1
2
3
4
5
6
7Independent Submission M. Kucherawy, Ed.
8Request for Comments: 7489
9Category: Informational E. Zwicky, Ed.
10ISSN: 2070-1721 Yahoo!
11 March 2015
12
13
14Domain-based Message Authentication, Reporting, and Conformance (DMARC)
15
16Abstract
17
18 Domain-based Message Authentication, Reporting, and Conformance
19 (DMARC) is a scalable mechanism by which a mail-originating
20 organization can express domain-level policies and preferences for
21 message validation, disposition, and reporting, that a mail-receiving
22 organization can use to improve mail handling.
23
24 Originators of Internet Mail need to be able to associate reliable
25 and authenticated domain identifiers with messages, communicate
26 policies about messages that use those identifiers, and report about
27 mail using those identifiers. These abilities have several benefits:
28 Receivers can provide feedback to Domain Owners about the use of
29 their domains; this feedback can provide valuable insight about the
30 management of internal operations and the presence of external domain
31 name abuse.
32
33 DMARC does not produce or encourage elevated delivery privilege of
34 authenticated email. DMARC is a mechanism for policy distribution
35 that enables increasingly strict handling of messages that fail
36 authentication checks, ranging from no action, through altered
37 delivery, up to message rejection.
38
39Status of This Memo
40
41 This document is not an Internet Standards Track specification; it is
42 published for informational purposes.
43
44 This is a contribution to the RFC Series, independently of any other
45 RFC stream. The RFC Editor has chosen to publish this document at
46 its discretion and makes no statement about its value for
47 implementation or deployment. Documents approved for publication by
48 the RFC Editor are not a candidate for any level of Internet
49 Standard; see Section 2 of RFC 5741.
50
51 Information about the current status of this document, any errata,
52 and how to provide feedback on it may be obtained at
53 http://www.rfc-editor.org/info/rfc7489.
54
55
56
57
58Kucherawy & Zwicky Informational [Page 1]
59
60RFC 7489 DMARC March 2015
61
62
63Copyright Notice
64
65 Copyright (c) 2015 IETF Trust and the persons identified as the
66 document authors. All rights reserved.
67
68 This document is subject to BCP 78 and the IETF Trust's Legal
69 Provisions Relating to IETF Documents
70 (http://trustee.ietf.org/license-info) in effect on the date of
71 publication of this document. Please review these documents
72 carefully, as they describe your rights and restrictions with respect
73 to this document.
74
75Table of Contents
76
77 1. Introduction ....................................................3
78 2. Requirements ....................................................5
79 2.1. High-Level Goals ...........................................5
80 2.2. Out of Scope ...............................................6
81 2.3. Scalability ................................................6
82 2.4. Anti-Phishing ..............................................7
83 3. Terminology and Definitions .....................................7
84 3.1. Identifier Alignment .......................................8
85 3.2. Organizational Domain .....................................11
86 4. Overview .......................................................12
87 4.1. Authentication Mechanisms .................................12
88 4.2. Key Concepts ..............................................12
89 4.3. Flow Diagram ..............................................13
90 5. Use of RFC5322.From ............................................15
91 6. Policy .........................................................15
92 6.1. DMARC Policy Record .......................................16
93 6.2. DMARC URIs ................................................16
94 6.3. General Record Format .....................................17
95 6.4. Formal Definition .........................................21
96 6.5. Domain Owner Actions ......................................22
97 6.6. Mail Receiver Actions .....................................23
98 6.7. Policy Enforcement Considerations .........................27
99 7. DMARC Feedback .................................................28
100 7.1. Verifying External Destinations ...........................28
101 7.2. Aggregate Reports .........................................30
102 7.3. Failure Reports ...........................................36
103 8. Minimum Implementations ........................................37
104 9. Privacy Considerations .........................................38
105 9.1. Data Exposure Considerations ..............................38
106 9.2. Report Recipients .........................................39
107
108
109
110
111
112
113
114Kucherawy & Zwicky Informational [Page 2]
115
116RFC 7489 DMARC March 2015
117
118
119 10. Other Topics ..................................................39
120 10.1. Issues Specific to SPF ...................................39
121 10.2. DNS Load and Caching .....................................40
122 10.3. Rejecting Messages .......................................40
123 10.4. Identifier Alignment Considerations ......................41
124 10.5. Interoperability Issues ..................................41
125 11. IANA Considerations ...........................................42
126 11.1. Authentication-Results Method Registry Update ............42
127 11.2. Authentication-Results Result Registry Update ............42
128 11.3. Feedback Report Header Fields Registry Update ............44
129 11.4. DMARC Tag Registry .......................................44
130 11.5. DMARC Report Format Registry .............................45
131 12. Security Considerations .......................................46
132 12.1. Authentication Methods ...................................46
133 12.2. Attacks on Reporting URIs ................................46
134 12.3. DNS Security .............................................47
135 12.4. Display Name Attacks .....................................47
136 12.5. External Reporting Addresses .............................48
137 12.6. Secure Protocols .........................................48
138 13. References ....................................................49
139 13.1. Normative References .....................................49
140 13.2. Informative References ...................................50
141 Appendix A. Technology Considerations .............................52
142 A.1. S/MIME .....................................................52
143 A.2. Method Exclusion ...........................................53
144 A.3. Sender Header Field ........................................53
145 A.4. Domain Existence Test ......................................54
146 A.5. Issues with ADSP in Operation ..............................54
147 A.6. Organizational Domain Discovery Issues .....................55
148 Appendix B. Examples ..............................................56
149 B.1. Identifier Alignment Examples ..............................56
150 B.2. Domain Owner Example .......................................58
151 B.3. Mail Receiver Example .....................................63
152 B.4. Utilization of Aggregate Feedback: Example .................64
153 B.5. mailto Transport Example ...................................65
154 Appendix C. DMARC XML Schema ......................................66
155 Acknowledgements ..................................................73
156 Authors' Addresses ................................................73
157
1581. Introduction
159
160 The Sender Policy Framework ([SPF]) and DomainKeys Identified Mail
161 ([DKIM]) provide domain-level authentication. They enable
162 cooperating email receivers to detect mail authorized to use the
163 domain name, which can permit differential handling. (A detailed
164 discussion of the threats these systems attempt to address can be
165 found in [DKIM-THREATS].) However, there has been no single widely
166 accepted or publicly available mechanism to communication of
167
168
169
170Kucherawy & Zwicky Informational [Page 3]
171
172RFC 7489 DMARC March 2015
173
174
175 domain-specific message-handling policies for receivers, or to
176 request reporting of authentication and disposition of received mail.
177 Absent the ability to obtain feedback reports, originators who have
178 implemented email authentication have difficulty determining how
179 effective their authentication is. As a consequence, use of
180 authentication failures to filter mail typically does not succeed.
181
182 Over time, one-on-one relationships were established between select
183 senders and receivers with privately communicated means to assert
184 policy and receive message traffic and authentication disposition
185 reporting. Although these ad hoc practices have been generally
186 successful, they require significant manual coordination between
187 parties, and this model does not scale for general use on the
188 Internet.
189
190 This document defines Domain-based Message Authentication, Reporting,
191 and Conformance (DMARC), a mechanism by which email operators
192 leverage existing authentication and policy advertisement
193 technologies to enable both message-stream feedback and enforcement
194 of policies against unauthenticated email.
195
196 DMARC allows Domain Owners and receivers to collaborate by:
197
198 1. Providing receivers with assertions about Domain Owners' policies
199
200 2. Providing feedback to senders so they can monitor authentication
201 and judge threats
202
203 The basic outline of DMARC is as follows:
204
205 1. Domain Owners publish policy assertions about domains via the
206 DNS.
207
208 2. Receivers compare the RFC5322.From address in the mail to the SPF
209 and DKIM results, if present, and the DMARC policy in DNS.
210
211 3. These receivers can use these results to determine how the mail
212 should be handled.
213
214 4. The receiver sends reports to the Domain Owner or its designee
215 about mail claiming to be from their domain.
216
217 Security terms used in this document are defined in [SEC-TERMS].
218
219
220
221
222
223
224
225
226Kucherawy & Zwicky Informational [Page 4]
227
228RFC 7489 DMARC March 2015
229
230
231 DMARC differs from previous approaches to policy advertisement (e.g.,
232 [SPF] and [ADSP]) in that:
233
234 o Authentication technologies are:
235
236 1. decoupled from any technology-specific policy mechanisms, and
237
238 2. used solely to establish reliable per-message domain-level
239 identifiers.
240
241 o Multiple authentication technologies are used to:
242
243 1. reduce the impact of transient authentication errors
244
245 2. reduce the impact of site-specific configuration errors and
246 deployment gaps
247
248 3. enable more use cases than any individual technology supports
249 alone
250
251 o Receiver-generated feedback is supported, allowing senders to
252 establish confidence in authentication practices.
253
254 o The domain name extracted from a message's RFC5322.From field is
255 the primary identifier in the DMARC mechanism. This identifier is
256 used in conjunction with the results of the underlying
257 authentication technologies to evaluate results under DMARC.
258
259 Experience with DMARC has revealed some issues of interoperability
260 with email in general that require due consideration before
261 deployment, particularly with configurations that can cause mail to
262 be rejected. These are discussed in Section 10.
263
2642. Requirements
265
266 Specification of DMARC is guided by the following high-level goals,
267 security dependencies, detailed requirements, and items that are
268 documented as out of scope.
269
2702.1. High-Level Goals
271
272 DMARC has the following high-level goals:
273
274 o Allow Domain Owners to assert the preferred handling of
275 authentication failures, for messages purporting to have
276 authorship within the domain.
277
278 o Allow Domain Owners to verify their authentication deployment.
279
280
281
282Kucherawy & Zwicky Informational [Page 5]
283
284RFC 7489 DMARC March 2015
285
286
287 o Minimize implementation complexity for both senders and receivers,
288 as well as the impact on handling and delivery of legitimate
289 messages.
290
291 o Reduce the amount of successfully delivered spoofed email.
292
293 o Work at Internet scale.
294
2952.2. Out of Scope
296
297 Several topics and issues are specifically out of scope for the
298 initial version of this work. These include the following:
299
300 o different treatment of messages that are not authenticated versus
301 those that fail authentication;
302
303 o evaluation of anything other than RFC5322.From;
304
305 o multiple reporting formats;
306
307 o publishing policy other than via the DNS;
308
309 o reporting or otherwise evaluating other than the last-hop IP
310 address;
311
312 o attacks in the RFC5322.From field, also known as "display name"
313 attacks;
314
315 o authentication of entities other than domains, since DMARC is
316 built upon SPF and DKIM, which authenticate domains; and
317
318 o content analysis.
319
3202.3. Scalability
321
322 Scalability is a major issue for systems that need to operate in a
323 system as widely deployed as current SMTP email. For this reason,
324 DMARC seeks to avoid the need for third parties or pre-sending
325 agreements between senders and receivers. This preserves the
326 positive aspects of the current email infrastructure.
327
328 Although DMARC does not introduce third-party senders (namely
329 external agents authorized to send on behalf of an operator) to the
330 email-handling flow, it also does not preclude them. Such third
331 parties are free to provide services in conjunction with DMARC.
332
333
334
335
336
337
338Kucherawy & Zwicky Informational [Page 6]
339
340RFC 7489 DMARC March 2015
341
342
3432.4. Anti-Phishing
344
345 DMARC is designed to prevent bad actors from sending mail that claims
346 to come from legitimate senders, particularly senders of
347 transactional email (official mail that is about business
348 transactions). One of the primary uses of this kind of spoofed mail
349 is phishing (enticing users to provide information by pretending to
350 be the legitimate service requesting the information). Thus, DMARC
351 is significantly informed by ongoing efforts to enact large-scale,
352 Internet-wide anti-phishing measures.
353
354 Although DMARC can only be used to combat specific forms of exact-
355 domain spoofing directly, the DMARC mechanism has been found to be
356 useful in the creation of reliable and defensible message streams.
357
358 DMARC does not attempt to solve all problems with spoofed or
359 otherwise fraudulent email. In particular, it does not address the
360 use of visually similar domain names ("cousin domains") or abuse of
361 the RFC5322.From human-readable <display-name>.
362
3633. Terminology and Definitions
364
365 This section defines terms used in the rest of the document.
366
367 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
368 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
369 document are to be interpreted as described in [KEYWORDS].
370
371 Readers are encouraged to be familiar with the contents of
372 [EMAIL-ARCH]. In particular, that document defines various roles in
373 the messaging infrastructure that can appear the same or separate in
374 various contexts. For example, a Domain Owner could, via the
375 messaging security mechanisms on which DMARC is based, delegate the
376 ability to send mail as the Domain Owner to a third party with
377 another role. This document does not address the distinctions among
378 such roles; the reader is encouraged to become familiar with that
379 material before continuing.
380
381 The following terms are also used:
382
383 Authenticated Identifiers: Domain-level identifiers that are
384 validated using authentication technologies are referred to as
385 "Authenticated Identifiers". See Section 4.1 for details about
386 the supported mechanisms.
387
388 Author Domain: The domain name of the apparent author, as extracted
389 from the RFC5322.From field.
390
391
392
393
394Kucherawy & Zwicky Informational [Page 7]
395
396RFC 7489 DMARC March 2015
397
398
399 Domain Owner: An entity or organization that owns a DNS domain. The
400 term "owns" here indicates that the entity or organization being
401 referenced holds the registration of that DNS domain. Domain
402 Owners range from complex, globally distributed organizations, to
403 service providers working on behalf of non-technical clients, to
404 individuals responsible for maintaining personal domains. This
405 specification uses this term as analogous to an Administrative
406 Management Domain as defined in [EMAIL-ARCH]. It can also refer
407 to delegates, such as Report Receivers, when those are outside of
408 their immediate management domain.
409
410 Identifier Alignment: When the domain in the RFC5322.From address
411 matches a domain validated by SPF or DKIM (or both), it has
412 Identifier Alignment.
413
414 Mail Receiver: The entity or organization that receives and
415 processes email. Mail Receivers operate one or more Internet-
416 facing Mail Transport Agents (MTAs).
417
418 Organizational Domain: The domain that was registered with a domain
419 name registrar. In the absence of more accurate methods,
420 heuristics are used to determine this, since it is not always the
421 case that the registered domain name is simply a top-level DNS
422 domain plus one component (e.g., "example.com", where "com" is a
423 top-level domain). The Organizational Domain is determined by
424 applying the algorithm found in Section 3.2.
425
426 Report Receiver: An operator that receives reports from another
427 operator implementing the reporting mechanism described in this
428 document. Such an operator might be receiving reports about its
429 own messages, or reports about messages related to another
430 operator. This term applies collectively to the system components
431 that receive and process these reports and the organizations that
432 operate them.
433
4343.1. Identifier Alignment
435
436 Email authentication technologies authenticate various (and
437 disparate) aspects of an individual message. For example, [DKIM]
438 authenticates the domain that affixed a signature to the message,
439 while [SPF] can authenticate either the domain that appears in the
440 RFC5321.MailFrom (MAIL FROM) portion of [SMTP] or the RFC5321.EHLO/
441 HELO domain, or both. These may be different domains, and they are
442 typically not visible to the end user.
443
444 DMARC authenticates use of the RFC5322.From domain by requiring that
445 it match (be aligned with) an Authenticated Identifier. The
446 RFC5322.From domain was selected as the central identity of the DMARC
447
448
449
450Kucherawy & Zwicky Informational [Page 8]
451
452RFC 7489 DMARC March 2015
453
454
455 mechanism because it is a required message header field and therefore
456 guaranteed to be present in compliant messages, and most Mail User
457 Agents (MUAs) represent the RFC5322.From field as the originator of
458 the message and render some or all of this header field's content to
459 end users.
460
461 Thus, this field is the one used by end users to identify the source
462 of the message and therefore is a prime target for abuse. Many
463 high-profile email sources, such as email service providers, require
464 that the sending agent have authenticated before email can be
465 generated. Thus, for these mailboxes, the mechanism described in
466 this document provides recipient end users with strong evidence that
467 the message was indeed originated by the agent they associate with
468 that mailbox, if the end user knows that these various protections
469 have been provided.
470
471 Domain names in this context are to be compared in a case-insensitive
472 manner, per [DNS-CASE].
473
474 It is important to note that Identifier Alignment cannot occur with a
475 message that is not valid per [MAIL], particularly one with a
476 malformed, absent, or repeated RFC5322.From field, since in that case
477 there is no reliable way to determine a DMARC policy that applies to
478 the message. Accordingly, DMARC operation is predicated on the input
479 being a valid RFC5322 message object, and handling of such
480 non-compliant cases is outside of the scope of this specification.
481 Further discussion of this can be found in Section 6.6.1.
482
483 Each of the underlying authentication technologies that DMARC takes
484 as input yields authenticated domains as their outputs when they
485 succeed. From the perspective of DMARC, each can be operated in a
486 "strict" mode or a "relaxed" mode. A Domain Owner would normally
487 select strict mode if it wanted Mail Receivers to apply DMARC
488 processing only to messages bearing an RFC5322.From domain exactly
489 matching the domains those mechanisms will verify. Relaxed mode can
490 be used when the operator also wishes to affect message flows bearing
491 subdomains of the verified domains.
492
4933.1.1. DKIM-Authenticated Identifiers
494
495 DMARC permits Identifier Alignment, based on the result of a DKIM
496 authentication, to be strict or relaxed. (Note that these are not
497 related to DKIM's "simple" and "relaxed" canonicalization modes.)
498
499
500
501
502
503
504
505
506Kucherawy & Zwicky Informational [Page 9]
507
508RFC 7489 DMARC March 2015
509
510
511 In relaxed mode, the Organizational Domains of both the [DKIM]- ../dmarc/dmarc.go:303
512 authenticated signing domain (taken from the value of the "d=" tag in
513 the signature) and that of the RFC5322.From domain must be equal if
514 the identifiers are to be considered aligned. In strict mode, only
515 an exact match between both of the Fully Qualified Domain Names
516 (FQDNs) is considered to produce Identifier Alignment.
517
518 To illustrate, in relaxed mode, if a validated DKIM signature
519 successfully verifies with a "d=" domain of "example.com", and the
520 RFC5322.From address is "alerts@news.example.com", the DKIM "d="
521 domain and the RFC5322.From domain are considered to be "in
522 alignment". In strict mode, this test would fail, since the "d="
523 domain does not exactly match the FQDN of the address.
524
525 However, a DKIM signature bearing a value of "d=com" would never ../dmarc/dmarc_test.go:302
526 allow an "in alignment" result, as "com" should appear on all public
527 suffix lists (see Appendix A.6.1) and therefore cannot be an
528 Organizational Domain.
529
530 Identifier Alignment is required because a message can bear a valid
531 signature from any domain, including domains used by a mailing list
532 or even a bad actor. Therefore, merely bearing a valid signature is
533 not enough to infer authenticity of the Author Domain.
534
535 Note that a single email can contain multiple DKIM signatures, and it ../dmarc/dmarc.go:305
536 is considered to be a DMARC "pass" if any DKIM signature is aligned
537 and verifies.
538
5393.1.2. SPF-Authenticated Identifiers
540
541 DMARC permits Identifier Alignment, based on the result of an SPF
542 authentication, to be strict or relaxed.
543
544 In relaxed mode, the [SPF]-authenticated domain and RFC5322.From ../dmarc/dmarc.go:292
545 domain must have the same Organizational Domain. In strict mode,
546 only an exact DNS domain match is considered to produce Identifier
547 Alignment.
548
549 Note that the RFC5321.HELO identity is not typically used in the
550 context of DMARC (except when required to "fake" an otherwise null
551 reverse-path), even though a "pure SPF" implementation according to
552 [SPF] would check that identifier.
553
554
555
556
557
558
559
560
561
562Kucherawy & Zwicky Informational [Page 10]
563
564RFC 7489 DMARC March 2015
565
566
567 For example, if a message passes an SPF check with an
568 RFC5321.MailFrom domain of "cbg.bounces.example.com", and the address
569 portion of the RFC5322.From field contains "payments@example.com",
570 the Authenticated RFC5321.MailFrom domain identifier and the
571 RFC5322.From domain are considered to be "in alignment" in relaxed
572 mode, but not in strict mode.
573
5743.1.3. Alignment and Extension Technologies
575
576 If in the future DMARC is extended to include the use of other
577 authentication mechanisms, the extensions will need to allow for
578 domain identifier extraction so that alignment with the RFC5322.From
579 domain can be verified.
580
5813.2. Organizational Domain
582
583 The Organizational Domain is determined using the following
584 algorithm:
585
586 1. Acquire a "public suffix" list, i.e., a list of DNS domain names
587 reserved for registrations. Some country Top-Level Domains
588 (TLDs) make specific registration requirements, e.g., the United
589 Kingdom places company registrations under ".co.uk"; other TLDs
590 such as ".com" appear in the IANA registry of top-level DNS
591 domains. A public suffix list is the union of all of these.
592 Appendix A.6.1 contains some discussion about obtaining a public
593 suffix list.
594
595 2. Break the subject DNS domain name into a set of "n" ordered
596 labels. Number these labels from right to left; e.g., for
597 "example.com", "com" would be label 1 and "example" would be
598 label 2.
599
600 3. Search the public suffix list for the name that matches the
601 largest number of labels found in the subject DNS domain. Let
602 that number be "x".
603
604 4. Construct a new DNS domain name using the name that matched from
605 the public suffix list and prefixing to it the "x+1"th label from
606 the subject domain. This new name is the Organizational Domain.
607
608 Thus, since "com" is an IANA-registered TLD, a subject domain of
609 "a.b.c.d.example.com" would have an Organizational Domain of
610 "example.com".
611
612 The process of determining a suffix is currently a heuristic one. No
613 list is guaranteed to be accurate or current.
614
615
616
617
618Kucherawy & Zwicky Informational [Page 11]
619
620RFC 7489 DMARC March 2015
621
622
6234. Overview
624
625 This section provides a general overview of the design and operation
626 of the DMARC environment.
627
6284.1. Authentication Mechanisms
629
630 The following mechanisms for determining Authenticated Identifiers
631 are supported in this version of DMARC:
632
633 o [DKIM], which provides a domain-level identifier in the content of
634 the "d=" tag of a validated DKIM-Signature header field.
635
636 o [SPF], which can authenticate both the domain found in an [SMTP]
637 HELO/EHLO command (the HELO identity) and the domain found in an
638 SMTP MAIL command (the MAIL FROM identity). DMARC uses the result
639 of SPF authentication of the MAIL FROM identity. Section 2.4 of
640 [SPF] describes MAIL FROM processing for cases in which the MAIL
641 command has a null path.
642
6434.2. Key Concepts
644
645 DMARC policies are published by the Domain Owner, and retrieved by
646 the Mail Receiver during the SMTP session, via the DNS.
647
648 DMARC's filtering function is based on whether the RFC5322.From field
649 domain is aligned with (matches) an authenticated domain name from
650 SPF or DKIM. When a DMARC policy is published for the domain name
651 found in the RFC5322.From field, and that domain name is not
652 validated through SPF or DKIM, the disposition of that message can be
653 affected by that DMARC policy when delivered to a participating
654 receiver.
655
656 It is important to note that the authentication mechanisms employed
657 by DMARC authenticate only a DNS domain and do not authenticate the
658 local-part of any email address identifier found in a message, nor do
659 they validate the legitimacy of message content.
660
661 DMARC's feedback component involves the collection of information
662 about received messages claiming to be from the Organizational Domain
663 for periodic aggregate reports to the Domain Owner. The parameters
664 and format for such reports are discussed in later sections of this
665 document.
666
667 A DMARC-enabled Mail Receiver might also generate per-message reports
668 that contain information related to individual messages that fail SPF
669 and/or DKIM. Per-message failure reports are a useful source of
670 information when debugging deployments (if messages can be determined
671
672
673
674Kucherawy & Zwicky Informational [Page 12]
675
676RFC 7489 DMARC March 2015
677
678
679 to be legitimate even though failing authentication) or in analyzing
680 attacks. The capability for such services is enabled by DMARC but
681 defined in other referenced material such as [AFRF].
682
683 A message satisfies the DMARC checks if at least one of the supported
684 authentication mechanisms:
685
686 1. produces a "pass" result, and
687
688 2. produces that result based on an identifier that is in alignment,
689 as defined in Section 3.
690
6914.3. Flow Diagram
692
693 +---------------+
694 | Author Domain |< . . . . . . . . . . . . . . . . . . . . . . .
695 +---------------+ . . .
696 | . . .
697 V V V .
698 +-----------+ +--------+ +----------+ +----------+ .
699 | MSA |<***>| DKIM | | DKIM | | SPF | .
700 | Service | | Signer | | Verifier | | Verifier | .
701 +-----------+ +--------+ +----------+ +----------+ .
702 | ^ ^ .
703 | ************** .
704 V * .
705 +------+ (~~~~~~~~~~~~) +------+ * .
706 | sMTA |------->( other MTAs )----->| rMTA | * .
707 +------+ (~~~~~~~~~~~~) +------+ * .
708 | * ........
709 | * .
710 V * .
711 +-----------+ V V
712 +---------+ | MDA | +----------+
713 | User |<--| Filtering |<***>| DMARC |
714 | Mailbox | | Engine | | Verifier |
715 +---------+ +-----------+ +----------+
716
717 MSA = Mail Submission Agent
718 MDA = Mail Delivery Agent
719
720 The above diagram shows a simple flow of messages through a DMARC-
721 aware system. Solid lines denote the actual message flow, dotted
722 lines involve DNS queries used to retrieve message policy related to
723 the supported message authentication schemes, and asterisk lines
724 indicate data exchange between message-handling modules and message
725 authentication modules. "sMTA" is the sending MTA, and "rMTA" is the
726 receiving MTA.
727
728
729
730Kucherawy & Zwicky Informational [Page 13]
731
732RFC 7489 DMARC March 2015
733
734
735 In essence, the steps are as follows:
736
737 1. Domain Owner constructs an SPF policy and publishes it in its
738 DNS database as per [SPF]. Domain Owner also configures its
739 system for DKIM signing as described in [DKIM]. Finally, Domain
740 Owner publishes via the DNS a DMARC message-handling policy.
741
742 2. Author generates a message and hands the message to Domain
743 Owner's designated mail submission service.
744
745 3. Submission service passes relevant details to the DKIM signing
746 module in order to generate a DKIM signature to be applied to
747 the message.
748
749 4. Submission service relays the now-signed message to its
750 designated transport service for routing to its intended
751 recipient(s).
752
753 5. Message may pass through other relays but eventually arrives at
754 a recipient's transport service.
755
756 6. Recipient delivery service conducts SPF and DKIM authentication
757 checks by passing the necessary data to their respective
758 modules, each of which requires queries to the Author Domain's
759 DNS data (when identifiers are aligned; see below).
760
761 7. The results of these are passed to the DMARC module along with 7489:1377 ../dmarc/dmarc.go:109
762 the Author's domain. The DMARC module attempts to retrieve a
763 policy from the DNS for that domain. If none is found, the
764 DMARC module determines the Organizational Domain and repeats
765 the attempt to retrieve a policy from the DNS. (This is
766 described in further detail in Section 6.6.3.)
767
768 8. If a policy is found, it is combined with the Author's domain
769 and the SPF and DKIM results to produce a DMARC policy result (a
770 "pass" or "fail") and can optionally cause one of two kinds of
771 reports to be generated (not shown).
772
773 9. Recipient transport service either delivers the message to the
774 recipient inbox or takes other local policy action based on the
775 DMARC result (not shown).
776
777 10. When requested, Recipient transport service collects data from
778 the message delivery session to be used in providing feedback
779 (see Section 7).
780
781
782
783
784
785
786Kucherawy & Zwicky Informational [Page 14]
787
788RFC 7489 DMARC March 2015
789
790
7915. Use of RFC5322.From
792
793 One of the most obvious points of security scrutiny for DMARC is the
794 choice to focus on an identifier, namely the RFC5322.From address,
795 which is part of a body of data that has been trivially forged
796 throughout the history of email.
797
798 Several points suggest that it is the most correct and safest thing
799 to do in this context:
800
801 o Of all the identifiers that are part of the message itself, this
802 is the only one guaranteed to be present.
803
804 o It seems the best choice of an identifier on which to focus, as
805 most MUAs display some or all of the contents of that field in a
806 manner strongly suggesting those data as reflective of the true
807 originator of the message.
808
809 The absence of a single, properly formed RFC5322.From field renders
810 the message invalid. Handling of such a message is outside of the
811 scope of this specification.
812
813 Since the sorts of mail typically protected by DMARC participants
814 tend to only have single Authors, DMARC participants generally
815 operate under a slightly restricted profile of RFC5322 with respect
816 to the expected syntax of this field. See Section 6.6 for details.
817
8186. Policy
819
820 DMARC policies are published by Domain Owners and applied by Mail
821 Receivers.
822
823 A Domain Owner advertises DMARC participation of one or more of its
824 domains by adding a DNS TXT record (described in Section 6.1) to
825 those domains. In doing so, Domain Owners make specific requests of
826 Mail Receivers regarding the disposition of messages purporting to be
827 from one of the Domain Owner's domains and the provision of feedback
828 about those messages.
829
830 A Domain Owner may choose not to participate in DMARC evaluation by
831 Mail Receivers. In this case, the Domain Owner simply declines to
832 advertise participation in those schemes. For example, if the
833 results of path authorization checks ought not be considered as part
834 of the overall DMARC result for a given Author Domain, then the
835 Domain Owner does not publish an SPF policy record that can produce
836 an SPF pass result.
837
838
839
840
841
842Kucherawy & Zwicky Informational [Page 15]
843
844RFC 7489 DMARC March 2015
845
846
847 A Mail Receiver implementing the DMARC mechanism SHOULD make a
848 best-effort attempt to adhere to the Domain Owner's published DMARC
849 policy when a message fails the DMARC test. Since email streams can
850 be complicated (due to forwarding, existing RFC5322.From
851 domain-spoofing services, etc.), Mail Receivers MAY deviate from a
852 Domain Owner's published policy during message processing and SHOULD
853 make available the fact of and reason for the deviation to the Domain
854 Owner via feedback reporting, specifically using the "PolicyOverride"
855 feature of the aggregate report (see Section 7.2).
856
8576.1. DMARC Policy Record
858
859 Domain Owner DMARC preferences are stored as DNS TXT records in 7489:1370 ../dmarc/dmarc.go:102
860 subdomains named "_dmarc". For example, the Domain Owner of
861 "example.com" would post DMARC preferences in a TXT record at
862 "_dmarc.example.com". Similarly, a Mail Receiver wishing to query
863 for DMARC preferences regarding mail with an RFC5322.From domain of
864 "example.com" would issue a TXT query to the DNS for the subdomain of
865 "_dmarc.example.com". The DNS-located DMARC preference data will
866 hereafter be called the "DMARC record".
867
868 DMARC's use of the Domain Name Service is driven by DMARC's use of
869 domain names and the nature of the query it performs. The query
870 requirement matches with the DNS, for obtaining simple parametric
871 information. It uses an established method of storing the
872 information, associated with the target domain name, namely an
873 isolated TXT record that is restricted to the DMARC context. Use of
874 the DNS as the query service has the benefit of reusing an extremely
875 well-established operations, administration, and management
876 infrastructure, rather than creating a new one.
877
878 Per [DNS], a TXT record can comprise several "character-string"
879 objects. Where this is the case, the module performing DMARC
880 evaluation MUST concatenate these strings by joining together the
881 objects in order and parsing the result as a single string.
882
8836.2. DMARC URIs ../dmarc/parse.go:290
884
885 [URI] defines a generic syntax for identifying a resource. The DMARC
886 mechanism uses this as the format by which a Domain Owner specifies
887 the destination for the two report types that are supported.
888
889 The place such URIs are specified (see Section 6.3) allows a list of
890 these to be provided. A report is normally sent to each listed URI
891 in the order provided by the Domain Owner. Receivers MAY impose a
892 limit on the number of URIs to which they will send reports but MUST
893 support the ability to send to at least two. The list of URIs is
894 separated by commas (ASCII 0x2C).
895
896
897
898Kucherawy & Zwicky Informational [Page 16]
899
900RFC 7489 DMARC March 2015
901
902
903 Each URI can have associated with it a maximum report size that may
904 be sent to it. This is accomplished by appending an exclamation
905 point (ASCII 0x21), followed by a maximum-size indication, before a
906 separating comma or terminating semicolon.
907
908 Thus, a DMARC URI is a URI within which any commas or exclamation
909 points are percent-encoded per [URI], followed by an OPTIONAL
910 exclamation point and a maximum-size specification, and, if there are
911 additional reporting URIs in the list, a comma and the next URI.
912
913 For example, the URI "mailto:reports@example.com!50m" would request
914 that a report be sent via email to "reports@example.com" so long as
915 the report payload does not exceed 50 megabytes.
916
917 A formal definition is provided in Section 6.4.
918
9196.3. General Record Format
920
921 DMARC records follow the extensible "tag-value" syntax for DNS-based
922 key records defined in DKIM [DKIM].
923
924 Section 11 creates a registry for known DMARC tags and registers the ../dmarc/parse.go:81
925 initial set defined in this document. Only tags defined in this
926 document or in later extensions, and thus added to that registry, are
927 to be processed; unknown tags MUST be ignored.
928
929 The following tags are introduced as the initial valid DMARC tags:
930
931 adkim: (plain-text; OPTIONAL; default is "r".) Indicates whether
932 strict or relaxed DKIM Identifier Alignment mode is required by
933 the Domain Owner. See Section 3.1.1 for details. Valid values
934 are as follows:
935
936 r: relaxed mode
937
938 s: strict mode
939
940 aspf: (plain-text; OPTIONAL; default is "r".) Indicates whether
941 strict or relaxed SPF Identifier Alignment mode is required by the
942 Domain Owner. See Section 3.1.2 for details. Valid values are as
943 follows:
944
945 r: relaxed mode
946
947 s: strict mode
948
949
950
951
952
953
954Kucherawy & Zwicky Informational [Page 17]
955
956RFC 7489 DMARC March 2015
957
958
959 fo: Failure reporting options (plain-text; OPTIONAL; default is "0")
960 Provides requested options for generation of failure reports.
961 Report generators MAY choose to adhere to the requested options.
962 This tag's content MUST be ignored if a "ruf" tag (below) is not
963 also specified. The value of this tag is a colon-separated list
964 of characters that indicate failure reporting options as follows:
965
966 0: Generate a DMARC failure report if all underlying
967 authentication mechanisms fail to produce an aligned "pass"
968 result.
969
970 1: Generate a DMARC failure report if any underlying
971 authentication mechanism produced something other than an
972 aligned "pass" result.
973
974 d: Generate a DKIM failure report if the message had a signature
975 that failed evaluation, regardless of its alignment. DKIM-
976 specific reporting is described in [AFRF-DKIM].
977
978 s: Generate an SPF failure report if the message failed SPF
979 evaluation, regardless of its alignment. SPF-specific
980 reporting is described in [AFRF-SPF].
981
982 p: Requested Mail Receiver policy (plain-text; REQUIRED for policy
983 records). Indicates the policy to be enacted by the Receiver at
984 the request of the Domain Owner. Policy applies to the domain
985 queried and to subdomains, unless subdomain policy is explicitly
986 described using the "sp" tag. This tag is mandatory for policy
987 records only, but not for third-party reporting records (see
988 Section 7.1). Possible values are as follows:
989
990 none: The Domain Owner requests no specific action be taken
991 regarding delivery of messages.
992
993 quarantine: The Domain Owner wishes to have email that fails the
994 DMARC mechanism check be treated by Mail Receivers as
995 suspicious. Depending on the capabilities of the Mail
996 Receiver, this can mean "place into spam folder", "scrutinize
997 with additional intensity", and/or "flag as suspicious".
998
999 reject: The Domain Owner wishes for Mail Receivers to reject
1000 email that fails the DMARC mechanism check. Rejection SHOULD
1001 occur during the SMTP transaction. See Section 10.3 for some
1002 discussion of SMTP rejection methods and their implications.
1003
1004 pct: (plain-text integer between 0 and 100, inclusive; OPTIONAL;
1005 default is 100). Percentage of messages from the Domain Owner's
1006 mail stream to which the DMARC policy is to be applied. However,
1007
1008
1009
1010Kucherawy & Zwicky Informational [Page 18]
1011
1012RFC 7489 DMARC March 2015
1013
1014
1015 this MUST NOT be applied to the DMARC-generated reports, all of
1016 which must be sent and received unhindered. The purpose of the
1017 "pct" tag is to allow Domain Owners to enact a slow rollout
1018 enforcement of the DMARC mechanism. The prospect of "all or
1019 nothing" is recognized as preventing many organizations from
1020 experimenting with strong authentication-based mechanisms. See
1021 Section 6.6.4 for details. Note that random selection based on
1022 this percentage, such as the following pseudocode, is adequate:
1023
1024 if (random mod 100) < pct then 7489:1446 ../dmarc/dmarc.go:265
1025 selected = true
1026 else
1027 selected = false
1028
1029 rf: Format to be used for message-specific failure reports (colon-
1030 separated plain-text list of values; OPTIONAL; default is "afrf").
1031 The value of this tag is a list of one or more report formats as
1032 requested by the Domain Owner to be used when a message fails both
1033 [SPF] and [DKIM] tests to report details of the individual
1034 failure. The values MUST be present in the registry of reporting
1035 formats defined in Section 11; a Mail Receiver observing a
1036 different value SHOULD ignore it or MAY ignore the entire DMARC
1037 record. For this version, only "afrf" (the auth-failure report
1038 type defined in [AFRF]) is presently supported. See Section 7.3
1039 for details. For interoperability, the Authentication Failure
1040 Reporting Format (AFRF) MUST be supported.
1041
1042 ri: Interval requested between aggregate reports (plain-text 32-bit
1043 unsigned integer; OPTIONAL; default is 86400). Indicates a
1044 request to Receivers to generate aggregate reports separated by no
1045 more than the requested number of seconds. DMARC implementations
1046 MUST be able to provide daily reports and SHOULD be able to
1047 provide hourly reports when requested. However, anything other
1048 than a daily report is understood to be accommodated on a best-
1049 effort basis.
1050
1051 rua: Addresses to which aggregate feedback is to be sent (comma-
1052 separated plain-text list of DMARC URIs; OPTIONAL). A comma or
1053 exclamation point that is part of such a DMARC URI MUST be encoded
1054 per Section 2.1 of [URI] so as to distinguish it from the list
1055 delimiter or an OPTIONAL size limit. Section 7.1 discusses
1056 considerations that apply when the domain name of a URI differs
1057 from that of the domain advertising the policy. See Section 12.5
1058 for additional considerations. Any valid URI can be specified. A
1059 Mail Receiver MUST implement support for a "mailto:" URI, i.e.,
1060 the ability to send a DMARC report via electronic mail. If not
1061
1062
1063
1064
1065
1066Kucherawy & Zwicky Informational [Page 19]
1067
1068RFC 7489 DMARC March 2015
1069
1070
1071 provided, Mail Receivers MUST NOT generate aggregate feedback
1072 reports. URIs not supported by Mail Receivers MUST be ignored.
1073 The aggregate feedback report format is described in Section 7.2.
1074
1075 ruf: Addresses to which message-specific failure information is to
1076 be reported (comma-separated plain-text list of DMARC URIs;
1077 OPTIONAL). If present, the Domain Owner is requesting Mail
1078 Receivers to send detailed failure reports about messages that
1079 fail the DMARC evaluation in specific ways (see the "fo" tag
1080 above). The format of the message to be generated MUST follow the
1081 format specified for the "rf" tag. Section 7.1 discusses
1082 considerations that apply when the domain name of a URI differs
1083 from that of the domain advertising the policy. A Mail Receiver
1084 MUST implement support for a "mailto:" URI, i.e., the ability to
1085 send a DMARC report via electronic mail. If not provided, Mail
1086 Receivers MUST NOT generate failure reports. See Section 12.5 for
1087 additional considerations.
1088
1089 sp: Requested Mail Receiver policy for all subdomains (plain-text;
1090 OPTIONAL). Indicates the policy to be enacted by the Receiver at
1091 the request of the Domain Owner. It applies only to subdomains of
1092 the domain queried and not to the domain itself. Its syntax is
1093 identical to that of the "p" tag defined above. If absent, the
1094 policy specified by the "p" tag MUST be applied for subdomains.
1095 Note that "sp" will be ignored for DMARC records published on
1096 subdomains of Organizational Domains due to the effect of the
1097 DMARC policy discovery mechanism described in Section 6.6.3.
1098
1099 v: Version (plain-text; REQUIRED). Identifies the record retrieved ../dmarc/parse.go:53
1100 as a DMARC record. It MUST have the value of "DMARC1". The value
1101 of this tag MUST match precisely; if it does not or it is absent,
1102 the entire retrieved record MUST be ignored. It MUST be the first
1103 tag in the list.
1104
1105 A DMARC policy record MUST comply with the formal specification found ../dmarc/parse.go:92
1106 in Section 6.4 in that the "v" and "p" tags MUST be present and MUST 7489:1407 ../dmarc/parse.go:149
1107 appear in that order. Unknown tags MUST be ignored. Syntax errors
1108 in the remainder of the record SHOULD be discarded in favor of
1109 default values (if any) or ignored outright.
1110
1111 Note that given the rules of the previous paragraph, addition of a
1112 new tag into the registered list of tags does not itself require a
1113 new version of DMARC to be generated (with a corresponding change to
1114 the "v" tag's value), but a change to any existing tags does require
1115 a new version of DMARC.
1116
1117
1118
1119
1120
1121
1122Kucherawy & Zwicky Informational [Page 20]
1123
1124RFC 7489 DMARC March 2015
1125
1126
11276.4. Formal Definition ../dmarc/parse.go:82 ../dmarc/txt.go:42
1128
1129 The formal definition of the DMARC format, using [ABNF], is as
1130 follows:
1131
1132 dmarc-uri = URI [ "!" 1*DIGIT [ "k" / "m" / "g" / "t" ] ] ../dmarc/parse.go:291
1133 ; "URI" is imported from [URI]; commas (ASCII
1134 ; 0x2C) and exclamation points (ASCII 0x21)
1135 ; MUST be encoded; the numeric portion MUST fit
1136 ; within an unsigned 64-bit integer
1137
1138 dmarc-record = dmarc-version dmarc-sep
1139 [dmarc-request]
1140 [dmarc-sep dmarc-srequest]
1141 [dmarc-sep dmarc-auri]
1142 [dmarc-sep dmarc-furi]
1143 [dmarc-sep dmarc-adkim]
1144 [dmarc-sep dmarc-aspf]
1145 [dmarc-sep dmarc-ainterval]
1146 [dmarc-sep dmarc-fo]
1147 [dmarc-sep dmarc-rfmt]
1148 [dmarc-sep dmarc-percent]
1149 [dmarc-sep]
1150 ; components other than dmarc-version and
1151 ; dmarc-request may appear in any order
1152
1153 dmarc-version = "v" *WSP "=" *WSP %x44 %x4d %x41 %x52 %x43 %x31
1154
1155 dmarc-sep = *WSP %x3b *WSP
1156
1157 dmarc-request = "p" *WSP "=" *WSP ../dmarc/txt.go:13
1158 ( "none" / "quarantine" / "reject" )
1159
1160 dmarc-srequest = "sp" *WSP "=" *WSP
1161 ( "none" / "quarantine" / "reject" )
1162
1163 dmarc-auri = "rua" *WSP "=" *WSP
1164 dmarc-uri *(*WSP "," *WSP dmarc-uri)
1165
1166 dmarc-furi = "ruf" *WSP "=" *WSP
1167 dmarc-uri *(*WSP "," *WSP dmarc-uri)
1168
1169 dmarc-adkim = "adkim" *WSP "=" *WSP
1170 ( "r" / "s" )
1171
1172 dmarc-aspf = "aspf" *WSP "=" *WSP
1173 ( "r" / "s" )
1174
1175
1176
1177
1178Kucherawy & Zwicky Informational [Page 21]
1179
1180RFC 7489 DMARC March 2015
1181
1182
1183 dmarc-ainterval = "ri" *WSP "=" *WSP 1*DIGIT
1184
1185 dmarc-fo = "fo" *WSP "=" *WSP
1186 ( "0" / "1" / "d" / "s" )
1187 *(*WSP ":" *WSP ( "0" / "1" / "d" / "s" ))
1188
1189 dmarc-rfmt = "rf" *WSP "=" *WSP Keyword *(*WSP ":" Keyword)
1190 ; registered reporting formats only
1191
1192 dmarc-percent = "pct" *WSP "=" *WSP
1193 1*3DIGIT
1194
1195 "Keyword" is imported from Section 4.1.2 of [SMTP]. ../dmarc/parse.go:340
1196
1197 A size limitation in a dmarc-uri, if provided, is interpreted as a ../dmarcdb/eval.go:501
1198 count of units followed by an OPTIONAL unit size ("k" for kilobytes,
1199 "m" for megabytes, "g" for gigabytes, "t" for terabytes). Without a
1200 unit, the number is presumed to be a basic byte count. Note that the
1201 units are considered to be powers of two; a kilobyte is 2^10, a
1202 megabyte is 2^20, etc.
1203
12046.5. Domain Owner Actions
1205
1206 To implement the DMARC mechanism, the only action required of a
1207 Domain Owner is the creation of the DMARC policy record in the DNS.
1208 However, in order to make meaningful use of DMARC, a Domain Owner
1209 must at minimum either establish an address to receive reports, or
1210 deploy authentication technologies and ensure Identifier Alignment.
1211 Most Domain Owners will want to do both.
1212
1213 DMARC reports will be of significant size, and the addresses that
1214 receive them are publicly visible, so we encourage Domain Owners to
1215 set up dedicated email addresses to receive and process reports, and
1216 to deploy abuse countermeasures on those email addresses as
1217 appropriate.
1218
1219 Authentication technologies are discussed in [DKIM] (see also
1220 [DKIM-OVERVIEW] and [DKIM-DEPLOYMENT]) and [SPF].
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234Kucherawy & Zwicky Informational [Page 22]
1235
1236RFC 7489 DMARC March 2015
1237
1238
12396.6. Mail Receiver Actions
1240
1241 This section describes receiver actions in the DMARC environment.
1242
12436.6.1. Extract Author Domain ../message/from.go:25
1244
1245 The domain in the RFC5322.From field is extracted as the domain to be
1246 evaluated by DMARC. If the domain is encoded with UTF-8, the domain
1247 name must be converted to an A-label, as described in Section 2.3 of
1248 [IDNA], for further processing.
1249
1250 In order to be processed by DMARC, a message typically needs to
1251 contain exactly one RFC5322.From domain (a single From: field with a
1252 single domain in it). Not all messages meet this requirement, and
1253 handling of them is outside of the scope of this document. Typical
1254 exceptions, and the way they have been historically handled by DMARC
1255 participants, are as follows:
1256
1257 o Messages with multiple RFC5322.From fields are typically rejected,
1258 since that form is forbidden under RFC 5322 [MAIL];
1259
1260 o Messages bearing a single RFC5322.From field containing multiple
1261 addresses (and, thus, multiple domain names to be evaluated) are
1262 typically rejected because the sorts of mail normally protected by
1263 DMARC do not use this format;
1264
1265 o Messages that have no RFC5322.From field at all are typically
1266 rejected, since that form is forbidden under RFC 5322 [MAIL];
1267
1268 o Messages with an RFC5322.From field that contains no meaningful
1269 domains, such as RFC 5322 [MAIL]'s "group" syntax, are typically
1270 ignored.
1271
1272 The case of a syntactically valid multi-valued RFC5322.From field
1273 presents a particular challenge. The process in this case is to
1274 apply the DMARC check using each of those domains found in the
1275 RFC5322.From field as the Author Domain and apply the most strict
1276 policy selected among the checks that fail.
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290Kucherawy & Zwicky Informational [Page 23]
1291
1292RFC 7489 DMARC March 2015
1293
1294
12956.6.2. Determine Handling Policy
1296
1297 To arrive at a policy for an individual message, Mail Receivers MUST
1298 perform the following actions or their semantic equivalents.
1299 Steps 2-4 MAY be done in parallel, whereas steps 5 and 6 require
1300 input from previous steps.
1301
1302 The steps are as follows:
1303
1304 1. Extract the RFC5322.From domain from the message (as above).
1305
1306 2. Query the DNS for a DMARC policy record. Continue if one is
1307 found, or terminate DMARC evaluation otherwise. See
1308 Section 6.6.3 for details.
1309
1310 3. Perform DKIM signature verification checks. A single email could
1311 contain multiple DKIM signatures. The results of this step are
1312 passed to the remainder of the algorithm and MUST include the
1313 value of the "d=" tag from each checked DKIM signature.
1314
1315 4. Perform SPF validation checks. The results of this step are
1316 passed to the remainder of the algorithm and MUST include the
1317 domain name used to complete the SPF check.
1318
1319 5. Conduct Identifier Alignment checks. With authentication checks ../dmarc/dmarc.go:291
1320 and policy discovery performed, the Mail Receiver checks to see
1321 if Authenticated Identifiers fall into alignment as described in
1322 Section 3. If one or more of the Authenticated Identifiers align
1323 with the RFC5322.From domain, the message is considered to pass
1324 the DMARC mechanism check. All other conditions (authentication
1325 failures, identifier mismatches) are considered to be DMARC
1326 mechanism check failures.
1327
1328 6. Apply policy. Emails that fail the DMARC mechanism check are
1329 disposed of in accordance with the discovered DMARC policy of the
1330 Domain Owner. See Section 6.3 for details.
1331
1332 Heuristics applied in the absence of use by a Domain Owner of either
1333 SPF or DKIM (e.g., [Best-Guess-SPF]) SHOULD NOT be used, as it may be
1334 the case that the Domain Owner wishes a Message Receiver not to
1335 consider the results of that underlying authentication protocol at
1336 all.
1337
1338 DMARC evaluation can only yield a "pass" result after one of the ../dmarc/dmarc.go:272
1339 underlying authentication mechanisms passes for an aligned
1340 identifier. If neither passes and one or both of them fail due to a
1341 temporary error, the Receiver evaluating the message is unable to
1342 conclude that the DMARC mechanism had a permanent failure; they
1343
1344
1345
1346Kucherawy & Zwicky Informational [Page 24]
1347
1348RFC 7489 DMARC March 2015
1349
1350
1351 therefore cannot apply the advertised DMARC policy. When otherwise
1352 appropriate, Receivers MAY send feedback reports regarding temporary
1353 errors.
1354
1355 Handling of messages for which SPF and/or DKIM evaluation encounter a
1356 permanent DNS error is left to the discretion of the Mail Receiver.
1357
13586.6.3. Policy Discovery
1359
1360 As stated above, the DMARC mechanism uses DNS TXT records to
1361 advertise policy. Policy discovery is accomplished via a method
1362 similar to the method used for SPF records. This method, and the
1363 important differences between DMARC and SPF mechanisms, are discussed
1364 below.
1365
1366 To balance the conflicting requirements of supporting wildcarding,
1367 allowing subdomain policy overrides, and limiting DNS query load, the
1368 following DNS lookup scheme is employed:
1369
1370 1. Mail Receivers MUST query the DNS for a DMARC TXT record at the 7489:859 ../dmarc/dmarc.go:102
1371 DNS domain matching the one found in the RFC5322.From domain in
1372 the message. A possibly empty set of records is returned.
1373
1374 2. Records that do not start with a "v=" tag that identifies the ../dmarc/dmarc.go:134
1375 current version of DMARC are discarded.
1376
1377 3. If the set is now empty, the Mail Receiver MUST query the DNS for 7489:761 ../dmarc/dmarc.go:109
1378 a DMARC TXT record at the DNS domain matching the Organizational
1379 Domain in place of the RFC5322.From domain in the message (if
1380 different). This record can contain policy to be asserted for
1381 subdomains of the Organizational Domain. A possibly empty set of
1382 records is returned.
1383
1384 4. Records that do not start with a "v=" tag that identifies the
1385 current version of DMARC are discarded.
1386
1387 5. If the remaining set contains multiple records or no records,
1388 policy discovery terminates and DMARC processing is not applied ../dmarc/dmarc.go:140
1389 to this message.
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402Kucherawy & Zwicky Informational [Page 25]
1403
1404RFC 7489 DMARC March 2015
1405
1406
1407 6. If a retrieved policy record does not contain a valid "p" tag, or 7489:1106 ../dmarc/parse.go:149 ../dmarc/parse_test.go:90 ../dmarc/parse_test.go:96
1408 contains an "sp" tag that is not valid, then:
1409
1410 1. if a "rua" tag is present and contains at least one
1411 syntactically valid reporting URI, the Mail Receiver SHOULD
1412 act as if a record containing a valid "v" tag and "p=none"
1413 was retrieved, and continue processing;
1414
1415 2. otherwise, the Mail Receiver applies no DMARC processing to
1416 this message.
1417
1418 If the set produced by the mechanism above contains no DMARC policy
1419 record (i.e., any indication that there is no such record as opposed
1420 to a transient DNS error), Mail Receivers SHOULD NOT apply the DMARC
1421 mechanism to the message.
1422
1423 Handling of DNS errors when querying for the DMARC policy record is
1424 left to the discretion of the Mail Receiver. For example, to ensure
1425 minimal disruption of mail flow, transient errors could result in
1426 delivery of the message ("fail open"), or they could result in the
1427 message being temporarily rejected (i.e., an SMTP 4yx reply), which
1428 invites the sending MTA to try again after the condition has possibly
1429 cleared, allowing a definite DMARC conclusion to be reached ("fail
1430 closed").
1431
14326.6.4. Message Sampling ../dmarc/dmarc.go:260
1433
1434 If the "pct" tag is present in the policy record, the Mail Receiver
1435 MUST NOT enact the requested policy ("p" tag or "sp" tag") on more
1436 than the stated percent of the totality of affected messages.
1437 However, regardless of whether or not the "pct" tag is present, the
1438 Mail Receiver MUST include all relevant message data in any reports
1439 produced.
1440
1441 If email is subject to the DMARC policy of "quarantine", the Mail
1442 Receiver SHOULD quarantine the message. If the email is not subject
1443 to the "quarantine" policy (due to the "pct" tag), the Mail Receiver
1444 SHOULD apply local message classification as normal.
1445
1446 If email is subject to the DMARC policy of "reject", the Mail 7489:1024 ../dmarc/dmarc.go:265
1447 Receiver SHOULD reject the message (see Section 10.3). If the email
1448 is not subject to the "reject" policy (due to the "pct" tag), the
1449 Mail Receiver SHOULD treat the email as though the "quarantine"
1450 policy applies. This behavior allows Domain Owners to experiment
1451 with progressively stronger policies without relaxing existing
1452 policy.
1453
1454
1455
1456
1457
1458Kucherawy & Zwicky Informational [Page 26]
1459
1460RFC 7489 DMARC March 2015
1461
1462
1463 Mail Receivers implement "pct" via statistical mechanisms that
1464 achieve a close approximation to the requested percentage and provide
1465 a representative sample across a reporting period.
1466
14676.6.5. Store Results of DMARC Processing
1468
1469 The results of Mail Receiver-based DMARC processing should be stored
1470 for eventual presentation back to the Domain Owner in the form of
1471 aggregate feedback reports. Sections 6.3 and 7.2 discuss aggregate
1472 feedback.
1473
14746.7. Policy Enforcement Considerations
1475
1476 Mail Receivers MAY choose to reject or quarantine email even if email
1477 passes the DMARC mechanism check. The DMARC mechanism does not
1478 inform Mail Receivers whether an email stream is "good". Mail
1479 Receivers are encouraged to maintain anti-abuse technologies to
1480 combat the possibility of DMARC-enabled criminal campaigns.
1481
1482 Mail Receivers MAY choose to accept email that fails the DMARC
1483 mechanism check even if the Domain Owner has published a "reject"
1484 policy. Mail Receivers need to make a best effort not to increase
1485 the likelihood of accepting abusive mail if they choose not to comply
1486 with a Domain Owner's reject, against policy. At a minimum, addition ../smtpserver/server.go:2554
1487 of the Authentication-Results header field (see [AUTH-RESULTS]) is
1488 RECOMMENDED when delivery of failing mail is done. When this is
1489 done, the DNS domain name thus recorded MUST be encoded as an ../smtpserver/server.go:2319
1490 A-label.
1491
1492 Mail Receivers are only obligated to report reject or quarantine ../smtpserver/server.go:2591
1493 policy actions in aggregate feedback reports that are due to DMARC
1494 policy. They are not required to report reject or quarantine actions
1495 that are the result of local policy. If local policy information is
1496 exposed, abusers can gain insight into the effectiveness and delivery
1497 rates of spam campaigns.
1498
1499 Final disposition of a message is always a matter of local policy.
1500 An operator that wishes to favor DMARC policy over SPF policy, for
1501 example, will disregard the SPF policy, since enacting an
1502 SPF-determined rejection prevents evaluation of DKIM; DKIM might
1503 otherwise pass, satisfying the DMARC evaluation. There is a
1504 trade-off to doing so, namely acceptance and processing of the entire
1505 message body in exchange for the enhanced protection DMARC provides.
1506
1507 DMARC-compliant Mail Receivers typically disregard any mail-handling todo future: ../smtpserver/server.go:2328
1508 directive discovered as part of an authentication mechanism (e.g.,
1509 Author Domain Signing Practices (ADSP), SPF) where a DMARC record is
1510 also discovered that specifies a policy other than "none". Deviating
1511
1512
1513
1514Kucherawy & Zwicky Informational [Page 27]
1515
1516RFC 7489 DMARC March 2015
1517
1518
1519 from this practice introduces inconsistency among DMARC operators in
1520 terms of handling of the message. However, such deviation is not
1521 proscribed.
1522
1523 To enable Domain Owners to receive DMARC feedback without impacting
1524 existing mail processing, discovered policies of "p=none" SHOULD NOT
1525 modify existing mail disposition processing.
1526
1527 Mail Receivers SHOULD also implement reporting instructions of DMARC,
1528 even in the absence of a request for DKIM reporting [AFRF-DKIM] or
1529 SPF reporting [AFRF-SPF]. Furthermore, the presence of such requests
1530 SHOULD NOT affect DMARC reporting.
1531
15327. DMARC Feedback
1533
1534 Providing Domain Owners with visibility into how Mail Receivers
1535 implement and enforce the DMARC mechanism in the form of feedback is
1536 critical to establishing and maintaining accurate authentication
1537 deployments. When Domain Owners can see what effect their policies
1538 and practices are having, they are better willing and able to use
1539 quarantine and reject policies.
1540
15417.1. Verifying External Destinations ../webadmin/admin.go:1126
1542
1543 It is possible to specify destinations for the different reports that
1544 are outside the authority of the Domain Owner making the request.
1545 This allows domains that do not operate mail servers to request
1546 reports and have them go someplace that is able to receive and
1547 process them.
1548
1549 Without checks, this would allow a bad actor to publish a DMARC
1550 policy record that requests that reports be sent to a victim address,
1551 and then send a large volume of mail that will fail both DKIM and SPF
1552 checks to a wide variety of destinations; the victim will in turn be
1553 flooded with unwanted reports. Therefore, a verification mechanism
1554 is included.
1555
1556 When a Mail Receiver discovers a DMARC policy in the DNS, and the ../dmarcdb/eval.go:602
1557 Organizational Domain at which that record was discovered is not
1558 identical to the Organizational Domain of the host part of the
1559 authority component of a [URI] specified in the "rua" or "ruf" tag,
1560 the following verification steps are to be taken:
1561
1562 1. Extract the host portion of the authority component of the URI.
1563 Call this the "destination host", as it refers to a Report
1564 Receiver.
1565
1566 2. Prepend the string "_report._dmarc". ../dmarc/dmarc.go:151
1567
1568
1569
1570Kucherawy & Zwicky Informational [Page 28]
1571
1572RFC 7489 DMARC March 2015
1573
1574
1575 3. Prepend the domain name from which the policy was retrieved,
1576 after conversion to an A-label if needed.
1577
1578 4. Query the DNS for a TXT record at the constructed name. If the ../dmarcdb/eval.go:612
1579 result of this request is a temporary DNS error of some kind
1580 (e.g., a timeout), the Mail Receiver MAY elect to temporarily
1581 fail the delivery so the verification test can be repeated later.
1582
1583 5. For each record returned, parse the result as a series of
1584 "tag=value" pairs, i.e., the same overall format as the policy
1585 record (see Section 6.4). In particular, the "v=DMARC1" tag is 7489-eid5440:1 ../dmarc/dmarc.go:35
1586 mandatory and MUST appear first in the list. Discard any that do ../dmarc/dmarc.go:170
1587 not pass this test.
1588
1589 6. If the result includes no TXT resource records that pass basic
1590 parsing, a positive determination of the external reporting
1591 relationship cannot be made; stop.
1592
1593 7. If at least one TXT resource record remains in the set after ../dmarc/dmarc.go:178
1594 parsing, then the external reporting arrangement was authorized
1595 by the Report Receiver.
1596
1597 8. If a "rua" or "ruf" tag is thus discovered, replace the
1598 corresponding value extracted from the domain's DMARC policy
1599 record with the one found in this record. This permits the
1600 Report Receiver to override the report destination. However, to ../dmarcdb/eval.go:628
1601 prevent loops or indirect abuse, the overriding URI MUST use the
1602 same destination host from the first step.
1603
1604 For example, if a DMARC policy query for "blue.example.com" contained
1605 "rua=mailto:reports@red.example.net", the host extracted from the
1606 latter ("red.example.net") does not match "blue.example.com", so this
1607 procedure is enacted. A TXT query for
1608 "blue.example.com._report._dmarc.red.example.net" is issued. If a
1609 single reply comes back containing a tag of "v=DMARC1", then the
1610 relationship between the two is confirmed. Moreover,
1611 "red.example.net" has the opportunity to override the report
1612 destination requested by "blue.example.com" if needed.
1613
1614 Where the above algorithm fails to confirm that the external
1615 reporting was authorized by the Report Receiver, the URI MUST be
1616 ignored by the Mail Receiver generating the report. Further, if the
1617 confirming record includes a URI whose host is again different than
1618 the domain publishing that override, the Mail Receiver generating the
1619 report MUST NOT generate a report to either the original or the
1620 override URI.
1621
1622
1623
1624
1625
1626Kucherawy & Zwicky Informational [Page 29]
1627
1628RFC 7489 DMARC March 2015
1629
1630
1631 A Report Receiver publishes such a record in its DNS if it wishes to
1632 receive reports for other domains.
1633
1634 A Report Receiver that is willing to receive reports for any domain
1635 can use a wildcard DNS record. For example, a TXT resource record at
1636 "*._report._dmarc.example.com" containing at least "v=DMARC1"
1637 confirms that example.com is willing to receive DMARC reports for any
1638 domain.
1639
1640 If the Report Receiver is overcome by volume, it can simply remove
1641 the confirming DNS record. However, due to positive caching, the
1642 change could take as long as the time-to-live (TTL) on the record to
1643 go into effect.
1644
1645 A Mail Receiver might decide not to enact this procedure if, for
1646 example, it relies on a local list of domains for which external
1647 reporting addresses are permitted.
1648
16497.2. Aggregate Reports
1650
1651 The DMARC aggregate feedback report is designed to provide Domain
1652 Owners with precise insight into:
1653
1654 o authentication results,
1655
1656 o corrective action that needs to be taken by Domain Owners, and
1657
1658 o the effect of Domain Owner DMARC policy on email streams processed
1659 by Mail Receivers.
1660
1661 Aggregate DMARC feedback provides visibility into real-world email
1662 streams that Domain Owners need to make informed decisions regarding
1663 the publication of DMARC policy. When Domain Owners know what
1664 legitimate mail they are sending, what the authentication results are
1665 on that mail, and what forged mail receivers are getting, they can
1666 make better decisions about the policies they need and the steps they
1667 need to take to enable those policies. When Domain Owners set
1668 policies appropriately and understand their effects, Mail Receivers
1669 can act on them confidently.
1670
1671 Visibility comes in the form of daily (or more frequent) Mail
1672 Receiver-originated feedback reports that contain aggregate data on
1673 message streams relevant to the Domain Owner. This information
1674 includes data about messages that passed DMARC authentication as well
1675 as those that did not.
1676
1677 The format for these reports is defined in Appendix C.
1678
1679
1680
1681
1682Kucherawy & Zwicky Informational [Page 30]
1683
1684RFC 7489 DMARC March 2015
1685
1686
1687 The report SHOULD include the following data:
1688
1689 o The DMARC policy discovered and applied, if any
1690
1691 o The selected message disposition ../smtpserver/server.go:2597
1692
1693 o The identifier evaluated by SPF and the SPF result, if any
1694
1695 o The identifier evaluated by DKIM and the DKIM result, if any
1696
1697 o For both DKIM and SPF, an indication of whether the identifier was
1698 in alignment
1699
1700 o Data for each Domain Owner's subdomain separately from mail from
1701 the sender's Organizational Domain, even if there is no explicit
1702 subdomain policy
1703
1704 o Sending and receiving domains
1705
1706 o The policy requested by the Domain Owner and the policy actually
1707 applied (if different)
1708
1709 o The number of successful authentications
1710
1711 o The counts of messages based on all messages received, even if
1712 their delivery is ultimately blocked by other filtering agents
1713
1714 Note that Domain Owners or their agents may change the published ../dmarcdb/eval.go:570
1715 DMARC policy for a domain or subdomain at any time. From a Mail
1716 Receiver's perspective, this will occur during a reporting period and
1717 may be noticed during that period, at the end of that period when
1718 reports are generated, or during a subsequent reporting period, all
1719 depending on the Mail Receiver's implementation. Under these
1720 conditions, it is possible that a Mail Receiver could do any of the
1721 following:
1722
1723 o generate for such a reporting period a single aggregate report
1724 that includes message dispositions based on the old policy, or a
1725 mix of the two policies, even though the report only contains a
1726 single "policy_published" element;
1727
1728 o generate multiple reports for the same period, one for each
1729 published policy occurring during the reporting period;
1730
1731 o generate a report whose end time occurs when the updated policy
1732 was detected, regardless of any requested report interval.
1733
1734
1735
1736
1737
1738Kucherawy & Zwicky Informational [Page 31]
1739
1740RFC 7489 DMARC March 2015
1741
1742
1743 Such policy changes are expected to be infrequent for any given
1744 domain, whereas more stringent policy monitoring requirements on the
1745 Mail Receiver would produce a very large burden at Internet scale.
1746 Therefore, it is the responsibility of report consumers and Domain
1747 Owners to be aware of this situation and allow for such mixed reports
1748 during the propagation of the new policy to Mail Receivers.
1749
1750 Aggregate reports are most useful when they all cover a common time ../dmarcdb/eval.go:341
1751 period. By contrast, correlation of these reports from multiple
1752 generators when they cover incongruent time periods is difficult or
1753 impossible. Report generators SHOULD, wherever possible, adhere to
1754 hour boundaries for the reporting period they are using. For
1755 example, starting a per-day report at 00:00; starting per-hour
1756 reports at 00:00, 01:00, 02:00; etc. Report generators using a
1757 24-hour report period are strongly encouraged to begin that period at
1758 00:00 UTC, regardless of local timezone or time of report production,
1759 in order to facilitate correlation.
1760
1761 A Mail Receiver discovers reporting requests when it looks up a DMARC
1762 policy record that corresponds to an RFC5322.From domain on received
1763 mail. The presence of the "rua" tag specifies where to send
1764 feedback.
1765
17667.2.1. Transport
1767
1768 Where the URI specified in a "rua" tag does not specify otherwise, a 7489:2683 ../queue/direct.go:286
1769 Mail Receiver generating a feedback report SHOULD employ a secure
1770 transport mechanism.
1771
1772 The Mail Receiver, after preparing a report, MUST evaluate the
1773 provided reporting URIs in the order given. Any reporting URI that ../dmarcdb/eval.go:840
1774 includes a size limitation exceeded by the generated report (after
1775 compression and after any encoding required by the particular
1776 transport mechanism) MUST NOT be used. An attempt MUST be made to
1777 deliver an aggregate report to every remaining URI, up to the
1778 Receiver's limits on supported URIs.
1779
1780 If transport is not possible because the services advertised by the
1781 published URIs are not able to accept reports (e.g., the URI refers
1782 to a service that is unreachable, or all provided URIs specify size
1783 limits exceeded by the generated record), the Mail Receiver SHOULD
1784 send a short report (see Section 7.2.2) indicating that a report is
1785 available but could not be sent. The Mail Receiver MAY cache that ../dmarcdb/eval.go:872 ../tlsrptsend/send.go:614
1786 data and try again later, or MAY discard data that could not be sent.
1787
1788
1789
1790
1791
1792
1793
1794Kucherawy & Zwicky Informational [Page 32]
1795
1796RFC 7489 DMARC March 2015
1797
1798
17997.2.1.1. Email
1800
1801 The message generated by the Mail Receiver MUST be a [MAIL] message ../dmarcrpt/parse.go:41
1802 formatted per [MIME]. The aggregate report itself MUST be included
1803 in one of the parts of the message. A human-readable portion MAY be ../dmarcdb/eval.go:787
1804 included as a MIME part (such as a text/plain part).
1805
1806 The aggregate data MUST be an XML file that SHOULD be subjected to
1807 GZIP compression. Declining to apply compression can cause the
1808 report to be too large for a receiver to process (a commonly observed
1809 receiver limit is ten megabytes); doing the compression increases the
1810 chances of acceptance of the report at some compute cost. The
1811 aggregate data SHOULD be present using the media type "application/
1812 gzip" if compressed (see [GZIP]), and "text/xml" otherwise. The ../dmarcdb/eval.go:799
1813 filename is typically constructed using the following ABNF:
1814
1815 filename = receiver "!" policy-domain "!" begin-timestamp
1816 "!" end-timestamp [ "!" unique-id ] "." extension
1817
1818 unique-id = 1*(ALPHA / DIGIT)
1819
1820 receiver = domain
1821 ; imported from [MAIL]
1822
1823 policy-domain = domain
1824
1825 begin-timestamp = 1*DIGIT
1826 ; seconds since 00:00:00 UTC January 1, 1970
1827 ; indicating start of the time range contained
1828 ; in the report
1829
1830 end-timestamp = 1*DIGIT
1831 ; seconds since 00:00:00 UTC January 1, 1970
1832 ; indicating end of the time range contained
1833 ; in the report
1834
1835 extension = "xml" / "xml.gz"
1836
1837 The extension MUST be "xml" for a plain XML file, or "xml.gz" for an
1838 XML file compressed using GZIP.
1839
1840 "unique-id" allows an optional unique ID generated by the Mail
1841 Receiver to distinguish among multiple reports generated
1842 simultaneously by different sources within the same Domain Owner.
1843
1844
1845
1846
1847
1848
1849
1850Kucherawy & Zwicky Informational [Page 33]
1851
1852RFC 7489 DMARC March 2015
1853
1854
1855 For example, this is a possible filename for the gzip file of a
1856 report to the Domain Owner "example.com" from the Mail Receiver
1857 "mail.receiver.example":
1858
1859 mail.receiver.example!example.com!1013662812!1013749130.gz
1860
1861 No specific MIME message structure is required. It is presumed that ../dmarcrpt/parse.go:51
1862 the aggregate reporting address will be equipped to extract MIME
1863 parts with the prescribed media type and filename and ignore the
1864 rest.
1865
1866 Email streams carrying DMARC feedback data MUST conform to the DMARC ../smtpserver/analyze.go:207
1867 mechanism, thereby resulting in an aligned "pass" (see Section 3.1).
1868 This practice minimizes the risk of report consumers processing
1869 fraudulent reports.
1870
1871 The RFC5322.Subject field for individual report submissions SHOULD ../dmarcdb/eval.go:784
1872 conform to the following ABNF:
1873
1874 dmarc-subject = %x52.65.70.6f.72.74 1*FWS ; "Report"
1875 %x44.6f.6d.61.69.6e.3a 1*FWS ; "Domain:"
1876 domain-name 1*FWS ; from RFC 6376
1877 %x53.75.62.6d.69.74.74.65.72.3a ; "Submitter:"
1878 1*FWS domain-name 1*FWS
1879 %x52.65.70.6f.72.74.2d.49.44.3a ; "Report-ID:"
1880 msg-id ; from RFC 5322
1881
1882 The first domain-name indicates the DNS domain name about which the
1883 report was generated. The second domain-name indicates the DNS
1884 domain name representing the Mail Receiver generating the report.
1885 The purpose of the Report-ID: portion of the field is to enable the
1886 Domain Owner to identify and ignore duplicate reports that might be
1887 sent by a Mail Receiver.
1888
1889 For instance, this is a possible Subject field for a report to the
1890 Domain Owner "example.com" from the Mail Receiver
1891 "mail.receiver.example". It is line-wrapped as allowed by [MAIL]:
1892
1893 Subject: Report Domain: example.com
1894 Submitter: mail.receiver.example
1895 Report-ID: <2002.02.15.1>
1896
1897 This transport mechanism potentially encounters a problem when
1898 feedback data size exceeds maximum allowable attachment sizes for
1899 either the generator or the consumer. See Section 7.2.2 for further
1900 discussion.
1901
1902
1903
1904
1905
1906Kucherawy & Zwicky Informational [Page 34]
1907
1908RFC 7489 DMARC March 2015
1909
1910
19117.2.1.2. Other Methods
1912
1913 The specification as written allows for the addition of other
1914 registered URI schemes to be supported in later versions.
1915
19167.2.2. Error Reports
1917
1918 When a Mail Receiver is unable to complete delivery of a report via ../dmarcdb/eval.go:949
1919 any of the URIs listed by the Domain Owner, the Mail Receiver SHOULD
1920 generate an error message. An attempt MUST be made to send this
1921 report to all listed "mailto" URIs, and it MAY also be sent to any or
1922 all other listed URIs.
1923
1924 The error report MUST be formatted per [MIME]. A text/plain part
1925 MUST be included that contains field-value pairs such as those found
1926 in Section 2 of [DSN]. The fields required, which may appear in any ../dmarcdb/eval.go:965
1927 order, are as follows:
1928
1929 Report-Date: A [MAIL]-formatted date expression indicating when the
1930 transport failure occurred.
1931
1932 Report-Domain: The domain-name about which the failed report was
1933 generated.
1934
1935 Report-ID: The Report-ID: that the report tried to use.
1936
1937 Report-Size: The size, in bytes, of the report that was unable to be
1938 sent. This MUST represent the number of bytes that the Mail
1939 Receiver attempted to send. Where more than one transport system
1940 was attempted, the sizes may be different; in such cases, separate
1941 error reports MUST be generated so that this value matches the
1942 actual attempt that was made.
1943
1944 Submitter: The domain-name representing the Mail Receiver that
1945 generated, but was unable to submit, the report.
1946
1947 Submitting-URI: The URI(s) to which the Mail Receiver tried, but
1948 failed, to submit the report.
1949
1950 An additional text/plain part MAY be included that gives a human-
1951 readable explanation of the above and MAY also include a URI that can
1952 be used to seek assistance.
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962Kucherawy & Zwicky Informational [Page 35]
1963
1964RFC 7489 DMARC March 2015
1965
1966
19677.3. Failure Reports
1968
1969 Failure reports are normally generated and sent almost immediately
1970 after the Mail Receiver detects a DMARC failure. Rather than waiting
1971 for an aggregate report, these reports are useful for quickly
1972 notifying the Domain Owners when there is an authentication failure.
1973 Whether the failure is due to an infrastructure problem or the
1974 message is inauthentic, failure reports also provide more information
1975 about the failed message than is available in an aggregate report.
1976
1977 These reports SHOULD include any URI(s) from the message that failed
1978 authentication. These reports SHOULD include as much of the message
1979 and message header as is reasonable to support the Domain Owner's
1980 investigation into what caused the message to fail authentication and
1981 track down the sender.
1982
1983 When a Domain Owner requests failure reports for the purpose of
1984 forensic analysis, and the Mail Receiver is willing to provide such
1985 reports, the Mail Receiver generates and sends a message using the
1986 format described in [AFRF]; this document updates that reporting
1987 format, as described in Section 7.3.1.
1988
1989 The destination(s) and nature of the reports are defined by the "ruf"
1990 and "fo" tags as defined in Section 6.3.
1991
1992 Where multiple URIs are selected to receive failure reports, the
1993 report generator MUST make an attempt to deliver to each of them.
1994
1995 An obvious consideration is the denial-of-service attack that can be
1996 perpetrated by an attacker who sends numerous messages purporting to
1997 be from the intended victim Domain Owner but that fail both SPF and
1998 DKIM; this would cause participating Mail Receivers to send failure
1999 reports to the Domain Owner or its delegate in potentially huge
2000 volumes. Accordingly, participating Mail Receivers are encouraged to
2001 aggregate these reports as much as is practical, using the Incidents
2002 field of the Abuse Reporting Format ([ARF]). Various aggregation
2003 techniques are possible, including the following:
2004
2005 o only send a report to the first recipient of multi-recipient
2006 messages;
2007
2008 o store reports for a period of time before sending them, allowing
2009 detection, collection, and reporting of like incidents;
2010
2011 o apply rate limiting, such as a maximum number of reports per
2012 minute that will be generated (and the remainder discarded).
2013
2014
2015
2016
2017
2018Kucherawy & Zwicky Informational [Page 36]
2019
2020RFC 7489 DMARC March 2015
2021
2022
20237.3.1. Reporting Format Update
2024
2025 Operators implementing this specification also implement an augmented
2026 version of [AFRF] as follows:
2027
2028 1. A DMARC failure report includes the following ARF header fields,
2029 with the indicated normative requirement levels:
2030
2031 * Identity-Alignment (REQUIRED; defined below)
2032
2033 * Delivery-Result (OPTIONAL)
2034
2035 * DKIM-Domain, DKIM-Identity, DKIM-Selector (REQUIRED if the
2036 message was signed by DKIM)
2037
2038 * DKIM-Canonicalized-Header, DKIM-Canonicalized-Body (OPTIONAL
2039 if the message was signed by DKIM)
2040
2041 * SPF-DNS (REQUIRED)
2042
2043 2. The "Identity-Alignment" field is defined to contain a comma-
2044 separated list of authentication mechanism names that produced an
2045 aligned identity, or the keyword "none" if none did. ABNF:
2046
2047 id-align = "Identity-Alignment:" [CFWS]
2048 ( "none" /
2049 dmarc-method *( [CFWS] "," [CFWS] dmarc-method ) )
2050 [CFWS]
2051
2052 dmarc-method = ( "dkim" / "spf" )
2053 ; each may appear at most once in an id-align
2054
2055 3. Authentication Failure Type "dmarc" is defined, which is to be
2056 used when a failure report is generated because some or all of
2057 the authentication mechanisms failed to produce aligned
2058 identifiers. Note that a failure report generator MAY also
2059 independently produce an AFRF message for any or all of the
2060 underlying authentication methods.
2061
20628. Minimum Implementations
2063
2064 A minimum implementation of DMARC has the following characteristics:
2065
2066 o Is able to send and/or receive reports at least daily;
2067
2068 o Is able to send and/or receive reports using "mailto" URIs;
2069
2070
2071
2072
2073
2074Kucherawy & Zwicky Informational [Page 37]
2075
2076RFC 7489 DMARC March 2015
2077
2078
2079 o Other than in exceptional circumstances such as resource
2080 exhaustion, can generate or accept a report up to ten megabytes in
2081 size;
2082
2083 o If acting as a Mail Receiver, fully implements the provisions of
2084 Section 6.6.
2085
20869. Privacy Considerations
2087
2088 This section discusses security issues specific to private data that
2089 may be included in the interactions that are part of DMARC.
2090
20919.1. Data Exposure Considerations
2092
2093 Aggregate reports are limited in scope to DMARC policy and
2094 disposition results, to information pertaining to the underlying
2095 authentication mechanisms, and to the identifiers involved in DMARC
2096 validation.
2097
2098 Failed-message reporting provides message-specific details pertaining
2099 to authentication failures. Individual reports can contain message
2100 content as well as trace header fields. Domain Owners are able to
2101 analyze individual reports and attempt to determine root causes of
2102 authentication mechanism failures, gain insight into
2103 misconfigurations or other problems with email and network
2104 infrastructure, or inspect messages for insight into abusive
2105 practices.
2106
2107 Both report types may expose sender and recipient identifiers (e.g.,
2108 RFC5322.From addresses), and although the [AFRF] format used for
2109 failed-message reporting supports redaction, failed-message reporting
2110 is capable of exposing the entire message to the report recipient.
2111
2112 Domain Owners requesting reports will receive information about mail
2113 claiming to be from them, which includes mail that was not, in fact,
2114 from them. Information about the final destination of mail where it
2115 might otherwise be obscured by intermediate systems will therefore be
2116 exposed.
2117
2118 When message-forwarding arrangements exist, Domain Owners requesting
2119 reports will also receive information about mail forwarded to domains
2120 that were not originally part of their messages' recipient lists.
2121 This means that destination domains previously unknown to the Domain
2122 Owner may now become visible.
2123
2124 Disclosure of information about the messages is being requested by
2125 the entity generating the email in the first place, i.e., the Domain
2126 Owner and not the Mail Receiver, so this may not fit squarely within
2127
2128
2129
2130Kucherawy & Zwicky Informational [Page 38]
2131
2132RFC 7489 DMARC March 2015
2133
2134
2135 existing privacy policy provisions. For some providers, aggregate
2136 reporting and failed-message reporting are viewed as a function
2137 similar to complaint reporting about spamming or phishing and are
2138 treated similarly under the privacy policy. Report generators (i.e.,
2139 Mail Receivers) are encouraged to review their reporting limitations
2140 under such policies before enabling DMARC reporting.
2141
21429.2. Report Recipients
2143
2144 A DMARC record can specify that reports should be sent to an
2145 intermediary operating on behalf of the Domain Owner. This is done
2146 when the Domain Owner contracts with an entity to monitor mail
2147 streams for abuse and performance issues. Receipt by third parties
2148 of such data may or may not be permitted by the Mail Receiver's
2149 privacy policy, terms of use, or other similar governing document.
2150 Domain Owners and Mail Receivers should both review and understand if
2151 their own internal policies constrain the use and transmission of
2152 DMARC reporting.
2153
2154 Some potential exists for report recipients to perform traffic
2155 analysis, making it possible to obtain metadata about the Receiver's
2156 traffic. In addition to verifying compliance with policies,
2157 Receivers need to consider that before sending reports to a third
2158 party.
2159
216010. Other Topics
2161
2162 This section discusses some topics regarding choices made in the
2163 development of DMARC, largely to commit the history to record.
2164
216510.1. Issues Specific to SPF
2166
2167 Though DMARC does not inherently change the semantics of an SPF
2168 policy record, historically lax enforcement of such policies has led
2169 many to publish extremely broad records containing many large network
2170 ranges. Domain Owners are strongly encouraged to carefully review
2171 their SPF records to understand which networks are authorized to send
2172 on behalf of the Domain Owner before publishing a DMARC record.
2173
2174 Some receiver architectures might implement SPF in advance of any
2175 DMARC operations. This means that a "-" prefix on a sender's SPF
2176 mechanism, such as "-all", could cause that rejection to go into
2177 effect early in handling, causing message rejection before any DMARC
2178 processing takes place. Operators choosing to use "-all" should be
2179 aware of this.
2180
2181
2182
2183
2184
2185
2186Kucherawy & Zwicky Informational [Page 39]
2187
2188RFC 7489 DMARC March 2015
2189
2190
219110.2. DNS Load and Caching
2192
2193 DMARC policies are communicated using the DNS and therefore inherit a
2194 number of considerations related to DNS caching. The inherent
2195 conflict between freshness and the impact of caching on the reduction
2196 of DNS-lookup overhead should be considered from the Mail Receiver's
2197 point of view. Should Domain Owners publish a DNS record with a very
2198 short TTL, Mail Receivers can be provoked through the injection of
2199 large volumes of messages to overwhelm the Domain Owner's DNS.
2200 Although this is not a concern specific to DMARC, the implications of
2201 a very short TTL should be considered when publishing DMARC policies.
2202
2203 Conversely, long TTLs will cause records to be cached for long
2204 periods of time. This can cause a critical change to DMARC
2205 parameters advertised by a Domain Owner to go unnoticed for the
2206 length of the TTL (while waiting for DNS caches to expire). Avoiding
2207 this problem can mean shorter TTLs, with the potential problems
2208 described above. A balance should be sought to maintain
2209 responsiveness of DMARC preference changes while preserving the
2210 benefits of DNS caching.
2211
221210.3. Rejecting Messages
2213
2214 This proposal calls for rejection of a message during the SMTP ../smtpserver/server.go:1526
2215 session under certain circumstances. This is preferable to
2216 generation of a Delivery Status Notification ([DSN]), since
2217 fraudulent messages caught and rejected using DMARC would then result
2218 in annoying generation of such failure reports that go back to the
2219 RFC5321.MailFrom address.
2220
2221 This synchronous rejection is typically done in one of two ways:
2222
2223 o Full rejection, wherein the SMTP server issues a 5xy reply code as
2224 an indication to the SMTP client that the transaction failed; the
2225 SMTP client is then responsible for generating notification that
2226 delivery failed (see Section 4.2.5 of [SMTP]).
2227
2228 o A "silent discard", wherein the SMTP server returns a 2xy reply
2229 code implying to the client that delivery (or, at least, relay)
2230 was successfully completed, but then simply discarding the message
2231 with no further action.
2232
2233 Each of these has a cost. For instance, a silent discard can help to
2234 prevent backscatter, but it also effectively means that the SMTP
2235 server has to be programmed to give a false result, which can
2236 confound external debugging efforts.
2237
2238
2239
2240
2241
2242Kucherawy & Zwicky Informational [Page 40]
2243
2244RFC 7489 DMARC March 2015
2245
2246
2247 Similarly, the text portion of the SMTP reply may be important to
2248 consider. For example, when rejecting a message, revealing the
2249 reason for the rejection might give an attacker enough information to
2250 bypass those efforts on a later attempt, though it might also assist
2251 a legitimate client to determine the source of some local issue that
2252 caused the rejection.
2253
2254 In the latter case, when doing an SMTP rejection, providing a clear
2255 hint can be useful in resolving issues. A receiver might indicate in
2256 plain text the reason for the rejection by using the word "DMARC"
2257 somewhere in the reply text. Many systems are able to scan the SMTP
2258 reply text to determine the nature of the rejection. Thus, providing
2259 a machine-detectable reason for rejection allows the problems causing
2260 rejections to be properly addressed by automated systems. For
2261 example:
2262
2263 550 5.7.1 Email rejected per DMARC policy for example.com
2264
2265 If a Mail Receiver elects to defer delivery due to inability to
2266 retrieve or apply DMARC policy, this is best done with a 4xy SMTP
2267 reply code.
2268
226910.4. Identifier Alignment Considerations
2270
2271 The DMARC mechanism allows both DKIM and SPF-authenticated
2272 identifiers to authenticate email on behalf of a Domain Owner and,
2273 possibly, on behalf of different subdomains. If malicious or unaware
2274 users can gain control of the SPF record or DKIM selector records for
2275 a subdomain, the subdomain can be used to generate DMARC-passing
2276 email on behalf of the Organizational Domain.
2277
2278 For example, an attacker who controls the SPF record for
2279 "evil.example.com" can send mail with an RFC5322.From field
2280 containing "foo@example.com" that can pass both authentication and
2281 the DMARC check against "example.com".
2282
2283 The Organizational Domain administrator should be careful not to
2284 delegate control of subdomains if this is an issue, and to consider
2285 using the "strict" Identifier Alignment option if appropriate.
2286
228710.5. Interoperability Issues
2288
2289 DMARC limits which end-to-end scenarios can achieve a "pass" result.
2290
2291 Because DMARC relies on [SPF] and/or [DKIM] to achieve a "pass",
2292 their limitations also apply.
2293
2294
2295
2296
2297
2298Kucherawy & Zwicky Informational [Page 41]
2299
2300RFC 7489 DMARC March 2015
2301
2302
2303 Additional DMARC constraints occur when a message is processed by
2304 some Mediators, such as mailing lists. Transiting a Mediator often
2305 causes either the authentication to fail or Identifier Alignment to
2306 be lost. These transformations may conform to standards but will
2307 still prevent a DMARC "pass".
2308
2309 In addition to Mediators, mail that is sent by authorized,
2310 independent third parties might not be sent with Identifier
2311 Alignment, also preventing a "pass" result.
2312
2313 Issues specific to the use of policy mechanisms alongside DKIM are
2314 further discussed in [DKIM-LISTS], particularly Section 5.2.
2315
231611. IANA Considerations
2317
2318 This section describes actions completed by IANA.
2319
232011.1. Authentication-Results Method Registry Update
2321
2322 IANA has added the following to the "Email Authentication Methods"
2323 registry:
2324
2325 Method: dmarc
2326
2327 Defined: RFC 7489
2328
2329 ptype: header
2330
2331 Property: from
2332
2333 Value: the domain portion of the RFC5322.From field
2334
2335 Status: active
2336
2337 Version: 1
2338
233911.2. Authentication-Results Result Registry Update ../dmarc/dmarc.go:48
2340
2341 IANA has added the following in the "Email Authentication Result
2342 Names" registry:
2343
2344 Code: none
2345
2346 Existing/New Code: existing
2347
2348 Defined: [AUTH-RESULTS]
2349
2350 Auth Method: dmarc (added)
2351
2352
2353
2354Kucherawy & Zwicky Informational [Page 42]
2355
2356RFC 7489 DMARC March 2015
2357
2358
2359 Meaning: No DMARC policy record was published for the aligned
2360 identifier, or no aligned identifier could be extracted.
2361
2362 Status: active
2363
2364
2365 Code: pass
2366
2367 Existing/New Code: existing
2368
2369 Defined: [AUTH-RESULTS]
2370
2371 Auth Method: dmarc (added)
2372
2373 Meaning: A DMARC policy record was published for the aligned
2374 identifier, and at least one of the authentication mechanisms
2375 passed.
2376
2377 Status: active
2378
2379
2380 Code: fail
2381
2382 Existing/New Code: existing
2383
2384 Defined: [AUTH-RESULTS]
2385
2386 Auth Method: dmarc (added)
2387
2388 Meaning: A DMARC policy record was published for the aligned
2389 identifier, and none of the authentication mechanisms passed.
2390
2391 Status: active
2392
2393
2394 Code: temperror
2395
2396 Existing/New Code: existing
2397
2398 Defined: [AUTH-RESULTS]
2399
2400 Auth Method: dmarc (added)
2401
2402 Meaning: A temporary error occurred during DMARC evaluation. A
2403 later attempt might produce a final result.
2404
2405 Status: active
2406
2407
2408
2409
2410Kucherawy & Zwicky Informational [Page 43]
2411
2412RFC 7489 DMARC March 2015
2413
2414
2415 Code: permerror
2416
2417 Existing/New Code: existing
2418
2419 Defined: [AUTH-RESULTS]
2420
2421 Auth Method: dmarc (added)
2422
2423 Meaning: A permanent error occurred during DMARC evaluation, such as
2424 encountering a syntactically incorrect DMARC record. A later
2425 attempt is unlikely to produce a final result.
2426
2427 Status: active
2428
242911.3. Feedback Report Header Fields Registry Update
2430
2431 The following has been added to the "Feedback Report Header Fields"
2432 registry:
2433
2434 Field Name: Identity-Alignment
2435
2436 Description: indicates whether the message about which a report is
2437 being generated had any identifiers in alignment as defined in
2438 RFC 7489
2439
2440 Multiple Appearances: No
2441
2442 Related "Feedback-Type": auth-failure
2443
2444 Reference: RFC 7489
2445
2446 Status: current
2447
244811.4. DMARC Tag Registry
2449
2450 A new registry tree called "Domain-based Message Authentication,
2451 Reporting, and Conformance (DMARC) Parameters" has been created.
2452 Within it, a new sub-registry called the "DMARC Tag Registry" has
2453 been created.
2454
2455 Names of DMARC tags must be registered with IANA in this new
2456 sub-registry. New entries are assigned only for values that have
2457 been documented in a manner that satisfies the terms of Specification
2458 Required, per [IANA-CONSIDERATIONS]. Each registration must include
2459 the tag name; the specification that defines it; a brief description;
2460 and its status, which must be one of "current", "experimental", or
2461 "historic". The Designated Expert needs to confirm that the provided
2462
2463
2464
2465
2466Kucherawy & Zwicky Informational [Page 44]
2467
2468RFC 7489 DMARC March 2015
2469
2470
2471 specification adequately describes the new tag and clearly presents
2472 how it would be used within the DMARC context by Domain Owners and
2473 Mail Receivers.
2474
2475 To avoid version compatibility issues, tags added to the DMARC
2476 specification are to avoid changing the semantics of existing records
2477 when processed by implementations conforming to prior specifications.
2478
2479 The initial set of entries in this registry is as follows:
2480
2481 +----------+-------------+---------+------------------------------+
2482 | Tag Name | Reference | Status | Description |
2483 +----------+-------------+---------+------------------------------+
2484 | adkim | RFC 7489 | current | DKIM alignment mode |
2485 +----------+-------------+---------+------------------------------+
2486 | aspf | RFC 7489 | current | SPF alignment mode |
2487 +----------+-------------+---------+------------------------------+
2488 | fo | RFC 7489 | current | Failure reporting options |
2489 +----------+-------------+---------+------------------------------+
2490 | p | RFC 7489 | current | Requested handling policy |
2491 +----------+-------------+---------+------------------------------+
2492 | pct | RFC 7489 | current | Sampling rate |
2493 +----------+-------------+---------+------------------------------+
2494 | rf | RFC 7489 | current | Failure reporting format(s) |
2495 +----------+-------------+---------+------------------------------+
2496 | ri | RFC 7489 | current | Aggregate Reporting interval |
2497 +----------+-------------+---------+------------------------------+
2498 | rua | RFC 7489 | current | Reporting URI(s) for |
2499 | | | | aggregate data |
2500 +----------+-------------+---------+------------------------------+
2501 | ruf | RFC 7489 | current | Reporting URI(s) for |
2502 | | | | failure data |
2503 +----------+-------------+---------+------------------------------+
2504 | sp | RFC 7489 | current | Requested handling policy |
2505 | | | | for subdomains |
2506 +----------+-------------+---------+------------------------------+
2507 | v | RFC 7489 | current | Specification version |
2508 +----------+-------------+---------+------------------------------+
2509
251011.5. DMARC Report Format Registry
2511
2512 Also within "Domain-based Message Authentication, Reporting, and
2513 Conformance (DMARC) Parameters", a new sub-registry called "DMARC
2514 Report Format Registry" has been created.
2515
2516 Names of DMARC failure reporting formats must be registered with IANA
2517 in this registry. New entries are assigned only for values that
2518 satisfy the definition of Specification Required, per
2519
2520
2521
2522Kucherawy & Zwicky Informational [Page 45]
2523
2524RFC 7489 DMARC March 2015
2525
2526
2527 [IANA-CONSIDERATIONS]. In addition to a reference to a permanent
2528 specification, each registration must include the format name; a
2529 brief description; and its status, which must be one of "current",
2530 "experimental", or "historic". The Designated Expert needs to
2531 confirm that the provided specification adequately describes the
2532 report format and clearly presents how it would be used within the
2533 DMARC context by Domain Owners and Mail Receivers.
2534
2535 The initial entry in this registry is as follows:
2536
2537 +--------+-------------+---------+-----------------------------+
2538 | Format | Reference | Status | Description |
2539 | Name | | | |
2540 +--------+-------------+---------+-----------------------------+
2541 | afrf | RFC 7489 | current | Authentication Failure |
2542 | | | | Reporting Format (see |
2543 | | | | [AFRF]) |
2544 +--------+-------------+---------+-----------------------------+
2545
254612. Security Considerations
2547
2548 This section discusses security issues and possible remediations
2549 (where available) for DMARC.
2550
255112.1. Authentication Methods
2552
2553 Security considerations from the authentication methods used by DMARC
2554 are incorporated here by reference.
2555
255612.2. Attacks on Reporting URIs
2557
2558 URIs published in DNS TXT records are well-understood possible
2559 targets for attack. Specifications such as [DNS] and [ROLES] either
2560 expose or cause the exposure of email addresses that could be flooded
2561 by an attacker, for example; MX, NS, and other records found in the
2562 DNS advertise potential attack destinations; common DNS names such as
2563 "www" plainly identify the locations at which particular services can
2564 be found, providing destinations for targeted denial-of-service or
2565 penetration attacks.
2566
2567 Thus, Domain Owners will need to harden these addresses against
2568 various attacks, including but not limited to:
2569
2570 o high-volume denial-of-service attacks; todo future: ../smtpserver/server.go:2763
2571
2572 o deliberate construction of malformed reports intended to identify
2573 or exploit parsing or processing vulnerabilities;
2574
2575
2576
2577
2578Kucherawy & Zwicky Informational [Page 46]
2579
2580RFC 7489 DMARC March 2015
2581
2582
2583 o deliberate construction of reports containing false claims for the
2584 Submitter or Reported-Domain fields, including the possibility of
2585 false data from compromised but known Mail Receivers.
2586
258712.3. DNS Security
2588
2589 The DMARC mechanism and its underlying technologies (SPF, DKIM)
2590 depend on the security of the DNS. To reduce the risk of subversion
2591 of the DMARC mechanism due to DNS-based exploits, serious
2592 consideration should be given to the deployment of DNSSEC in parallel
2593 with the deployment of DMARC by both Domain Owners and Mail
2594 Receivers.
2595
2596 Publication of data using DNSSEC is relevant to Domain Owners and
2597 third-party Report Receivers. DNSSEC-aware resolution is relevant to
2598 Mail Receivers and Report Receivers.
2599
260012.4. Display Name Attacks
2601
2602 A common attack in messaging abuse is the presentation of false
2603 information in the display-name portion of the RFC5322.From field.
2604 For example, it is possible for the email address in that field to be
2605 an arbitrary address or domain name, while containing a well-known
2606 name (a person, brand, role, etc.) in the display name, intending to
2607 fool the end user into believing that the name is used legitimately.
2608 The attack is predicated on the notion that most common MUAs will
2609 show the display name and not the email address when both are
2610 available.
2611
2612 Generally, display name attacks are out of scope for DMARC, as
2613 further exploration of possible defenses against these attacks needs
2614 to be undertaken.
2615
2616 There are a few possible mechanisms that attempt mitigation of these
2617 attacks, such as the following:
2618
2619 o If the display name is found to include an email address (as
2620 specified in [MAIL]), execute the DMARC mechanism on the domain
2621 name found there rather than the domain name discovered
2622 originally. However, this addresses only a very specific attack
2623 space, and spoofers can easily circumvent it by simply not using
2624 an email address in the display name. There are also known cases
2625 of legitimate uses of an email address in the display name with a
2626 domain different from the one in the address portion, e.g.,
2627
2628 From: "user@example.org via Bug Tracker" <support@example.com>
2629
2630
2631
2632
2633
2634Kucherawy & Zwicky Informational [Page 47]
2635
2636RFC 7489 DMARC March 2015
2637
2638
2639 o In the MUA, only show the display name if the DMARC mechanism
2640 succeeds. This too is easily defeated, as an attacker could
2641 arrange to pass the DMARC tests while fraudulently using another
2642 domain name in the display name.
2643
2644 o In the MUA, only show the display name if the DMARC mechanism
2645 passes and the email address thus validated matches one found in
2646 the receiving user's list of known addresses.
2647
264812.5. External Reporting Addresses
2649
2650 To avoid abuse by bad actors, reporting addresses generally have to
2651 be inside the domains about which reports are requested. In order to
2652 accommodate special cases such as a need to get reports about domains
2653 that cannot actually receive mail, Section 7.1 describes a DNS-based
2654 mechanism for verifying approved external reporting.
2655
2656 The obvious consideration here is an increased DNS load against
2657 domains that are claimed as external recipients. Negative caching
2658 will mitigate this problem, but only to a limited extent, mostly
2659 dependent on the default TTL in the domain's SOA record.
2660
2661 Where possible, external reporting is best achieved by having the
2662 report be directed to domains that can receive mail and simply having
2663 it automatically forwarded to the desired external destination.
2664
2665 Note that the addresses shown in the "ruf" tag receive more
2666 information that might be considered private data, since it is
2667 possible for actual email content to appear in the failure reports.
2668 The URIs identified there are thus more attractive targets for
2669 intrusion attempts than those found in the "rua" tag. Moreover,
2670 attacking the DNS of the subject domain to cause failure data to be
2671 routed fraudulently to an attacker's systems may be an attractive
2672 prospect. Deployment of [DNSSEC] is advisable if this is a concern.
2673
2674 The verification mechanism presented in Section 7.1 is currently not
2675 mandatory ("MUST") but strongly recommended ("SHOULD"). It is
2676 possible that it would be elevated to a "MUST" by later security
2677 review.
2678
267912.6. Secure Protocols
2680
2681 This document encourages use of secure transport mechanisms to
2682 prevent loss of private data to third parties that may be able to
2683 monitor such transmissions. Unencrypted mechanisms should be 7489:1768 ../queue/direct.go:286
2684 avoided.
2685
2686
2687
2688
2689
2690Kucherawy & Zwicky Informational [Page 48]
2691
2692RFC 7489 DMARC March 2015
2693
2694
2695 In particular, a message that was originally encrypted or otherwise
2696 secured might appear in a report that is not sent securely, which
2697 could reveal private information.
2698
269913. References
2700
270113.1. Normative References
2702
2703 [ABNF] Crocker, D., Ed., and P. Overell, "Augmented BNF for
2704 Syntax Specifications: ABNF", STD 68, RFC 5234,
2705 January 2008, <http://www.rfc-editor.org/info/rfc5234>.
2706
2707 [AFRF] Fontana, H., "Authentication Failure Reporting Using the
2708 Abuse Reporting Format", RFC 6591, April 2012,
2709 <http://www.rfc-editor.org/info/rfc6591>.
2710
2711 [AFRF-DKIM]
2712 Kucherawy, M., "Extensions to DomainKeys Identified Mail
2713 (DKIM) for Failure Reporting", RFC 6651, June 2012,
2714 <http://www.rfc-editor.org/info/rfc6651>.
2715
2716 [AFRF-SPF] Kitterman, S., "Sender Policy Framework (SPF)
2717 Authentication Failure Reporting Using the Abuse Reporting
2718 Format", RFC 6652, June 2012,
2719 <http://www.rfc-editor.org/info/rfc6652>.
2720
2721 [DKIM] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
2722 "DomainKeys Identified Mail (DKIM) Signatures", STD 76,
2723 RFC 6376, September 2011, <http://www.rfc-editor.org/
2724 info/rfc6376>.
2725
2726 [DNS] Mockapetris, P., "Domain names - implementation and
2727 specification", STD 13, RFC 1035, November 1987,
2728 <http://www.rfc-editor.org/info/rfc1035>.
2729
2730 [DNS-CASE] Eastlake 3rd, D., "Domain Name System (DNS) Case
2731 Insensitivity Clarification", RFC 4343, January 2006,
2732 <http://www.rfc-editor.org/info/rfc4343>.
2733
2734 [GZIP] Levine, J., "The 'application/zlib' and 'application/gzip'
2735 Media Types", RFC 6713, August 2012,
2736 <http://www.rfc-editor.org/info/rfc6713>.
2737
2738 [IDNA] Klensin, J., "Internationalized Domain Names for
2739 Applications (IDNA): Definitions and Document Framework",
2740 RFC 5890, August 2010,
2741 <http://www.rfc-editor.org/info/rfc5890>.
2742
2743
2744
2745
2746Kucherawy & Zwicky Informational [Page 49]
2747
2748RFC 7489 DMARC March 2015
2749
2750
2751 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
2752 Requirement Levels", BCP 14, RFC 2119, March 1997,
2753 <http://www.rfc-editor.org/info/rfc2119>.
2754
2755 [MAIL] Resnick, P., Ed., "Internet Message Format", RFC 5322,
2756 October 2008, <http://www.rfc-editor.org/info/rfc5322>.
2757
2758 [MIME] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
2759 Extensions (MIME) Part One: Format of Internet Message
2760 Bodies", RFC 2045, November 1996,
2761 <http://www.rfc-editor.org/info/rfc2045>.
2762
2763 [SEC-TERMS]
2764 Shirey, R., "Internet Security Glossary, Version 2",
2765 FYI 36, RFC 4949, August 2007,
2766 <http://www.rfc-editor.org/info/rfc4949>.
2767
2768 [SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
2769 October 2008, <http://www.rfc-editor.org/info/rfc5321>.
2770
2771 [SPF] Kitterman, S., "Sender Policy Framework (SPF) for
2772 Authorizing Use of Domains in Email, Version 1", RFC 7208,
2773 April 2014, <http://www.rfc-editor.org/info/rfc7208>.
2774
2775 [URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
2776 Resource Identifier (URI): Generic Syntax", STD 66,
2777 RFC 3986, January 2005,
2778 <http://www.rfc-editor.org/info/rfc3986>.
2779
278013.2. Informative References
2781
2782 [ADSP] Allman, E., Fenton, J., Delany, M., and J. Levine,
2783 "DomainKeys Identified Mail (DKIM) Author Domain Signing
2784 Practices (ADSP)", RFC 5617, August 2009,
2785 <http://www.rfc-editor.org/info/rfc5617>.
2786
2787 [ARF] Shafranovich, Y., Levine, J., and M. Kucherawy, "An
2788 Extensible Format for Email Feedback Reports", RFC 5965,
2789 August 2010, <http://www.rfc-editor.org/info/rfc5965>.
2790
2791 [AUTH-RESULTS]
2792 Kucherawy, M., "Message Header Field for Indicating
2793 Message Authentication Status", RFC 7001, September 2013,
2794 <http://www.rfc-editor.org/info/rfc7001>.
2795
2796
2797
2798
2799
2800
2801
2802Kucherawy & Zwicky Informational [Page 50]
2803
2804RFC 7489 DMARC March 2015
2805
2806
2807 [Best-Guess-SPF]
2808 Kitterman, S., "Sender Policy Framework: Best guess record
2809 (FAQ entry)", May 2010,
2810 <http://www.openspf.org/FAQ/Best_guess_record>.
2811
2812 [DKIM-DEPLOYMENT]
2813 Hansen, T., Siegel, E., Hallam-Baker, P., and D. Crocker,
2814 "DomainKeys Identified Mail (DKIM) Development,
2815 Deployment, and Operations", RFC 5863, May 2010,
2816 <http://www.rfc-editor.org/info/rfc5863>.
2817
2818 [DKIM-LISTS]
2819 Kucherawy, M., "DomainKeys Identified Mail (DKIM) and
2820 Mailing Lists", BCP 167, RFC 6377, September 2011,
2821 <http://www.rfc-editor.org/info/rfc6377>.
2822
2823 [DKIM-OVERVIEW]
2824 Hansen, T., Crocker, D., and P. Hallam-Baker, "DomainKeys
2825 Identified Mail (DKIM) Service Overview", RFC 5585,
2826 July 2009, <http://www.rfc-editor.org/info/rfc5585>.
2827
2828 [DKIM-THREATS]
2829 Fenton, J., "Analysis of Threats Motivating DomainKeys
2830 Identified Mail (DKIM)", RFC 4686, September 2006,
2831 <http://www.rfc-editor.org/info/rfc4686>.
2832
2833 [DNSSEC] Arends, R., Austein, R., Larson, M., Massey, D., and S.
2834 Rose, "DNS Security Introduction and Requirements",
2835 RFC 4033, March 2005,
2836 <http://www.rfc-editor.org/info/rfc4033>.
2837
2838 [DSN] Moore, K. and G. Vaudreuil, "An Extensible Message Format
2839 for Delivery Status Notifications", RFC 3464,
2840 January 2003, <http://www.rfc-editor.org/info/rfc3464>.
2841
2842 [EMAIL-ARCH]
2843 Crocker, D., "Internet Mail Architecture", RFC 5598,
2844 July 2009, <http://www.rfc-editor.org/info/rfc5598>.
2845
2846 [IANA-CONSIDERATIONS]
2847 Narten, T. and H. Alvestrand, "Guidelines for Writing an
2848 IANA Considerations Section in RFCs", BCP 26, RFC 5226,
2849 May 2008, <http://www.rfc-editor.org/info/rfc5226>.
2850
2851 [ROLES] Crocker, D., "Mailbox Names for Common Services, Roles and
2852 Functions", RFC 2142, May 1997,
2853 <http://www.rfc-editor.org/info/rfc2142>.
2854
2855
2856
2857
2858Kucherawy & Zwicky Informational [Page 51]
2859
2860RFC 7489 DMARC March 2015
2861
2862
2863Appendix A. Technology Considerations
2864
2865 This section documents some design decisions that were made in the
2866 development of DMARC. Specifically, addressed here are some
2867 suggestions that were considered but not included in the design.
2868 This text is included to explain why they were considered and not
2869 included in this version.
2870
2871A.1. S/MIME
2872
2873 S/MIME, or Secure Multipurpose Internet Mail Extensions, is a
2874 standard for encryption and signing of MIME data in a message. This
2875 was suggested and considered as a third security protocol for
2876 authenticating the source of a message.
2877
2878 DMARC is focused on authentication at the domain level (i.e., the
2879 Domain Owner taking responsibility for the message), while S/MIME is
2880 really intended for user-to-user authentication and encryption. This
2881 alone appears to make it a bad fit for DMARC's goals.
2882
2883 S/MIME also suffers from the heavyweight problem of Public Key
2884 Infrastructure, which means that distribution of keys used to verify
2885 signatures needs to be incorporated. In many instances, this alone
2886 is a showstopper. There have been consistent promises that PKI
2887 usability and deployment will improve, but these have yet to
2888 materialize. DMARC can revisit this choice after those barriers are
2889 addressed.
2890
2891 S/MIME has extensive deployment in specific market segments
2892 (government, for example) but does not enjoy similar widespread
2893 deployment over the general Internet, and this shows no signs of
2894 changing. DKIM and SPF both are deployed widely over the general
2895 Internet, and their adoption rates continue to be positive.
2896
2897 Finally, experiments have shown that including S/MIME support in the
2898 initial version of DMARC would neither cause nor enable a substantial
2899 increase in the accuracy of the overall mechanism.
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914Kucherawy & Zwicky Informational [Page 52]
2915
2916RFC 7489 DMARC March 2015
2917
2918
2919A.2. Method Exclusion
2920
2921 It was suggested that DMARC include a mechanism by which a Domain
2922 Owner could tell Message Receivers not to attempt validation by one
2923 of the supported methods (e.g., "check DKIM, but not SPF").
2924
2925 Specifically, consider a Domain Owner that has deployed one of the
2926 technologies, and that technology fails for some messages, but such
2927 failures don't cause enforcement action. Deploying DMARC would cause
2928 enforcement action for policies other than "none", which would appear
2929 to exclude participation by that Domain Owner.
2930
2931 The DMARC development team evaluated the idea of policy exception
2932 mechanisms on several occasions and invariably concluded that there
2933 was not a strong enough use case to include them. The specific
2934 target audience for DMARC does not appear to have concerns about the
2935 failure modes of one or the other being a barrier to DMARC's
2936 adoption.
2937
2938 In the scenario described above, the Domain Owner has a few options:
2939
2940 1. Tighten up its infrastructure to minimize the failure modes of
2941 the single deployed technology.
2942
2943 2. Deploy the other supported authentication mechanism, to offset
2944 the failure modes of the first.
2945
2946 3. Deploy DMARC in a reporting-only mode.
2947
2948A.3. Sender Header Field ../smtpserver/server.go:1818
2949
2950 It has been suggested in several message authentication efforts that
2951 the Sender header field be checked for an identifier of interest, as
2952 the standards indicate this as the proper way to indicate a
2953 re-mailing of content such as through a mailing list. Most recently,
2954 it was a protocol-level option for DomainKeys, but on evolution to
2955 DKIM, this property was removed.
2956
2957 The DMARC development team considered this and decided not to include
2958 support for doing so, for the following reasons:
2959
2960 1. The main user protection approach is to be concerned with what
2961 the user sees when a message is rendered. There is no consistent
2962 behavior among MUAs regarding what to do with the content of the
2963 Sender field, if present. Accordingly, supporting checking of
2964 the Sender identifier would mean applying policy to an identifier
2965
2966
2967
2968
2969
2970Kucherawy & Zwicky Informational [Page 53]
2971
2972RFC 7489 DMARC March 2015
2973
2974
2975 the end user might never actually see, which can create a vector
2976 for attack against end users by simply forging a Sender field
2977 containing some identifier that DMARC will like.
2978
2979 2. Although it is certainly true that this is what the Sender field
2980 is for, its use in this way is also unreliable, making it a poor
2981 candidate for inclusion in the DMARC evaluation algorithm.
2982
2983 3. Allowing multiple ways to discover policy introduces unacceptable
2984 ambiguity into the DMARC evaluation algorithm in terms of which
2985 policy is to be applied and when.
2986
2987A.4. Domain Existence Test
2988
2989 A common practice among MTA operators, and indeed one documented in
2990 [ADSP], is a test to determine domain existence prior to any more
2991 expensive processing. This is typically done by querying the DNS for
2992 MX, A, or AAAA resource records for the name being evaluated and
2993 assuming that the domain is nonexistent if it could be determined
2994 that no such records were published for that domain name.
2995
2996 The original pre-standardization version of this protocol included a
2997 mandatory check of this nature. It was ultimately removed, as the
2998 method's error rate was too high without substantial manual tuning
2999 and heuristic work. There are indeed use cases this work needs to
3000 address where such a method would return a negative result about a
3001 domain for which reporting is desired, such as a registered domain
3002 name that never sends legitimate mail and thus has none of these
3003 records present in the DNS.
3004
3005A.5. Issues with ADSP in Operation
3006
3007 DMARC has been characterized as a "super-ADSP" of sorts.
3008
3009 Contributors to DMARC have compiled a list of issues associated with
3010 ADSP, gained from operational experience, that have influenced the
3011 direction of DMARC:
3012
3013 1. ADSP has no support for subdomains, i.e., the ADSP record for
3014 example.com does not explicitly or implicitly apply to
3015 subdomain.example.com. If wildcarding is not applied, then
3016 spammers can trivially bypass ADSP by sending from a subdomain
3017 with no ADSP record.
3018
3019
3020
3021
3022
3023
3024
3025
3026Kucherawy & Zwicky Informational [Page 54]
3027
3028RFC 7489 DMARC March 2015
3029
3030
3031 2. Nonexistent subdomains are explicitly out of scope in ADSP.
3032 There is nothing in ADSP that states receivers should simply
3033 reject mail from NXDOMAINs regardless of ADSP policy (which of
3034 course allows spammers to trivially bypass ADSP by sending email
3035 from nonexistent subdomains).
3036
3037 3. ADSP has no operational advice on when to look up the ADSP
3038 record.
3039
3040 4. ADSP has no support for using SPF as an auxiliary mechanism to
3041 DKIM.
3042
3043 5. ADSP has no support for a slow rollout, i.e., no way to configure
3044 a percentage of email on which the receiver should apply the
3045 policy. This is important for large-volume senders.
3046
3047 6. ADSP has no explicit support for an intermediate phase where the
3048 receiver quarantines (e.g., sends to the recipient's "spam"
3049 folder) rather than rejects the email.
3050
3051 7. The binding between the "From" header domain and DKIM is too
3052 tight for ADSP; they must match exactly.
3053
3054A.6. Organizational Domain Discovery Issues
3055
3056 Although protocols like ADSP are useful for "protecting" a specific
3057 domain name, they are not helpful at protecting subdomains. If one
3058 wished to protect "example.com" by requiring via ADSP that all mail
3059 bearing an RFC5322.From domain of "example.com" be signed, this would
3060 "protect" that domain; however, one could then craft an email whose
3061 RFC5322.From domain is "security.example.com", and ADSP would not
3062 provide any protection. One could use a DNS wildcard, but this can
3063 undesirably interfere with other DNS activity; one could add ADSP
3064 records as fraudulent domains are discovered, but this solution does
3065 not scale and is a purely reactive measure against abuse.
3066
3067 The DNS does not provide a method by which the "domain of record", or
3068 the domain that was actually registered with a domain registrar, can
3069 be determined given an arbitrary domain name. Suggestions have been
3070 made that attempt to glean such information from SOA or NS resource
3071 records, but these too are not fully reliable, as the partitioning of
3072 the DNS is not always done at administrative boundaries.
3073
3074 When seeking domain-specific policy based on an arbitrary domain
3075 name, one could "climb the tree", dropping labels off the left end of
3076 the name until the root is reached or a policy is discovered, but
3077 then one could craft a name that has a large number of nonsense
3078
3079
3080
3081
3082Kucherawy & Zwicky Informational [Page 55]
3083
3084RFC 7489 DMARC March 2015
3085
3086
3087 labels; this would cause a Mail Receiver to attempt a large number of
3088 queries in search of a policy record. Sending many such messages
3089 constitutes an amplified denial-of-service attack.
3090
3091 The Organizational Domain mechanism is a necessary component to the
3092 goals of DMARC. The method described in Section 3.2 is far from
3093 perfect but serves this purpose reasonably well without adding undue
3094 burden or semantics to the DNS. If a method is created to do so that
3095 is more reliable and secure than the use of a public suffix list,
3096 DMARC should be amended to use that method as soon as it is generally
3097 available.
3098
3099A.6.1. Public Suffix Lists
3100
3101 A public suffix list for the purposes of determining the
3102 Organizational Domain can be obtained from various sources. The most
3103 common one is maintained by the Mozilla Foundation and made public at
3104 <http://publicsuffix.org>. License terms governing the use of that
3105 list are available at that URI.
3106
3107 Note that if operators use a variety of public suffix lists,
3108 interoperability will be difficult or impossible to guarantee.
3109
3110Appendix B. Examples
3111
3112 This section illustrates both the Domain Owner side and the Mail
3113 Receiver side of a DMARC exchange.
3114
3115B.1. Identifier Alignment Examples
3116
3117 The following examples illustrate the DMARC mechanism's use of
3118 Identifier Alignment. For brevity's sake, only message headers are
3119 shown, as message bodies are not considered when conducting DMARC
3120 checks.
3121
3122B.1.1. SPF
3123
3124 The following SPF examples assume that SPF produces a passing result.
3125
3126 Example 1: SPF in alignment:
3127
3128 MAIL FROM: <sender@example.com>
3129
3130 From: sender@example.com
3131 Date: Fri, Feb 15 2002 16:54:30 -0800
3132 To: receiver@example.org
3133 Subject: here's a sample
3134
3135
3136
3137
3138Kucherawy & Zwicky Informational [Page 56]
3139
3140RFC 7489 DMARC March 2015
3141
3142
3143 In this case, the RFC5321.MailFrom parameter and the RFC5322.From
3144 field have identical DNS domains. Thus, the identifiers are in
3145 alignment.
3146
3147 Example 2: SPF in alignment (parent):
3148
3149 MAIL FROM: <sender@child.example.com>
3150
3151 From: sender@example.com
3152 Date: Fri, Feb 15 2002 16:54:30 -0800
3153 To: receiver@example.org
3154 Subject: here's a sample
3155
3156 In this case, the RFC5322.From parameter includes a DNS domain that
3157 is a parent of the RFC5321.MailFrom domain. Thus, the identifiers
3158 are in alignment if relaxed SPF mode is requested by the Domain
3159 Owner, and not in alignment if strict SPF mode is requested.
3160
3161 Example 3: SPF not in alignment:
3162
3163 MAIL FROM: <sender@example.net>
3164
3165 From: sender@child.example.com
3166 Date: Fri, Feb 15 2002 16:54:30 -0800
3167 To: receiver@example.org
3168 Subject: here's a sample
3169
3170 In this case, the RFC5321.MailFrom parameter includes a DNS domain
3171 that is neither the same as nor a parent of the RFC5322.From domain.
3172 Thus, the identifiers are not in alignment.
3173
3174B.1.2. DKIM
3175
3176 The examples below assume that the DKIM signatures pass verification.
3177 Alignment cannot exist with a DKIM signature that does not verify.
3178
3179 Example 1: DKIM in alignment:
3180
3181 DKIM-Signature: v=1; ...; d=example.com; ...
3182 From: sender@example.com
3183 Date: Fri, Feb 15 2002 16:54:30 -0800
3184 To: receiver@example.org
3185 Subject: here's a sample
3186
3187 In this case, the DKIM "d=" parameter and the RFC5322.From field have
3188 identical DNS domains. Thus, the identifiers are in alignment.
3189
3190
3191
3192
3193
3194Kucherawy & Zwicky Informational [Page 57]
3195
3196RFC 7489 DMARC March 2015
3197
3198
3199 Example 2: DKIM in alignment (parent):
3200
3201 DKIM-Signature: v=1; ...; d=example.com; ...
3202 From: sender@child.example.com
3203 Date: Fri, Feb 15 2002 16:54:30 -0800
3204 To: receiver@example.org
3205 Subject: here's a sample
3206
3207 In this case, the DKIM signature's "d=" parameter includes a DNS
3208 domain that is a parent of the RFC5322.From domain. Thus, the
3209 identifiers are in alignment for relaxed mode, but not for strict
3210 mode.
3211
3212 Example 3: DKIM not in alignment:
3213
3214 DKIM-Signature: v=1; ...; d=sample.net; ...
3215 From: sender@child.example.com
3216 Date: Fri, Feb 15 2002 16:54:30 -0800
3217 To: receiver@example.org
3218 Subject: here's a sample
3219
3220 In this case, the DKIM signature's "d=" parameter includes a DNS
3221 domain that is neither the same as nor a parent of the RFC5322.From
3222 domain. Thus, the identifiers are not in alignment.
3223
3224B.2. Domain Owner Example ../dmarc/parse_test.go:9
3225
3226 A Domain Owner that wants to use DMARC should have already deployed
3227 and tested SPF and DKIM. The next step is to publish a DNS record
3228 that advertises a DMARC policy for the Domain Owner's Organizational
3229 Domain.
3230
3231B.2.1. Entire Domain, Monitoring Only
3232
3233 The owner of the domain "example.com" has deployed SPF and DKIM on
3234 its messaging infrastructure. The owner wishes to begin using DMARC
3235 with a policy that will solicit aggregate feedback from receivers
3236 without affecting how the messages are processed, in order to:
3237
3238 o Confirm that its legitimate messages are authenticating correctly
3239
3240 o Verify that all authorized message sources have implemented
3241 authentication measures
3242
3243 o Determine how many messages from other sources would be affected
3244 by a blocking policy
3245
3246
3247
3248
3249
3250Kucherawy & Zwicky Informational [Page 58]
3251
3252RFC 7489 DMARC March 2015
3253
3254
3255 The Domain Owner accomplishes this by constructing a policy record
3256 indicating that:
3257
3258 o The version of DMARC being used is "DMARC1" ("v=DMARC1")
3259
3260 o Receivers should not alter how they treat these messages because
3261 of this DMARC policy record ("p=none")
3262
3263 o Aggregate feedback reports should be sent via email to the address
3264 "dmarc-feedback@example.com"
3265 ("rua=mailto:dmarc-feedback@example.com")
3266
3267 o All messages from this Organizational Domain are subject to this
3268 policy (no "pct" tag present, so the default of 100% applies)
3269
3270 The DMARC policy record might look like this when retrieved using a
3271 common command-line tool:
3272
3273 % dig +short TXT _dmarc.example.com.
3274 "v=DMARC1; p=none; rua=mailto:dmarc-feedback@example.com"
3275
3276 To publish such a record, the DNS administrator for the Domain Owner
3277 creates an entry like the following in the appropriate zone file
3278 (following the conventional zone file format):
3279
3280 ; DMARC record for the domain example.com
3281
3282 _dmarc IN TXT ( "v=DMARC1; p=none; "
3283 "rua=mailto:dmarc-feedback@example.com" )
3284
3285B.2.2. Entire Domain, Monitoring Only, Per-Message Reports
3286
3287 The Domain Owner from the previous example has used the aggregate
3288 reporting to discover some messaging systems that had not yet
3289 implemented DKIM correctly, but they are still seeing periodic
3290 authentication failures. In order to diagnose these intermittent
3291 problems, they wish to request per-message failure reports when
3292 authentication failures occur.
3293
3294 Not all Receivers will honor such a request, but the Domain Owner
3295 feels that any reports it does receive will be helpful enough to
3296 justify publishing this record. The default per-message report
3297 format ([AFRF]) meets the Domain Owner's needs in this scenario.
3298
3299
3300
3301
3302
3303
3304
3305
3306Kucherawy & Zwicky Informational [Page 59]
3307
3308RFC 7489 DMARC March 2015
3309
3310
3311 The Domain Owner accomplishes this by adding the following to its
3312 policy record from Appendix B.2:
3313
3314 o Per-message failure reports should be sent via email to the
3315 address "auth-reports@example.com"
3316 ("ruf=mailto:auth-reports@example.com")
3317
3318 The DMARC policy record might look like this when retrieved using a
3319 common command-line tool (the output shown would appear on a single
3320 line but is wrapped here for publication):
3321
3322 % dig +short TXT _dmarc.example.com.
3323 "v=DMARC1; p=none; rua=mailto:dmarc-feedback@example.com;
3324 ruf=mailto:auth-reports@example.com"
3325
3326 To publish such a record, the DNS administrator for the Domain Owner
3327 might create an entry like the following in the appropriate zone file
3328 (following the conventional zone file format):
3329
3330 ; DMARC record for the domain example.com
3331
3332 _dmarc IN TXT ( "v=DMARC1; p=none; "
3333 "rua=mailto:dmarc-feedback@example.com; "
3334 "ruf=mailto:auth-reports@example.com" )
3335
3336B.2.3. Per-Message Failure Reports Directed to Third Party
3337
3338 The Domain Owner from the previous example is maintaining the same
3339 policy but now wishes to have a third party receive and process the
3340 per-message failure reports. Again, not all Receivers will honor
3341 this request, but those that do may implement additional checks to
3342 validate that the third party wishes to receive the failure reports
3343 for this domain.
3344
3345 The Domain Owner needs to alter its policy record from Appendix B.2.2
3346 as follows:
3347
3348 o Per-message failure reports should be sent via email to the
3349 address "auth-reports@thirdparty.example.net"
3350 ("ruf=mailto:auth-reports@thirdparty.example.net")
3351
3352 The DMARC policy record might look like this when retrieved using a
3353 common command-line tool (the output shown would appear on a single
3354 line but is wrapped here for publication):
3355
3356 % dig +short TXT _dmarc.example.com.
3357 "v=DMARC1; p=none; rua=mailto:dmarc-feedback@example.com;
3358 ruf=mailto:auth-reports@thirdparty.example.net"
3359
3360
3361
3362Kucherawy & Zwicky Informational [Page 60]
3363
3364RFC 7489 DMARC March 2015
3365
3366
3367 To publish such a record, the DNS administrator for the Domain Owner
3368 might create an entry like the following in the appropriate zone file
3369 (following the conventional zone file format):
3370
3371 ; DMARC record for the domain example.com
3372
3373 _dmarc IN TXT ( "v=DMARC1; p=none; "
3374 "rua=mailto:dmarc-feedback@example.com; "
3375 "ruf=mailto:auth-reports@thirdparty.example.net" )
3376
3377 Because the address used in the "ruf" tag is outside the
3378 Organizational Domain in which this record is published, conforming
3379 Receivers will implement additional checks as described in
3380 Section 7.1 of this document. In order to pass these additional
3381 checks, the third party will need to publish an additional DNS record
3382 as follows:
3383
3384 o Given the DMARC record published by the Domain Owner at
3385 "_dmarc.example.com", the DNS administrator for the third party
3386 will need to publish a TXT resource record at
3387 "example.com._report._dmarc.thirdparty.example.net" with the value
3388 "v=DMARC1".
3389
3390 The resulting DNS record might look like this when retrieved using a
3391 common command-line tool (the output shown would appear on a single
3392 line but is wrapped here for publication):
3393
3394 % dig +short TXT example.com._report._dmarc.thirdparty.example.net
3395 "v=DMARC1"
3396
3397 To publish such a record, the DNS administrator for example.net might
3398 create an entry like the following in the appropriate zone file
3399 (following the conventional zone file format):
3400
3401 ; zone file for thirdparty.example.net
3402 ; Accept DMARC failure reports on behalf of example.com
3403
3404 example.com._report._dmarc IN TXT "v=DMARC1"
3405
3406 Intermediaries and other third parties should refer to Section 7.1
3407 for the full details of this mechanism.
3408
3409B.2.4. Subdomain, Sampling, and Multiple Aggregate Report URIs
3410
3411 The Domain Owner has implemented SPF and DKIM in a subdomain used for
3412 pre-production testing of messaging services. It now wishes to
3413 request that participating receivers act to reject messages from this
3414 subdomain that fail to authenticate.
3415
3416
3417
3418Kucherawy & Zwicky Informational [Page 61]
3419
3420RFC 7489 DMARC March 2015
3421
3422
3423 As a first step, it will ask that a portion (1/4 in this example) of
3424 failing messages be quarantined, enabling examination of messages
3425 sent to mailboxes hosted by participating receivers. Aggregate
3426 feedback reports will be sent to a mailbox within the Organizational
3427 Domain, and to a mailbox at a third party selected and authorized to
3428 receive same by the Domain Owner. Aggregate reports sent to the
3429 third party are limited to a maximum size of ten megabytes.
3430
3431 The Domain Owner will accomplish this by constructing a policy record
3432 indicating that:
3433
3434 o The version of DMARC being used is "DMARC1" ("v=DMARC1")
3435
3436 o It is applied only to this subdomain (record is published at
3437 "_dmarc.test.example.com" and not "_dmarc.example.com")
3438
3439 o Receivers should quarantine messages from this Organizational
3440 Domain that fail to authenticate ("p=quarantine")
3441
3442 o Aggregate feedback reports should be sent via email to the
3443 addresses "dmarc-feedback@example.com" and
3444 "example-tld-test@thirdparty.example.net", with the latter
3445 subjected to a maximum size limit ("rua=mailto:dmarc-feedback@
3446 example.com,mailto:tld-test@thirdparty.example.net!10m")
3447
3448 o 25% of messages from this Organizational Domain are subject to
3449 action based on this policy ("pct=25")
3450
3451 The DMARC policy record might look like this when retrieved using a
3452 common command-line tool (the output shown would appear on a single
3453 line but is wrapped here for publication):
3454
3455 % dig +short TXT _dmarc.test.example.com
3456 "v=DMARC1; p=quarantine; rua=mailto:dmarc-feedback@example.com,
3457 mailto:tld-test@thirdparty.example.net!10m; pct=25"
3458
3459 To publish such a record, the DNS administrator for the Domain Owner
3460 might create an entry like the following in the appropriate zone
3461 file:
3462
3463 ; DMARC record for the domain example.com
3464
3465 _dmarc IN TXT ( "v=DMARC1; p=quarantine; "
3466 "rua=mailto:dmarc-feedback@example.com,"
3467 "mailto:tld-test@thirdparty.example.net!10m; "
3468 "pct=25" )
3469
3470
3471
3472
3473
3474Kucherawy & Zwicky Informational [Page 62]
3475
3476RFC 7489 DMARC March 2015
3477
3478
3479B.3. Mail Receiver Example
3480
3481 A Mail Receiver that wants to use DMARC should already be checking
3482 SPF and DKIM, and possess the ability to collect relevant information
3483 from various email-processing stages to provide feedback to Domain
3484 Owners (possibly via Report Receivers).
3485
3486B.3.1. Processing of SMTP Time
3487
3488 An optimal DMARC-enabled Mail Receiver performs authentication and
3489 Identifier Alignment checking during the [SMTP] conversation.
3490
3491 Prior to returning a final reply to the DATA command, the Mail
3492 Receiver's MTA has performed:
3493
3494 1. An SPF check to determine an SPF-authenticated Identifier.
3495
3496 2. DKIM checks that yield one or more DKIM-authenticated
3497 Identifiers.
3498
3499 3. A DMARC policy lookup.
3500
3501 The presence of an Author Domain DMARC record indicates that the Mail
3502 Receiver should continue with DMARC-specific processing before
3503 returning a reply to the DATA command.
3504
3505 Given a DMARC record and the set of Authenticated Identifiers, the
3506 Mail Receiver checks to see if the Authenticated Identifiers align
3507 with the Author Domain (taking into consideration any strict versus
3508 relaxed options found in the DMARC record).
3509
3510 For example, the following sample data is considered to be from a
3511 piece of email originating from the Domain Owner of "example.com":
3512
3513 Author Domain: example.com
3514 SPF-authenticated Identifier: mail.example.com
3515 DKIM-authenticated Identifier: example.com
3516 DMARC record:
3517 "v=DMARC1; p=reject; aspf=r;
3518 rua=mailto:dmarc-feedback@example.com"
3519
3520 In the above sample, both the SPF-authenticated Identifier and the
3521 DKIM-authenticated Identifier align with the Author Domain. The Mail
3522 Receiver considers the above email to pass the DMARC check, avoiding
3523 the "reject" policy that is to be applied to email that fails to pass
3524 the DMARC check.
3525
3526
3527
3528
3529
3530Kucherawy & Zwicky Informational [Page 63]
3531
3532RFC 7489 DMARC March 2015
3533
3534
3535 If no Authenticated Identifiers align with the Author Domain, then
3536 the Mail Receiver applies the DMARC-record-specified policy.
3537 However, before this action is taken, the Mail Receiver can consult
3538 external information to override the Domain Owner's policy. For
3539 example, if the Mail Receiver knows that this particular email came
3540 from a known and trusted forwarder (that happens to break both SPF
3541 and DKIM), then the Mail Receiver may choose to ignore the Domain
3542 Owner's policy.
3543
3544 The Mail Receiver is now ready to reply to the DATA command. If the
3545 DMARC check yields that the message is to be rejected, then the Mail
3546 Receiver replies with a 5xy code to inform the sender of failure. If
3547 the DMARC check cannot be resolved due to transient network errors,
3548 then the Mail Receiver replies with a 4xy code to inform the sender
3549 as to the need to reattempt delivery later. If the DMARC check
3550 yields a passing message, then the Mail Receiver continues on with
3551 email processing, perhaps using the result of the DMARC check as an
3552 input to additional processing modules such as a domain reputation
3553 query.
3554
3555 Before exiting DMARC-specific processing, the Mail Receiver checks to
3556 see if the Author Domain DMARC record requests AFRF-based reporting.
3557 If so, then the Mail Receiver can emit an AFRF to the reporting
3558 address supplied in the DMARC record.
3559
3560 At the exit of DMARC-specific processing, the Mail Receiver captures
3561 (through logging or direct insertion into a data store) the result of
3562 DMARC processing. Captured information is used to build feedback for
3563 Domain Owner consumption. This is not necessary if the Domain Owner
3564 has not requested aggregate reports, i.e., no "rua" tag was found in
3565 the policy record.
3566
3567B.4. Utilization of Aggregate Feedback: Example
3568
3569 Aggregate feedback is consumed by Domain Owners to verify a Domain
3570 Owner's understanding of how the Domain Owner's domain is being
3571 processed by the Mail Receiver. Aggregate reporting data on emails
3572 that pass all DMARC-supporting authentication checks is used by
3573 Domain Owners to verify that authentication practices remain
3574 accurate. For example, if a third party is sending on behalf of a
3575 Domain Owner, the Domain Owner can use aggregate report data to
3576 verify ongoing authentication practices of the third party.
3577
3578
3579
3580
3581
3582
3583
3584
3585
3586Kucherawy & Zwicky Informational [Page 64]
3587
3588RFC 7489 DMARC March 2015
3589
3590
3591 Data on email that only partially passes underlying authentication
3592 checks provides visibility into problems that need to be addressed by
3593 the Domain Owner. For example, if either SPF or DKIM fails to pass,
3594 the Domain Owner is provided with enough information to either
3595 directly correct the problem or understand where authentication-
3596 breaking changes are being introduced in the email transmission path.
3597 If authentication-breaking changes due to email transmission path
3598 cannot be directly corrected, then the Domain Owner at least
3599 maintains an understanding of the effect of DMARC-based policies upon
3600 the Domain Owner's email.
3601
3602 Data on email that fails all underlying authentication checks
3603 provides baseline visibility on how the Domain Owner's domain is
3604 being received at the Mail Receiver. Based on this visibility, the
3605 Domain Owner can begin deployment of authentication technologies
3606 across uncovered email sources. Additionally, the Domain Owner may
3607 come to an understanding of how its domain is being misused.
3608
3609B.5. mailto Transport Example
3610
3611 A DMARC record can contain a "mailto" reporting address, such as:
3612
3613 mailto:dmarc-feedback@example.com
3614
3615 A sample aggregate report from the Mail Receiver at
3616 mail.receiver.example follows:
3617
3618 DKIM-Signature: v=1; ...; d=mail.receiver.example; ...
3619 From: dmarc-reporting@mail.receiver.example
3620 Date: Fri, Feb 15 2002 16:54:30 -0800
3621 To: dmarc-feedback@example.com
3622 Subject: Report Domain: example.com
3623 Submitter: mail.receiver.example
3624 Report-ID: <2002.02.15.1>
3625 MIME-Version: 1.0
3626 Content-Type: multipart/alternative;
3627 boundary="----=_NextPart_000_024E_01CC9B0A.AFE54C00"
3628 Content-Language: en-us
3629
3630 This is a multipart message in MIME format.
3631
3632 ------=_NextPart_000_024E_01CC9B0A.AFE54C00
3633 Content-Type: text/plain; charset="us-ascii"
3634 Content-Transfer-Encoding: 7bit
3635
3636
3637
3638
3639
3640
3641
3642Kucherawy & Zwicky Informational [Page 65]
3643
3644RFC 7489 DMARC March 2015
3645
3646
3647 This is an aggregate report from mail.receiver.example.
3648
3649 ------=_NextPart_000_024E_01CC9B0A.AFE54C00
3650 Content-Type: application/gzip
3651 Content-Transfer-Encoding: base64
3652 Content-Disposition: attachment;
3653 filename="mail.receiver.example!example.com!
3654 1013662812!1013749130.gz"
3655
3656 <gzipped content of report>
3657
3658 ------=_NextPart_000_024E_01CC9B0A.AFE54C00--
3659
3660 Not shown in the above example is that the Mail Receiver's feedback
3661 should be authenticated using SPF. Also, the value of the "filename"
3662 MIME parameter is wrapped for printing in this specification but
3663 would normally appear as one continuous string.
3664
3665Appendix C. DMARC XML Schema
3666
3667 The following is the proposed initial schema for producing
3668 XML-formatted aggregate reports as described in this document.
3669
3670 NOTE: Per the definition of XML, unless otherwise specified in the
3671 schema below, the minOccurs and maxOccurs values for each element are
3672 set to 1.
3673
3674 <?xml version="1.0"?>
3675 <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
3676 targetNamespace="http://dmarc.org/dmarc-xml/0.1">
3677
3678 <!-- The time range in UTC covered by messages in this report,
3679 specified in seconds since epoch. -->
3680 <xs:complexType name="DateRangeType">
3681 <xs:all>
3682 <xs:element name="begin" type="xs:integer"/>
3683 <xs:element name="end" type="xs:integer"/>
3684 </xs:all>
3685 </xs:complexType>
3686
3687 <!-- Report generator metadata. -->
3688 <xs:complexType name="ReportMetadataType">
3689 <xs:sequence>
3690 <xs:element name="org_name" type="xs:string"/>
3691 <xs:element name="email" type="xs:string"/>
3692 <xs:element name="extra_contact_info" type="xs:string"
3693 minOccurs="0"/>
3694 <xs:element name="report_id" type="xs:string"/>
3695
3696
3697
3698Kucherawy & Zwicky Informational [Page 66]
3699
3700RFC 7489 DMARC March 2015
3701
3702
3703 <xs:element name="date_range" type="DateRangeType"/>
3704 <xs:element name="error" type="xs:string" minOccurs="0"
3705 maxOccurs="unbounded"/>
3706 </xs:sequence>
3707 </xs:complexType>
3708
3709 <!-- Alignment mode (relaxed or strict) for DKIM and SPF. -->
3710 <xs:simpleType name="AlignmentType">
3711 <xs:restriction base="xs:string">
3712 <xs:enumeration value="r"/>
3713 <xs:enumeration value="s"/>
3714 </xs:restriction>
3715 </xs:simpleType>
3716
3717 <!-- The policy actions specified by p and sp in the
3718 DMARC record. -->
3719 <xs:simpleType name="DispositionType">
3720 <xs:restriction base="xs:string">
3721 <xs:enumeration value="none"/>
3722 <xs:enumeration value="quarantine"/>
3723 <xs:enumeration value="reject"/>
3724 </xs:restriction>
3725 </xs:simpleType>
3726
3727 <!-- The DMARC policy that applied to the messages in
3728 this report. -->
3729 <xs:complexType name="PolicyPublishedType">
3730 <xs:all>
3731 <!-- The domain at which the DMARC record was found. -->
3732 <xs:element name="domain" type="xs:string"/>
3733 <!-- The DKIM alignment mode. -->
3734 <xs:element name="adkim" type="AlignmentType"
3735 minOccurs="0"/>
3736 <!-- The SPF alignment mode. -->
3737 <xs:element name="aspf" type="AlignmentType"
3738 minOccurs="0"/>
3739 <!-- The policy to apply to messages from the domain. -->
3740 <xs:element name="p" type="DispositionType"/>
3741 <!-- The policy to apply to messages from subdomains. -->
3742 <xs:element name="sp" type="DispositionType"/>
3743 <!-- The percent of messages to which policy applies. -->
3744 <xs:element name="pct" type="xs:integer"/>
3745 <!-- Failure reporting options in effect. -->
3746 <xs:element name="fo" type="xs:string"/>
3747 </xs:all>
3748 </xs:complexType>
3749
3750
3751
3752
3753
3754Kucherawy & Zwicky Informational [Page 67]
3755
3756RFC 7489 DMARC March 2015
3757
3758
3759 <!-- The DMARC-aligned authentication result. -->
3760 <xs:simpleType name="DMARCResultType">
3761 <xs:restriction base="xs:string">
3762 <xs:enumeration value="pass"/>
3763 <xs:enumeration value="fail"/>
3764 </xs:restriction>
3765 </xs:simpleType>
3766
3767 <!-- Reasons that may affect DMARC disposition or execution
3768 thereof. -->
3769 <xs:simpleType name="PolicyOverrideType">
3770 <xs:restriction base="xs:string">
3771 <xs:enumeration value="forwarded"/>
3772 <xs:enumeration value="sampled_out"/>
3773 <xs:enumeration value="trusted_forwarder"/>
3774 <xs:enumeration value="mailing_list"/>
3775 <xs:enumeration value="local_policy"/>
3776 <xs:enumeration value="other"/>
3777 </xs:restriction>
3778 </xs:simpleType>
3779
3780 <!-- How do we allow report generators to include new
3781 classes of override reasons if they want to be more
3782 specific than "other"? -->
3783 <xs:complexType name="PolicyOverrideReason">
3784 <xs:all>
3785 <xs:element name="type" type="PolicyOverrideType"/>
3786 <xs:element name="comment" type="xs:string"
3787 minOccurs="0"/>
3788 </xs:all>
3789 </xs:complexType>
3790
3791 <!-- Taking into account everything else in the record,
3792 the results of applying DMARC. -->
3793 <xs:complexType name="PolicyEvaluatedType">
3794 <xs:sequence>
3795 <xs:element name="disposition" type="DispositionType"/>
3796 <xs:element name="dkim" type="DMARCResultType"/>
3797 <xs:element name="spf" type="DMARCResultType"/>
3798 <xs:element name="reason" type="PolicyOverrideReason"
3799 minOccurs="0" maxOccurs="unbounded"/>
3800 </xs:sequence>
3801 </xs:complexType>
3802
3803
3804
3805
3806
3807
3808
3809
3810Kucherawy & Zwicky Informational [Page 68]
3811
3812RFC 7489 DMARC March 2015
3813
3814
3815 <!-- Credit to Roger L. Costello for IPv4 regex
3816 http://mailman.ic.ac.uk/pipermail/xml-dev/1999-December/
3817 018018.html -->
3818 <!-- Credit to java2s.com for IPv6 regex
3819 http://www.java2s.com/Code/XML/XML-Schema/
3820 IPv6addressesareeasiertodescribeusingasimpleregex.htm -->
3821 <xs:simpleType name="IPAddress">
3822 <xs:restriction base="xs:string">
3823 <xs:pattern value="((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]).){3}
3824 (1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])|
3825 ([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}"/>
3826 </xs:restriction>
3827 </xs:simpleType>
3828
3829 <xs:complexType name="RowType">
3830 <xs:all>
3831 <!-- The connecting IP. -->
3832 <xs:element name="source_ip" type="IPAddress"/>
3833 <!-- The number of matching messages. -->
3834 <xs:element name="count" type="xs:integer"/>
3835 <!-- The DMARC disposition applying to matching
3836 messages. -->
3837 <xs:element name="policy_evaluated"
3838 type="PolicyEvaluatedType"
3839 minOccurs="1"/>
3840 </xs:all>
3841 </xs:complexType>
3842
3843 <xs:complexType name="IdentifierType">
3844 <xs:all>
3845 <!-- The envelope recipient domain. -->
3846 <xs:element name="envelope_to" type="xs:string"
3847 minOccurs="0"/>
3848 <!-- The RFC5321.MailFrom domain. -->
3849 <xs:element name="envelope_from" type="xs:string"
3850 minOccurs="1"/>
3851 <!-- The RFC5322.From domain. -->
3852 <xs:element name="header_from" type="xs:string"
3853 minOccurs="1"/>
3854 </xs:all>
3855 </xs:complexType>
3856
3857 <!-- DKIM verification result, according to RFC 7001
3858 Section 2.6.1. -->
3859 <xs:simpleType name="DKIMResultType">
3860 <xs:restriction base="xs:string">
3861 <xs:enumeration value="none"/>
3862 <xs:enumeration value="pass"/>
3863
3864
3865
3866Kucherawy & Zwicky Informational [Page 69]
3867
3868RFC 7489 DMARC March 2015
3869
3870
3871 <xs:enumeration value="fail"/>
3872 <xs:enumeration value="policy"/>
3873 <xs:enumeration value="neutral"/>
3874 <xs:enumeration value="temperror"/>
3875 <xs:enumeration value="permerror"/>
3876 </xs:restriction>
3877 </xs:simpleType>
3878
3879 <xs:complexType name="DKIMAuthResultType">
3880 <xs:all>
3881 <!-- The "d=" parameter in the signature. -->
3882 <xs:element name="domain" type="xs:string"
3883 minOccurs="1"/>
3884 <!-- The "s=" parameter in the signature. -->
3885 <xs:element name="selector" type="xs:string"
3886 minOccurs="0"/>
3887 <!-- The DKIM verification result. -->
3888 <xs:element name="result" type="DKIMResultType"
3889 minOccurs="1"/>
3890 <!-- Any extra information (e.g., from
3891 Authentication-Results). -->
3892 <xs:element name="human_result" type="xs:string"
3893 minOccurs="0"/>
3894 </xs:all>
3895 </xs:complexType>
3896
3897 <!-- SPF domain scope. -->
3898 <xs:simpleType name="SPFDomainScope">
3899 <xs:restriction base="xs:string">
3900 <xs:enumeration value="helo"/>
3901 <xs:enumeration value="mfrom"/>
3902 </xs:restriction>
3903 </xs:simpleType>
3904
3905 <!-- SPF result. -->
3906 <xs:simpleType name="SPFResultType">
3907 <xs:restriction base="xs:string">
3908 <xs:enumeration value="none"/>
3909 <xs:enumeration value="neutral"/>
3910 <xs:enumeration value="pass"/>
3911 <xs:enumeration value="fail"/>
3912 <xs:enumeration value="softfail"/>
3913 <!-- "TempError" commonly implemented as "unknown". -->
3914 <xs:enumeration value="temperror"/>
3915 <!-- "PermError" commonly implemented as "error". -->
3916 <xs:enumeration value="permerror"/>
3917 </xs:restriction>
3918 </xs:simpleType>
3919
3920
3921
3922Kucherawy & Zwicky Informational [Page 70]
3923
3924RFC 7489 DMARC March 2015
3925
3926
3927 <xs:complexType name="SPFAuthResultType">
3928 <xs:all>
3929 <!-- The checked domain. -->
3930 <xs:element name="domain" type="xs:string" minOccurs="1"/>
3931 <!-- The scope of the checked domain. -->
3932 <xs:element name="scope" type="SPFDomainScope" minOccurs="1"/>
3933 <!-- The SPF verification result. -->
3934 <xs:element name="result" type="SPFResultType"
3935 minOccurs="1"/>
3936 </xs:all>
3937 </xs:complexType>
3938
3939 <!-- This element contains DKIM and SPF results, uninterpreted
3940 with respect to DMARC. -->
3941 <xs:complexType name="AuthResultType">
3942 <xs:sequence>
3943 <!-- There may be no DKIM signatures, or multiple DKIM
3944 signatures. -->
3945 <xs:element name="dkim" type="DKIMAuthResultType"
3946 minOccurs="0" maxOccurs="unbounded"/>
3947 <!-- There will always be at least one SPF result. -->
3948 <xs:element name="spf" type="SPFAuthResultType" minOccurs="1"
3949 maxOccurs="unbounded"/>
3950 </xs:sequence>
3951 </xs:complexType>
3952
3953 <!-- This element contains all the authentication results that
3954 were evaluated by the receiving system for the given set of
3955 messages. -->
3956 <xs:complexType name="RecordType">
3957 <xs:sequence>
3958 <xs:element name="row" type="RowType"/>
3959 <xs:element name="identifiers" type="IdentifierType"/>
3960 <xs:element name="auth_results" type="AuthResultType"/>
3961 </xs:sequence>
3962 </xs:complexType>
3963
3964 <!-- Parent -->
3965 <xs:element name="feedback">
3966 <xs:complexType>
3967 <xs:sequence>
3968 <xs:element name="version"
3969 type="xs:decimal"/>
3970 <xs:element name="report_metadata"
3971 type="ReportMetadataType"/>
3972 <xs:element name="policy_published"
3973 type="PolicyPublishedType"/>
3974
3975
3976
3977
3978Kucherawy & Zwicky Informational [Page 71]
3979
3980RFC 7489 DMARC March 2015
3981
3982
3983 <xs:element name="record" type="RecordType"
3984 maxOccurs="unbounded"/>
3985 </xs:sequence>
3986 </xs:complexType>
3987 </xs:element>
3988 </xs:schema>
3989
3990 Descriptions of the PolicyOverrideTypes:
3991
3992 forwarded: The message was relayed via a known forwarder, or local
3993 heuristics identified the message as likely having been forwarded.
3994 There is no expectation that authentication would pass.
3995
3996 local_policy: The Mail Receiver's local policy exempted the message
3997 from being subjected to the Domain Owner's requested policy
3998 action.
3999
4000 mailing_list: Local heuristics determined that the message arrived
4001 via a mailing list, and thus authentication of the original
4002 message was not expected to succeed.
4003
4004 other: Some policy exception not covered by the other entries in
4005 this list occurred. Additional detail can be found in the
4006 PolicyOverrideReason's "comment" field.
4007
4008 sampled_out: The message was exempted from application of policy by
4009 the "pct" setting in the DMARC policy record.
4010
4011 trusted_forwarder: Message authentication failure was anticipated by
4012 other evidence linking the message to a locally maintained list of
4013 known and trusted forwarders.
4014
4015 The "version" for reports generated per this specification MUST be
4016 the value 1.0.
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030
4031
4032
4033
4034Kucherawy & Zwicky Informational [Page 72]
4035
4036RFC 7489 DMARC March 2015
4037
4038
4039Acknowledgements
4040
4041 DMARC and the draft version of this document submitted to the
4042 Independent Submission Editor were the result of lengthy efforts by
4043 an informal industry consortium: DMARC.org (see <http://dmarc.org>).
4044 Participating companies included Agari, American Greetings, AOL, Bank
4045 of America, Cloudmark, Comcast, Facebook, Fidelity Investments,
4046 Google, JPMorgan Chase & Company, LinkedIn, Microsoft, Netease,
4047 PayPal, ReturnPath, The Trusted Domain Project, and Yahoo!. Although
4048 the contributors and supporters are too numerous to mention, notable
4049 individual contributions were made by J. Trent Adams, Michael Adkins,
4050 Monica Chew, Dave Crocker, Tim Draegen, Steve Jones, Franck Martin,
4051 Brett McDowell, and Paul Midgen. The contributors would also like to
4052 recognize the invaluable input and guidance that was provided early
4053 on by J.D. Falk.
4054
4055 Additional contributions within the IETF context were made by Kurt
4056 Anderson, Michael Jack Assels, Les Barstow, Anne Bennett, Jim Fenton,
4057 J. Gomez, Mike Jones, Scott Kitterman, Eliot Lear, John Levine,
4058 S. Moonesamy, Rolf Sonneveld, Henry Timmes, and Stephen J. Turnbull.
4059
4060Authors' Addresses
4061
4062 Murray S. Kucherawy (editor)
4063
4064 EMail: superuser@gmail.com
4065
4066
4067 Elizabeth Zwicky (editor)
4068 Yahoo!
4069
4070 EMail: zwicky@yahoo-inc.com
4071
4072
4073
4074
4075
4076
4077
4078
4079
4080
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090Kucherawy & Zwicky Informational [Page 73]
4091
4092