-level 228 identifiers. 230 * Multiple authentication technologies are used to: 232 1. reduce the impact of transient authentication errors 234 2. reduce the impact of site-specific configuration errors and 235 deployment gaps 237 3. enable more use cases than any individual technology supports 238 alone 240 * Receiver-generated feedback is supported, allowing senders to 241 establish confidence in authentication practices. 243 * The domain name extracted from a message's RFC5322.From field is 244 the primary identifier in the DMARC mechanism. This identifier is 245 used in conjunction with the results of the underlying 246 authentication technologies to evaluate results under DMARC. 248 Experience with DMARC has revealed some issues of interoperability 249 with email in general that require due consideration before 250 deployment, particularly with configurations that can cause mail to 251 be rejected. These are discussed in Section 10. 253 2. Requirements 255 Specification of DMARC is guided by the following high-level goals, 256 security dependencies, detailed requirements, and items that are 257 documented as out of scope. 259 2.1. High-Level Goals 261 DMARC has the following high-level goals: 263 * Allow Domain Owners to assert the preferred handling of 264 authentication failures, for messages purporting to have 265 authorship within the domain. 267 * Allow Domain Owners to verify their authentication deployment. 269 * Minimize implementation complexity for both senders and receivers, 270 as well as the impact on handling and delivery of legitimate 271 messages. 273 * Reduce the amount of successfully delivered spoofed email. 275 * Work at Internet scale. 277 2.2. Out of Scope 279 Several topics and issues are specifically out of scope for the 280 initial version of this work. These include the following: 282 * different treatment of messages that are not authenticated versus 283 those that fail authentication; 285 * evaluation of anything other than RFC5322.From; 287 * multiple reporting formats; 288 * publishing policy other than via the DNS; 290 * reporting or otherwise evaluating other than the last-hop IP 291 address; 293 * attacks in the RFC5322.From field, also known as "display name" 294 attacks; 296 * authentication of entities other than domains, since DMARC is 297 built upon SPF and DKIM, which authenticate domains; and 299 * content analysis. 301 2.3. Scalability 303 Scalability is a major issue for systems that need to operate in a 304 system as widely deployed as current SMTP email. For this reason, 305 DMARC seeks to avoid the need for third parties or pre-sending 306 agreements between senders and receivers. This preserves the 307 positive aspects of the current email infrastructure. 309 Although DMARC does not introduce third-party senders (namely 310 external agents authorized to send on behalf of an operator) to the 311 email-handling flow, it also does not preclude them. Such third 312 parties are free to provide services in conjunction with DMARC. 314 2.4. Anti-Phishing 316 DMARC is designed to prevent bad actors from sending mail that claims 317 to come from legitimate senders, particularly senders of 318 transactional email (official mail that is about business 319 transactions). One of the primary uses of this kind of spoofed mail 320 is phishing (enticing users to provide information by pretending to 321 be the legitimate service requesting the information). Thus, DMARC 322 is significantly informed by ongoing efforts to enact large-scale, 323 Internet-wide anti-phishing measures. 325 Although DMARC can only be used to combat specific forms of exact- 326 domain spoofing directly, the DMARC mechanism has been found to be 327 useful in the creation of reliable and defensible message streams. 329 DMARC does not attempt to solve all problems with spoofed or 330 otherwise fraudulent email. In particular, it does not address the 331 use of visually similar domain names ("cousin domains") or abuse of 332 the RFC5322.From human-readable . 334 3. Terminology and Definitions 336 This section defines terms used in the rest of the document. 338 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 339 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 340 "OPTIONAL" in this document are to be interpreted as described in BCP 341 14 [RFC2119] [RFC8174] when, and only when, they appear in all 342 capitals, as shown here. 344 Readers are encouraged to be familiar with the contents of [RFC5598]. 345 In particular, that document defines various roles in the messaging 346 infrastructure that can appear the same or separate in various 347 contexts. For example, a Domain Owner could, via the messaging 348 security mechanisms on which DMARC is based, delegate the ability to 349 send mail as the Domain Owner to a third party with another role. 350 This document does not address the distinctions among such roles; the 351 reader is encouraged to become familiar with that material before 352 continuing. 354 The following terms are also used: 356 Authenticated Identifiers: Domain-level identifiers that are 357 validated using authentication technologies are referred to as 358 "Authenticated Identifiers". See Section 4.1 for details about 359 the supported mechanisms. 361 Author Domain: The domain name of the apparent author, as extracted 362 from the RFC5322.From field. 364 Domain Owner: An entity or organization that owns a DNS domain. The 365 term "owns" here indicates that the entity or organization being 366 referenced holds the registration of that DNS domain. Domain 367 Owners range from complex, globally distributed organizations, to 368 service providers working on behalf of non-technical clients, to 369 individuals responsible for maintaining personal domains. This 370 specification uses this term as analogous to an Administrative 371 Management Domain as defined in [RFC5598]. It can also refer to 372 delegates, such as Report Receivers, when those are outside of 373 their immediate management domain. 375 Identifier Alignment: When the domain in the RFC5322.From address 376 matches a domain validated by SPF or DKIM (or both), it has 377 Identifier Alignment. 379 Mail Receiver: The entity or organization that receives and 380 processes email. Mail Receivers operate one or more Internet- 381 facing Mail Transport Agents (MTAs). 383 Organizational Domain: The domain that was registered with a domain 384 name registrar. In the absence of more accurate methods, 385 heuristics are used to determine this, since it is not always the 386 case that the registered domain name is simply a top-level DNS 387 domain plus one component (e.g., "example.com", where "com" is a 388 top-level domain). The Organizational Domain is determined by 389 applying the algorithm found in Section 3.2. 391 Report Receiver: An operator that receives reports from another 392 operator implementing the reporting mechanism described in this 393 document. Such an operator might be receiving reports about its 394 own messages, or reports about messages related to another 395 operator. This term applies collectively to the system components 396 that receive and process these reports and the organizations that 397 operate them. 399 3.1. Identifier Alignment 401 Email authentication technologies authenticate various (and 402 disparate) aspects of an individual message. For example, [RFC6376] 403 authenticates the domain that affixed a signature to the message, 404 while [RFC7208] can authenticate either the domain that appears in 405 the RFC5321.MailFrom (MAIL FROM) portion of [RFC5322] or the 406 RFC5321.EHLO/ HELO domain, or both. These may be different domains, 407 and they are typically not visible to the end user. 409 DMARC authenticates use of the RFC5322.From domain by requiring that 410 it match (be aligned with) an Authenticated Identifier. The 411 RFC5322.From domain was selected as the central identity of the DMARC 412 mechanism because it is a required message header field and therefore 413 guaranteed to be present in compliant messages, and most Mail User 414 Agents (MUAs) represent the RFC5322.From field as the originator of 415 the message and render some or all of this header field's content to 416 end users. 418 Thus, this field is the one used by end users to identify the source 419 of the message and therefore is a prime target for abuse. Many high- 420 profile email sources, such as email service providers, require that 421 the sending agent have authenticated before email can be generated. 422 Thus, for these mailboxes, the mechanism described in this document 423 provides recipient end users with strong evidence that the message 424 was indeed originated by the agent they associate with that mailbox, 425 if the end user knows that these various protections have been 426 provided. 428 Domain names in this context are to be compared in a case-insensitive 429 manner, per [RFC4343]. 431 It is important to note that Identifier Alignment cannot occur with a 432 message that is not valid per [RFC5322], particularly one with a 433 malformed, absent, or repeated RFC5322.From field, since in that case 434 there is no reliable way to determine a DMARC policy that applies to 435 the message. Accordingly, DMARC operation is predicated on the input 436 being a valid RFC5322 message object, and handling of such non- 437 compliant cases is outside of the scope of this specification. 438 Further discussion of this can be found in Section 6.6.1. 440 Each of the underlying authentication technologies that DMARC takes 441 as input yields authenticated domains as their outputs when they 442 succeed. From the perspective of DMARC, each can be operated in a 443 "strict" mode or a "relaxed" mode. A Domain Owner would normally 444 select strict mode if it wanted Mail Receivers to apply DMARC 445 processing only to messages bearing an RFC5322.From domain exactly 446 matching the domains those mechanisms will verify. Relaxed mode can 447 be used when the operator also wishes to affect message flows bearing 448 subdomains of the verified domains. 450 3.1.1. DKIM-Authenticated Identifiers 452 DMARC permits Identifier Alignment, based on the result of a DKIM 453 authentication, to be strict or relaxed. (Note that these are not 454 related to DKIM's "simple" and "relaxed" canonicalization modes.) 456 In relaxed mode, the Organizational Domains of both the [RFC6376]- 457 authenticated signing domain (taken from the value of the "d=" tag in 458 the signature) and that of the RFC5322.From domain must be equal if 459 the identifiers are to be considered aligned. In strict mode, only 460 an exact match between both of the Fully Qualified Domain Names 461 (FQDNs) is considered to produce Identifier Alignment. 463 To illustrate, in relaxed mode, if a validated DKIM signature 464 successfully verifies with a "d=" domain of "example.com", and the 465 RFC5322.From address is "alerts@news.example.com", the DKIM "d=" 466 domain and the RFC5322.From domain are considered to be "in 467 alignment". In strict mode, this test would fail, since the "d=" 468 domain does not exactly match the FQDN of the address. 470 However, a DKIM signature bearing a value of "d=com" would never 471 allow an "in alignment" result, as "com" should appear on all public 472 suffix lists (see Appendix A.6.1) and therefore cannot be an 473 Organizational Domain. 475 Identifier Alignment is required because a message can bear a valid 476 signature from any domain, including domains used by a mailing list 477 or even a bad actor. Therefore, merely bearing a valid signature is 478 not enough to infer authenticity of the Author Domain. 480 Note that a single email can contain multiple DKIM signatures, and it 481 is considered to be a DMARC "pass" if any DKIM signature is aligned 482 and verifies. 484 3.1.2. SPF-Authenticated Identifiers 486 DMARC permits Identifier Alignment, based on the result of an SPF 487 authentication, to be strict or relaxed. 489 In relaxed mode, the [RFC3986]-authenticated domain and RFC5322.From 490 domain must have the same Organizational Domain. In strict mode, 491 only an exact DNS domain match is considered to produce Identifier 492 Alignment. 494 Note that the RFC5321.HELO identity is not typically used in the 495 context of DMARC (except when required to "fake" an otherwise null 496 reverse-path), even though a "pure SPF" implementation according to 497 [RFC7208] would check that identifier. 499 For example, if a message passes an SPF check with an 500 RFC5321.MailFrom domain of "cbg.bounces.example.com", and the address 501 portion of the RFC5322.From field contains "payments@example.com", 502 the Authenticated RFC5321.MailFrom domain identifier and the 503 RFC5322.From domain are considered to be "in alignment" in relaxed 504 mode, but not in strict mode. 506 3.1.3. Alignment and Extension Technologies 508 If in the future DMARC is extended to include the use of other 509 authentication mechanisms, the extensions will need to allow for 510 domain identifier extraction so that alignment with the RFC5322.From 511 domain can be verified. 513 3.2. Organizational Domain 515 The Organizational Domain is determined using the following 516 algorithm: 518 1. Acquire a "public suffix" list, i.e., a list of DNS domain names 519 reserved for registrations. Some country Top-Level Domains 520 (TLDs) make specific registration requirements, e.g., the United 521 Kingdom places company registrations under ".co.uk"; other TLDs 522 such as ".com" appear in the IANA registry of top-level DNS 523 domains. A public suffix list is the union of all of these. 524 Appendix A.6.1 contains some discussion about obtaining a public 525 suffix list. 527 2. Break the subject DNS domain name into a set of "n" ordered 528 labels. Number these labels from right to left; e.g., for 529 "example.com", "com" would be label 1 and "example" would be 530 label 2. 532 3. Search the public suffix list for the name that matches the 533 largest number of labels found in the subject DNS domain. Let 534 that number be "x". 536 4. Construct a new DNS domain name using the name that matched from 537 the public suffix list and prefixing to it the "x+1"th label from 538 the subject domain. This new name is the Organizational Domain. 540 Thus, since "com" is an IANA-registered TLD, a subject domain of 541 "a.b.c.d.example.com" would have an Organizational Domain of 542 "example.com". 544 The process of determining a suffix is currently a heuristic one. No 545 list is guaranteed to be accurate or current. 547 In addition to Mediators, mail that is sent by authorized, 548 independent third parties might not be sent with Identifier 549 Alignment, also preventing a "pass" result. 551 Issues specific to the use of policy mechanisms alongside DKIM are 552 further discussed in [RFC6377], particularly Section 5.2. 554 4. Overview 556 This section provides a general overview of the design and operation 557 of the DMARC environment. 559 4.1. Authentication Mechanisms 561 The following mechanisms for determining Authenticated Identifiers 562 are supported in this version of DMARC: 564 * [RFC6376], which provides a domain-level identifier in the content 565 of the "d=" tag of a validated DKIM-Signature header field. 567 * [RFC3986], which can authenticate both the domain found in an 568 [RFC5322] HELO/EHLO command (the HELO identity) and the domain 569 found in an SMTP MAIL command (the MAIL FROM identity). DMARC 570 uses the result of SPF authentication of the MAIL FROM identity. 571 Section 2.4 of [RFC7208] describes MAIL FROM processing for cases 572 in which the MAIL command has a null path. 574 4.2. Key Concepts 576 DMARC policies are published by the Domain Owner, and retrieved by 577 the Mail Receiver during the SMTP session, via the DNS. 579 DMARC's filtering function is based on whether the RFC5322.From field 580 domain is aligned with (matches) an authenticated domain name from 581 SPF or DKIM. When a DMARC policy is published for the domain name 582 found in the RFC5322.From field, and that domain name is not 583 validated through SPF or DKIM, the disposition of that message can be 584 affected by that DMARC policy when delivered to a participating 585 receiver. 587 It is important to note that the authentication mechanisms employed 588 by DMARC authenticate only a DNS domain and do not authenticate the 589 local-part of any email address identifier found in a message, nor do 590 they validate the legitimacy of message content. 592 DMARC's feedback component involves the collection of information 593 about received messages claiming to be from the Organizational Domain 594 for periodic aggregate reports to the Domain Owner. The parameters 595 and format for such reports are discussed in later sections of this 596 document. 598 A DMARC-enabled Mail Receiver might also generate per-message reports 599 that contain information related to individual messages that fail SPF 600 and/or DKIM. Per-message failure reports are a useful source of 601 information when debugging deployments (if messages can be determined 602 to be legitimate even though failing authentication) or in analyzing 603 attacks. The capability for such services is enabled by DMARC but 604 defined in other referenced material such as [RFC6591]. 606 A message satisfies the DMARC checks if at least one of the supported 607 authentication mechanisms: 609 1. produces a "pass" result, and 611 2. produces that result based on an identifier that is in alignment, 612 as defined in Section 3. 614 4.3. Flow Diagram 615 +---------------+ 616 | Author Domain |< . . . . . . . . . . . . . . . . . . . . . . . 617 +---------------+ . . . 618 | . . . 619 V V V . 620 +-----------+ +--------+ +----------+ +----------+ . 621 | MSA |<***>| DKIM | | DKIM | | SPF | . 622 | Service | | Signer | | Verifier | | Verifier | . 623 +-----------+ +--------+ +----------+ +----------+ . 624 | ^ ^ . 625 | ************** . 626 V * . 627 +------+ (~~~~~~~~~~~~) +------+ * . 628 | sMTA |------->( other MTAs )----->| rMTA | * . 629 +------+ (~~~~~~~~~~~~) +------+ * . 630 | * ........ 631 | * . 632 V * . 633 +-----------+ V V 634 +---------+ | MDA | +----------+ 635 | User |<--| Filtering |<***>| DMARC | 636 | Mailbox | | Engine | | Verifier | 637 +---------+ +-----------+ +----------+ 639 MSA = Mail Submission Agent 640 MDA = Mail Delivery Agent 642 The above diagram shows a simple flow of messages through a DMARC- 643 aware system. Solid lines denote the actual message flow, dotted 644 lines involve DNS queries used to retrieve message policy related to 645 the supported message authentication schemes, and asterisk lines 646 indicate data exchange between message-handling modules and message 647 authentication modules. "sMTA" is the sending MTA, and "rMTA" is the 648 receiving MTA. 650 In essence, the steps are as follows: 652 1. Domain Owner constructs an SPF policy and publishes it in its 653 DNS database as per [RFC7208]. Domain Owner also configures its 654 system for DKIM signing as described in [RFC6376]. Finally, 655 Domain Owner publishes via the DNS a DMARC message-handling 656 policy. 658 2. Author generates a message and hands the message to Domain 659 Owner's designated mail submission service. 661 3. Submission service passes relevant details to the DKIM signing 662 module in order to generate a DKIM signature to be applied to 663 the message. 665 4. Submission service relays the now-signed message to its 666 designated transport service for routing to its intended 667 recipient(s). 669 5. Message may pass through other relays but eventually arrives at 670 a recipient's transport service. 672 6. Recipient delivery service conducts SPF and DKIM authentication 673 checks by passing the necessary data to their respective 674 modules, each of which requires queries to the Author Domain's 675 DNS data (when identifiers are aligned; see below). 677 7. The results of these are passed to the DMARC module along with 678 the Author's domain. The DMARC module attempts to retrieve a 679 policy from the DNS for that domain. If none is found, the 680 DMARC module determines the Organizational Domain and repeats 681 the attempt to retrieve a policy from the DNS. (This is 682 described in further detail in Section 6.6.3.) 684 8. If a policy is found, it is combined with the Author's domain 685 and the SPF and DKIM results to produce a DMARC policy result (a 686 "pass" or "fail") and can optionally cause one of two kinds of 687 reports to be generated (not shown). 689 9. Recipient transport service either delivers the message to the 690 recipient inbox or takes other local policy action based on the 691 DMARC result (not shown). 693 10. When requested, Recipient transport service collects data from 694 the message delivery session to be used in providing feedback 695 (see Section 7). 697 5. Use of RFC5322.From 699 One of the most obvious points of security scrutiny for DMARC is the 700 choice to focus on an identifier, namely the RFC5322.From address, 701 which is part of a body of data that has been trivially forged 702 throughout the history of email. 704 Several points suggest that it is the most correct and safest thing 705 to do in this context: 707 * Of all the identifiers that are part of the message itself, this 708 is the only one guaranteed to be present. 710 * It seems the best choice of an identifier on which to focus, as 711 most MUAs display some or all of the contents of that field in a 712 manner strongly suggesting those data as reflective of the true 713 originator of the message. 715 The absence of a single, properly formed RFC5322.From field renders 716 the message invalid. Handling of such a message is outside of the 717 scope of this specification. 719 Since the sorts of mail typically protected by DMARC participants 720 tend to only have single Authors, DMARC participants generally 721 operate under a slightly restricted profile of RFC5322 with respect 722 to the expected syntax of this field. See Section 6.6 for details. 724 6. Policy 726 DMARC policies are published by Domain Owners and applied by Mail 727 Receivers. 729 A Domain Owner advertises DMARC participation of one or more of its 730 domains by adding a DNS TXT record (described in Section 6.1) to 731 those domains. In doing so, Domain Owners make specific requests of 732 Mail Receivers regarding the disposition of messages purporting to be 733 from one of the Domain Owner's domains and the provision of feedback 734 about those messages. 736 A Domain Owner may choose not to participate in DMARC evaluation by 737 Mail Receivers. In this case, the Domain Owner simply declines to 738 advertise participation in those schemes. For example, if the 739 results of path authorization checks ought not be considered as part 740 of the overall DMARC result for a given Author Domain, then the 741 Domain Owner does not publish an SPF policy record that can produce 742 an SPF pass result. 744 A Mail Receiver implementing the DMARC mechanism SHOULD make a best- 745 effort attempt to adhere to the Domain Owner's published DMARC policy 746 when a message fails the DMARC test. Since email streams can be 747 complicated (due to forwarding, existing RFC5322.From domain-spoofing 748 services, etc.), Mail Receivers MAY deviate from a Domain Owner's 749 published policy during message processing and SHOULD make available 750 the fact of and reason for the deviation to the Domain Owner via 751 feedback reporting, specifically using the "PolicyOverride" feature 752 of the aggregate report (see Section 7.2). 754 6.1. DMARC Policy Record 756 Domain Owner DMARC preferences are stored as DNS TXT records in 757 subdomains named "_dmarc". For example, the Domain Owner of 758 "example.com" would post DMARC preferences in a TXT record at 759 "_dmarc.example.com". Similarly, a Mail Receiver wishing to query 760 for DMARC preferences regarding mail with an RFC5322.From domain of 761 "example.com" would issue a TXT query to the DNS for the subdomain of 762 "_dmarc.example.com". The DNS-located DMARC preference data will 763 hereafter be called the "DMARC record". 765 DMARC's use of the Domain Name Service is driven by DMARC's use of 766 domain names and the nature of the query it performs. The query 767 requirement matches with the DNS, for obtaining simple parametric 768 information. It uses an established method of storing the 769 information, associated with the target domain name, namely an 770 isolated TXT record that is restricted to the DMARC context. Use of 771 the DNS as the query service has the benefit of reusing an extremely 772 well-established operations, administration, and management 773 infrastructure, rather than creating a new one. 775 Per [RFC1035], a TXT record can comprise several "character-string" 776 objects. Where this is the case, the module performing DMARC 777 evaluation MUST concatenate these strings by joining together the 778 objects in order and parsing the result as a single string. 780 6.2. DMARC URIs 782 [RFC3986] defines a generic syntax for identifying a resource. The 783 DMARC mechanism uses this as the format by which a Domain Owner 784 specifies the destination for the two report types that are 785 supported. 787 The place such URIs are specified (see Section 6.3) allows a list of 788 these to be provided. A report is normally sent to each listed URI 789 in the order provided by the Domain Owner. Receivers MAY impose a 790 limit on the number of URIs to which they will send reports but MUST 791 support the ability to send to at least two. The list of URIs is 792 separated by commas (ASCII 0x2C). 794 Each URI can have associated with it a maximum report size that may 795 be sent to it. This is accomplished by appending an exclamation 796 point (ASCII 0x21), followed by a maximum-size indication, before a 797 separating comma or terminating semicolon. 799 Thus, a DMARC URI is a URI within which any commas or exclamation 800 points are percent-encoded per [RFC3986], followed by an OPTIONAL 801 exclamation point and a maximum-size specification, and, if there are 802 additional reporting URIs in the list, a comma and the next URI. 804 For example, the URI "mailto:reports@example.com!50m" would request 805 that a report be sent via email to "reports@example.com" so long as 806 the report payload does not exceed 50 megabytes. 808 A formal definition is provided in Section 6.4. 810 6.3. General Record Format 812 DMARC records follow the extensible "tag-value" syntax for DNS-based 813 key records defined in DKIM [RFC6376]. 815 Section 11 creates a registry for known DMARC tags and registers the 816 initial set defined in this document. Only tags defined in this 817 document or in later extensions, and thus added to that registry, are 818 to be processed; unknown tags MUST be ignored. 820 The following tags are introduced as the initial valid DMARC tags: 822 adkim: (plain-text; OPTIONAL; default is "r".) Indicates whether 823 strict or relaxed DKIM Identifier Alignment mode is required by 824 the Domain Owner. See Section 3.1.1 for details. Valid values 825 are as follows: 827 r: relaxed mode 829 s: strict mode 831 aspf: (plain-text; OPTIONAL; default is "r".) Indicates whether 832 strict or relaxed SPF Identifier Alignment mode is required by the 833 Domain Owner. See Section 3.1.2 for details. Valid values are as 834 follows: 836 r: relaxed mode 838 s: strict mode 840 fo: Failure reporting options (plain-text; OPTIONAL; default is "0") 841 Provides requested options for generation of failure reports. 842 Report generators MAY choose to adhere to the requested options. 843 This tag's content MUST be ignored if a "ruf" tag (below) is not 844 also specified. The value of this tag is a colon-separated list 845 of characters that indicate failure reporting options as follows: 847 0: Generate a DMARC failure report if all underlying 848 authentication mechanisms fail to produce an aligned "pass" 849 result. 851 1: Generate a DMARC failure report if any underlying 852 authentication mechanism produced something other than an 853 aligned "pass" result. 855 d: Generate a DKIM failure report if the message had a signature 856 that failed evaluation, regardless of its alignment. DKIM- 857 specific reporting is described in [RFC6651]. 859 s: Generate an SPF failure report if the message failed SPF 860 evaluation, regardless of its alignment. SPF-specific 861 reporting is described in [RFC6652]. 863 p: Requested Mail Receiver policy (plain-text; REQUIRED for policy 864 records). Indicates the policy to be enacted by the Receiver at 865 the request of the Domain Owner. Policy applies to the domain 866 queried and to subdomains, unless subdomain policy is explicitly 867 described using the "sp" tag. This tag is mandatory for policy 868 records only, but not for third-party reporting records (see 869 Section 7.1). Possible values are as follows: 871 none: The Domain Owner requests no specific action be taken 872 regarding delivery of messages. 874 quarantine: The Domain Owner wishes to have email that fails the 875 DMARC mechanism check be treated by Mail Receivers as 876 suspicious. Depending on the capabilities of the Mail 877 Receiver, this can mean "place into spam folder", "scrutinize 878 with additional intensity", and/or "flag as suspicious". 880 reject: The Domain Owner wishes for Mail Receivers to reject 881 email that fails the DMARC mechanism check. Rejection SHOULD 882 occur during the SMTP transaction. See Section 10.3 for some 883 discussion of SMTP rejection methods and their implications. 885 pct: (plain-text integer between 0 and 100, inclusive; OPTIONAL; 886 default is 100). Percentage of messages from the Domain Owner's 887 mail stream to which the DMARC policy is to be applied. However, 888 this MUST NOT be applied to the DMARC-generated reports, all of 889 which must be sent and received unhindered. The purpose of the 890 "pct" tag is to allow Domain Owners to enact a slow rollout 891 enforcement of the DMARC mechanism. The prospect of "all or 892 nothing" is recognized as preventing many organizations from 893 experimenting with strong authentication-based mechanisms. See 894 Section 6.6.4 for details. Note that random selection based on 895 this percentage, such as the following pseudocode, is adequate: 897 if (random mod 100) < pct then selected = true else selected = 898 false 900 rf: Format to be used for message-specific failure reports (colon- 901 separated plain-text list of values; OPTIONAL; default is "afrf"). 902 The value of this tag is a list of one or more report formats as 903 requested by the Domain Owner to be used when a message fails both 904 [RFC3986] and [RFC6376] tests to report details of the individual 905 failure. The values MUST be present in the registry of reporting 906 formats defined in Section 11; a Mail Receiver observing a 907 different value SHOULD ignore it or MAY ignore the entire DMARC 908 record. For this version, only "afrf" (the auth-failure report 909 type defined in [RFC6591]) is presently supported. See 910 Section 7.3 for details. For interoperability, the Authentication 911 Failure Reporting Format (AFRF) MUST be supported. 913 ri: Interval requested between aggregate reports (plain-text 32-bit 914 unsigned integer; OPTIONAL; default is 86400). Indicates a 915 request to Receivers to generate aggregate reports separated by no 916 more than the requested number of seconds. DMARC implementations 917 MUST be able to provide daily reports and SHOULD be able to 918 provide hourly reports when requested. However, anything other 919 than a daily report is understood to be accommodated on a best- 920 effort basis. 922 rua: Addresses to which aggregate feedback is to be sent (comma- 923 separated plain-text list of DMARC URIs; OPTIONAL). A comma or 924 exclamation point that is part of such a DMARC URI MUST be encoded 925 per Section 2.1 of [RFC3986] so as to distinguish it from the list 926 delimiter or an OPTIONAL size limit. Section 7.1 discusses 927 considerations that apply when the domain name of a URI differs 928 from that of the domain advertising the policy. See Section 12.5 929 for additional considerations. Any valid URI can be specified. A 930 Mail Receiver MUST implement support for a "mailto:" URI, i.e., 931 the ability to send a DMARC report via electronic mail. If not 932 provided, Mail Receivers MUST NOT generate aggregate feedback 933 reports. URIs not supported by Mail Receivers MUST be ignored. 934 The aggregate feedback report format is described in Section 7.2 936 ruf: Addresses to which message-specific failure information is to 937 be reported (comma-separated plain-text list of DMARC URIs; 938 OPTIONAL). If present, the Domain Owner is requesting Mail 939 Receivers to send detailed failure reports about messages that 940 fail the DMARC evaluation in specific ways (see the "fo" tag 941 above). The format of the message to be generated MUST follow the 942 format specified for the "rf" tag. Section 7.1 discusses 943 considerations that apply when the domain name of a URI differs 944 from that of the domain advertising the policy. A Mail Receiver 945 MUST implement support for a "mailto:" URI, i.e., the ability to 946 send a DMARC report via electronic mail. If not provided, Mail 947 Receivers MUST NOT generate failure reports. See Section 12.5 for 948 additional considerations. 950 sp: Requested Mail Receiver policy for all subdomains (plain-text; 951 OPTIONAL). Indicates the policy to be enacted by the Receiver at 952 the request of the Domain Owner. It applies only to subdomains of 953 the domain queried and not to the domain itself. Its syntax is 954 identical to that of the "p" tag defined above. If absent, the 955 policy specified by the "p" tag MUST be applied for subdomains. 956 Note that "sp" will be ignored for DMARC records published on 957 subdomains of Organizational Domains due to the effect of the 958 DMARC policy discovery mechanism described in Section 6.6.3. 960 v: Version (plain-text; REQUIRED). Identifies the record retrieved 961 as a DMARC record. It MUST have the value of "DMARC1". The value 962 of this tag MUST match precisely; if it does not or it is absent, 963 the entire retrieved record MUST be ignored. It MUST be the first 964 tag in the list. 966 A DMARC policy record MUST comply with the formal specification found 967 in Section 6.4 in that the "v" and "p" tags MUST be present and MUST 968 appear in that order. Unknown tags MUST be ignored. Syntax errors 969 in the remainder of the record SHOULD be discarded in favor of 970 default values (if any) or ignored outright. 972 Note that given the rules of the previous paragraph, addition of a 973 new tag into the registered list of tags does not itself require a 974 new version of DMARC to be generated (with a corresponding change to 975 the "v" tag's value), but a change to any existing tags does require 976 a new version of DMARC. 978 6.4. Formal Definition 980 The formal definition of the DMARC format, using [RFC5234], is as 981 follows: 983 [FIXTHIS: Reference to [RFC3986] in code block] 985 dmarc-uri = URI [ "!" 1*DIGIT [ "k" / "m" / "g" / "t" ] ] 986 ; "URI" is imported from [RFC3986]; commas (ASCII 987 ; 0x2C) and exclamation points (ASCII 0x21) 988 ; MUST be encoded; the numeric portion MUST fit 989 ; within an unsigned 64-bit integer 991 dmarc-record = dmarc-version dmarc-sep 992 [dmarc-request] 994 [dmarc-sep dmarc-srequest] 995 [dmarc-sep dmarc-auri] 996 [dmarc-sep dmarc-furi] 997 [dmarc-sep dmarc-adkim] 998 [dmarc-sep dmarc-aspf] 999 [dmarc-sep dmarc-ainterval] 1000 [dmarc-sep dmarc-fo] 1001 [dmarc-sep dmarc-rfmt] 1002 [dmarc-sep dmarc-percent] 1003 [dmarc-sep] 1004 ; components other than dmarc-version and 1005 ; dmarc-request may appear in any order 1007 dmarc-version = "v" *WSP "=" *WSP %x44 %x4d %x41 %x52 %x43 %x31 1009 dmarc-sep = *WSP %x3b *WSP 1011 dmarc-request = "p" *WSP "=" *WSP 1012 ( "none" / "quarantine" / "reject" ) 1014 dmarc-srequest = "sp" *WSP "=" *WSP 1015 ( "none" / "quarantine" / "reject" ) 1017 dmarc-auri = "rua" *WSP "=" *WSP 1018 dmarc-uri *(*WSP "," *WSP dmarc-uri) 1020 dmarc-furi = "ruf" *WSP "=" *WSP 1021 dmarc-uri *(*WSP "," *WSP dmarc-uri) 1023 dmarc-adkim = "adkim" *WSP "=" *WSP 1024 ( "r" / "s" ) 1026 dmarc-aspf = "aspf" *WSP "=" *WSP 1027 ( "r" / "s" ) 1029 dmarc-ainterval = "ri" *WSP "=" *WSP 1*DIGIT 1031 dmarc-fo = "fo" *WSP "=" *WSP 1032 ( "0" / "1" / "d" / "s" ) 1033 *(*WSP ":" *WSP ( "0" / "1" / "d" / "s" )) 1035 dmarc-rfmt = "rf" *WSP "=" *WSP Keyword *(*WSP ":" Keyword) 1036 ; registered reporting formats only 1038 dmarc-percent = "pct" *WSP "=" *WSP 1039 1*3DIGIT 1041 "Keyword" is imported from Section 4.1.2 of [RFC5321]. 1043 A size limitation in a dmarc-uri, if provided, is interpreted as a 1044 count of units followed by an OPTIONAL unit size ("k" for kilobytes, 1045 "m" for megabytes, "g" for gigabytes, "t" for terabytes). Without a 1046 unit, the number is presumed to be a basic byte count. Note that the 1047 units are considered to be powers of two; a kilobyte is 2^10, a 1048 megabyte is 2^20, etc. 1050 6.5. Domain Owner Actions 1052 To implement the DMARC mechanism, the only action required of a 1053 Domain Owner is the creation of the DMARC policy record in the DNS. 1054 However, in order to make meaningful use of DMARC, a Domain Owner 1055 must at minimum either establish an address to receive reports, or 1056 deploy authentication technologies and ensure Identifier Alignment. 1057 Most Domain Owners will want to do both. 1059 DMARC reports will be of significant size, and the addresses that 1060 receive them are publicly visible, so we encourage Domain Owners to 1061 set up dedicated email addresses to receive and process reports, and 1062 to deploy abuse countermeasures on those email addresses as 1063 appropriate. 1065 Authentication technologies are discussed in [RFC6376] (see also 1066 [RFC5585] and [RFC5863]) and [RFC7208]. 1068 6.6. Mail Receiver Actions 1070 This section describes receiver actions in the DMARC environment. 1072 6.6.1. Extract Author Domain 1074 The domain in the RFC5322.From field is extracted as the domain to be 1075 evaluated by DMARC. If the domain is encoded with UTF-8, the domain 1076 name must be converted to an A-label, as described in Section 2.3 of 1077 [RFC5890], for further processing. 1079 In order to be processed by DMARC, a message typically needs to 1080 contain exactly one RFC5322.From domain (a single From: field with a 1081 single domain in it). Not all messages meet this requirement, and 1082 handling of them is outside of the scope of this document. Typical 1083 exceptions, and the way they have been historically handled by DMARC 1084 participants, are as follows: 1086 * Messages with multiple RFC5322.From fields are typically rejected, 1087 since that form is forbidden under RFC 5322 [RFC5322]; 1089 * Messages bearing a single RFC5322.From field containing multiple 1090 addresses (and, thus, multiple domain names to be evaluated) are 1091 typically rejected because the sorts of mail normally protected by 1092 DMARC do not use this format; 1094 * Messages that have no RFC5322.From field at all are typically 1095 rejected, since that form is forbidden under RFC 5322 [RFC5322]; 1097 * Messages with an RFC5322.From field that contains no meaningful 1098 domains, such as RFC 5322 [RFC5322]'s "group" syntax, are 1099 typically ignored. 1101 The case of a syntactically valid multi-valued RFC5322.From field 1102 presents a particular challenge. The process in this case is to 1103 apply the DMARC check using each of those domains found in the 1104 RFC5322.From field as the Author Domain and apply the most strict 1105 policy selected among the checks that fail. 1107 6.6.2. Determine Handling Policy 1109 To arrive at a policy for an individual message, Mail Receivers MUST 1110 perform the following actions or their semantic equivalents. Steps 1111 2-4 MAY be done in parallel, whereas steps 5 and 6 require input from 1112 previous steps. 1114 The steps are as follows: 1116 1. Extract the RFC5322.From domain from the message (as above). 1118 2. Query the DNS for a DMARC policy record. Continue if one is 1119 found, or terminate DMARC evaluation otherwise. See 1120 Section 6.6.3 for details. 1122 3. Perform DKIM signature verification checks. A single email could 1123 contain multiple DKIM signatures. The results of this step are 1124 passed to the remainder of the algorithm and MUST include the 1125 value of the "d=" tag from each checked DKIM signature. 1127 4. Perform SPF validation checks. The results of this step are 1128 passed to the remainder of the algorithm and MUST include the 1129 domain name used to complete the SPF check. 1131 5. Conduct Identifier Alignment checks. With authentication checks 1132 and policy discovery performed, the Mail Receiver checks to see 1133 if Authenticated Identifiers fall into alignment as described in 1134 Section 3. If one or more of the Authenticated Identifiers align 1135 with the RFC5322.From domain, the message is considered to pass 1136 the DMARC mechanism check. All other conditions (authentication 1137 failures, identifier mismatches) are considered to be DMARC 1138 mechanism check failures. 1140 6. Apply policy. Emails that fail the DMARC mechanism check are 1141 disposed of in accordance with the discovered DMARC policy of the 1142 Domain Owner. See Section 6.3 for details. 1144 Heuristics applied in the absence of use by a Domain Owner of either 1145 SPF or DKIM (e.g., [Best-Guess-SPF]) SHOULD NOT be used, as it may be 1146 the case that the Domain Owner wishes a Message Receiver not to 1147 consider the results of that underlying authentication protocol at 1148 all. 1150 DMARC evaluation can only yield a "pass" result after one of the 1151 underlying authentication mechanisms passes for an aligned 1152 identifier. If neither passes and one or both of them fail due to a 1153 temporary error, the Receiver evaluating the message is unable to 1154 conclude that the DMARC mechanism had a permanent failure; they 1155 therefore cannot apply the advertised DMARC policy. When otherwise 1156 appropriate, Receivers MAY send feedback reports regarding temporary 1157 errors. 1159 Handling of messages for which SPF and/or DKIM evaluation encounter a 1160 permanent DNS error is left to the discretion of the Mail Receiver. 1162 6.6.3. Policy Discovery 1164 As stated above, the DMARC mechanism uses DNS TXT records to 1165 advertise policy. Policy discovery is accomplished via a method 1166 similar to the method used for SPF records. This method, and the 1167 important differences between DMARC and SPF mechanisms, are discussed 1168 below. 1170 To balance the conflicting requirements of supporting wildcarding, 1171 allowing subdomain policy overrides, and limiting DNS query load, the 1172 following DNS lookup scheme is employed: 1174 1. Mail Receivers MUST query the DNS for a DMARC TXT record at the 1175 DNS domain matching the one found in the RFC5322.From domain in 1176 the message. A possibly empty set of records is returned. 1178 2. Records that do not start with a "v=" tag that identifies the 1179 current version of DMARC are discarded. 1181 3. If the set is now empty, the Mail Receiver MUST query the DNS for 1182 a DMARC TXT record at the DNS domain matching the Organizational 1183 Domain in place of the RFC5322.From domain in the message (if 1184 different). This record can contain policy to be asserted for 1185 subdomains of the Organizational Domain. A possibly empty set of 1186 records is returned. 1188 4. Records that do not start with a "v=" tag that identifies the 1189 current version of DMARC are discarded. 1191 5. If the remaining set contains multiple records or no records, 1192 policy discovery terminates and DMARC processing is not applied 1193 to this message. 1195 6. If a retrieved policy record does not contain a valid "p" tag, or 1196 contains an "sp" tag that is not valid, then: 1198 1. if a "rua" tag is present and contains at least one 1199 syntactically valid reporting URI, the Mail Receiver SHOULD 1200 act as if a record containing a valid "v" tag and "p=none" 1201 was retrieved, and continue processing; 1203 2. otherwise, the Mail Receiver applies no DMARC processing to 1204 this message. 1206 If the set produced by the mechanism above contains no DMARC policy 1207 record (i.e., any indication that there is no such record as opposed 1208 to a transient DNS error), Mail Receivers SHOULD NOT apply the DMARC 1209 mechanism to the message. 1211 Handling of DNS errors when querying for the DMARC policy record is 1212 left to the discretion of the Mail Receiver. For example, to ensure 1213 minimal disruption of mail flow, transient errors could result in 1214 delivery of the message ("fail open"), or they could result in the 1215 message being temporarily rejected (i.e., an SMTP 4yx reply), which 1216 invites the sending MTA to try again after the condition has possibly 1217 cleared, allowing a definite DMARC conclusion to be reached ("fail 1218 closed"). 1220 6.6.4. Message Sampling 1222 If the "pct" tag is present in the policy record, the Mail Receiver 1223 MUST NOT enact the requested policy ("p" tag or "sp" tag") on more 1224 than the stated percent of the totality of affected messages. 1225 However, regardless of whether or not the "pct" tag is present, the 1226 Mail Receiver MUST include all relevant message data in any reports 1227 produced. 1229 If email is subject to the DMARC policy of "quarantine", the Mail 1230 Receiver SHOULD quarantine the message. If the email is not subject 1231 to the "quarantine" policy (due to the "pct" tag), the Mail Receiver 1232 SHOULD apply local message classification as normal. 1234 If email is subject to the DMARC policy of "reject", the Mail 1235 Receiver SHOULD reject the message (see Section 10.3). If the email 1236 is not subject to the "reject" policy (due to the "pct" tag), the 1237 Mail Receiver SHOULD treat the email as though the "quarantine" 1238 policy applies. This behavior allows Domain Owners to experiment 1239 with progressively stronger policies without relaxing existing 1240 policy. 1242 Mail Receivers implement "pct" via statistical mechanisms that 1243 achieve a close approximation to the requested percentage and provide 1244 a representative sample across a reporting period. 1246 6.6.5. Store Results of DMARC Processing 1248 The results of Mail Receiver-based DMARC processing should be stored 1249 for eventual presentation back to the Domain Owner in the form of 1250 aggregate feedback reports. Section 6.3 and Section 7.2 discuss 1251 aggregate feedback. 1253 6.7. Policy Enforcement Considerations 1255 Mail Receivers MAY choose to reject or quarantine email even if email 1256 passes the DMARC mechanism check. The DMARC mechanism does not 1257 inform Mail Receivers whether an email stream is "good". Mail 1258 Receivers are encouraged to maintain anti-abuse technologies to 1259 combat the possibility of DMARC-enabled criminal campaigns. 1261 Mail Receivers MAY choose to accept email that fails the DMARC 1262 mechanism check even if the Domain Owner has published a "reject" 1263 policy. Mail Receivers need to make a best effort not to increase 1264 the likelihood of accepting abusive mail if they choose not to comply 1265 with a Domain Owner's reject, against policy. At a minimum, addition 1266 of the Authentication-Results header field (see [RFC8601]) is 1267 RECOMMENDED when delivery of failing mail is done. When this is 1268 done, the DNS domain name thus recorded MUST be encoded as an 1269 A-label. 1271 Mail Receivers are only obligated to report reject or quarantine 1272 policy actions in aggregate feedback reports that are due to DMARC 1273 policy. They are not required to report reject or quarantine actions 1274 that are the result of local policy. If local policy information is 1275 exposed, abusers can gain insight into the effectiveness and delivery 1276 rates of spam campaigns. 1278 Final disposition of a message is always a matter of local policy. 1279 An operator that wishes to favor DMARC policy over SPF policy, for 1280 example, will disregard the SPF policy, since enacting an SPF- 1281 determined rejection prevents evaluation of DKIM; DKIM might 1282 otherwise pass, satisfying the DMARC evaluation. There is a trade- 1283 off to doing so, namely acceptance and processing of the entire 1284 message body in exchange for the enhanced protection DMARC provides. 1286 DMARC-compliant Mail Receivers typically disregard any mail-handling 1287 directive discovered as part of an authentication mechanism (e.g., 1288 Author Domain Signing Practices (ADSP), SPF) where a DMARC record is 1289 also discovered that specifies a policy other than "none". Deviating 1290 from this practice introduces inconsistency among DMARC operators in 1291 terms of handling of the message. However, such deviation is not 1292 proscribed. 1294 To enable Domain Owners to receive DMARC feedback without impacting 1295 existing mail processing, discovered policies of "p=none" SHOULD NOT 1296 modify existing mail disposition processing. 1298 Mail Receivers SHOULD also implement reporting instructions of DMARC, 1299 even in the absence of a request for DKIM reporting [RFC6651] or SPF 1300 reporting [RFC6652]. Furthermore, the presence of such requests 1301 SHOULD NOT affect DMARC reporting. 1303 7. DMARC Feedback 1305 Providing Domain Owners with visibility into how Mail Receivers 1306 implement and enforce the DMARC mechanism in the form of feedback is 1307 critical to establishing and maintaining accurate authentication 1308 deployments. When Domain Owners can see what effect their policies 1309 and practices are having, they are better willing and able to use 1310 quarantine and reject policies. 1312 7.1. Verifying External Destinations 1314 It is possible to specify destinations for the different reports that 1315 are outside the authority of the Domain Owner making the request. 1316 This allows domains that do not operate mail servers to request 1317 reports and have them go someplace that is able to receive and 1318 process them. 1320 Without checks, this would allow a bad actor to publish a DMARC 1321 policy record that requests that reports be sent to a victim address, 1322 and then send a large volume of mail that will fail both DKIM and SPF 1323 checks to a wide variety of destinations; the victim will in turn be 1324 flooded with unwanted reports. Therefore, a verification mechanism 1325 is included. 1327 When a Mail Receiver discovers a DMARC policy in the DNS, and the 1328 Organizational Domain at which that record was discovered is not 1329 identical to the Organizational Domain of the host part of the 1330 authority component of a [RFC3986] specified in the "rua" or "ruf" 1331 tag, the following verification steps are to be taken: 1333 1. Extract the host portion of the authority component of the URI. 1334 Call this the "destination host", as it refers to a Report 1335 Receiver. 1337 2. Prepend the string "_report._dmarc". 1339 3. Prepend the domain name from which the policy was retrieved, 1340 after conversion to an A-label if needed. 1342 4. Query the DNS for a TXT record at the constructed name. If the 1343 result of this request is a temporary DNS error of some kind 1344 (e.g., a timeout), the Mail Receiver MAY elect to temporarily 1345 fail the delivery so the verification test can be repeated later. 1347 5. For each record returned, parse the result as a series of 1348 "tag=value" pairs, i.e., the same overall format as the policy 1349 record (see Section 6.4). In particular, the "v=DMARC1;" tag is 1350 mandatory and MUST appear first in the list. Discard any that do 1351 not pass this test. 1353 6. If the result includes no TXT resource records that pass basic 1354 parsing, a positive determination of the external reporting 1355 relationship cannot be made; stop. 1357 7. If at least one TXT resource record remains in the set after 1358 parsing, then the external reporting arrangement was authorized 1359 by the Report Receiver. 1361 8. If a "rua" or "ruf" tag is thus discovered, replace the 1362 corresponding value extracted from the domain's DMARC policy 1363 record with the one found in this record. This permits the 1364 Report Receiver to override the report destination. However, to 1365 prevent loops or indirect abuse, the overriding URI MUST use the 1366 same destination host from the first step. 1368 For example, if a DMARC policy query for "blue.example.com" contained 1369 "rua=mailto:reports@red.example.net", the host extracted from the 1370 latter ("red.example.net") does not match "blue.example.com", so this 1371 procedure is enacted. A TXT query for 1372 "blue.example.com._report._dmarc.red.example.net" is issued. If a 1373 single reply comes back containing a tag of "v=DMARC1;", then the 1374 relationship between the two is confirmed. Moreover, 1375 "red.example.net" has the opportunity to override the report 1376 destination requested by "blue.example.com" if needed. 1378 Where the above algorithm fails to confirm that the external 1379 reporting was authorized by the Report Receiver, the URI MUST be 1380 ignored by the Mail Receiver generating the report. Further, if the 1381 confirming record includes a URI whose host is again different than 1382 the domain publishing that override, the Mail Receiver generating the 1383 report MUST NOT generate a report to either the original or the 1384 override URI. 1386 A Report Receiver publishes such a record in its DNS if it wishes to 1387 receive reports for other domains. 1389 A Report Receiver that is willing to receive reports for any domain 1390 can use a wildcard DNS record. For example, a TXT resource record at 1391 "*._report._dmarc.example.com" containing at least "v=DMARC1;" 1392 confirms that example.com is willing to receive DMARC reports for any 1393 domain. 1395 If the Report Receiver is overcome by volume, it can simply remove 1396 the confirming DNS record. However, due to positive caching, the 1397 change could take as long as the time-to-live (TTL) on the record to 1398 go into effect. 1400 A Mail Receiver might decide not to enact this procedure if, for 1401 example, it relies on a local list of domains for which external 1402 reporting addresses are permitted. 1404 7.2. Aggregate Reports 1406 The DMARC aggregate feedback report is designed to provide Domain 1407 Owners with precise insight into: 1409 * authentication results, 1411 * corrective action that needs to be taken by Domain Owners, and 1413 * the effect of Domain Owner DMARC policy on email streams processed 1414 by Mail Receivers. 1416 Aggregate DMARC feedback provides visibility into real-world email 1417 streams that Domain Owners need to make informed decisions regarding 1418 the publication of DMARC policy. When Domain Owners know what 1419 legitimate mail they are sending, what the authentication results are 1420 on that mail, and what forged mail receivers are getting, they can 1421 make better decisions about the policies they need and the steps they 1422 need to take to enable those policies. When Domain Owners set 1423 policies appropriately and understand their effects, Mail Receivers 1424 can act on them confidently. 1426 Visibility comes in the form of daily (or more frequent) Mail 1427 Receiver-originated feedback reports that contain aggregate data on 1428 message streams relevant to the Domain Owner. This information 1429 includes data about messages that passed DMARC authentication as well 1430 as those that did not. 1432 The format for these reports is defined in Appendix C. 1434 The report SHOULD include the following data: 1436 * The DMARC policy discovered and applied, if any 1438 * The selected message disposition 1440 * The identifier evaluated by SPF and the SPF result, if any 1442 * The identifier evaluated by DKIM and the DKIM result, if any 1444 * For both DKIM and SPF, an indication of whether the identifier was 1445 in alignment 1447 * Data for each Domain Owner's subdomain separately from mail from 1448 the sender's Organizational Domain, even if there is no explicit 1449 subdomain policy 1451 * Sending and receiving domains 1453 * The policy requested by the Domain Owner and the policy actually 1454 applied (if different) 1456 * The number of successful authentications 1458 * The counts of messages based on all messages received, even if 1459 their delivery is ultimately blocked by other filtering agents 1461 Note that Domain Owners or their agents may change the published 1462 DMARC policy for a domain or subdomain at any time. From a Mail 1463 Receiver's perspective, this will occur during a reporting period and 1464 may be noticed during that period, at the end of that period when 1465 reports are generated, or during a subsequent reporting period, all 1466 depending on the Mail Receiver's implementation. Under these 1467 conditions, it is possible that a Mail Receiver could do any of the 1468 following: 1470 * generate for such a reporting period a single aggregate report 1471 that includes message dispositions based on the old policy, or a 1472 mix of the two policies, even though the report only contains a 1473 single "policy_published" element; 1475 * generate multiple reports for the same period, one for each 1476 published policy occurring during the reporting period; 1478 * generate a report whose end time occurs when the updated policy 1479 was detected, regardless of any requested report interval. 1481 Such policy changes are expected to be infrequent for any given 1482 domain, whereas more stringent policy monitoring requirements on the 1483 Mail Receiver would produce a very large burden at Internet scale. 1484 Therefore, it is the responsibility of report consumers and Domain 1485 Owners to be aware of this situation and allow for such mixed reports 1486 during the propagation of the new policy to Mail Receivers. 1488 Aggregate reports are most useful when they all cover a common time 1489 period. By contrast, correlation of these reports from multiple 1490 generators when they cover incongruent time periods is difficult or 1491 impossible. Report generators SHOULD, wherever possible, adhere to 1492 hour boundaries for the reporting period they are using. For 1493 example, starting a per-day report at 00:00; starting per-hour 1494 reports at 00:00, 01:00, 02:00; etc. Report generators using a 1495 24-hour report period are strongly encouraged to begin that period at 1496 00:00 UTC, regardless of local timezone or time of report production, 1497 in order to facilitate correlation. 1499 A Mail Receiver discovers reporting requests when it looks up a DMARC 1500 policy record that corresponds to an RFC5322.From domain on received 1501 mail. The presence of the "rua" tag specifies where to send 1502 feedback. 1504 7.2.1. Transport 1506 Where the URI specified in a "rua" tag does not specify otherwise, a 1507 Mail Receiver generating a feedback report SHOULD employ a secure 1508 transport mechanism. 1510 The Mail Receiver, after preparing a report, MUST evaluate the 1511 provided reporting URIs in the order given. Any reporting URI that 1512 includes a size limitation exceeded by the generated report (after 1513 compression and after any encoding required by the particular 1514 transport mechanism) MUST NOT be used. An attempt MUST be made to 1515 deliver an aggregate report to every remaining URI, up to the 1516 Receiver's limits on supported URIs. 1518 If transport is not possible because the services advertised by the 1519 published URIs are not able to accept reports (e.g., the URI refers 1520 to a service that is unreachable, or all provided URIs specify size 1521 limits exceeded by the generated record), the Mail Receiver SHOULD 1522 send a short report (see Section 7.2.2) indicating that a report is 1523 available but could not be sent. The Mail Receiver MAY cache that 1524 data and try again later, or MAY discard data that could not be sent. 1526 7.2.1.1. Email 1528 The message generated by the Mail Receiver MUST be a [RFC5322] 1529 message formatted per [RFC2045]. The aggregate report itself MUST be 1530 included in one of the parts of the message. A human-readable 1531 portion MAY be included as a MIME part (such as a text/plain part). 1533 The aggregate data MUST be an XML file that SHOULD be subjected to 1534 GZIP compression. Declining to apply compression can cause the 1535 report to be too large for a receiver to process (a commonly observed 1536 receiver limit is ten megabytes); doing the compression increases the 1537 chances of acceptance of the report at some compute cost. The 1538 aggregate data SHOULD be present using the media type "application/ 1539 gzip" if compressed (see [RFC6713]), and "text/xml" otherwise. The 1540 filename is typically constructed using the following ABNF: 1542 filename = receiver "!" policy-domain "!" begin-timestamp 1543 "!" end-timestamp [ "!" unique-id ] "." extension 1545 unique-id = 1*(ALPHA / DIGIT) 1547 receiver = domain 1548 ; imported from [@!RFC5322] 1550 policy-domain = domain 1552 begin-timestamp = 1*DIGIT 1553 ; seconds since 00:00:00 UTC January 1, 1970 1554 ; indicating start of the time range contained 1555 ; in the report 1557 end-timestamp = 1*DIGIT 1558 ; seconds since 00:00:00 UTC January 1, 1970 1559 ; indicating end of the time range contained 1560 ; in the report 1562 extension = "xml" / "xml.gz" 1564 The extension MUST be "xml" for a plain XML file, or "xml.gz" for an 1565 XML file compressed using GZIP. 1567 "unique-id" allows an optional unique ID generated by the Mail 1568 Receiver to distinguish among multiple reports generated 1569 simultaneously by different sources within the same Domain Owner. 1571 For example, this is a possible filename for the gzip file of a 1572 report to the Domain Owner "example.com" from the Mail Receiver 1573 "mail.receiver.example": 1575 mail.receiver.example!example.com!1013662812!1013749130.gz 1577 No specific MIME message structure is required. It is presumed that 1578 the aggregate reporting address will be equipped to extract MIME 1579 parts with the prescribed media type and filename and ignore the 1580 rest. 1582 Email streams carrying DMARC feedback data MUST conform to the DMARC 1583 mechanism, thereby resulting in an aligned "pass" (see Section 3.1). 1584 This practice minimizes the risk of report consumers processing 1585 fraudulent reports. 1587 The RFC5322.Subject field for individual report submissions SHOULD 1588 conform to the following ABNF: 1590 dmarc-subject = %x52.65.70.6f.72.74 1*FWS ; "Report" 1591 %x44.6f.6d.61.69.6e.3a 1*FWS ; "Domain:" 1592 domain-name 1*FWS ; from RFC 6376 1593 %x53.75.62.6d.69.74.74.65.72.3a ; "Submitter:" 1594 1*FWS domain-name 1*FWS 1595 %x52.65.70.6f.72.74.2d.49.44.3a ; "Report-ID:" 1596 msg-id ; from RFC 5322 1598 The first domain-name indicates the DNS domain name about which the 1599 report was generated. The second domain-name indicates the DNS 1600 domain name representing the Mail Receiver generating the report. 1601 The purpose of the Report-ID: portion of the field is to enable the 1602 Domain Owner to identify and ignore duplicate reports that might be 1603 sent by a Mail Receiver. 1605 For instance, this is a possible Subject field for a report to the 1606 Domain Owner "example.com" from the Mail Receiver 1607 "mail.receiver.example". It is line-wrapped as allowed by [RFC5322]: 1609 Subject: Report Domain: example.com 1610 Submitter: mail.receiver.example 1611 Report-ID: <2002.02.15.1> 1613 This transport mechanism potentially encounters a problem when 1614 feedback data size exceeds maximum allowable attachment sizes for 1615 either the generator or the consumer. See Section 7.2.2 for further 1616 discussion. 1618 7.2.1.2. Other Methods 1620 The specification as written allows for the addition of other 1621 registered URI schemes to be supported in later versions. 1623 7.2.2. Error Reports 1625 When a Mail Receiver is unable to complete delivery of a report via 1626 any of the URIs listed by the Domain Owner, the Mail Receiver SHOULD 1627 generate an error message. An attempt MUST be made to send this 1628 report to all listed "mailto" URIs, and it MAY also be sent to any or 1629 all other listed URIs. 1631 The error report MUST be formatted per [RFC2045]. A text/plain part 1632 MUST be included that contains field-value pairs such as those found 1633 in Section 2 of [RFC3464]. The fields required, which may appear in 1634 any order, are as follows: 1636 Report-Date: A [RFC5322]-formatted date expression indicating when 1637 the transport failure occurred. 1639 Report-Domain: The domain-name about which the failed report was 1640 generated. 1642 Report-ID: The Report-ID: that the report tried to use. 1644 Report-Size: The size, in bytes, of the report that was unable to be 1645 sent. This MUST represent the number of bytes that the Mail 1646 Receiver attempted to send. Where more than one transport system 1647 was attempted, the sizes may be different; in such cases, separate 1648 error reports MUST be generated so that this value matches the 1649 actual attempt that was made. 1651 Submitter: The domain-name representing the Mail Receiver that 1652 generated, but was unable to submit, the report. 1654 Submitting-URI: The URI(s) to which the Mail Receiver tried, but 1655 failed, to submit the report. 1657 An additional text/plain part MAY be included that gives a human- 1658 readable explanation of the above and MAY also include a URI that can 1659 be used to seek assistance. 1661 7.3. Failure Reports 1663 Failure reports are normally generated and sent almost immediately 1664 after the Mail Receiver detects a DMARC failure. Rather than waiting 1665 for an aggregate report, these reports are useful for quickly 1666 notifying the Domain Owners when there is an authentication failure. 1667 Whether the failure is due to an infrastructure problem or the 1668 message is inauthentic, failure reports also provide more information 1669 about the failed message than is available in an aggregate report. 1671 These reports SHOULD include any URI(s) from the message that failed 1672 authentication. These reports SHOULD include as much of the message 1673 and message header as is reasonable to support the Domain Owner's 1674 investigation into what caused the message to fail authentication and 1675 track down the sender. 1677 When a Domain Owner requests failure reports for the purpose of 1678 forensic analysis, and the Mail Receiver is willing to provide such 1679 reports, the Mail Receiver generates and sends a message using the 1680 format described in [RFC6591]; this document updates that reporting 1681 format, as described in Section 7.3.1. 1683 The destination(s) and nature of the reports are defined by the "ruf" 1684 and "fo" tags as defined in Section 6.3. 1686 Where multiple URIs are selected to receive failure reports, the 1687 report generator MUST make an attempt to deliver to each of them. 1689 An obvious consideration is the denial-of-service attack that can be 1690 perpetrated by an attacker who sends numerous messages purporting to 1691 be from the intended victim Domain Owner but that fail both SPF and 1692 DKIM; this would cause participating Mail Receivers to send failure 1693 reports to the Domain Owner or its delegate in potentially huge 1694 volumes. Accordingly, participating Mail Receivers are encouraged to 1695 aggregate these reports as much as is practical, using the Incidents 1696 field of the Abuse Reporting Format ([RFC5965]). Various aggregation 1697 techniques are possible, including the following: 1699 * only send a report to the first recipient of multi-recipient 1700 messages; 1702 * store reports for a period of time before sending them, allowing 1703 detection, collection, and reporting of like incidents; 1705 * apply rate limiting, such as a maximum number of reports per 1706 minute that will be generated (and the remainder discarded). 1708 7.3.1. Reporting Format Update 1710 Operators implementing this specification also implement an augmented 1711 version of [RFC6591] as follows: 1713 1. A DMARC failure report includes the following ARF header fields, 1714 with the indicated normative requirement levels: 1716 * Identity-Alignment (REQUIRED; defined below) 1718 * Delivery-Result (OPTIONAL) 1720 * DKIM-Domain, DKIM-Identity, DKIM-Selector (REQUIRED if the 1721 message was signed by DKIM) 1723 * DKIM-Canonicalized-Header, DKIM-Canonicalized-Body (OPTIONAL 1724 if the message was signed by DKIM) 1726 * SPF-DNS (REQUIRED) 1728 2. The "Identity-Alignment" field is defined to contain a comma- 1729 separated list of authentication mechanism names that produced an 1730 aligned identity, or the keyword "none" if none did. ABNF: 1732 id-align = "Identity-Alignment:" [CFWS] 1733 ( "none" / 1734 dmarc-method *( [CFWS] "," [CFWS] dmarc-method ) ) 1735 [CFWS] 1737 dmarc-method = ( "dkim" / "spf" ) 1738 ; each may appear at most once in an id-align 1740 3. Authentication Failure Type "dmarc" is defined, which is to be 1741 used when a failure report is generated because some or all of 1742 the authentication mechanisms failed to produce aligned 1743 identifiers. Note that a failure report generator MAY also 1744 independently produce an AFRF message for any or all of the 1745 underlying authentication methods. 1747 8. Minimum Implementations 1749 A minimum implementation of DMARC has the following characteristics: 1751 * Is able to send and/or receive reports at least daily; 1753 * Is able to send and/or receive reports using "mailto" URIs; 1754 * Other than in exceptional circumstances such as resource 1755 exhaustion, can generate or accept a report up to ten megabytes in 1756 size; 1758 * If acting as a Mail Receiver, fully implements the provisions of 1759 Section 6.6. 1761 9. Privacy Considerations 1763 This section discusses security issues specific to private data that 1764 may be included in the interactions that are part of DMARC. 1766 9.1. Data Exposure Considerations 1768 Aggregate reports are limited in scope to DMARC policy and 1769 disposition results, to information pertaining to the underlying 1770 authentication mechanisms, and to the identifiers involved in DMARC 1771 validation. 1773 Failed-message reporting provides message-specific details pertaining 1774 to authentication failures. Individual reports can contain message 1775 content as well as trace header fields. Domain Owners are able to 1776 analyze individual reports and attempt to determine root causes of 1777 authentication mechanism failures, gain insight into 1778 misconfigurations or other problems with email and network 1779 infrastructure, or inspect messages for insight into abusive 1780 practices. 1782 Both report types may expose sender and recipient identifiers (e.g., 1783 RFC5322.From addresses), and although the [RFC6591] format used for 1784 failed-message reporting supports redaction, failed-message reporting 1785 is capable of exposing the entire message to the report recipient. 1787 Domain Owners requesting reports will receive information about mail 1788 claiming to be from them, which includes mail that was not, in fact, 1789 from them. Information about the final destination of mail where it 1790 might otherwise be obscured by intermediate systems will therefore be 1791 exposed. 1793 When message-forwarding arrangements exist, Domain Owners requesting 1794 reports will also receive information about mail forwarded to domains 1795 that were not originally part of their messages' recipient lists. 1796 This means that destination domains previously unknown to the Domain 1797 Owner may now become visible. 1799 Disclosure of information about the messages is being requested by 1800 the entity generating the email in the first place, i.e., the Domain 1801 Owner and not the Mail Receiver, so this may not fit squarely within 1802 existing privacy policy provisions. For some providers, aggregate 1803 reporting and failed-message reporting are viewed as a function 1804 similar to complaint reporting about spamming or phishing and are 1805 treated similarly under the privacy policy. Report generators (i.e., 1806 Mail Receivers) are encouraged to review their reporting limitations 1807 under such policies before enabling DMARC reporting. 1809 9.2. Report Recipients 1811 A DMARC record can specify that reports should be sent to an 1812 intermediary operating on behalf of the Domain Owner. This is done 1813 when the Domain Owner contracts with an entity to monitor mail 1814 streams for abuse and performance issues. Receipt by third parties 1815 of such data may or may not be permitted by the Mail Receiver's 1816 privacy policy, terms of use, or other similar governing document. 1817 Domain Owners and Mail Receivers should both review and understand if 1818 their own internal policies constrain the use and transmission of 1819 DMARC reporting. 1821 Some potential exists for report recipients to perform traffic 1822 analysis, making it possible to obtain metadata about the Receiver's 1823 traffic. In addition to verifying compliance with policies, 1824 Receivers need to consider that before sending reports to a third 1825 party. 1827 10. Other Topics 1829 This section discusses some topics regarding choices made in the 1830 development of DMARC, largely to commit the history to record. 1832 10.1. Issues Specific to SPF 1834 Though DMARC does not inherently change the semantics of an SPF 1835 policy record, historically lax enforcement of such policies has led 1836 many to publish extremely broad records containing many large network 1837 ranges. Domain Owners are strongly encouraged to carefully review 1838 their SPF records to understand which networks are authorized to send 1839 on behalf of the Domain Owner before publishing a DMARC record. 1841 Some receiver architectures might implement SPF in advance of any 1842 DMARC operations. This means that a "-" prefix on a sender's SPF 1843 mechanism, such as "-all", could cause that rejection to go into 1844 effect early in handling, causing message rejection before any DMARC 1845 processing takes place. Operators choosing to use "-all" should be 1846 aware of this. 1848 10.2. DNS Load and Caching 1850 DMARC policies are communicated using the DNS and therefore inherit a 1851 number of considerations related to DNS caching. The inherent 1852 conflict between freshness and the impact of caching on the reduction 1853 of DNS-lookup overhead should be considered from the Mail Receiver's 1854 point of view. Should Domain Owners publish a DNS record with a very 1855 short TTL, Mail Receivers can be provoked through the injection of 1856 large volumes of messages to overwhelm the Domain Owner's DNS. 1857 Although this is not a concern specific to DMARC, the implications of 1858 a very short TTL should be considered when publishing DMARC policies. 1860 Conversely, long TTLs will cause records to be cached for long 1861 periods of time. This can cause a critical change to DMARC 1862 parameters advertised by a Domain Owner to go unnoticed for the 1863 length of the TTL (while waiting for DNS caches to expire). Avoiding 1864 this problem can mean shorter TTLs, with the potential problems 1865 described above. A balance should be sought to maintain 1866 responsiveness of DMARC preference changes while preserving the 1867 benefits of DNS caching. 1869 10.3. Rejecting Messages 1871 This proposal calls for rejection of a message during the SMTP 1872 session under certain circumstances. This is preferable to 1873 generation of a Delivery Status Notification ([RFC3464]), since 1874 fraudulent messages caught and rejected using DMARC would then result 1875 in annoying generation of such failure reports that go back to the 1876 RFC5321.MailFrom address. 1878 This synchronous rejection is typically done in one of two ways: 1880 * Full rejection, wherein the SMTP server issues a 5xy reply code as 1881 an indication to the SMTP client that the transaction failed; the 1882 SMTP client is then responsible for generating notification that 1883 delivery failed (see Section 4.2.5 of [RFC5321]). 1885 * A "silent discard", wherein the SMTP server returns a 2xy reply 1886 code implying to the client that delivery (or, at least, relay) 1887 was successfully completed, but then simply discarding the message 1888 with no further action. 1890 Each of these has a cost. For instance, a silent discard can help to 1891 prevent backscatter, but it also effectively means that the SMTP 1892 server has to be programmed to give a false result, which can 1893 confound external debugging efforts. 1895 Similarly, the text portion of the SMTP reply may be important to 1896 consider. For example, when rejecting a message, revealing the 1897 reason for the rejection might give an attacker enough information to 1898 bypass those efforts on a later attempt, though it might also assist 1899 a legitimate client to determine the source of some local issue that 1900 caused the rejection. 1902 In the latter case, when doing an SMTP rejection, providing a clear 1903 hint can be useful in resolving issues. A receiver might indicate in 1904 plain text the reason for the rejection by using the word "DMARC" 1905 somewhere in the reply text. Many systems are able to scan the SMTP 1906 reply text to determine the nature of the rejection. Thus, providing 1907 a machine-detectable reason for rejection allows the problems causing 1908 rejections to be properly addressed by automated systems. For 1909 example: 1911 550 5.7.1 Email rejected per DMARC policy for example.com 1913 If a Mail Receiver elects to defer delivery due to inability to 1914 retrieve or apply DMARC policy, this is best done with a 4xy SMTP 1915 reply code. 1917 10.4. Identifier Alignment Considerations 1919 The DMARC mechanism allows both DKIM and SPF-authenticated 1920 identifiers to authenticate email on behalf of a Domain Owner and, 1921 possibly, on behalf of different subdomains. If malicious or unaware 1922 users can gain control of the SPF record or DKIM selector records for 1923 a subdomain, the subdomain can be used to generate DMARC-passing 1924 email on behalf of the Organizational Domain. 1926 For example, an attacker who controls the SPF record for 1927 "evil.example.com" can send mail with an RFC5322.From field 1928 containing "foo@example.com" that can pass both authentication and 1929 the DMARC check against "example.com". 1931 The Organizational Domain administrator should be careful not to 1932 delegate control of subdomains if this is an issue, and to consider 1933 using the "strict" Identifier Alignment option if appropriate. 1935 10.5. Interoperability Issues 1937 DMARC limits which end-to-end scenarios can achieve a "pass" result. 1939 Because DMARC relies on [RFC7208] and/or [RFC6376] to achieve a 1940 "pass", their limitations also apply. 1942 Additional DMARC constraints occur when a message is processed by 1943 some Mediators, such as mailing lists. Transiting a Mediator often 1944 causes either the authentication to fail or Identifier Alignment to 1945 be lost. These transformations may conform to standards but will 1946 still prevent a DMARC "pass". 1948 In addition to Mediators, mail that is sent by authorized, 1949 independent third parties might not be sent with Identifier 1950 Alignment, also preventing a "pass" result. 1952 Issues specific to the use of policy mechanisms alongside DKIM are 1953 further discussed in [RFC6377], particularly Section 5.2. 1955 11. IANA Considerations 1957 This section describes actions completed by IANA. 1959 11.1. Authentication-Results Method Registry Update 1961 IANA has added the following to the "Email Authentication Methods" 1962 registry: 1964 Method: dmarc 1966 Defined: RFC 7489 1968 ptype: header 1970 Property: from 1972 Value: the domain portion of the RFC5322.From field 1974 Status: active 1976 Version: 1 1978 11.2. Authentication-Results Result Registry Update 1980 IANA has added the following in the "Email Authentication Result 1981 Names" registry: 1983 Code: none 1985 Existing/New Code: existing 1987 Defined: [RFC8601] 1989 Auth Method: dmarc (added) 1990 Meaning: No DMARC policy record was published for the aligned 1991 identifier, or no aligned identifier could be extracted. 1993 Status: active 1995 Code: pass 1997 Existing/New Code: existing 1999 Defined: [RFC8601] 2001 Auth Method: dmarc (added) 2003 Meaning: A DMARC policy record was published for the aligned 2004 identifier, and at least one of the authentication mechanisms 2005 passed. 2007 Status: active 2009 Code: fail 2011 Existing/New Code: existing 2013 Defined: [RFC8601] 2015 Auth Method: dmarc (added) 2017 Meaning: A DMARC policy record was published for the aligned 2018 identifier, and none of the authentication mechanisms passed. 2020 Status: active 2022 Code: temperror 2024 Existing/New Code: existing 2026 Defined: [RFC8601] 2028 Auth Method: dmarc (added) 2030 Meaning: A temporary error occurred during DMARC evaluation. A 2031 later attempt might produce a final result. 2033 Status: active 2035 Code: permerror 2037 Existing/New Code: existing 2038 Defined: [RFC8601] 2040 Auth Method: dmarc (added) 2042 Meaning: A permanent error occurred during DMARC evaluation, such as 2043 encountering a syntactically incorrect DMARC record. A later 2044 attempt is unlikely to produce a final result. 2046 Status: active 2048 11.3. Feedback Report Header Fields Registry Update 2050 The following has been added to the "Feedback Report Header Fields" 2051 registry: 2053 Field Name: Identity-Alignment 2055 Description: indicates whether the message about which a report is 2056 being generated had any identifiers in alignment as defined in RFC 2057 7489 2059 Multiple Appearances: No 2061 Related "Feedback-Type": auth-failure 2063 Reference: RFC 7489 2065 Status: current 2067 11.4. DMARC Tag Registry 2069 A new registry tree called "Domain-based Message Authentication, 2070 Reporting, and Conformance (DMARC) Parameters" has been created. 2071 Within it, a new sub-registry called the "DMARC Tag Registry" has 2072 been created. 2074 Names of DMARC tags must be registered with IANA in this new sub- 2075 registry. New entries are assigned only for values that have been 2076 documented in a manner that satisfies the terms of Specification 2077 Required, per [RFC8126]. Each registration must include the tag 2078 name; the specification that defines it; a brief description; and its 2079 status, which must be one of "current", "experimental", or 2080 "historic". The Designated Expert needs to confirm that the provided 2081 specification adequately describes the new tag and clearly presents 2082 how it would be used within the DMARC context by Domain Owners and 2083 Mail Receivers. 2085 To avoid version compatibility issues, tags added to the DMARC 2086 specification are to avoid changing the semantics of existing records 2087 when processed by implementations conforming to prior specifications. 2089 The initial set of entries in this registry is as follows: 2091 +----------+-----------+---------+------------------------------+ 2092 | Tag Name | Reference | Status | Description | 2093 +==========+===========+=========+==============================+ 2094 | adkim | RFC 7489 | current | DKIM alignment mode | 2095 +----------+-----------+---------+------------------------------+ 2096 | aspf | RFC 7489 | current | SPF alignment mode | 2097 +----------+-----------+---------+------------------------------+ 2098 | fo | RFC 7489 | current | Failure reporting options | 2099 +----------+-----------+---------+------------------------------+ 2100 | p | RFC 7489 | current | Requested handling policy | 2101 +----------+-----------+---------+------------------------------+ 2102 | pct | RFC 7489 | current | Sampling rate | 2103 +----------+-----------+---------+------------------------------+ 2104 | rf | RFC 7489 | current | Failure reporting format(s) | 2105 +----------+-----------+---------+------------------------------+ 2106 | ri | RFC 7489 | current | Aggregate Reporting interval | 2107 +----------+-----------+---------+------------------------------+ 2108 | rua | RFC 7489 | current | Reporting URI(s) for | 2109 | | | | aggregate data | 2110 +----------+-----------+---------+------------------------------+ 2111 | ruf | RFC 7489 | current | Reporting URI(s) for failure | 2112 | | | | data | 2113 +----------+-----------+---------+------------------------------+ 2114 | sp | RFC 7489 | current | Requested handling policy | 2115 | | | | for subdomains | 2116 +----------+-----------+---------+------------------------------+ 2117 | v | RFC 7489 | current | Specification version | 2118 +----------+-----------+---------+------------------------------+ 2120 Table 1: "DMARC Tag Registry" 2122 11.5. DMARC Report Format Registry 2124 Also within "Domain-based Message Authentication, Reporting, and 2125 Conformance (DMARC) Parameters", a new sub-registry called "DMARC 2126 Report Format Registry" has been created. 2128 Names of DMARC failure reporting formats must be registered with IANA 2129 in this registry. New entries are assigned only for values that 2130 satisfy the definition of Specification Required, per [RFC8126]. In 2131 addition to a reference to a permanent specification, each 2132 registration must include the format name; a brief description; and 2133 its status, which must be one of "current", "experimental", or 2134 "historic". The Designated Expert needs to confirm that the provided 2135 specification adequately describes the report format and clearly 2136 presents how it would be used within the DMARC context by Domain 2137 Owners and Mail Receivers. 2139 The initial entry in this registry is as follows: 2141 +--------+-----------+---------+----------------------------------+ 2142 | Format | Reference | Status | Description | 2143 | Name | | | | 2144 +========+===========+=========+==================================+ 2145 | afrf | RFC 7489 | current | Authentication Failure Reporting | 2146 | | | | Format (see [RFC6591]) | 2147 +--------+-----------+---------+----------------------------------+ 2149 Table 2: "DMARC Report Format Registry" 2151 11.6. Underscored and Globally Scoped DNS Node Names Registry 2153 Per [!@RFC8552], please add the following entry to the "Underscored 2154 and Globally Scoped DNS Node Names" registry: 2156 +---------+------------+-----------+ 2157 | RR Type | _NODE NAME | Reference | 2158 +=========+============+===========+ 2159 | TXT | _dmarc | RFC 7489 | 2160 +---------+------------+-----------+ 2162 Table 3: "Underscored and 2163 Globally Scoped DNS Node Names" 2164 registry 2166 12. Security Considerations 2168 This section discusses security issues and possible remediations 2169 (where available) for DMARC. 2171 12.1. Authentication Methods 2173 Security considerations from the authentication methods used by DMARC 2174 are incorporated here by reference. 2176 12.2. Attacks on Reporting URIs 2178 URIs published in DNS TXT records are well-understood possible 2179 targets for attack. Specifications such as [RFC1035] and [RFC2142] 2180 either expose or cause the exposure of email addresses that could be 2181 flooded by an attacker, for example; MX, NS, and other records found 2182 in the DNS advertise potential attack destinations; common DNS names 2183 such as "www" plainly identify the locations at which particular 2184 services can be found, providing destinations for targeted denial-of- 2185 service or penetration attacks. 2187 Thus, Domain Owners will need to harden these addresses against 2188 various attacks, including but not limited to: 2190 * high-volume denial-of-service attacks; 2192 * deliberate construction of malformed reports intended to identify 2193 or exploit parsing or processing vulnerabilities; 2195 * deliberate construction of reports containing false claims for the 2196 Submitter or Reported-Domain fields, including the possibility of 2197 false data from compromised but known Mail Receivers. 2199 12.3. DNS Security 2201 The DMARC mechanism and its underlying technologies (SPF, DKIM) 2202 depend on the security of the DNS. To reduce the risk of subversion 2203 of the DMARC mechanism due to DNS-based exploits, serious 2204 consideration should be given to the deployment of DNSSEC in parallel 2205 with the deployment of DMARC by both Domain Owners and Mail 2206 Receivers. 2208 Publication of data using DNSSEC is relevant to Domain Owners and 2209 third-party Report Receivers. DNSSEC-aware resolution is relevant to 2210 Mail Receivers and Report Receivers. 2212 12.4. Display Name Attacks 2214 A common attack in messaging abuse is the presentation of false 2215 information in the display-name portion of the RFC5322.From field. 2216 For example, it is possible for the email address in that field to be 2217 an arbitrary address or domain name, while containing a well-known 2218 name (a person, brand, role, etc.) in the display name, intending to 2219 fool the end user into believing that the name is used legitimately. 2220 The attack is predicated on the notion that most common MUAs will 2221 show the display name and not the email address when both are 2222 available. 2224 Generally, display name attacks are out of scope for DMARC, as 2225 further exploration of possible defenses against these attacks needs 2226 to be undertaken. 2228 There are a few possible mechanisms that attempt mitigation of these 2229 attacks, such as the following: 2231 * If the display name is found to include an email address (as 2232 specified in [RFC5322]), execute the DMARC mechanism on the domain 2233 name found there rather than the domain name discovered 2234 originally. However, this addresses only a very specific attack 2235 space, and spoofers can easily circumvent it by simply not using 2236 an email address in the display name. There are also known cases 2237 of legitimate uses of an email address in the display name with a 2238 domain different from the one in the address portion, e.g., 2240 From: "user@example.org via Bug Tracker" support@example.com 2241 (mailto:support@example.com) 2243 * In the MUA, only show the display name if the DMARC mechanism 2244 succeeds. This too is easily defeated, as an attacker could 2245 arrange to pass the DMARC tests while fraudulently using another 2246 domain name in the display name. 2248 * In the MUA, only show the display name if the DMARC mechanism 2249 passes and the email address thus validated matches one found in 2250 the receiving user's list of known addresses. 2252 12.5. External Reporting Addresses 2254 To avoid abuse by bad actors, reporting addresses generally have to 2255 be inside the domains about which reports are requested. In order to 2256 accommodate special cases such as a need to get reports about domains 2257 that cannot actually receive mail, Section 7.1 describes a DNS-based 2258 mechanism for verifying approved external reporting. 2260 The obvious consideration here is an increased DNS load against 2261 domains that are claimed as external recipients. Negative caching 2262 will mitigate this problem, but only to a limited extent, mostly 2263 dependent on the default TTL in the domain's SOA record. 2265 Where possible, external reporting is best achieved by having the 2266 report be directed to domains that can receive mail and simply having 2267 it automatically forwarded to the desired external destination. 2269 Note that the addresses shown in the "ruf" tag receive more 2270 information that might be considered private data, since it is 2271 possible for actual email content to appear in the failure reports. 2273 The URIs identified there are thus more attractive targets for 2274 intrusion attempts than those found in the "rua" tag. Moreover, 2275 attacking the DNS of the subject domain to cause failure data to be 2276 routed fraudulently to an attacker's systems may be an attractive 2277 prospect. Deployment of [RFC4033] is advisable if this is a concern. 2279 The verification mechanism presented in Section 7.1 is currently not 2280 mandatory ("MUST") but strongly recommended ("SHOULD"). It is 2281 possible that it would be elevated to a "MUST" by later security 2282 review. 2284 12.6. Secure Protocols 2286 This document encourages use of secure transport mechanisms to 2287 prevent loss of private data to third parties that may be able to 2288 monitor such transmissions. Unencrypted mechanisms should be 2289 avoided. 2291 In particular, a message that was originally encrypted or otherwise 2292 secured might appear in a report that is not sent securely, which 2293 could reveal private information. 2295 13. Normative References 2297 [RFC7208] Kitterman, S., "Sender Policy Framework (SPF) for 2298 Authorizing Use of Domains in Email, Version 1", RFC 7208, 2299 DOI 10.17487/RFC7208, April 2014, 2300 . 2302 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 2303 Specifications: ABNF", STD 68, RFC 5234, 2304 DOI 10.17487/RFC5234, January 2008, 2305 . 2307 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", 2308 FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, 2309 . 2311 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2312 Requirement Levels", BCP 14, RFC 2119, 2313 DOI 10.17487/RFC2119, March 1997, 2314 . 2316 [RFC6713] Levine, J., "The 'application/zlib' and 'application/gzip' 2317 Media Types", RFC 6713, DOI 10.17487/RFC6713, August 2012, 2318 . 2320 [RFC6651] Kucherawy, M., "Extensions to DomainKeys Identified Mail 2321 (DKIM) for Failure Reporting", RFC 6651, 2322 DOI 10.17487/RFC6651, June 2012, 2323 . 2325 [RFC6652] Kitterman, S., "Sender Policy Framework (SPF) 2326 Authentication Failure Reporting Using the Abuse Reporting 2327 Format", RFC 6652, DOI 10.17487/RFC6652, June 2012, 2328 . 2330 [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, 2331 DOI 10.17487/RFC5321, October 2008, 2332 . 2334 [RFC4343] Eastlake 3rd, D., "Domain Name System (DNS) Case 2335 Insensitivity Clarification", RFC 4343, 2336 DOI 10.17487/RFC4343, January 2006, 2337 . 2339 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 2340 Resource Identifier (URI): Generic Syntax", STD 66, 2341 RFC 3986, DOI 10.17487/RFC3986, January 2005, 2342 . 2344 [RFC5890] Klensin, J., "Internationalized Domain Names for 2345 Applications (IDNA): Definitions and Document Framework", 2346 RFC 5890, DOI 10.17487/RFC5890, August 2010, 2347 . 2349 [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 2350 Extensions (MIME) Part One: Format of Internet Message 2351 Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, 2352 . 2354 [RFC6376] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed., 2355 "DomainKeys Identified Mail (DKIM) Signatures", STD 76, 2356 RFC 6376, DOI 10.17487/RFC6376, September 2011, 2357 . 2359 [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, 2360 DOI 10.17487/RFC5322, October 2008, 2361 . 2363 [RFC6591] Fontana, H., "Authentication Failure Reporting Using the 2364 Abuse Reporting Format", RFC 6591, DOI 10.17487/RFC6591, 2365 April 2012, . 2367 [RFC1035] Mockapetris, P., "Domain names - implementation and 2368 specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, 2369 November 1987, . 2371 14. Informative References 2373 [RFC5863] Hansen, T., Siegel, E., Hallam-Baker, P., and D. Crocker, 2374 "DomainKeys Identified Mail (DKIM) Development, 2375 Deployment, and Operations", RFC 5863, 2376 DOI 10.17487/RFC5863, May 2010, 2377 . 2379 [Best-Guess-SPF] 2380 Kitterman, S., "Sender Policy Framework: Best guess record 2381 (FAQ entry)", May 2010, 2382 . 2384 [RFC4686] Fenton, J., "Analysis of Threats Motivating DomainKeys 2385 Identified Mail (DKIM)", RFC 4686, DOI 10.17487/RFC4686, 2386 September 2006, . 2388 [RFC5965] Shafranovich, Y., Levine, J., and M. Kucherawy, "An 2389 Extensible Format for Email Feedback Reports", RFC 5965, 2390 DOI 10.17487/RFC5965, August 2010, 2391 . 2393 [RFC6377] Kucherawy, M., "DomainKeys Identified Mail (DKIM) and 2394 Mailing Lists", BCP 167, RFC 6377, DOI 10.17487/RFC6377, 2395 September 2011, . 2397 [RFC3464] Moore, K. and G. Vaudreuil, "An Extensible Message Format 2398 for Delivery Status Notifications", RFC 3464, 2399 DOI 10.17487/RFC3464, January 2003, 2400 . 2402 [RFC2142] Crocker, D., "Mailbox Names for Common Services, Roles and 2403 Functions", RFC 2142, DOI 10.17487/RFC2142, May 1997, 2404 . 2406 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2407 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2408 May 2017, . 2410 [RFC5617] Allman, E., Fenton, J., Delany, M., and J. Levine, 2411 "DomainKeys Identified Mail (DKIM) Author Domain Signing 2412 Practices (ADSP)", RFC 5617, DOI 10.17487/RFC5617, August 2413 2009, . 2415 [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, 2416 DOI 10.17487/RFC5598, July 2009, 2417 . 2419 [RFC5585] Hansen, T., Crocker, D., and P. Hallam-Baker, "DomainKeys 2420 Identified Mail (DKIM) Service Overview", RFC 5585, 2421 DOI 10.17487/RFC5585, July 2009, 2422 . 2424 [RFC8601] Kucherawy, M., "Message Header Field for Indicating 2425 Message Authentication Status", RFC 8601, 2426 DOI 10.17487/RFC8601, May 2019, 2427 . 2429 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 2430 Writing an IANA Considerations Section in RFCs", BCP 26, 2431 RFC 8126, DOI 10.17487/RFC8126, June 2017, 2432 . 2434 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 2435 Rose, "DNS Security Introduction and Requirements", 2436 RFC 4033, DOI 10.17487/RFC4033, March 2005, 2437 . 2439 Appendix A. Technology Considerations 2441 This section documents some design decisions that were made in the 2442 development of DMARC. Specifically, addressed here are some 2443 suggestions that were considered but not included in the design. 2444 This text is included to explain why they were considered and not 2445 included in this version. 2447 A.1. S/MIME 2449 S/MIME, or Secure Multipurpose Internet Mail Extensions, is a 2450 standard for encryption and signing of MIME data in a message. This 2451 was suggested and considered as a third security protocol for 2452 authenticating the source of a message. 2454 DMARC is focused on authentication at the domain level (i.e., the 2455 Domain Owner taking responsibility for the message), while S/MIME is 2456 really intended for user-to-user authentication and encryption. This 2457 alone appears to make it a bad fit for DMARC's goals. 2459 S/MIME also suffers from the heavyweight problem of Public Key 2460 Infrastructure, which means that distribution of keys used to verify 2461 signatures needs to be incorporated. In many instances, this alone 2462 is a showstopper. There have been consistent promises that PKI 2463 usability and deployment will improve, but these have yet to 2464 materialize. DMARC can revisit this choice after those barriers are 2465 addressed. 2467 S/MIME has extensive deployment in specific market segments 2468 (government, for example) but does not enjoy similar widespread 2469 deployment over the general Internet, and this shows no signs of 2470 changing. DKIM and SPF both are deployed widely over the general 2471 Internet, and their adoption rates continue to be positive. 2473 Finally, experiments have shown that including S/MIME support in the 2474 initial version of DMARC would neither cause nor enable a substantial 2475 increase in the accuracy of the overall mechanism. 2477 A.2. Method Exclusion 2479 It was suggested that DMARC include a mechanism by which a Domain 2480 Owner could tell Message Receivers not to attempt validation by one 2481 of the supported methods (e.g., "check DKIM, but not SPF"). 2483 Specifically, consider a Domain Owner that has deployed one of the 2484 technologies, and that technology fails for some messages, but such 2485 failures don't cause enforcement action. Deploying DMARC would cause 2486 enforcement action for policies other than "none", which would appear 2487 to exclude participation by that Domain Owner. 2489 The DMARC development team evaluated the idea of policy exception 2490 mechanisms on several occasions and invariably concluded that there 2491 was not a strong enough use case to include them. The specific 2492 target audience for DMARC does not appear to have concerns about the 2493 failure modes of one or the other being a barrier to DMARC's 2494 adoption. 2496 In the scenario described above, the Domain Owner has a few options: 2498 1. Tighten up its infrastructure to minimize the failure modes of 2499 the single deployed technology. 2501 2. Deploy the other supported authentication mechanism, to offset 2502 the failure modes of the first. 2504 3. Deploy DMARC in a reporting-only mode. 2506 A.3. Sender Header Field 2508 It has been suggested in several message authentication efforts that 2509 the Sender header field be checked for an identifier of interest, as 2510 the standards indicate this as the proper way to indicate a re- 2511 mailing of content such as through a mailing list. Most recently, it 2512 was a protocol-level option for DomainKeys, but on evolution to DKIM, 2513 this property was removed. 2515 The DMARC development team considered this and decided not to include 2516 support for doing so, for the following reasons: 2518 1. The main user protection approach is to be concerned with what 2519 the user sees when a message is rendered. There is no consistent 2520 behavior among MUAs regarding what to do with the content of the 2521 Sender field, if present. Accordingly, supporting checking of 2522 the Sender identifier would mean applying policy to an identifier 2523 the end user might never actually see, which can create a vector 2524 for attack against end users by simply forging a Sender field 2525 containing some identifier that DMARC will like. 2527 2. Although it is certainly true that this is what the Sender field 2528 is for, its use in this way is also unreliable, making it a poor 2529 candidate for inclusion in the DMARC evaluation algorithm. 2531 3. Allowing multiple ways to discover policy introduces unacceptable 2532 ambiguity into the DMARC evaluation algorithm in terms of which 2533 policy is to be applied and when. 2535 A.4. Domain Existence Test 2537 A common practice among MTA operators, and indeed one documented in 2538 [RFC5617], is a test to determine domain existence prior to any more 2539 expensive processing. This is typically done by querying the DNS for 2540 MX, A, or AAAA resource records for the name being evaluated and 2541 assuming that the domain is nonexistent if it could be determined 2542 that no such records were published for that domain name. 2544 The original pre-standardization version of this protocol included a 2545 mandatory check of this nature. It was ultimately removed, as the 2546 method's error rate was too high without substantial manual tuning 2547 and heuristic work. There are indeed use cases this work needs to 2548 address where such a method would return a negative result about a 2549 domain for which reporting is desired, such as a registered domain 2550 name that never sends legitimate mail and thus has none of these 2551 records present in the DNS. 2553 A.5. Issues with ADSP in Operation 2555 DMARC has been characterized as a "super-ADSP" of sorts. 2557 Contributors to DMARC have compiled a list of issues associated with 2558 ADSP, gained from operational experience, that have influenced the 2559 direction of DMARC: 2561 1. ADSP has no support for subdomains, i.e., the ADSP record for 2562 example.com does not explicitly or implicitly apply to 2563 subdomain.example.com. If wildcarding is not applied, then 2564 spammers can trivially bypass ADSP by sending from a subdomain 2565 with no ADSP record. 2567 2. Nonexistent subdomains are explicitly out of scope in ADSP. 2568 There is nothing in ADSP that states receivers should simply 2569 reject mail from NXDOMAINs regardless of ADSP policy (which of 2570 course allows spammers to trivially bypass ADSP by sending email 2571 from nonexistent subdomains). 2573 3. ADSP has no operational advice on when to look up the ADSP 2574 record. 2576 4. ADSP has no support for using SPF as an auxiliary mechanism to 2577 DKIM. 2579 5. ADSP has no support for a slow rollout, i.e., no way to configure 2580 a percentage of email on which the receiver should apply the 2581 policy. This is important for large-volume senders. 2583 6. ADSP has no explicit support for an intermediate phase where the 2584 receiver quarantines (e.g., sends to the recipient's "spam" 2585 folder) rather than rejects the email. 2587 7. The binding between the "From" header domain and DKIM is too 2588 tight for ADSP; they must match exactly. 2590 A.6. Organizational Domain Discovery Issues 2592 Although protocols like ADSP are useful for "protecting" a specific 2593 domain name, they are not helpful at protecting subdomains. If one 2594 wished to protect "example.com" by requiring via ADSP that all mail 2595 bearing an RFC5322.From domain of "example.com" be signed, this would 2596 "protect" that domain; however, one could then craft an email whose 2597 RFC5322.From domain is "security.example.com", and ADSP would not 2598 provide any protection. One could use a DNS wildcard, but this can 2599 undesirably interfere with other DNS activity; one could add ADSP 2600 records as fraudulent domains are discovered, but this solution does 2601 not scale and is a purely reactive measure against abuse. 2603 The DNS does not provide a method by which the "domain of record", or 2604 the domain that was actually registered with a domain registrar, can 2605 be determined given an arbitrary domain name. Suggestions have been 2606 made that attempt to glean such information from SOA or NS resource 2607 records, but these too are not fully reliable, as the partitioning of 2608 the DNS is not always done at administrative boundaries. 2610 When seeking domain-specific policy based on an arbitrary domain 2611 name, one could "climb the tree", dropping labels off the left end of 2612 the name until the root is reached or a policy is discovered, but 2613 then one could craft a name that has a large number of nonsense 2614 labels; this would cause a Mail Receiver to attempt a large number of 2615 queries in search of a policy record. Sending many such messages 2616 constitutes an amplified denial-of-service attack. 2618 The Organizational Domain mechanism is a necessary component to the 2619 goals of DMARC. The method described in Section 3.2 is far from 2620 perfect but serves this purpose reasonably well without adding undue 2621 burden or semantics to the DNS. If a method is created to do so that 2622 is more reliable and secure than the use of a public suffix list, 2623 DMARC should be amended to use that method as soon as it is generally 2624 available. 2626 A.6.1. Public Suffix Lists 2628 A public suffix list for the purposes of determining the 2629 Organizational Domain can be obtained from various sources. The most 2630 common one is maintained by the Mozilla Foundation and made public at 2631 http://publicsuffix.org (http://publicsuffix.org). License terms 2632 governing the use of that list are available at that URI. 2634 Note that if operators use a variety of public suffix lists, 2635 interoperability will be difficult or impossible to guarantee. 2637 Appendix B. Examples 2639 This section illustrates both the Domain Owner side and the Mail 2640 Receiver side of a DMARC exchange. 2642 B.1. Identifier Alignment Examples 2644 The following examples illustrate the DMARC mechanism's use of 2645 Identifier Alignment. For brevity's sake, only message headers are 2646 shown, as message bodies are not considered when conducting DMARC 2647 checks. 2649 B.1.1. SPF 2651 The following SPF examples assume that SPF produces a passing result. 2653 Example 1: SPF in alignment: 2655 MAIL FROM: 2657 From: sender@example.com 2658 Date: Fri, Feb 15 2002 16:54:30 -0800 2659 To: receiver@example.org 2660 Subject: here's a sample 2662 In this case, the RFC5321.MailFrom parameter and the RFC5322.From 2663 field have identical DNS domains. Thus, the identifiers are in 2664 alignment. 2666 Example 2: SPF in alignment (parent): 2668 MAIL FROM: 2670 From: sender@example.com 2671 Date: Fri, Feb 15 2002 16:54:30 -0800 2672 To: receiver@example.org 2673 Subject: here's a sample 2675 In this case, the RFC5322.From parameter includes a DNS domain that 2676 is a parent of the RFC5321.MailFrom domain. Thus, the identifiers 2677 are in alignment if relaxed SPF mode is requested by the Domain 2678 Owner, and not in alignment if strict SPF mode is requested. 2680 Example 3: SPF not in alignment: 2682 MAIL FROM: 2684 From: sender@child.example.com 2685 Date: Fri, Feb 15 2002 16:54:30 -0800 2686 To: receiver@example.org 2687 Subject: here's a sample 2689 In this case, the RFC5321.MailFrom parameter includes a DNS domain 2690 that is neither the same as nor a parent of the RFC5322.From domain. 2691 Thus, the identifiers are not in alignment. 2693 B.1.2. DKIM 2695 The examples below assume that the DKIM signatures pass verification. 2696 Alignment cannot exist with a DKIM signature that does not verify. 2698 Example 1: DKIM in alignment: 2700 DKIM-Signature: v=1; ...; d=example.com; ... 2701 From: sender@example.com 2702 Date: Fri, Feb 15 2002 16:54:30 -0800 2703 To: receiver@example.org 2704 Subject: here's a sample 2706 In this case, the DKIM "d=" parameter and the RFC5322.From field have 2707 identical DNS domains. Thus, the identifiers are in alignment. 2709 Example 2: DKIM in alignment (parent): 2711 DKIM-Signature: v=1; ...; d=example.com; ... 2712 From: sender@child.example.com 2713 Date: Fri, Feb 15 2002 16:54:30 -0800 2714 To: receiver@example.org 2715 Subject: here's a sample 2717 In this case, the DKIM signature's "d=" parameter includes a DNS 2718 domain that is a parent of the RFC5322.From domain. Thus, the 2719 identifiers are in alignment for relaxed mode, but not for strict 2720 mode. 2722 Example 3: DKIM not in alignment: 2724 DKIM-Signature: v=1; ...; d=sample.net; ... 2725 From: sender@child.example.com 2726 Date: Fri, Feb 15 2002 16:54:30 -0800 2727 To: receiver@example.org 2728 Subject: here's a sample 2730 In this case, the DKIM signature's "d=" parameter includes a DNS 2731 domain that is neither the same as nor a parent of the RFC5322.From 2732 domain. Thus, the identifiers are not in alignment. 2734 B.2. Domain Owner Example 2736 A Domain Owner that wants to use DMARC should have already deployed 2737 and tested SPF and DKIM. The next step is to publish a DNS record 2738 that advertises a DMARC policy for the Domain Owner's Organizational 2739 Domain. 2741 B.2.1. Entire Domain, Monitoring Only 2743 The owner of the domain "example.com" has deployed SPF and DKIM on 2744 its messaging infrastructure. The owner wishes to begin using DMARC 2745 with a policy that will solicit aggregate feedback from receivers 2746 without affecting how the messages are processed, in order to: 2748 * Confirm that its legitimate messages are authenticating correctly 2750 * Verify that all authorized message sources have implemented 2751 authentication measures 2753 * Determine how many messages from other sources would be affected 2754 by a blocking policy 2756 The Domain Owner accomplishes this by constructing a policy record 2757 indicating that: 2759 * The version of DMARC being used is "DMARC1" ("v=DMARC1;") 2761 * Receivers should not alter how they treat these messages because 2762 of this DMARC policy record ("p=none") 2764 * Aggregate feedback reports should be sent via email to the address 2765 "dmarc-feedback@example.com" ("rua=mailto:dmarc- 2766 feedback@example.com") 2768 * All messages from this Organizational Domain are subject to this 2769 policy (no "pct" tag present, so the default of 100% applies) 2771 The DMARC policy record might look like this when retrieved using a 2772 common command-line tool: 2774 % dig +short TXT _dmarc.example.com. 2775 "v=DMARC1; p=none; rua=mailto:dmarc-feedback@example.com" 2777 To publish such a record, the DNS administrator for the Domain Owner 2778 creates an entry like the following in the appropriate zone file 2779 (following the conventional zone file format): 2781 ; DMARC record for the domain example.com 2783 _dmarc IN TXT ( "v=DMARC1; p=none; " 2784 "rua=mailto:dmarc-feedback@example.com" ) 2786 B.2.2. Entire Domain, Monitoring Only, Per-Message Reports 2788 The Domain Owner from the previous example has used the aggregate 2789 reporting to discover some messaging systems that had not yet 2790 implemented DKIM correctly, but they are still seeing periodic 2791 authentication failures. In order to diagnose these intermittent 2792 problems, they wish to request per-message failure reports when 2793 authentication failures occur. 2795 Not all Receivers will honor such a request, but the Domain Owner 2796 feels that any reports it does receive will be helpful enough to 2797 justify publishing this record. The default per-message report 2798 format ([RFC6591]) meets the Domain Owner's needs in this scenario. 2800 The Domain Owner accomplishes this by adding the following to its 2801 policy record from Appendix B.2: 2803 * Per-message failure reports should be sent via email to the 2804 address "auth-reports@example.com" ("ruf=mailto:auth- 2805 reports@example.com") 2807 The DMARC policy record might look like this when retrieved using a 2808 common command-line tool (the output shown would appear on a single 2809 line but is wrapped here for publication): 2811 % dig +short TXT _dmarc.example.com. 2812 "v=DMARC1; p=none; rua=mailto:dmarc-feedback@example.com; 2813 ruf=mailto:auth-reports@example.com" 2815 To publish such a record, the DNS administrator for the Domain Owner 2816 might create an entry like the following in the appropriate zone file 2817 (following the conventional zone file format): 2819 ; DMARC record for the domain example.com 2821 _dmarc IN TXT ( "v=DMARC1; p=none; " 2822 "rua=mailto:dmarc-feedback@example.com; " 2823 "ruf=mailto:auth-reports@example.com" ) 2825 B.2.3. Per-Message Failure Reports Directed to Third Party 2827 The Domain Owner from the previous example is maintaining the same 2828 policy but now wishes to have a third party receive and process the 2829 per-message failure reports. Again, not all Receivers will honor 2830 this request, but those that do may implement additional checks to 2831 validate that the third party wishes to receive the failure reports 2832 for this domain. 2834 The Domain Owner needs to alter its policy record from Appendix B.2.2 2835 as follows: 2837 * Per-message failure reports should be sent via email to the 2838 address "auth-reports@thirdparty.example.net" ("ruf=mailto:auth- 2839 reports@thirdparty.example.net") 2841 The DMARC policy record might look like this when retrieved using a 2842 common command-line tool (the output shown would appear on a single 2843 line but is wrapped here for publication): 2845 % dig +short TXT _dmarc.example.com. 2846 "v=DMARC1; p=none; rua=mailto:dmarc-feedback@example.com; 2847 ruf=mailto:auth-reports@thirdparty.example.net" 2849 To publish such a record, the DNS administrator for the Domain Owner 2850 might create an entry like the following in the appropriate zone file 2851 (following the conventional zone file format): 2853 ; DMARC record for the domain example.com 2855 _dmarc IN TXT ( "v=DMARC1; p=none; " 2856 "rua=mailto:dmarc-feedback@example.com; " 2857 "ruf=mailto:auth-reports@thirdparty.example.net" ) 2859 Because the address used in the "ruf" tag is outside the 2860 Organizational Domain in which this record is published, conforming 2861 Receivers will implement additional checks as described in 2862 Section 7.1 of this document. In order to pass these additional 2863 checks, the third party will need to publish an additional DNS record 2864 as follows: 2866 * Given the DMARC record published by the Domain Owner at 2867 "_dmarc.example.com", the DNS administrator for the third party 2868 will need to publish a TXT resource record at 2869 "example.com._report._dmarc.thirdparty.example.net" with the value 2870 "v=DMARC1;". 2872 The resulting DNS record might look like this when retrieved using a 2873 common command-line tool (the output shown would appear on a single 2874 line but is wrapped here for publication): 2876 % dig +short TXT example.com._report._dmarc.thirdparty.example.net 2877 "v=DMARC1;" 2879 To publish such a record, the DNS administrator for example.net might 2880 create an entry like the following in the appropriate zone file 2881 (following the conventional zone file format): 2883 ; zone file for thirdparty.example.net 2884 ; Accept DMARC failure reports on behalf of example.com 2886 example.com._report._dmarc IN TXT "v=DMARC1;" 2888 Intermediaries and other third parties should refer to Section 7.1 2889 for the full details of this mechanism. 2891 B.2.4. Subdomain, Sampling, and Multiple Aggregate Report URIs 2893 The Domain Owner has implemented SPF and DKIM in a subdomain used for 2894 pre-production testing of messaging services. It now wishes to 2895 request that participating receivers act to reject messages from this 2896 subdomain that fail to authenticate. 2898 As a first step, it will ask that a portion (1/4 in this example) of 2899 failing messages be quarantined, enabling examination of messages 2900 sent to mailboxes hosted by participating receivers. Aggregate 2901 feedback reports will be sent to a mailbox within the Organizational 2902 Domain, and to a mailbox at a third party selected and authorized to 2903 receive same by the Domain Owner. Aggregate reports sent to the 2904 third party are limited to a maximum size of ten megabytes. 2906 The Domain Owner will accomplish this by constructing a policy record 2907 indicating that: 2909 * The version of DMARC being used is "DMARC1" ("v=DMARC1;") 2911 * It is applied only to this subdomain (record is published at 2912 "_dmarc.test.example.com" and not "_dmarc.example.com") 2914 * Receivers should quarantine messages from this Organizational 2915 Domain that fail to authenticate ("p=quarantine") 2917 * Aggregate feedback reports should be sent via email to the 2918 addresses "dmarc-feedback@example.com" and "example-tld- 2919 test@thirdparty.example.net", with the latter subjected to a 2920 maximum size limit ("rua=mailto:dmarc-feedback@ 2921 example.com,mailto:tld-test@thirdparty.example.net!10m") 2923 * 25% of messages from this Organizational Domain are subject to 2924 action based on this policy ("pct=25") 2926 The DMARC policy record might look like this when retrieved using a 2927 common command-line tool (the output shown would appear on a single 2928 line but is wrapped here for publication): 2930 % dig +short TXT _dmarc.test.example.com 2931 "v=DMARC1; p=quarantine; rua=mailto:dmarc-feedback@example.com, 2932 mailto:tld-test@thirdparty.example.net!10m; pct=25" 2934 To publish such a record, the DNS administrator for the Domain Owner 2935 might create an entry like the following in the appropriate zone 2936 file: 2938 ; DMARC record for the domain example.com 2940 _dmarc IN TXT ( "v=DMARC1; p=quarantine; " 2941 "rua=mailto:dmarc-feedback@example.com," 2942 "mailto:tld-test@thirdparty.example.net!10m; " 2943 "pct=25" ) 2945 B.3. Mail Receiver Example 2947 A Mail Receiver that wants to use DMARC should already be checking 2948 SPF and DKIM, and possess the ability to collect relevant information 2949 from various email-processing stages to provide feedback to Domain 2950 Owners (possibly via Report Receivers). 2952 B.4. Processing of SMTP Time 2954 An optimal DMARC-enabled Mail Receiver performs authentication and 2955 Identifier Alignment checking during the [RFC5322] conversation. 2957 Prior to returning a final reply to the DATA command, the Mail 2958 Receiver's MTA has performed: 2960 1. An SPF check to determine an SPF-authenticated Identifier. 2962 2. DKIM checks that yield one or more DKIM-authenticated 2963 Identifiers. 2965 3. A DMARC policy lookup. 2967 The presence of an Author Domain DMARC record indicates that the Mail 2968 Receiver should continue with DMARC-specific processing before 2969 returning a reply to the DATA command. 2971 Given a DMARC record and the set of Authenticated Identifiers, the 2972 Mail Receiver checks to see if the Authenticated Identifiers align 2973 with the Author Domain (taking into consideration any strict versus 2974 relaxed options found in the DMARC record). 2976 For example, the following sample data is considered to be from a 2977 piece of email originating from the Domain Owner of "example.com": 2979 Author Domain: example.com 2980 SPF-authenticated Identifier: mail.example.com 2981 DKIM-authenticated Identifier: example.com 2982 DMARC record: 2983 "v=DMARC1; p=reject; aspf=r; 2984 rua=mailto:dmarc-feedback@example.com" 2986 In the above sample, both the SPF-authenticated Identifier and the 2987 DKIM-authenticated Identifier align with the Author Domain. The Mail 2988 Receiver considers the above email to pass the DMARC check, avoiding 2989 the "reject" policy that is to be applied to email that fails to pass 2990 the DMARC check. 2992 If no Authenticated Identifiers align with the Author Domain, then 2993 the Mail Receiver applies the DMARC-record-specified policy. 2994 However, before this action is taken, the Mail Receiver can consult 2995 external information to override the Domain Owner's policy. For 2996 example, if the Mail Receiver knows that this particular email came 2997 from a known and trusted forwarder (that happens to break both SPF 2998 and DKIM), then the Mail Receiver may choose to ignore the Domain 2999 Owner's policy. 3001 The Mail Receiver is now ready to reply to the DATA command. If the 3002 DMARC check yields that the message is to be rejected, then the Mail 3003 Receiver replies with a 5xy code to inform the sender of failure. If 3004 the DMARC check cannot be resolved due to transient network errors, 3005 then the Mail Receiver replies with a 4xy code to inform the sender 3006 as to the need to reattempt delivery later. If the DMARC check 3007 yields a passing message, then the Mail Receiver continues on with 3008 email processing, perhaps using the result of the DMARC check as an 3009 input to additional processing modules such as a domain reputation 3010 query. 3012 Before exiting DMARC-specific processing, the Mail Receiver checks to 3013 see if the Author Domain DMARC record requests AFRF-based reporting. 3015 If so, then the Mail Receiver can emit an AFRF to the reporting 3016 address supplied in the DMARC record. 3018 At the exit of DMARC-specific processing, the Mail Receiver captures 3019 (through logging or direct insertion into a data store) the result of 3020 DMARC processing. Captured information is used to build feedback for 3021 Domain Owner consumption. This is not necessary if the Domain Owner 3022 has not requested aggregate reports, i.e., no "rua" tag was found in 3023 the policy record. 3025 B.5. Utilization of Aggregate Feedback: Example 3027 Aggregate feedback is consumed by Domain Owners to verify a Domain 3028 Owner's understanding of how the Domain Owner's domain is being 3029 processed by the Mail Receiver. Aggregate reporting data on emails 3030 that pass all DMARC-supporting authentication checks is used by 3031 Domain Owners to verify that authentication practices remain 3032 accurate. For example, if a third party is sending on behalf of a 3033 Domain Owner, the Domain Owner can use aggregate report data to 3034 verify ongoing authentication practices of the third party. 3036 Data on email that only partially passes underlying authentication 3037 checks provides visibility into problems that need to be addressed by 3038 the Domain Owner. For example, if either SPF or DKIM fails to pass, 3039 the Domain Owner is provided with enough information to either 3040 directly correct the problem or understand where authentication- 3041 breaking changes are being introduced in the email transmission path. 3042 If authentication-breaking changes due to email transmission path 3043 cannot be directly corrected, then the Domain Owner at least 3044 maintains an understanding of the effect of DMARC-based policies upon 3045 the Domain Owner's email. 3047 Data on email that fails all underlying authentication checks 3048 provides baseline visibility on how the Domain Owner's domain is 3049 being received at the Mail Receiver. Based on this visibility, the 3050 Domain Owner can begin deployment of authentication technologies 3051 across uncovered email sources. Additionally, the Domain Owner may 3052 come to an understanding of how its domain is being misused. 3054 B.6. mailto Transport Example 3056 A DMARC record can contain a "mailto" reporting address, such as: 3058 mailto:dmarc-feedback@example.com 3060 A sample aggregate report from the Mail Receiver at 3061 mail.receiver.example follows: 3063 DKIM-Signature: v=1; ...; d=mail.receiver.example; ... 3064 From: dmarc-reporting@mail.receiver.example 3065 Date: Fri, Feb 15 2002 16:54:30 -0800 3066 To: dmarc-feedback@example.com 3067 Subject: Report Domain: example.com 3068 Submitter: mail.receiver.example 3069 Report-ID: <2002.02.15.1> 3070 MIME-Version: 1.0 3071 Content-Type: multipart/alternative; 3072 boundary="----=_NextPart_000_024E_01CC9B0A.AFE54C00" 3073 Content-Language: en-us 3075 This is a multipart message in MIME format. 3077 ------=_NextPart_000_024E_01CC9B0A.AFE54C00 3078 Content-Type: text/plain; charset="us-ascii" 3079 Content-Transfer-Encoding: 7bit 3081 This is an aggregate report from mail.receiver.example. 3083 ------=_NextPart_000_024E_01CC9B0A.AFE54C00 3084 Content-Type: application/gzip 3085 Content-Transfer-Encoding: base64 3086 Content-Disposition: attachment; 3087 filename="mail.receiver.example!example.com! 3088 1013662812!1013749130.gz" 3090 3092 ------=_NextPart_000_024E_01CC9B0A.AFE54C00-- 3094 Not shown in the above example is that the Mail Receiver's feedback 3095 should be authenticated using SPF. Also, the value of the "filename" 3096 MIME parameter is wrapped for printing in this specification but 3097 would normally appear as one continuous string. 3099 Appendix C. DMARC XML Schema 3101 The following is the proposed initial schema for producing XML- 3102 formatted aggregate reports as described in this document. 3104 NOTE: Per the definition of XML, unless otherwise specified in the 3105 schema below, the minOccurs and maxOccurs values for each element are 3106 set to 1. 3108 3109 3112 3114 3115 3116 3117 3118 3119 3121 3122 3123 3124 3125 3126 3128 3129 3130 3132 3133 3135 3136 3137 3138 3139 3140 3141 3143 3145 3146 3147 3148 3149 3150 3151 3153 3155 3156 3157 3158 3159 3160 3162 3163 3165 3166 3167 3168 3169 3170 3171 3172 3173 3174 3176 3177 3178 3179 3180 3181 3182 3184 3186 3187 3188 3189 3190 3191 3192 3193 3194 3195 3197 3200 3201 3202 3203 3205 3206 3208 3210 3211 3212 3213 3214 3215 3217 3218 3220 3223 3226 3227 3228 3231 3232 3234 3235 3236 3237 3238 3239 3240 3242 3245 3246 3248 3249 3250 3251 3253 3254 3256 3257 3259 3260 3262 3264 3265 3266 3267 3268 3269 3270 3271 3272 3273 3274 3276 3277 3278 3279 3281 3282 3284 3285 3287 3289 3291 3292 3294 3295 3296 3297 3298 3299 3301 3303 3304 3305 3306 3307 3308 3309 3310 3311 3312 3313 3314 3315 3316 3318 3319 3320 3321 3322 3323 3324 3325 3327 3328 3330 3332 3333 3334 3336 3338 3339 3341 3342 3344 3347 3348 3349 3350 3351 3352 3353 3355 3356 3357 3358 3359 3361 3363 3365 3367 3368 3369 3370 3372 Descriptions of the PolicyOverrideTypes: 3374 forwarded: The message was relayed via a known forwarder, or local 3375 heuristics identified the message as likely having been forwarded. 3376 There is no expectation that authentication would pass. 3378 local_policy: The Mail Receiver's local policy exempted the message 3379 from being subjected to the Domain Owner's requested policy 3380 action. 3382 mailing_list: Local heuristics determined that the message arrived 3383 via a mailing list, and thus authentication of the original 3384 message was not expected to succeed. 3386 other: Some policy exception not covered by the other entries in 3387 this list occurred. Additional detail can be found in the 3388 PolicyOverrideReason's "comment" field. 3390 sampled_out: The message was exempted from application of policy by 3391 the "pct" setting in the DMARC policy record. 3393 trusted_forwarder: Message authentication failure was anticipated by 3394 other evidence linking the message to a locally maintained list of 3395 known and trusted forwarders. 3397 The "version" for reports generated per this specification MUST be 3398 the value 1.0. 3400 Acknowledgements 3402 DMARC and the draft version of this document submitted to the 3403 Independent Submission Editor were the result of lengthy efforts by 3404 an informal industry consortium: DMARC.org (see http://dmarc.org 3405 (http://dmarc.org)). Participating companies included Agari, 3406 American Greetings, AOL, Bank of America, Cloudmark, Comcast, 3407 Facebook, Fidelity Investments, Google, JPMorgan Chase & Company, 3408 LinkedIn, Microsoft, Netease, PayPal, ReturnPath, The Trusted Domain 3409 Project, and Yahoo!. Although the contributors and supporters are 3410 too numerous to mention, notable individual contributions were made 3411 by J. Trent Adams, Michael Adkins, Monica Chew, Dave Crocker, Tim 3412 Draegen, Steve Jones, Franck Martin, Brett McDowell, and Paul Midgen. 3413 The contributors would also like to recognize the invaluable input 3414 and guidance that was provided early on by J.D. Falk. 3416 Additional contributions within the IETF context were made by Kurt 3417 Anderson, Michael Jack Assels, Les Barstow, Anne Bennett, Jim Fenton, 3418 J. Gomez, Mike Jones, Scott Kitterman, Eliot Lear, John Levine, S. 3419 Moonesamy, Rolf Sonneveld, Henry Timmes, and Stephen J. Turnbull. 3421 Authors' Addresses 3423 Murray S. Kucherawy 3425 Email: superuser@gmail.com 3427 Elizabeth Zwicky 3429 Email: zwicky@verizonmedia.com 3431 Tim Wicinski 3433 Email: tjw.ietf@gmail.com