One document matched: draft-kucherawy-dmarc-base-03.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" >
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc strict="no"?>
<?rfc toc="yes"?>
<?rfc tocdepth="2"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc inline="yes"?>
<?rfc topblock="yes" ?>
<?rfc autobreaks="yes" ?>
<rfc category="std" docName="draft-kucherawy-dmarc-base-03" ipr="trust200902"
updates="6591">
<front>
<title abbrev="DMARC"> Domain-based Message Authentication, Reporting and Conformance
(DMARC) </title>
<author fullname="Murray S. Kucherawy" initials="M. S." role="editor" surname="Kucherawy">
<address>
<email>superuser@gmail.com</email>
</address>
</author>
<author fullname="Elizabeth Zwicky" initials="E." role="editor" surname="Zwicky">
<organization>Yahoo!</organization>
<address>
<email>zwicky@yahoo-inc.com</email>
</address>
</author>
<date year="2014" />
<area>Applications</area>
<workgroup>Network Working Group</workgroup>
<keyword>domain</keyword>
<keyword>email</keyword>
<keyword>security</keyword>
<keyword>messaging</keyword>
<keyword>dkim</keyword>
<keyword>spf</keyword>
<keyword>authentication</keyword>
<keyword>reporting</keyword>
<keyword>conformance</keyword>
<abstract>
<t>This memo presents a proposal for a scalable mechanism by which a mail sending
organization can express, using the Domain Name System, domain-level policies and
preferences for message validation, disposition, and reporting, and a mail receiving
organization can use those policies and preferences to improve mail handling.</t>
<t> The email ecosystem currently lacks a cohesive mechanism through which email senders
and receivers can make use of multiple authentication protocols to establish
reliable domain identifiers, communicate policies about those identifiers, and
report about mail using those identifiers. This lack of cohesion has several
effects: receivers have difficulty providing feedback to senders about
authentication, senders therefore have difficulty evaluating their authentication
deployments, and as a result neither is able to make effective use of existing
authentication technology.</t>
<t> The enclosed proposal is not intended to introduce mechanisms that provide elevated
delivery privilege of authenticated email. The proposal presents a mechanism for
policy distribution that enables a continuum of increasingly strict handling of
messages that fail multiple authentication checks, from no action, through altered
delivery, up to message rejection.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t> For years, senders have leveraged SPF-authorized and DKIM-signed messages to achieve
domain-level email authentication. Based on that authentication, various mail
receivers have tried to protect senders by using <xref target="DKIM" /> and/or <xref
target="SPF" /> results to detect and block unauthorized email. (A detailed
discussion of the threats these systems attempt to address can be found in <xref
target="DKIM-THREATS" />.) However, there has been no single widely accepted or
publicly available mechanism to communicate domain-specific message authentication
policies, or to request reporting of authentication and disposition of received
mail. As a result, senders who have implemented email authentication have had
difficulty determining how effective their authentication is, and receivers have
been unable to use authentication failures to reject mail or mark it as less
desirable.</t>
<t>Over time, one-on-one relationships were established between select senders and
receivers with privately communicated means to assert policy and receive message
traffic and authentication disposition reporting. Although these ad hoc practices
have been generally successful, they require significant manual coordination between
parties.</t>
<t>This document defines Domain-based Message Authentication, Reporting and Compliance
(DMARC), a mechanism by which email operators leverage existing authentication and
policy advertisement technologies to enable both message-stream feedback and
enforcement of policies against unauthenticated email.</t>
<t>DMARC allows domain owners and receivers to collaborate by <list style="numbers">
<t>Providing receivers with assertions about domain owners' policies</t>
<t>Providing feedback to senders so they can monitor authentication and judge
threats</t>
</list>
</t>
<t>The basic outline of DMARC is: <list style="numbers">
<t>Domain owners publish policy assertions about domains via the DNS.</t>
<t>SMTP receivers compare the RFC5322 From: address in the mail to the SPF and
DKIM results if present and the policy in DNS. <list style="numbers">
<t>These receivers can use these results to determine how the mail should be
handled.</t>
<t>The receiver reports to the domain owner about mail claiming to be
from their domain.</t>
</list></t>
</list></t>
<t>For the purposes of discussion, this document defines the word
"authentication" to include techniques used to verify message integrity
and/or sending-entity authorization. </t>
<t>DMARC differs from previous approaches to policy advertisement (e.g., <xref
target="SPF" /> and <xref target="ADSP" />) in that: <list style="symbols">
<t>Authentication technologies are: <list style="numbers">
<t>decoupled from any technology-specific policy mechanisms; and</t>
<t>used solely to establish reliable per-message domain-level
identifiers.</t>
</list>
</t>
<t>Multiple authentication technologies are used to: <list style="numbers">
<t>reduce the impact of transient authentication errors</t>
<t>reduce the impact of site-specific configuration errors and
deployment gaps</t>
<t>enable more use cases than any individual technology supports
alone</t>
</list>
</t>
<t>Receiver-generated feedback is required, allowing senders to establish
confidence in authentication practices.</t>
<t>The domain name extracted from a message's RFC5322.From field is the primary
identifier in the DMARC mechanism. This identifier is used in conjunction
with the results of the underlying authentication technologies to evaluate
results under DMARC.</t>
</list>
</t>
<section title="Scalability">
<t> Scalability is a major issue for systems that need to operate in a system as
widely deployed as current SMTP email. For this reason, DMARC seeks to avoid the
introduction of third parties or pre-sending agreements between senders and
receivers. This preserves the positive aspects of the current email
infrastructure.</t>
<t> Although DMARC does not introduce third parties to the email
handling flow, it also does not preclude them. Third parties
are free to provide services in conjunction with DMARC. </t>
</section>
<!-- Scalability -->
<section title="Anti-Phishing">
<t>DMARC is designed to prevent bad actors from sending mail which claims to come
from legitimate senders, particularly senders of transactional email.
(official mail that is about business transactions), One of the
primary uses of this kind of spoofed mail is phishing (enticing users to provide
information by pretending to be the legitimate service requesting the information).
Thus, DMARC is significantly informed by ongoing efforts to enact large-scale,
Internet-wide, anti-phishing measures. </t>
<t>Although DMARC can only be used to combat specific forms of exact-domain spoofing
directly, the DMARC mechanism is a substantial step towards the creation of
reliable and defensible message streams.</t>
<t>DMARC does not attempt to solve all problems with spoofed or otherwise fraudulent email. In particular, it
does not address the use of visually similar domain names (cousin domains) or
abuse of the <xref target="MAIL">RFC5322</xref>.From human readable
"display name".</t>
</section>
<!-- Anti-Phishing -->
</section>
<!-- Introduction -->
<section title="Requirements">
<t>Specification of DMARC is guided by the following high-level goals, security
dependencies, detailed requirements, and items that are documented as
out-of-scope.</t>
<section title="High-Level Goals">
<t> One common attack on Internet users involves imitating mail from a reputable
mail sender while including malicious content of some kind. The most damaging
version of this attack, both to end-users and to organizations, uses the RFC5322
From: address of the reputable sender. This kind of attack is more damaging to
end-users than attacks using other addresses because it is more believable and
for several reasons, more likely to be delivered to the inbox. (For instance,
many MUAs (Mail User Agents) support whitelisting of From: domains by end-users.) It is more
damaging to the organizations being spoofed because the
email, being indistinguishable to the user from legitimate
email, severely damages the reputation of the organization. </t>
<t>Current email authentication systems appear sufficient to prevent these attacks,
since both SPF and DKIM should allow receiving systems or users to distinguish
between forged and genuine email from a domain. In practice, however, these
technologies are difficult to implement correctly as a sender and therefore
difficult to use safely as a receiver. DMARC aims to bridge these gaps with
minimal interference to existing systems.</t>
<t>DMARC is intended to reduce the success of attackers sending mail pretending to
be from a domain they do not control, with minimal changes to existing mail
handling at both senders and receivers. It is particularly intended to protect
transactional email, as
opposed to mail between individuals.</t>
<t> That has resulted in the following goals: <list style="symbols">
<t>Allow Domain Owners to assert policy about domain authentication for
consumption by Mail Receivers.</t>
<t>Allow mail senders to verify their authentication deployment.</t>
<t>Minimize the effect on handling and delivery of legitimate messages.</t>
<t>Reduce the amount of successfully delivered spoofed email.</t>
<t>Work at Internet scale.</t>
<t>Minimize implementation complexity for both senders and receivers.</t>
</list></t>
</section>
<section title="Sender/Domain Owner Requirements">
<t>DMARC assumes that entities who send messages with their domains in the RFC5322.From field and wish to protect those messages with
DMARC can <list style="numbers">
<t>Control DNS entries for the domains to be protected, including adding
arbitrary new subdomains with TXT records.</t>
<t>Receive and evaluate reports of significant size via SMTP at some
address, not necessarily associated with the domains to be
protected.</t>
<t>If they wish full protection, and valid mail streams exist, control those
mail streams and associated machines and DNS servers sufficiently to
make messages pass DKIM and/or SPF.</t>
</list></t>
</section>
<section title="Mail Reciever Requirements">
<t>DMARC assumes that mail receivers are able to <list style="numbers">
<t>Do additional DNS lookups, beyond those normally associated with the
receipt of a message, to look for DMARC policy and reporting records. (This
is a worst-case maximum of 3 additional lookups per message, in addition to those required for DKIM and SPF.)</t>
<t>Log details required to generate forensic and aggregate reports about received messages for
a minimum of 24 hours.</t>
<t>Send outgoing aggregate reports from some DMARC-compliant sending system
(not necessarily the same as the system(s) receiving the mail).</t>
</list></t>
</section>
<section title="Out Of Scope">
<t>Several topics and issues are specifically out of scope for this work. This includes the following: <list style="symbols">
<t> DMARC shall not be required to protect against any attacks against
components that are essential dependencies (e.g. DNS attacks, bugs in
DKIM verification, malware on the end-user machine or in the sender's
system). Compromised components at or near the sender can cause passing
results for mail which the sender did not intend to be authenticated,
while compromised components at the receiver can cause either passing
result for unauthenticated mail, or failing results for authenticated
mail. </t>
<t> DMARC will not make a distinction between absent authentication and
failed authentication. </t>
<t> DMARC will not allow for use of header fields other than the
RFC5322.From to field perform identifier alignment checks (see <xref target="id_alignment_element"/>). </t>
<t> DMARC has no "short-circuit" provision, such as specifying that a pass
from one authentication test allows one to skip the other(s). All are
required for reporting. </t>
<t> This first version of DMARC supports only a single reporting format. </t>
<t> DMARC makes no attempt to accommodate discovery of policy outside of the
DNS. </t>
<t> DMARC provides no advice about handling of malformed messages that might
seek to exploit message processing weaknesses. There are other
specifications and operational documents that cover these issues. </t>
<t> DMARC reports only on the last-hop IP address, and does not provide for
reporting of the originating IP. </t>
<t> DMARC does not address attacks that provide false information in the
display-name portion of the RFC5322.From field. </t>
<t>Authentication of individuals rather than domains.</t>
<t>Handling of undesirable or malicious mail that is coming from the domain
from which it claims to be sent.</t>
</list>
</t>
</section>
</section>
<section anchor="terms_and_defs" title="Terminology and Definitions">
<t>This section defines terms used in the rest of the document.</t>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD
NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as
described in <xref target="KEYWORDS" />.</t>
<t>For the purpose of establishing context, readers are encouraged to be familiar with
the contents of <xref target="EMAIL-ARCH" />. In particular, that document defines
various roles in the messaging infrastructure that can appear the same or separate
in various contexts. For example, a Domain Owner could, via the messaging security
mechanisms on which DMARC is based, delegate the ability to send mail as the Domain
Owner to some third party. This memo does not address the distinctions among such
roles; the reader is encouraged to become familiar with that material before
continuing. </t>
<t>The following terms are also used: <list style="hanging">
<t hangText="Authenticated Identifiers:"> Domain-level identifiers that are
established using authentication technologies are referred to as
"Authenticated Identifiers". See <xref target="auth_mechs" /> for details
about the supported mechanisms. </t>
<t hangText="Author Domain:"> The domain name of the apparent author,
as extracted from the RFC5322.From field. </t>
<t hangText="Cousin Domain:"> A registered domain name that
is deceptively similar to a target domain name or other
name of a known entity. The target name is familiar to
many users, and therefore imparts a degree of trust.
The deception is enacted by embedding the essential
parts of the target name in a new string (such as,
"companysecurity.example" to attack "company.example"),
or it can use some variant of the target name, such as
replacing 'i' with '1', which is known as a
"homograph attack". </t>
<t hangText="Domain Owner:"> An entity or organization that "owns" a DNS domain.
The term "owns" here indicates that the entity or organization being
referenced holds the registration of that DNS domain. Entities that are
Domain Owners range from complex, globally-distributed organizations, to
service providers working on behalf of non-technical clients, to individuals
responsible for maintaining personal domains. This specification uses this
term as analogous to an Administrative Management Domain as defined in <xref
target="EMAIL-ARCH" />. </t>
<t hangText="Identifier Alignment:"> The concept of alignment between the
RFC5322.From address (i.e., the purported author of the message) and
the identifier(s) checked by message authentication schemes, in particular
SPF and DKIM. </t>
<t hangText="Mail Receiver:"> The entity or organization that receives and
processes email. Mail Receivers operate one or more Internet-facing Mail
Transport Agents (MTAs).</t>
<t hangText="Organizational Domain:"> For the purposes of this document, an
Organizational Domain is the domain that was registered with a domain name
registrar. In the absence of more accurate methods, heuristics are used to
determine this, since it is not always the case that the registered domain
name is simply a top-level DNS domain plus one component (e.g.,
"example.com", where "com" is a top-level domain). The Organizational Domain
is determined by applying algorithm found in <xref target="od"/>. </t>
<t hangText="Report Receiver:"> An operator that receives reports from another operator
implementing the reporting mechanism described in this document.
Such an operator might be receiving reports about its own messages,
or reports about the messages claiming to be from a third party.
This term applies collectively to the system components that
receive and process these reports and the organizations that
operate them. </t>
</list>
</t>
<section anchor="overview" title="Overview">
<t> This section provides a general overview of the design and operation
of the DMARC environment. </t>
<section anchor="auth_mechs" title="Authentication Mechanisms">
<t> The following mechanisms for determining Authenticated Identifiers are supported
in the current version of DMARC: <list style="symbols">
<t>
<xref target="DKIM" />, which provides a domain-level identifier in the
content of the "d=" tag of a validated signature. </t>
<t>
<xref target="SPF" />, which can authenticate the domain found in an
<xref target="SMTP" /> MAIL command. </t>
</list>
</t>
</section>
<!-- Authentication Mechanisms -->
<section anchor="general" title="General Concepts">
<t> A DMARC-enabled Domain Owner creates a DNS record to specify policy. Mail sent
from such a domain may or may not also be authenticated with DKIM and/or SPF.</t>
<t>A DMARC-enabled Mail Receiver looks for DMARC records in DNS during SMTP
processing and uses them to filter mail at that time, and later to provide
feedback to the Domain Owner.</t>
<t>DMARC's filtering component is based on whether SPF or DKIM can provide a
relevant authenticated identifier for the message under consideration. Messages
that purport to be from a Domain Owner's domain and arrive from servers that are
not authorized by SPF and do not contain an appropriate DKIM signature can be
affected by DMARC policies.</t>
<t>DMARC's feedback component involves the collection of information about received
messages claiming to be from the Organizational Domain for periodic aggregate reports to
the Domain Owner. The parameters and format for such reports are discussed in
later sections of this document.</t>
<t>A DMARC-enabled Mail Receiver might also generate per-message reports that
contain information related to individual messages which fail SPF and/or DKIM.
Per-message failure reports are a useful source of information when debugging deployments
(if messages can be determined to be legitimate even though failing
authentication) or in analyzing attacks. The capability for such services is
enabled by DMARC but defined in other referenced material.</t>
<t>It is important to note that the authentication mechanisms employed by DMARC
authenticate only a DNS domain, and do not authenticate the local-part of any
email address identifier found in a message.</t>
</section>
<section anchor="ascii_art" title="Flow Diagram">
<t> <figure> <artwork>
+--------+
| Author |<. . . . . . . . . . . . . . . . . . . . . . . . . . .
+--------+ . . .
| . . .
V V V .
+------------+ +--------+ +----------+ +----------+ .
| Submission |<***>| DKIM | | DKIM | | SPF | .
| Service | | Signer | | Verifier | | Verifier | .
+------------+ +--------+ +----------+ +----------+ .
| ^ ^ .
| * * .
V V * .
+------+ (~~~~~~~~~~~~) +------+ * .
| sMTA |------->( other MTAs )------>| rMTA |<******** .
+------+ (~~~~~~~~~~~~) +------+ .
| ^ +----------+ .
| ****>| DMARC |<..
| | Verifier |
V +----------+
+---------+
| User |
| Mailbox |
+---------+
</artwork> </figure> </t>
<t> The above diagram shows a simple flow of messages through a DMARC-aware
system. Solid lines denote the actual message flow; dotted lines
involve Domain Name System queries used to retrieve message policy
related to the supported message authentication schemes; asterisk
lines indicate data exchange between message handling modules
and message authentication modules. </t>
<t> In essence the steps are as follows:
<list style="numbers">
<t> Author constructs an SPF policy and publishes it in its
DNS database as per <xref target="SPF"/>. Author also
configures its system for DKIM signing as described
in <xref target="DKIM"/>. </t>
<t> Author generates a message and hands the message to its
designated mail submission service. </t>
<t> Submission service passes relevant details to the DKIM
signing module in order to generate a DKIM signature to be
applied to the message. </t>
<t> Submission service relays the now-signed message to
its designated transport service for routing to its
intended recipient(s). </t>
<t> Message may pass through other relays, but eventually
arrives at a recipient's transport service </t>
<t> Recipient transport service conducts SPF and DKIM
authentication checks by passing the necessary data to
their respective modules, each of which require queries
to the author's DNS data (when identifiers are
aligned; see below). </t>
<t> The results of these are passed to the DMARC module
along with the Author domain. The DMARC module does a small
number of further DNS queries to the Organizational Domain to
extract DMARC-specific policy details. These, in
combination, produce a DMARC policy result (e.g., a
"pass" or "fail"), and can
optionally cause one of two kinds of reports to be
generated (not shown). </t>
<t> Recipient transport service either delivers the message
to the recipient inbox, or takes other local policy action
based on the DMARC result (not shown). </t>
</list> </t>
</section>
<section anchor="id_alignment_element" title="Identifier Alignment">
<t>Email authentication technologies authenticate various (and disparate) aspects of
an individual message. For example, <xref target="DKIM" /> authenticates the
domain that affixed a signature to the message, while <xref target="SPF" />
authenticates either the domain that appears in the RFC5321.MailFrom portion of
<xref target="SMTP" /> or the RFC5321.EHLO/HELO domain if the
RFC5321.MailFrom is null (in the case of Delivery Status Notifications). These
may be different domains, and none of these domains are guaranteed to be visible
to the end user.</t>
<t>DMARC uses the <xref target="MAIL">RFC5322</xref>.From domain to evaluate the
applicability of Authenticated Identifiers. The <xref target="MAIL"
>RFC5322</xref>.From domain was selected as the central identity of the
DMARC mechanism because it is a required message header field and therefore guaranteed to be
present in compliant messages, and most MUAs represent the <xref target="MAIL"
>RFC5322</xref>.From field as the originator of the message and render some
or all of this header field's content to end users.</t>
<t>Domain names in this context are to be compared in a case-insensitive manner, per
<xref target="DNS-CASE" />. </t>
<t>It is important to note that identifier alignment cannot occur with a message that
is not valid per <xref target="MAIL" />, particularly one with a malformed or
absent RFC5322.From field. Handling of such cases is left to the discretion of
the Mail Receiver. </t>
<t> Both of the underlying authentication technologies DMARC takes as input
yield authenticated domains as their outputs. From the perspective
of DMARC, each
can be operated in a "strict" mode or a "relaxed" mode. An operator
would normally select "strict" mode if it wanted to affect
only messages bearing an RFC5322.From domain exactly matching
the domains those mechanisms will verify. Using "relaxed" mode
can be used when the operator also wishes to affect message flows bearing
subdomains of the verified domains. </t>
<section anchor="dkim_id_align" title="DKIM-authenticated Identifiers">
<t>DMARC provides the option of applying DKIM in a strict or relaxed
identifier alignment mode. (Note that these are not related to DKIM's "simple" and "relaxed"
canonicalization modes.) </t>
<t>In relaxed mode, the Organizational Domains of both the <xref target="DKIM"
/>-authenticated signing domain (taken from the value of the "d=" tag in
the signature) and that of the RFC5322.From domain must be equal if the identifiers
are to be considered aligned. In strict
mode, only an exact match between both of the Fully Qualified Domain Names (FQDN) considered to produce identifier alignment. </t>
<t>To illustrate, in relaxed mode, if a validated DKIM signature successfully
verifies with a "d=" domain of "example.com", and the RFC5322.From address is
"alerts@news.example.com", the DKIM "d=" domain and the RFC5322.From domain
are considered to be "in alignment". In strict mode, this test would
fail since the "d=" domain does not match the FQDN of the address.</t>
<t>However, a DKIM signature bearing a value of "d=com" would never allow an "in
alignment" result as "com" should appear on all public suffix lists, and
therefore cannot be an Organizational Domain.</t>
<t>Identifier alignment is required because mail can be validly signed by an
unrelated domain (for instance, a bad actor can sign it with a Cousin
Domain). By itself, DKIM does not make any assertions about the identity
visible to the end user.</t>
<t>Note that a single email can contain multiple DKIM signatures, and it is
considered to be a DMARC "pass" if any DKIM signature is aligned and
valid.</t>
</section>
<!-- DKIM Identifiers -->
<section anchor="spf_id_align" title="SPF-authenticated Identifiers">
<t>DMARC provides the option of applying SPF in a strict or relaxed identifier alignment mode. </t>
<t>In relaxed mode, the <xref target="SPF" />-authenticated domain and
RFC5322.From domain must have the same Organizational Domain. In strict
mode, only an exact DNS domain match is considered to produce identifier
alignment.</t>
<t>For example, if a message passes an SPF check with an RFC5321.MailFrom domain
of "cbg.bounces.example.com", and the address portion of the RFC5322.From
field contains "payments@example.com", the Authenticated RFC5321.MailFrom
domain identifier and the RFC5322.From domain are considered to be "in
alignment" in relaxed mode, but not in strict mode.</t>
</section>
<!-- SPF Identifiers -->
<section anchor="ext_id_align" title="Alignment and Extension Technologies">
<t> If DMARC is extended to include the use of other authentication mechanisms,
the extensions will need to allow for domain identifier extraction so that
alignment with the RFC5322.From domain can be verified.</t>
</section>
<!-- Alignment and Extension Technologies -->
</section>
<!-- Identifier Alignment -->
</section>
<!-- Definitions -->
<section anchor="od" title="Organizational Domain">
<t> The Organizational Domain is determined using the following algorithm: <list style="numbers">
<t> Acquire a "public suffix" list, i.e., a list of DNS domain names
reserved for registrations. Some country TLDs make specific
registration requirements, e.g. the United Kingdom places company
registrations under ".co.uk"; other TLDs such as ".com" appear in
the IANA registry of top-level DNS domains. A public suffix list is
the union of all of these. <xref target="suffixes" /> contains some
discussion about obtaining a public suffix list. </t>
<t> Break the subject DNS domain name into a set of "n" ordered labels.
Number these labels from right-to-left; e.g. for "example.com",
"com" would be label 1 and "example" would be label 2. </t>
<t> Search the public suffix list for the name that matches the largest
number of labels found in the subject DNS domain. Let that number be
"x". </t>
<t> Construct a new DNS domain name using the name that matched from the
public suffix list and prefixing to it the "x+1"th label from the
subject domain. This new name is the Organizational Domain. </t>
</list> Thus, since "com" is an IANA-registered TLD, a subject domain of
"a.b.c.d.example.com" would have an Organizational Domain of
"example.com".</t>
<t> The process of determining a suffix is currently a heuristic one. No list is
guaranteed to be accurate or current. </t>
</section>
</section>
<section anchor="policy_element" title="Policy">
<t> DMARC policies are published by Domain Owners and applied by Mail Receivers. </t>
<t> A Domain Owner advertises DMARC participation of one or more of its domains by adding a DNS TXT record (described
in <xref target="dmarc_record" />) to those domains. In doing so, Domain
Owners make specific requests of Mail Receivers regarding the disposition of
messages purporting to be from one of the Domain Owner's domains and the provision
of feedback about those messages.</t>
<t> A Mail Receiver MUST consider an arriving message to pass the DMARC test if and only
if one or more of the underlying message authentication mechanisms pass with proper
identifier alignment. DMARC considers only success; failure and nonexistence of authentication mechanisms
are equivalent.</t>
<t> A Domain Owner may find that although its messages pass a particular
authentication scheme's checks, it wishes not to have Mail Receivers
consider those results as evidence that the message was authorized.
In this case, the Domain Owner simply declines to advertise participation
in those schemes. For example, if the results of path authorization
checks ought not be considered as part of the overall DMARC result for
a given Author Domain, then the Domain Owner does not publish an
SPF policy record that can produce an SPF pass result. </t>
<t> A Mail Receiver implementing the DMARC mechanism makes a best-effort attempt to
adhere to the Domain Owner's published DMARC policy when a message fails the DMARC
test. Since email streams can be complicated (due to forwarding, existing
RFC5322.From domain-spoofing services, etc.), Mail Receivers MAY deviate from a
Domain Owner's published policy during message processing and SHOULD make available
the fact of and reason for the deviation to the Domain Owner via feedback reporting,
specifically using the "PolicyOverride" feature of the aggregate
report (see <xref target="fb_aggregate"/>).
</t>
</section>
<!-- Policy -->
<section anchor="dmarc_record" title="DMARC Policy Record">
<t> Domain Owner DMARC preferences are stored as DNS TXT records in subdomains named
"_dmarc". For example, the Domain Owner of "example.com" would post DMARC
preferences in a TXT record at "_dmarc.example.com". Similarly, a Mail Receiver
wishing to query for DMARC preferences regarding mail with an RFC5322.From domain of
"example.com" would issue a TXT query to the DNS for the subdomain of
"_dmarc.example.com". The DNS-located DMARC preference data will hereafter be called
the "DMARC record". </t>
<t> DMARC's use of the Domain Name Service is driven
by DMARC's use of domain names and the nature of the query it performs. The
query requirement matches perfectly with the DNS, for obtaining simple
parametric information. It uses an established method of storing the
information, associated with the target domain name, namely an isolated TXT
record that is restricted to the DMARC context. Use of the DNS as the query
service has the considerable benefit of re-using an extremely
well-established operations, administration and management infrastructure,
rather than creating a new one. </t>
<t> Per <xref target="DNS" />, a TXT record can comprise several "character-string"
objects. Where this is the case, the module performing DMARC evaluation MUST
concatenate these strings by joining together the objects in order and parsing the
result as a single string. </t>
<section anchor="dmarc_uris" title="DMARC URIs">
<t>
<xref target="URI" /> defines a generic syntax for identifying a resource. The
DMARC mechanism uses this as the format by which a Domain Owner specifies the
destination for the two report types (RUA and RUF) that are supported. </t>
<t> The place such URIs are specified (see <xref target="dmarc_format" />) allows a
list of these to be provided. A report is to be sent to each listed URI. Mail
Receivers MAY impose a limit on the number of URIs that receive reports, but
MUST support at least two. The list of URIs is separated by commas (ASCII 0x2C). </t>
<t> Each URI can have associated with it a maximum report size that may be sent to
it. This is accomplished by appending an exclamation point (ASCII 0x21),
followed by a maximum size indication, before a separating comma or terminating
semi-colon. </t>
<t> Thus, a DMARC URI is a URI within which any commas or exclamation points are
percent-encoded per <xref target="URI" />, followed by an OPTIONAL exclamation
point and a maximum size specification, and, if there are additional reporting
URIs in the list, a comma and the next URI. </t>
<t> For example, the URI "mailto:reports@example.com%2550m" would request a report be
sent via email to "reports@example.com" so long as the report payload does not
exceed 50 megabytes. </t>
<t> A formal definition is provided in <xref target="dmarc_abnf" />. </t>
</section>
<section anchor="dmarc_format" title="General Record Format">
<t> DMARC records follow the extensible "tag-value" syntax for DNS-based key records
defined in <xref target="DKIM">DKIM</xref>]. </t>
<t>
<xref target="iana_considerations" /> creates a registry for known DMARC tags
and registers the initial set defined in this memo. Only tags defined in this
memo or in later extensions, and thus added to that registry, are to be
processed; unknown tags MUST be ignored. </t>
<t> The following tags are introduced as the initial valid DMARC tags: <list
style="hanging">
<t hangText="adkim:"> (plain-text; OPTIONAL, default is "r".) Indicates
whether strict or relaxed DKIM identifier alignment mode is required by the
Domain Owner. See <xref target="dkim_id_align" /> for details. </t>
<t hangText="aspf:"> (plain-text; OPTIONAL, default is "r".) Indicates
whether strict or relaxed SPF identifier alignment mode is required by the Domain
Owner. See <xref target="spf_id_align" /> for details. </t>
<t hangText="fo:"> Failure reporting options (plain-text; OPTIONAL, default
"0")) Provides requested options for generation of failure reports.
Report generators MAY choose to adhere to the requested options. This
tag's content MUST be ignored if a "ruf" tag (below) is not also
specified. The value of this tag is a colon-separated list of characters
that indicate failure reporting options as follows: <list
style="hanging">
<t hangText="0:"> Generate a DMARC failure report if all underlying
authentication mechanisms failed to produce an aligned "pass"
result. </t>
<t hangText="1:"> Generate a DMARC failure report if any underlying
authentication mechanism failed to produce an aligned "pass"
result. </t>
<t hangText="d:"> Generate a DKIM failure report if the message had
a signature that failed evaluation, regardless of its alignment.
DKIM-specific reporting is described in <xref target="AFRF-DKIM"
/>. </t>
<t hangText="s:"> Generate an SPF failure report if the message
failed SPF evaluation, regardless of its alignment. SPF-specific
reporting is described in <xref target="AFRF-SPF" />. </t>
</list></t>
<t hangText="p:"> Requested Mail Receiver policy (plain-text; REQUIRED for
policy records). Indicates the policy to be enacted by the Receiver at
the request of the Domain Owner. Policy applies to the domain queried
and to sub-domains unless sub-domain policy is explicitly described
using the "sp" tag. This tag is mandatory for policy records only, but
not for third-party reporting records (see <xref target="fb_verify" />).
Possible values are as follows: <list style="hanging">
<t hangText="none:"> The Domain Owner requests no specific action be
taken regarding delivery of messages. </t>
<t hangText="quarantine:"> The Domain Owner wishes to have email
that fails the DMARC mechanism check to be treated by Mail
Receivers as suspicious. Depending on the capabilities of the
Mail Receiver, this can mean "place into spam folder",
"scrutinize with additional intensity", and/or "flag as
suspicious". </t>
<t hangText="reject:"> The Domain Owner wishes for Mail Receivers to
reject email that fails the DMARC mechanism check. Rejection
SHOULD occur during the SMTP transaction. See <xref
target="disc_rejection" /> for some discussion of SMTP
rejection methods and their implications. </t>
</list>
</t>
<t hangText="pct:"> (plain-text integer between 0 and 100, inclusive;
OPTIONAL; default is 100). Percentage of messages from the Domain Owner's
mail stream to which the DMARC mechanism is to be applied. However, this
MUST NOT be applied to the DMARC-generated reports, all of which must be
sent and received unhindered. The purpose of the "pct" tag is to allow
Domain Owners to enact a slow rollout enforcement of the DMARC
mechanism. The prospect of "all or nothing" is recognized as preventing
many organizations from experimenting with strong authentication-based
mechanisms. See <xref target="fallback" /> for details. Note that
random selection based on this percentage, such as the following pseudocode,
is adequate:
<figure> <artwork><![CDATA[
if (random mod 100) < pct then
selected = true
else
selected = false ]]></artwork> </figure> </t>
<t hangText="rf:"> Format to be used for message-specific failure reports
(colon-separated plain-text list of values; OPTIONAL; default "afrf").
The value of this tag is a list of one or more report formats as
requested by the Domain Owner to be used when a message fails both <xref
target="SPF" /> and <xref target="DKIM" /> tests to report details
of the individual failure. The values MUST be present in the registry of
reporting formats defined in <xref target="iana_considerations" />; a
Mail Receiver observing a different value SHOULD ignore it, or MAY
ignore the entire DMARC record. Possible values are "afrf"
(defined in <xref target="AFRF" />) and "iodef" (defined in <xref
target="IODEF" />). See <xref target="forensic" /> for details. </t>
<t hangText="ri:"> Interval requested between aggregate reports (plain-text,
32-bit unsigned integer; OPTIONAL; default 86400). Indicates a request
to Receivers to generate aggregate reports separated by no more than the
requested number of seconds. DMARC implementations MUST be able to
provide daily reports and SHOULD be able to provide hourly reports when
requested. However, anything other than a daily report is understood to
be accommodated on a best-effort basis. </t>
<t hangText="rua:"> Addresses to which aggregate feedback is to be sent
(comma-separated plain-text list of DMARC URIs; OPTIONAL). A comma or
exclamation point that is part of such a DMARC URI MUST be encoded per
Section 2.1 of <xref target="URI" /> so as to distinguish it from the
list delimiter or an OPTIONAL size limit. <xref target="fb_verify" />
discusses considerations that apply when the domain name of a URI
differs from that of the domain advertising the policy. See <xref
target="sec_external" /> for additional considerations. Any valid
URI can be specified. A Mail Receiver MUST implement support for a
"mailto:" URI, i.e. the ability to send a DMARC report via electronic
mail. If not provided, Mail Receivers MUST NOT generate aggregate
feedback reports. URIs not supported by Mail Receivers MUST be ignored.
The aggregate feedback report format is described in <xref
target="fb_aggregate" />. </t>
<t hangText="ruf:"> Addresses to which message-specific failure information
is to be reported (comma-separated plain-text list of DMARC URIs;
OPTIONAL). If present, the Domain Owner is requesting Mail Receivers to
send detailed failure reports about messages that fail the DMARC
evaluation in specific ways (see the "fo" tag above). The format of the
message to be generated MUST follow that specified in the "rf" tag.
<xref target="fb_verify" /> discusses considerations that apply when
the domain name of a URI differs from that of the domain advertising the
policy. A Mail Receiver MUST implement support for a "mailto:" URI, i.e.
the ability to send a DMARC report via electronic mail. If not provided,
Mail Receivers MUST NOT generate failure reports. See <xref
target="sec_external" /> for additional considerations. </t>
<t hangText="sp:"> Requested Mail Receiver policy for all subdomains
(plain-text; OPTIONAL). Indicates the policy to be enacted by the
Receiver at the request of the Domain Owner. It applies only to
subdomains of the domain queried and not to the domain itself. Its
syntax is identical to that of the "p" tag defined above. If absent, the
policy specified by the "p" tag MUST be applied for subdomains. Note that
"sp" will be ignored for DMARC records published on sub-domains of
Organizational Domains due to the effect of the DMARC Policy Discovery mechanism
described in <xref target="policy_discovery" />.</t>
<t hangText="v:"> Version (plain-text; REQUIRED). Identifies the record
retrieved as a DMARC record. It MUST have the value of "DMARC1". The
value of this tag MUST match precisely; if it does not or it is absent,
the entire retrieved record MUST be ignored. It MUST be the first tag in
the list. </t>
</list>
</t>
<t> A DMARC policy record MUST comply with the formal specification found in <xref
target="dmarc_abnf" /> in that the "v" and "p" tags MUST be present and MUST
appear in that order. Unknown tags MUST be ignored. Syntax errors in the
remainder of the record SHOULD be discarded in favor of default values (if any)
or ignored outright. </t>
<t> Note that given the rules of the previous paragraph, addition of a new tag into
the registered list of tags does not itself require a new version of DMARC to be
generated (with a corresponding change to the "v" tag's value), but a change to
any existing tags does require a new version of DMARC. </t>
</section>
<!-- General Record Format -->
<section anchor="dmarc_abnf" title="Formal Definition">
<t> The formal definition of the DMARC format using <xref target="ABNF" /> is as
follows: </t>
<figure>
<artwork>
dmarc-uri = URI [ "!" 1*DIGIT [ "k" / "m" / "g" / "t" ] ]
; "URI" is imported from [URI]; commas (ASCII
; 0x2c) and exclamation points (ASCII 0x21)
; MUST be encoded; the numeric portion MUST fit
; within an unsigned 64-bit integer
dmarc-record = dmarc-version dmarc-sep
[dmarc-request]
[dmarc-sep dmarc-srequest]
[dmarc-sep dmarc-auri]
[dmarc-sep dmarc-furi]
[dmarc-sep dmarc-adkim]
[dmarc-sep dmarc-aspf]
[dmarc-sep dmarc-ainterval]
[dmarc-sep dmarc-fo]
[dmarc-sep dmarc-rfmt]
[dmarc-sep dmarc-percent]
[dmarc-sep]
; components other than dmarc-version and
; dmarc-request may appear in any order
dmarc-version = %x76 *WSP "=" %x44 %x4d %x41 %x52 %x43 %x31
dmarc-sep = *WSP %3b *WSP
dmarc-request = %x70 *WSP "=" *WSP
( "none" / "quarantine" / "reject" )
dmarc-srequest = %x73 %x70 *WSP "=" *WSP
( "none" / "quarantine" / "reject" )
dmarc-auri = %x72 %x75 %x61 *WSP "=" *WSP
dmarc-uri *(*WSP "," *WSP dmarc-uri)
dmarc-furi = %x72 %x75 %x66 *WSP "=" *WSP
dmarc-uri *(*WSP "," *WSP dmarc-uri)
dmarc-adkim = %x61 %x64 %x6b %x69 %x6d *WSP "=" *WSP
( "r" / "s" )
dmarc-aspf = %x61 %x73 %x70 %x66 *WSP "=" *WSP
( "r" / "s" )
dmarc-ainterval = %x72 %x69 *WSP "=" *WSP 1*DIGIT
dmarc-fo = %x66 %x6f *WSP "=" *WSP
( "0" / "1" / "d" / "s" )
*(*WSP ":" *WSP ( "0" / "1" / "d" / "s" ))
dmarc-rfmt = %x72 %x66 *WSP "=" *WSP
( "afrf" / "iodef" )
dmarc-percent = %x70 %x63 %x74 *WSP "=" *WSP
1*3DIGIT
</artwork>
</figure>
<t> A size limitation in a dmarc-uri, if provided, is interpreted as a count of
units followed by an OPTIONAL unit size ("k" for kilobytes, "m" for megabytes,
"g" for gigabytes, "t" for terabytes). Without a unit, the number is presumed to
be a basic byte count. Note that the units are considered to be powers of two; a
kilobyte is 2^10, a megabyte is 2^20, etc. </t>
<t> Tag and value matching is case-insensitive. </t>
</section>
<!-- Formal Definition -->
</section>
<!-- DMARC Policy Record -->
<section anchor="enforcement_policy_element" title="Policy Enforcement Considerations">
<t> Mail Receivers MAY choose to reject or quarantine email even if email passes the
DMARC mechanism check. The DMARC mechanism does not inform Mail Receivers whether an
email stream is "good". Mail Receivers are encouraged to maintain anti-abuse
technologies to combat the possibility of DMARC-enabled criminal campaigns.</t>
<t> Mail Receivers MAY choose to accept email that fails the DMARC mechanism check even
if the Domain Owner has published a "reject" policy. Mail Receivers need to make a
best effort not to increase the likelihood of accepting abusive mail if they choose
not to comply with a Domain Owner's reject, against policy. At a minimum, addition
of the Authentication-Results header field (see <xref target="AUTH-RESULTS" />) is
RECOMMENDED when delivery of failing mail is done. When this is done, the DNS domain
name thus recorded MUST be encoded as an A-label, as described in Section 2.3 of
<xref target="IDNA" />. </t>
<t> Mail Receivers are only obligated to report reject or quarantine policy actions in
aggregate feedback reports that are due to DMARC policy. They are not required to
report reject or quarantine actions that are the result of local policy. If local
policy information is exposed, abusers can gain insight into the effectiveness and
delivery rates of spam campaigns.</t>
<t> Final disposition of a message is always a matter of local policy.
An operator that wishes to favor DMARC policy over SPF policy, for example,
will disregard the SPF policy since enacting an SPF-determined rejection
prevents evaluation of DKIM; DKIM might otherwise pass, satisfying the DMARC
evaluation. There is a trade-off to doing so, namely acceptance and processing
of the entire message body in exchange for the enhanced protection DMARC
provides. </t>
<t> DMARC-compliant Mail Receivers typically disregard any mail handling directive discovered as
part of an authentication mechanism (e.g., ADSP, SPF) where a DMARC record is also
discovered that specifies a policy other than "none". Deviating from this practice
introduces inconsistency among DMARC operators in terms of handling of the message. However, such deviation is not
proscribed. </t>
<t> To enable Domain Owners to
receive DMARC feedback without impacting existing mail processing, discovered
policies of "p=none" SHOULD NOT modify existing mail disposition processing. </t>
<t> Mail Receivers SHOULD also implement reporting instructions of DMARC in place of any
extensions to SPF or DKIM that might enable such reporting. </t>
<section anchor="fallback" title="Policy Fallback Mechanism">
<t> If the "pct" tag is present in a policy record, application of policy is done on
a selective basis. The stated percentage of messages that fail the DMARC test
MUST be subjected to whatever policy is selected by the "p" or "sp" tag (if
present). Those that are not thus selected MUST instead be subjected to the next
policy lower in terms of severity. In decreasing order of severity, the policies
are "reject", "quarantine", and "none". </t>
<t> For example, in the presence of "pct=50" and "p=reject" in the DMARC policy
record for "example.com", half of the messages with an RFC5322.From domain of "example.com"
that fail the DMARC test would be subjected to "reject"
action, and the remainder subjected to "quarantine" action. </t>
<t>Mail receivers MAY implement pct via statistical mechanisms that achieve a close
approximation to the requested percentage. Mail receivers SHOULD make a
best-effort attempt to make the sampling even across a reporting period. </t>
</section>
<!-- Policy Fallback Mechanism -->
</section>
<!-- Policy Enforcement -->
<section anchor="feedback" title="DMARC Feedback">
<t> Providing Domain Owners with visibility into how Mail Receivers implement and
enforce the DMARC mechanism in the form of feedback is critical to establishing and
maintaining accurate authentication deployments. When Domain Owners can see what
effect their policies and practices are having, they are better willing and able to
use quarantine and reject policies. </t>
<section anchor="fb_verify" title="Verifying External Destinations">
<t> It is possible to specify destinations for the different reports that are
outside the authority of the Domain Owner making the request. This is enabled to allow domains that do
not operate mail servers to request reports and have them go someplace that is able
to receive and process them. </t>
<t> Without checks, this would allow a bad actor to publish a DMARC policy record
that requests reports be sent to a victim address, and then send a large volume
of mail that will fail both DKIM and SPF checks to a wide variety of
destinations, which will in turn flood the victim with unwanted reports.
Therefore, a verification mechanism is included. </t>
<t> When a Mail Receiver discovers a DMARC policy in the DNS, and the Organizational
Domain at which that record was discovered is not identical to the Organizational
Domain of the host part of the authority component of a <xref target="URI" />
specified in the "rua" or "ruf" tag, the following verification steps SHOULD be
taken:
<list style="numbers">
<t> Extract the host portion of the authority component of the URI. Call
this the "destination host", and refers to a Report Receiver. </t>
<t> Prepend the string "_report._dmarc". </t>
<t> Prepend the domain name from which the policy was retrieved, after
conversion to an A-label if needed. </t>
<t> Query the DNS for a TXT record at the constructed name. If the result of
this request is a temporary DNS error of some kind (e.g., a timeout),
the Mail Receiver MAY elect to temporarily fail the delivery so the
verification test can be repeated later. </t>
<t> For each record returned, parse the result as a series of "tag=value"
pairs, i.e., the same overall format as the policy record (see <xref
target="dmarc_abnf" />). In particular, the "v=DMARC1" tag is
mandatory and MUST appear first in the list. Discard any that do not
pass this test. </t>
<t> If the result includes no TXT resource records that pass basic parsing,
a positive determination of the external reporting relationship cannot
be made; stop. </t>
<t> If at least one TXT resource record remains in the set after parsing,
then the external reporting arrangement was authorized by the
Report Receiver. </t>
<t> If a "rua" or "ruf" tag is thus discovered, replace the corresponding
value extracted from the domain's DMARC policy record with the one found
in this record. This permits the Report Receiver to override the report
destination. However, to prevent loops or indirect abuse, the overriding
URI MUST use the same destination host from the first step. </t>
</list>
</t>
<t> For example, if a DMARC policy query for "blue.example.com" contained
"rua=mailto:reports@red.example.net", the host extracted from the latter
("red.example.net") does not match "blue.example.com", so this procedure is
enacted. A TXT query for "blue.example.com._report._dmarc.red.example.net" is
issued. If a single reply comes back containing a tag of "v=DMARC1", then the
relationship between the two is confirmed. Moreover, red.example.net has the
opportunity to override the report destination requested by "blue.example.com"
if needed. </t>
<t> Where the above algorithm fails to confirm that the external reporting was
authorized by the Report Receiver, the URI MUST be ignored by the Mail
Receiver generating the report. Further, if the confirming record includes a URI
whose host is again different than the domain publishing that override, the Mail
Receiver generating the report MUST NOT generate a report to either the original
or the override URI. </t>
<t> A Report Receiver publishes such a record in its DNS if it wishes to receive
reports for other domains. </t>
<t> A Report Receiver that is willing to receive
reports for any domain can use a wildcard DNS record.
For example, a TXT resource record at "*._report._dmarc.example.com"
containing at least "v=DMARC1" confirms that example.com is willing to receive
DMARC reports for any domain. </t>
<t> If the Report Receiver is overcome by volume, it can simply remove
the confirming DNS record. However, due to positive caching, the change could
take as long as the time-to-live on the record to go into effect. </t>
<t> A Mail Receiver might decide not to enact this procedure if, for example, it
relies on a local list of domains for which external reporting addresses are
permitted. </t>
</section>
<!-- Verifying External Destinations -->
<section anchor="fb_aggregate" title="Aggregate Reports">
<t> Visibility comes in the form of daily (or more frequent) Mail
Receiver-originated feedback reports that contain aggregate data on message
streams relevant to the Domain Owner. This information includes data about
messages that passed DMARC authentication as well as those that did not. </t>
<t> The format for these reports is defined in <xref target="xml_schema" />. </t>
<t> The report SHOULD include the following data: <list style="symbols">
<t> The DMARC policy discovered and applied, if any </t>
<t> The selected message disposition </t>
<t> The identifier evaluated by SPF and the SPF result,
if any </t>
<t> The identifier evaluated by DKIM and the DKIM result,
if any </t>
<t> For both DKIM and SPF, in indication of whether the
identifier was in alignment </t>
<t> Data for each sender subdomain separately from mail from the sender's
organizational domain, even if there is no explicit subdomain policy. </t>
<t> Sending and receiving domains </t>
<t> The policy requested by the Domain Owner and the policy actually applied
(if different) </t>
<t> The number of successful authentications </t>
<t> The counts of messages based on all messages received even if their
delivery is ultimately blocked by other filtering agents </t>
</list>
</t>
<t> Note that Domain Owners or their agents may change the published DMARC policy
for a domain or subdomain at any time. From a Mail Receiver's perspective this
will occur during a reporting period and may be noticed during that period, at
the end of that period when reports are generated, or during a subsequent
reporting period, all depending on the Mail Receiver's implementation. Under
these conditions it is possible that a Mail Receiver could do any of the
following: <list style="symbols">
<t> generate a single aggregate report for such a reporting period that
includes message dispositions based on the old policy, or a mix of the
two policies, even though the report only contains a single
"policy_published" element; </t>
<t> generate multiple reports for the same period, one for each published
policy occurring during the reporting period; </t>
<t> generate a report whose end time occurs when the updated policy was
detected, regardless of any requested report interval. </t>
</list>
</t>
<t> Such policy changes are expected to be infrequent for any given domain, whereas
more stringent policy monitoring requirements on the Mail Receiver would produce
a very large burden at Internet scale. Therefore it is the responsibility of
report consumers and Domain Owners to be aware of this situation and allow for
such mixed reports during the propagation of the new policy to Mail Receivers. </t>
<t> Aggregate reports are most useful when they all cover a common time period. By
contrast, correlation of these reports from multiple generators when they cover
incongruent time periods is difficult or impossible. Report generators SHOULD,
wherever possible, adhere to hour boundaries for the reporting period they are
using. For example, starting a per-day report at 00:00; starting per-hour
reports at 00:00, 01:00, 02:00; et cetera. Report Generators using a 24-hour
report period are strongly encouraged to begin that period at 00:00 UTC,
regardless of local timezone or time of report production, in order to
facilitate correlation. </t>
</section>
<!-- Aggregate Reports -->
<section anchor="forensic" title="Failure Reports">
<t> When a Domain Owner requests failure reports for the purpose of forensic
analysis, and the Mail Receiver is willing to provide such reports, the Mail
Receiver generates and sends a message using the format described in <xref
target="AFRF" />. This document updates the AFRF format as described in
<xref target="afrf_update" />. </t>
<t> The format for failure reports is defined in either <xref target="AFRF" /> or
<xref target="IODEF" /> depending on the value found in the "rf" tag of the
DMARC record (or its default). </t>
<t> The destination(s) and nature of the reports are defined by the "ruf" and "fo"
tags as defined in <xref target="dmarc_format" />. </t>
<t> Where multiple URIs are selected to receive failure reports the report generator
MUST make an attempt to deliver to each of them. </t>
<t> An obvious consideration is the denial of service attack that can be perpetrated
by an attacker who sends numerous messages purporting to be from the intended
victim Domain Owner but which fail both SPF and DKIM; this would cause
participating Mail Receivers to send failure reports to the Domain Owner or its
delegate in potentially huge volumes. Accordingly, participating Mail Receivers
are encouraged to aggregate these reports as much as is practical, using the
Incidents field of the Abuse Reporting Format (<xref target="ARF" />). Various
aggregation techniques are possible, including: <list style="symbols">
<t> only send a report to the first recipient of multi-recipient messages; </t>
<t> store reports for a period of time before sending them, allowing
detection, collection, and reporting of like incidents; </t>
<t> apply rate limiting, such as a maximum number of reports per minute that
will be generated (and the remainder discarded). </t>
</list>
</t>
<section anchor="afrf_update" title="Reporting Format Update">
<t>
<xref target="AFRF" /> is updated to include the following changes: <list
style="numbers">
<t> Section 3.2 is updated to indicate that a DMARC failure report
includes the following ARF header fields, with the indicated
normative requirement levels: <list style="symbols">
<t> Identity-Alignment (REQUIRED; defined below) </t>
<t> Delivery-Result (OPTIONAL) </t>
<t> DKIM-Domain, DKIM-Identity, DKIM-Selector (REQUIRED if the
message was signed by DKIM) </t>
<t> DKIM-Canonicalized-Header, DKIM-Canonicalized-Body (OPTIONAL
if the message was signed by DKIM) </t>
<t> SPF-DNS (REQUIRED) </t>
</list>
</t>
<t> Section 3.2 is updated to define the "Identity-Alignment" field as
containing a comma-separated list of authentication mechanism names
that produced an aligned identity, or the keyword "none" if none
did. ABNF: <figure>
<artwork>
id-align = "Identity-Alignment:" [CFWS]
( "none" /
dmarc-method *( [CFWS] "," [CFWS] dmarc-method ) )
[CFWS]
dmarc-method = ( "dkim" / "spf" )
; each may appear at most once in an id-align</artwork>
</figure></t>
<t> Section 3.3 is updated to add Authentication Failure Type "dmarc",
which is to be used when a failure report is generated because some
or all of the authentication mechanisms failed to produce aligned
identifiers. Note that a failure report generator MAY also
independently produce an AFRF message for any or all of the
underlying authentication methods. </t>
</list>
</t>
</section>
</section>
<!-- Failure Reports -->
<section anchor="fb_failure" title="Utility of Failure Reports">
<t> Failure reports are normally generated and sent almost
immediately after the Mail Receiver detects an
authentication failure. Rather than waiting for an
aggregate report, these reports are useful for quickly
notifying the Domain Owners when there is an
authentication failure. Whether the failure is due to an
infrastructure problem or the message is inauthentic,
failure reports also provide more information about the
failed message than is available in an aggregate
report. </t>
<t> These reports SHOULD include any URI(s) from the message
that failed authentication. These reports SHOULD include
as much of the message and message header as is reasonable
to support the Domain Owner's investigation into what
caused the message to fail authentication and track down
the sender. </t>
</section>
<!-- Failure Feedback -->
</section>
<!-- DMARC Feedback -->
<section anchor="policy_discovery" title="Policy Discovery">
<t> As stated above, the DMARC mechanism uses DNS TXT records to advertise policy.
Policy discovery is accomplished via a method similar to the method used for SPF
records. This method and the important differences between DMARC and SPF mechanisms
are discussed below.</t>
<t> To balance the conflicting requirements of supporting wildcarding, allowing
subdomain policy overrides, and limiting DNS query load, the following DNS lookup
scheme is employed: <list style="numbers">
<t> Mail Receivers MUST query the DNS for a DMARC TXT record at the DNS domain
matching the one found in the RFC5322.From domain in the message. A possibly
empty set of records is returned. </t>
<t> Records that do not start with a "v=" tag that identifies the
current version of DMARC are discarded. </t>
<t> If the set is now empty, the Mail Receiver MUST query the DNS for a DMARC
TXT record at the DNS domain matching the Organizational Domain in place of
the RFC5322.From domain in the message (if different). This record can
contain policy to be asserted for subdomains of the Organizational Domain. A
possibly empty set of records is returned. </t>
<t> Records that do not start with a "v=" tag that identifies the current version
of DMARC are discarded. </t>
<t> If the remaining set contains multiple records or no records, processing
terminates and the Mail Receiver takes no action. </t>
<t> If a retrieved policy record does not contain a valid "p" tag, or contains
an "sp" tag that is not valid, then: <list style="numbers">
<t> if an "rua" tag is present and contains at least one syntactically
valid reporting URI, the Mail Receiver SHOULD act as if a record
containing a valid "v" tag and "p=none" was retrieved, and continue
processing; </t>
<t> otherwise, the Mail Receiver SHOULD take no action. </t>
</list>
</t>
</list>
</t>
<t> If the set produced by the mechanism above contains no DMARC policy record (i.e.,
any indication that there is no such record as opposed to a transient DNS error),
Mail Receivers SHOULD NOT apply the DMARC mechanism to the message. </t>
<t> If the RFC5322.From domain does not exist in the DNS, Mail Receivers SHOULD direct
the receiving SMTP server to reject the message. The choice of mechanism for such
rejection and the implications of those choices are discussed in <xref
target="mail_receiver_actions" /> and <xref target="disc_rejection" />. </t>
<t> Handling of DNS errors when querying for the DMARC policy record is left to the
discretion of the Mail Receiver. For example, to ensure minimal disruption of mail
flow, transient errors could result in delivery of the message ("fail open"), or
they could result in the message being temporarily rejected (i.e., an SMTP 4yx
reply) which invites the sending MTA to try again after the condition has possibly
cleared, allowing a definite DMARC conclusion to be reached ("fail closed"). </t>
</section>
<!-- Policy Discovery -->
<section anchor="domain_owner_actions" title="Domain Owner Actions">
<t> To implement the DMARC mechanism, the only action required of a Domain Owner is the
creation of the DMARC policy record in the DNS. However, in order to make meaningful
use of DMARC, a Domain Owner must at minimum either establish an address to receive
reports, or deploy authentication technologies and ensure identifier alignment. Most Domain Owners will want to do both. </t>
<t>DMARC reports will be of significant size and the addresses that receive them are
publicly visible, so we encourage Domain Owners to set up dedicated email addresses
to receive and process reports, and to deploy abuse countermeasures on those email addresses as
appropriate.</t>
<t> Authentication technologies are discussed in <xref target="DKIM" /> (see also <xref
target="DKIM-OVERVIEW" /> and <xref target="DKIM-DEPLOYMENT" />) and <xref
target="SPF" />. </t>
</section>
<!-- Domain Owner Actions -->
<section anchor="mail_receiver_actions" title="Mail Receiver Actions">
<t>This section describes receiver actions in the DMARC environment. </t>
<section anchor="receiver_domain" title="Extract Author Domain">
<t>The domain in the RFC5322.From field is extracted as the domain to be evaluated
by DMARC. If the domain is encoded with UTF-8, the domain name must be converted
to an A-label for further processing. </t>
<t>In order to be processed by DMARC, a message must contain exactly one RFC5322 From: domain (a single From: field with a single domain in it).
Not all messages meet this requirement. They may <list
style="symbols">
<t>Have multiple RFC5322.From fields (which is also forbidden under <xref
target="MAIL">RFC 5322</xref>)</t>
<t>Have a single RFC5322.From field containing multiple entities</t>
<t>Have no RFC5322.From field (which is also forbidden under <xref
target="MAIL">RFC 5322</xref>)</t>
<t>Have a RFC5322.From field that contains no meaningful values, such as
<xref target="MAIL">RFC 5322</xref>'s "group" syntax.</t>
</list> Such messages SHOULD be rejected. If they are not, the Mail Receiver can
either ignore the message entirely with respect to DMARC processing, or (if
there are multiple identifiers) evaluate DMARC against all identifiers. </t>
<t>If multiple identifiers are evaluated, the Mail Receiver should prioritize
identifiers visible to the end user. This requires an understanding of the end
user environment, the specification of which is outside of the scope of this
document. </t>
</section>
<!-- Extract Author Domain -->
<section anchor="receiver_policy" title="Determine Handling Policy">
<t>To arrive at a policy disposition for an individual message, Mail Receivers MUST
perform the following actions or their semantic equivalents. Steps 2-4 MAY be
done in parallel, whereas steps 5 and 6 require input from previous steps.</t>
<t>The steps are as follows: <list style="numbers">
<t> Extract the RFC5322.From domain from the message (as above). </t>
<t> Query the DNS for a DMARC policy record. Continue if one is found, or
abort DMARC evaluation otherwise. See <xref target="policy_discovery" />
for details. </t>
<t> Perform DKIM signature verification checks. A single email may contain
multiple DKIM signatures. The results of this step are passed to the
remainder of the algorithm and MUST include the value of the "d=" tag
from all checked DKIM signatures. </t>
<t> Perform SPF validation checks. The results of this step are passed to
the remainder of the algorithm and MUST include the domain name used to
complete the SPF check. </t>
<t> Conduct identifier alignment checks. With authentication checks and
policy discovery performed, the Mail Receiver checks if Authenticated
Identifiers fall into alignment as described in <xref
target="terms_and_defs" />. If one or more of the Authenticated
Identifiers align with the RFC5322.From domain, the message is
considered to pass the DMARC mechanism check. All other conditions
(authentication failures, identifier mismatches) are considered to be
DMARC mechanism check failures. </t>
<t> Apply policy. Emails that fail the DMARC mechanism check are disposed of
in accordance with the discovered DMARC policy of the Domain Owner. See
<xref target="dmarc_format" /> for details. </t>
</list>
</t>
<t> Heuristics applied in the absence of use by a Domain Owner of either SPF or DKIM
(e.g., <xref target="Best-Guess-SPF" />) SHOULD NOT be used, as it may be the
case that the Domain Owner wishes a Message Receiver not to consider the results
of that underlying authentication protocol at all. </t>
<t> Handling of messages for which SPF and/or DKIM evaluation encounters a DNS error
is left to the discretion of the Mail Receiver. Further discussion is available
in <xref target="policy_discovery" />. </t>
</section>
<section anchor="sampling" title="Message Sampling">
<t> If the "pct" tag is present in the policy record, the Mail Receiver MUST NOT enact the
requested policy ("p" tag or "sp" tag") on more than the stated percent of the
totality of affected messages. However, regardless of whether or not the "pct"
tag is present, the Mail Receiver MUST include all relevant message data in any
reports produced. </t>
<t> If email is subject to the DMARC policy of "quarantine", the Mail Receiver
SHOULD quarantine the message. If the email is not subject to the "quarantine"
policy (due to the "pct" tag), the Mail Receiver SHOULD apply local message
classification as normal. </t>
<t> If email is subject to the DMARC policy of "reject", the Mail Receiver SHOULD
reject the message (see <xref target="disc_rejection" />). If the email is not
subject to the "reject" policy (due to the "pct" tag), the Mail Receiver SHOULD
treat the email as though the "quarantine" policy applies. This behavior allows
senders to experiment with progressively stronger policies without relaxing
existing policy.</t>
</section>
<!-- Message Sampling -->
<section anchor="feedback_store_mr_action" title="Store Results of DMARC Processing">
<t>The results of Mail Receiver-based DMARC processing should be stored for eventual
presentation back to the Domain Owner in the form of aggregate feedback reports.
<xref target="dmarc_record" /> and <xref target="feedback_mechanism" />
discuss aggregate feedback.</t>
<t>See <xref target="capacity" /> for a discussion of matters regarding
aggregation of such data. </t>
</section>
<!-- Store Results -->
</section>
<!-- Mail Receiver Actions -->
<section anchor="feedback_mechanism" title="Feedback Mechanism">
<t>The DMARC aggregate feedback report is designed to provide Domain Owners with precise insight into <list style="symbols">
<t>authentication results</t>
<t>corrective action that needs to be taken by Domain Owners, and</t>
<t>the effect of Domain Owner DMARC policy on email streams processed by Mail
Receivers.</t>
</list> The format of the original payload comprising the report can be found in
<xref target="xml_schema" />.</t>
<t>Aggregate DMARC feedback provides visibility into real-world email streams that
Domain Owners need to make informed decisions regarding the publication of DMARC
policy. When Domain Owners know what legitimate mail they are sending, what the
authentication results are on that mail, and what forged mail receivers are getting,
they can make better decisions about the policies they need and the steps they need
to take to enable those policies. When Domain Owners set policies appropriately and
understand their effects, Mail Receivers can act on them confidently. </t>
<section anchor="discovery_fb_mech" title="Discovery">
<t>A Mail Receiver discovers reporting requests when it looks up a DMARC policy
record that corresponds to a RFC5322 From: domain on received mail. The
presence of the "rua" tag specifies where to send feedback. </t>
<t>For more on the considerations given to DMARC discovery, see <xref
target="policy_discovery"/>. </t>
</section>
<!-- Discovery -->
<section anchor="transport_fb_mech" title="Transport">
<t>Where the URI specified in an "rua" tag does not specify otherwise, a Mail
Receiver generating a feedback report SHOULD apply a secure transport
mechanism.</t>
<t>The Mail Receiver, after preparing a report, MUST evaluate the provided reporting
URIs in the order given. Any reporting URI that includes a size limitation
exceeded by the generated report (after compression and after any encoding
required by the particular transport mechanism) MUST NOT be used. An attempt
MUST be made to deliver an aggregate report to every remaining URI, up to the
receiver's limits on supported URIs. </t>
<t>If transport is not possible because the services advertised by the published
URIs are not able to accept reports (e.g., the URI refers to a service that is
unreachable, or all provided URIs specify size limits exceeded by the generated
record), the Mail Receiver SHOULD send a short report (see <xref
target="error_reports" />) indicating that a report is available but could
not be sent. The Mail Receiver MAY cache that data and try again later, or MAY
discard data that could not be sent. </t>
<section anchor="email_transport_fb_mech" title="Email">
<t>In the case of a "mailto" URI, the Mail Receiver MUST communicate reports
using the method described in <xref target="STARTTLS"/>
whenever it is offered by a Report Receiver. </t>
<t>The message generated by the Mail Receiver must be a <xref target="MIME" />
formatted <xref target="MAIL" /> message. The aggregate report itself MUST
be included in one of the parts of the message. A human-readable portion MAY
be included as a MIME part (such as a text/plain part). </t>
<t>The aggregate data MUST be an XML file that SHOULD be subjected to GZIP compression. Declining
to apply compression can cause the report to be too large for a receiver to process
(a commonly-observed receiver limit is ten megabytes);
doing the compression increases the chances of acceptance of the report at some compute cost. The
aggregate data SHOULD be present using the media type "application/gzip" if
compressed (see <xref target="GZIP"/>), and "text/xml" otherwise.
The filename is typically constructed using the following ABNF: <figure>
<artwork>
filename = receiver "!" policy-domain "!" begin-timestamp
"!" end-timestamp [ "!" unique-id ] "." extension
unique-id = 1*(ALPHA | DIGIT)
receiver = domain
; imported from [MAIL]
policy-domain = domain
begin-timestamp = 1*DIGIT
; seconds since 00:00:00 UTC January 1, 1970
; indicating start of the time range contained
; in the report
end-timestamp = 1*DIGIT
; seconds since 00:00:00 UTC January 1, 1970
; indicating end of the time range contained
; in the report
extension = "xml" / "xml.gz" </artwork>
</figure>
</t>
<t> The extension MUST be "xml" for a plain XML file,
or "xml.gz" for an XML file compressed using GZIP. </t>
<t> "unique-id" allows an optional unique ID generated by the Mail Receiver to
distinguish among multiple reports generated simultaneously by different
sources within the same Domain Owner. </t>
<t>For example, this is a possible filename for the gzip file of a report to the
Domain Owner "example.com" from the Mail Receiver
"mail.receiver.example". <figure>
<artwork>
<![CDATA[mail.receiver.example!example.com!1013662812!1013749130.gz]]></artwork>
</figure>
</t>
<t> No specific MIME message structure is required. It is presumed that the
aggregate reporting address will be equipped to extract MIME parts with the
prescribed media type and filename and ignore the rest. </t>
<t>Email streams carrying DMARC feedback data MUST conform to the DMARC
mechanism, thereby resulting in an aligned "pass" (see <xref
target="id_alignment_element" />). This practice minimizes the risk of
report consumers processing fraudulent reports. </t>
<t>The RFC5322.Subject field for individual report submissions SHOULD conform to
the following ABNF: <figure>
<artwork>
dmarc-subject = %x52.65.70.6f.72.74 1*FWS ; "Report"
%x44.6f.6d.61.69.6e.3a 1*FWS ; "Domain:"
domain-name 1*FWS ; from RFC6376
%x53.75.62.6d.69.74.74.65.72.3a ; "Submitter:"
1*FWS domain-name 1*FWS
%x52.65.70.6f.72.74.2d.49.44.3a ; "Report-ID:"
msg-id ; from RFC5322</artwork>
</figure>
</t>
<t>The first domain-name indicates the DNS domain name about which the report
was generated. The second domain-name indicates the DNS domain name
representing the Mail Receiver generating the report. The purpose of the
Report-ID: portion of the field is to enable the Domain Owner to identify
and ignore duplicate reports that might be sent by a Mail Receiver. </t>
<t> For instance, this is a possible Subject field for a report to the Domain
Owner "example.com" from the Mail Receiver
"mail.receiver.example". It is line-wrapped as allowed by
<xref target="MAIL"/>. <figure>
<artwork>
<![CDATA[Subject: Report Domain: example.com
Submitter: mail.receiver.example
Report-ID: <2002.02.15.1>]]></artwork>
</figure></t>
<t>This transport mechanism potentially encounters a problem when feedback data
size exceeds maximum allowable attachment sizes for either the generator or
the consumer. See <xref target="error_reports" /> for further discussion.
</t>
</section>
<!-- Email Transport -->
<section anchor="other_transport_fb_mech" title="Other Methods">
<t>The specification as written allows for the addition of
other registered URI schemes to be supported in later
versions.
</t>
</section>
<!-- Other Transport -->
<section anchor="error_reports" title="Error Reports">
<t> When a Mail Receiver is unable to complete delivery of a report via any of
the URIs listed by the Domain Owner, the Mail Receiver SHOULD generate an
error message. An attempt MUST be made to send this report to all listed
"mailto" URIs and it MAY also be sent to any or all other listed
URIs. </t>
<t> The error report MUST be formatted per <xref target="MIME" />. A text/plain
part MUST be included that contains field-value pairs such as those found in
Section 2 of <xref target="DSN" />. The fields required, which may appear in
any order, are: <list style="hanging">
<t hangText="Report-Date:"> A <xref target="MAIL" />-formatted date
expression indicating when the transport failure occurred. </t>
<t hangText="Report-Domain:"> The domain-name about which the failed
report was generated. </t>
<t hangText="Report-ID:"> The Report-ID: that the report tried to use. </t>
<t hangText="Report-Size:"> The size, in bytes, of the report that was
unable to be sent. This MUST represent the number of bytes that the
Mail Receiver attempted to send. Where more than one transport
system was attempted, the sizes may be different; in such cases,
separate error reports MUST be generated so that this value matches
the actual attempt that was made.</t>
<t hangText="Submitter:"> The domain-name representing the Mail Receiver
that generated, but was unable to submit, the report. </t>
<t hangText="Submitting-URI:"> The URI(s) to which the Mail Receiver
tried, but failed, to submit the report.</t>
</list>
</t>
<t> An additional text/plain part MAY be included that gives a human-readable
explanation of the above, and MAY also include a URI that can be used to
seek assistance. </t>
<t> [NOTE: A more rigorous syntax specification, including ABNF and possible
registration of a new media type, will be added here when more operational
experience is acquired.]</t>
</section>
<!-- Error Reports -->
</section>
<!-- Transport -->
</section>
<!-- Feedback -->
<section anchor="capacity" title="Capacity Planning">
<t> DMARC participants will need to perform capacity planning to support their
implementations. Some factors to consider include: <list style="hanging">
<t hangText="Storage:"> As Mail Receivers process increasing numbers of
messages -- from increasingly disparate sources -- claiming to be from
DMARC-enabled domains, additional storage of information will be
required to support the generation of feedback reports. Similarly,
Domain Owners will need to plan based on how long they wish to store the
data found in received reports. When Domain Owners enter exceptional
situations and are unable to accept reports, Mail Receivers, as a matter
of policy, might discard undelivered reports. </t>
<t hangText="Frequency:"> Sending reports more frequently increases
processing costs at both the Mail Receiver and the Domain Owner, but can
decrease Mail Receiver storage requirements as data are consumed and
storage is freed through report generation and transmission. At the same
time, less frequent report generation may lead to somewhat stale
feedback. An appropriate balance should be sought.</t>
<t hangText="DNS:"> DMARC imposes up to two additional DNS queries per
arriving message, namely the TXT queries to try to locate a policy
statement. For Mail Receivers, these are queries sent; for Domain
Owners, these are queries that must be handled. Both sides will need to
plan for the additional DNS load. There were will be additional DNS
load caused by the generation and sending of reports, and any
external reporting records placed in the DNS. </t>
</list>
</t>
</section>
<section anchor="minimum" title="Minimum Implementations">
<t> A minimum implementation of DMARC has the following characteristics: <list
style="symbols">
<t> Is able to send and/or receive reports at least daily; </t>
<t> Is able to send and/or receive reports using "mailto" URIs; </t>
<t> Other than in exceptional circumstances such as resource exhaustion, can
generate or accept a report up to ten megabytes in size; </t>
<t> If acting as a Mail Receiver, fully implements the provisions of <xref
target="mail_receiver_actions" />. </t>
</list>
</t>
</section>
<section anchor="privacy" title="Privacy Considerations">
<t> This section discusses security issues specific to private data that may be
included in the interactions that are part of DMARC. </t>
<section anchor="priv_data" title="Data Exposure Considerations">
<t> Aggregate reports are limited in scope to DMARC policy and disposition
results, to information pertaining to the underlying authentication
mechanisms, and to the identifiers involved in DMARC validation. </t>
<t> Failed message reporting provides message-specific details pertaining to
authentication failures. Individual reports can contain message content as
well as trace header fields. Domain Owners are able to analyze individual
reports and attempt to determine root causes of authentication mechanism
failures, gain insight into misconfigurations or other problems with email
and network infrastructure, or inspect messages for insight into abusive
practices. </t>
<t> Both report types may expose sender and recipient identifiers (e.g.,
RFC5322.From addresses), and although the <xref target="AFRF" /> format used
for failed message reporting supports redaction, failed message reporting is
capable of exposing the entire message to the report recipient. </t>
<t> Domain Owners requesting reports will receive information about mail
claiming to be from them, which includes mail that was not, in fact, from
them. Information about the final destination of mail where it might
otherwise be obscured by intermediate systems will therefore be exposed.
</t>
<t> Domain Owners requesting reports will also receive information about mail
forwarded to unexpected Mail Receivers when message forwarding
relationships exists. </t>
</section>
<section anchor="priv_rcpt" title="Report Recipients">
<t> A DMARC record can specify that reports should be sent to an intermediary
operating on behalf of the Domain Owner. This is done when the Domain Owner
contracts with an entity to monitor mail-streams for abuse and performance
issues. Receipt by third parties of such data may or may not be permitted by
the Mail Receiver's privacy policy, terms of use, or other similar governing
document. Domain Owners and Mail Receivers should both review and understand
if their own internal policies constrain the use and transmission of DMARC
reporting. </t>
</section>
<section anchor="priv_gen" title="Report Generators">
<t> The entity (e.g., mailbox provider, Internet service provider) receiving
emails is typically responsible for generating DMARC reports. Such entities
are typically charged with protecting accidental disclosure of their users'
data. In this case, disclosure is being requested by the entity generating
the email in the first place, i.e., the Domain Owner, so this may not fit
squarely within existing privacy policy provisions. For some providers,
aggregate and failed message reporting are viewed as a function similar to
complaint reporting about spamming or phishing, and treated similarly under
the privacy policy. Report generators (i.e., Mail Receivers) are encouraged
to review their reporting limitations under such policies before enabling
DMARC reporting. </t>
</section>
<section anchor="priv_tls" title="Secure Protocols">
<t> This document encourages use of secure transport mechanisms to prevent loss
of private data to third parties that may be able to monitor such
transmissions. Unencrypted mechanisms should be avoided. </t>
<t> In particular, a message that was originally encrypted or otherwise
secured might appear in a report that is not sent securely, which
could reveal private information. </t>
</section>
</section>
<section anchor="discuss" title="Other Topics">
<t> This section discusses some topics regarding choices made in the
development of DMARC, largely to commit the history to
record. </t>
<section anchor="disc_from" title="Use of RFC5322.From">
<t> One of the most obvious points of security scrutiny for DMARC is the choice to
focus on an identifier, namely the RFC5322.From address, which is part of a body of data
trivially forged throughout the history of email. </t>
<t> Several points suggest it is the most correct and safest thing to do in this
context: <list style="symbols">
<t> Of all the identifiers that are part of the message itself, this is the
only one guaranteed to be present. </t>
<t> It seems the best choice of an identifier on which to focus as most MUAs
display some or all of the contents of that field in
a manner strongly suggesting those data as reflective of the true
originator of the message. </t>
<t> The focus of email authentication efforts has been to create mechanisms
by which this field, or at least some field in the message, can be
deemed genuine. Thus, this field is not easily forged within the context
of its use with DMARC.</t>
<t> The DMARC mechanism confers no additional privilege to the message
without successful authentication of this identifier. </t>
</list></t>
<t> The absence of a single, properly-formed RFC5322.From field renders the message
invalid. This document prescribes no specific action in that case, other than to
suggest that the message ought to be disposed of by the Mail Receiver's
infrastructure in a safe manner that recognizes and possibly even highlights the
malformation. </t>
</section>
<section anchor="disc_spf" title="Issues Specific to SPF">
<t>Though DMARC does not inherently change the semantics of an SPF policy record,
historically lax enforcement of such policies has led many to publish extremely
broad records containing many large network ranges. Domain Owners are strongly
encouraged to carefully review their SPF records to understand which networks
are authorized to send on behalf of the Domain Owner before publishing a DMARC
record.</t>
<t> Some receiver architectures might implement SPF in advance of any DMARC
operations. This means a "-" prefix on a Sender's SPF mechanism, such as "-all",
could cause that rejection go into effect early in handling, causing message
rejection, before any DMARC processing takes place. Operators choosing to use
"-all" should be aware of this. </t>
</section>
<section anchor="disc_dns" title="DNS Load and Caching">
<t> DMARC policies are communicated using the DNS, and therefore inherit a number of
considerations related to DNS caching. The inherent conflict between freshness
and the impact of caching on the reduction of DNS-lookup overhead should be
considered from the Mail Receiver's point of view. Should Domain Owners publish
a DNS record with a very short TTL, Mail Receivers can be provoked through the
injection of large volumes of messages to overwhelm the Domain Owner's DNS.
Although this is not a concern specific to DMARC, the implications of a very
short TTL should be considered when publishing DMARC policies.</t>
<t> Conversely, long TTLs will cause records to be cached for long periods of time.
This can cause a critical change to DMARC parameters advertised by a Domain
Owner to go unnoticed for the length of the TTL (while waiting for DNS caches to
expire). Avoiding this problem can mean shorter TTLs, with the potential
problems described above. A balance should be sought to maintain responsiveness
of DMARC preference changes while preserving the benefits of DNS caching. </t>
</section>
<section anchor="disc_rejection" title="Rejecting Messages">
<t> This proposal calls for rejection of a message during the SMTP session under
certain circumstances. This is typically done in one of two ways: <list
style="symbols">
<t> Full rejection, wherein the SMTP server issues a 5xy reply code as an
indication to the SMTP client that the transaction failed; the SMTP
client is then responsible for generating notification that delivery
failed (see Section 4.2.5 of <xref target="SMTP" />). </t>
<t> A "silent discard", wherein the SMTP server returns a 2xy reply code
implying to the client that delivery (or, at least, relay) was
successfully completed, but then simply discarding the message with no
further action. </t>
</list>
</t>
<t> Each of these has a cost. For instance, a silent discard may prevent
"backscatter" (the annoying generation of delivery failure reports, which go
back to the RFC5321.MailFrom address, about messages that were fraudulently
generated), but effectively means the SMTP server has to be programmed to give a
false result, which can confound external debugging efforts. </t>
<t> Similarly, the text portion of the SMTP reply may be important to consider. For
example, when rejecting a message, revealing the reason for the rejection might
give an attacker enough information to bypass those efforts on a later attempt,
though it might also assist a legitimate client to determine the source of some
local issue that caused the rejection. </t>
<t> In the latter case, when doing an SMTP rejection, providing a clear hint can be
useful in resolving issues. A receiver might indicate in plain text the reason
for the rejection by using the word "DMARC" somewhere in the reply text. Many
systems are able to scan the SMTP reply text to determine the nature of the
rejection, thus providing a machine-detectable reason for rejection allows
automated sorting of rejection causes so they can be properly addressed. For
example: <figure>
<artwork>
550 5.7.1 Email rejected per DMARC policy for example.com</artwork>
</figure></t>
<t> If a Mail Receiver elects to defer delivery due to inability to retrieve or
apply DMARC policy, this is best done with a 4xy SMTP reply code. </t>
</section>
<section anchor="disc_id_align" title="Identifier Alignment Considerations">
<t> The DMARC mechanism allows both DKIM and SPF-authenticated identifiers to
authenticate email on behalf of a Domain Owner and, possibly, on
behalf of different subdomains. If malicious or unaware users can gain control
of the SPF record or DKIM signing practices for a subdomain, the subdomain can be
used to generate DMARC-passing email on behalf of the Organizational Domain. </t>
<t> For example, an attacker who controls the SPF record for "evil.example.com" can
send mail with an RFC5322.From field containing "foo@example.com" that can pass both
authentication and the DMARC check against "example.com".</t>
<t> The Organizational Domain administrator should be careful not to delegate control of
sub-domains if this is an issue, and to consider using the "strict" Identifier
Alignment option if appropriate. </t>
</section>
</section> <!-- Other Topics -->
<section anchor="iana_considerations" title="IANA Considerations">
<t>This section describes actions requested of IANA.</t>
<section anchor="iana_auth_results_method"
title="Authentication-Results Method Registry Update">
<t> IANA is requested to add the following to the Email Authentication Method Name
Registry: <list style="hanging">
<t hangText="Method:"> dmarc </t>
<t hangText="Defined In:"> [this memo] </t>
<t hangText="ptype:"> header </t>
<t hangText="property:"> from </t>
<t hangText="value:"> the domain portion of the RFC5322.From field </t>
</list>
</t>
</section>
<section anchor="iana_auth_results_result"
title="Authentication-Results Result Registry Update">
<t> IANA has added the following in the Email Authentication Result Name Registry:
<list style="hanging">
<t hangText="Code:"> none </t>
<t hangText="Existing/New Code:"> existing </t>
<t hangText="Defined In:">
<xref target="AUTH-RESULTS" />
</t>
<t hangText="Auth Method:"> dmarc (added) </t>
<t hangText="Meaning:"> No DMARC policy record was published for the aligned
identifier, or no aligned identifier could be extracted. </t>
</list>
<list style="hanging">
<t hangText="Code:"> pass </t>
<t hangText="Existing/New Code:"> existing </t>
<t hangText="Defined In:">
<xref target="AUTH-RESULTS" />
</t>
<t hangText="Auth Method:"> dmarc (added) </t>
<t hangText="Meaning:"> A DMARC policy record was published for the aligned
identifier, and at least one of the authentication mechanisms passed.
</t>
</list>
<list style="hanging">
<t hangText="Code:"> fail </t>
<t hangText="Existing/New Code:"> existing </t>
<t hangText="Defined In:">
<xref target="AUTH-RESULTS" />
</t>
<t hangText="Auth Method:"> dmarc (added) </t>
<t hangText="Meaning:"> A DMARC policy record was published for the aligned
identifier, and none of the authentication mechanisms passed. </t>
</list>
<list style="hanging">
<t hangText="Code:"> temperror </t>
<t hangText="Existing/New Code:"> existing </t>
<t hangText="Defined In:">
<xref target="AUTH-RESULTS" />
</t>
<t hangText="Auth Method:"> dmarc (added) </t>
<t hangText="Meaning:"> A temporary error occurred during DMARC evaluation.
A later attempt might produce a final result. </t>
</list>
<list style="hanging">
<t hangText="Code:"> permerror </t>
<t hangText="Existing/New Code:"> existing </t>
<t hangText="Defined In:">
<xref target="AUTH-RESULTS" />
</t>
<t hangText="Auth Method:"> dmarc (added) </t>
<t hangText="Meaning:"> A permanent error occurred during DMARC evaluation,
such as encountering a syntactically incorrect DMARC record. A later
attempt is unlikely to produce a final result. </t>
</list>
</t>
</section>
<section anchor="iana_afrf" title="Feedback Report Header Fields Registry">
<t> The following is added to the Feedback Report Header Fields Registry:
<list style="hanging">
<t hangText="Field Name:"> Identity-Alignment </t>
<t hangText="Description:"> indicates whether the message
about which a report is being generated had
any identifiers in alignment as defined in [this RFC] </t>
<t hangText="Multiple Appearances:"> no </t>
<t hangText='Related "Feedback-Type":'> auth-failure </t>
<t hangText="Published In:"> [this RFC] </t>
<t hangText="Status:"> current </t>
</list> </t>
</section>
<section anchor="iana_dmarc_tags" title="DMARC Tag Registry">
<t>Names of DMARC tags must be registered with IANA. New entries are assigned only
for values that have been documented in a published RFC that has had IETF
Review, per <xref target="IANA-CONSIDERATIONS" />. Each registration must
include the tag name, the specification that defines it, a brief description,
and its status which must be one of "current", "experimental" or "historic". </t>
<t> To avoid version compatibility issues,
tags added to the DMARC specification are to avoid changing the semantics of
existing records when processed by implementations conforming to prior
specifications.</t>
<t>The initial set of entries in this registry is as follows: <figure>
<artwork>
+----------+-------------+---------+------------------------------+
| Tag Name | Defined | Status | Description |
+----------+-------------+---------+------------------------------+
| adkim | [THIS MEMO] | current | DKIM alignment mode |
+----------+-------------+---------+------------------------------+
| aspf | [THIS MEMO] | current | SPF alignment mode |
+----------+-------------+---------+------------------------------+
| fo | [THIS MEMO] | current | Failure reporting options |
+----------+-------------+---------+------------------------------+
| pct | [THIS MEMO] | current | Sampling rate |
+----------+-------------+---------+------------------------------+
| p | [THIS MEMO] | current | Requested handling policy |
+----------+-------------+---------+------------------------------+
| rf | [THIS MEMO] | current | Failure reporting format(s) |
+----------+-------------+---------+------------------------------+
| ri | [THIS MEMO] | current | Aggregate Reporting interval |
+----------+-------------+---------+------------------------------+
| rua | [THIS MEMO] | current | Reporting URI(s) for |
| | | | aggregate data |
+----------+-------------+---------+------------------------------+
| ruf | [THIS MEMO] | current | Reporting URI(s) for |
| | | | failure data |
+----------+-------------+---------+------------------------------+
| sp | [THIS MEMO] | current | Requested handling policy |
| | | | for subdomains |
+----------+-------------+---------+------------------------------+
| v | [THIS MEMO] | current | Specification version |
+----------+-------------+---------+------------------------------+</artwork>
</figure>
</t>
</section>
<section anchor="iana_dmarc_formats" title="DMARC Report Format Registry">
<t>Names of DMARC failure reporting formats must be registered with IANA. New
entries are assigned only for values that have been documented in a published
RFC that has had IETF Review, per <xref target="IANA-CONSIDERATIONS" />. Each
registration must include the tag name, the specification that defines it, a
brief description, and its status which must be one of "current", "experimental"
or "historic". </t>
<t>The initial set of entries in this registry is as follows: <figure>
<artwork>
+--------+-------------+---------+-----------------------------+
| Format | Defined | Status | Description |
| Name | | | |
+--------+-------------+---------+-----------------------------+
| afrf | [THIS MEMO] | current | Authentication Failure |
| | | | Reporting Format (see |
| | | | [AFRF]) |
+--------+-------------+---------+-----------------------------+
| iodef | [THIS MEMO] | current | Incident Object Description |
| | | | Exchange Format (see |
| | | | [IODEF]) |
+--------+-------------+---------+-----------------------------+</artwork>
</figure></t>
</section>
</section>
<!-- IANA Considerations -->
<section anchor="sec" title="Security Considerations">
<t> This section discusses security issues and possible
remediations (where available) for DMARC. </t>
<section anchor="sec_auth" title="Authentication Methods">
<t> Security considerations from the authentication methods used by
DMARC are incorporated here by reference. </t>
</section>
<section anchor="sec_rep_uris" title="Attacks on Reporting URIs">
<t>URIs published in DNS TXT records are well-understood possible targets for
attack. Specifications such as <xref target="DNS" /> and <xref target="ROLES" />
either expose or cause the exposure of email addresses that could be flooded by
an attacker, for example; MX, NS and other records found in the DNS advertise
potential attack destinations; common DNS names such as "www" plainly identify
the locations at which particular services can be found, providing destinations
for targeted denial-of-service or penetration attacks. </t>
<t>Thus, Domain Owners will need to harden these addresses against various attacks,
including but not limited to: <list style="symbols">
<t> high-volume denial-of-service attacks; </t>
<t> deliberate construction of malformed reports intended to identify or
exploit parsing or processing vulnerabilities; </t>
<t> deliberate construction of reports containing false claims for the
Submitter or Reported-Domain fields, including the possibility of false
data from compromised but known Mail Receivers. </t>
</list>
</t>
</section>
<section anchor="sec_dnssec" title="DNS Security">
<t> The DMARC mechanism and its underlying technologies (SPF, DKIM) depend on the
security of the DNS. To reduce the risk of subversion of the DMARC mechanism due
to DNS-based exploits, serious consideration should be given to the deployment
of DNSSEC in parallel to the deployment of DMARC by both Domain Owners
and Mail Receivers. </t>
</section>
<section anchor="sec_display" title="Display Name Attacks">
<t> A common attack in messaging abuse is the presentation of false information in
the display-name portion of the RFC5322.From field. For example, it is
possible for the email address in that field to be an arbitrary address or
domain name, while containing a well-known name (a person, brand, role, etc.) in
the display name, intending to fool the end user into believing that the name is
used legitimately. The attack is predicated on the notion that most common
MUAs will show the display name and not the email address when
both are available. </t>
<t> Generally, display name attacks are out of scope for DMARC as further
exploration of possible defenses against these attacks needs to be undertaken. </t>
<t> There are a few possible mechanisms that attempt mitigation of these attacks,
such as: <list style="symbols">
<t> If the display name is found to include an email address (as specified
in <xref target="MAIL" />), execute the DMARC mechanism on the domain
name found there rather than the domain name discovered originally.
However, this addresses only a very specific attack space and is easily
circumvented by spoofers simply by not using an email address in the
display name. There are also known cases of legitimate uses of an email
address in the display name with a domain different from the one in the
address portion, e.g.: <figure>
<artwork>
From: "user@example.org via Bug Tracker" <support@example.com></artwork>
</figure>
</t>
<t> In the MUA, only show the display name if the DMARC mechanism succeeds.
This too is easily defeated, as an attacker could arrange to pass the
DMARC tests while fraudulently using another domain name in the display
name. </t>
<t> In the MUA, only show the display name if the DMARC mechanism passes and
the email address thus validated matches one found in the receiving
user's list of known addresses. </t>
</list>
</t>
</section>
<section anchor="sec_external" title="External Reporting Addresses">
<t>To avoid abuse by bad actors, reporting addresses generally have to be inside the
domains about which reports are requested. In order to accommodate special cases
such as a need to get reports about domains that cannot actually receive mail,
<xref target="fb_verify" /> describes a DNS-based mechanism for verifying
approved external reporting. </t>
<t>The obvious consideration here is an increased DNS load against domains that are
claimed as external recipients. Negative caching will mitigate this problem, but
only to a limited extent, mostly dependent on the default time-to-live in the
domain's SOA record. </t>
<t>Where possible, external reporting is best achieved by having the report be
directed to domains that can receive mail and simply having it automatically
forwarded to the desired external destination. </t>
<t>Note that the addresses shown in the "ruf" tag receive more information that
might be considered private data, since it is possible for actual email content
to appear in the failure reports. The URIs identified there are thus more
attractive targets for intrusion attempts than those found in the "rua" tag.
Moreover, attacking the DNS of the subject domain to cause failure data to be
routed fraudulently to an attacker's systems may be an attractive prospect.
Deployment of <xref target="DNSSEC" /> is advisable if this is a concern. </t>
<t>The verification mechanism presented in <xref target="fb_verify" /> is currently
not mandatory ("MUST") but strongly recommended ("SHOULD"). It is possible that
it would be elevated to a "MUST" by later security review. </t>
</section>
</section> <!-- Security Considerations -->
</middle>
<back>
<references title="Normative References">
<reference anchor="ABNF">
<front>
<title> Augmented BNF for Syntax Specifications: ABNF </title>
<author fullname="D. Crocker" initials="D." surname="Crocker">
<organization> Brandenburg InternetWorking </organization>
</author>
<author fullname="P. Overell" initials="P." surname="Overell">
<organization> THUS plc. </organization>
</author>
<date month="January" year="2008" />
</front>
<seriesInfo name="RFC" value="5234" />
</reference>
<reference anchor="AFRF">
<front>
<title abbrev="AFRF"> Authentication Failure Reporting using the Abuse Report
Format </title>
<author fullname="H. Fontana" initials="H." surname="Fontana"> </author>
<date month="April" year="2012" />
</front>
<seriesInfo name="RFC" value="6591" />
</reference>
<reference anchor="AFRF-DKIM">
<front>
<title abbrev="AFRF-DKIM"> Extensions to DomainKeys Identified Mail (DKIM) for
Failure Reporting </title>
<author fullname="M. Kucherawy" initials="M." surname="Kucherawy"> </author>
<date month="June" year="2012" />
</front>
<seriesInfo name="RFC" value="6651" />
</reference>
<reference anchor="AFRF-SPF">
<front>
<title abbrev="AFRF-SPF"> Sender Policy Framework (SPF) Authentication Failure
Reporting Using the Abuse Reporting Format </title>
<author fullname="S. Kitterman" initials="S." surname="Kitterman"> </author>
<date month="June" year="2012" />
</front>
<seriesInfo name="RFC" value="6652" />
</reference>
<reference anchor="DKIM">
<front>
<title> DomainKeys Identified Mail (DKIM) Signatures </title>
<author fullname="D. Crocker" initials="D." surname="Crocker">
<organization />
</author>
<author fullname="T. Hansen" initials="T." surname="Hansen">
<organization />
</author>
<author fullname="M. Kucherawy" initials="M." surname="Kucherawy">
<organization />
</author>
<date month="September" year="2011" />
</front>
<seriesInfo name="RFC" value="6376" />
</reference>
<reference anchor="DNS">
<front>
<title abbrev="Domain Implementation and Specification"> Domain names -
implementation and specification </title>
<author fullname="P. Mockapetris" initials="P." surname="Mockapetris">
<organization>USC/ISI</organization>
</author>
<date day="1" month="November" year="1987" />
</front>
<seriesInfo name="STD" value="13" />
<seriesInfo name="RFC" value="1035" />
</reference>
<reference anchor="DNS-CASE">
<front>
<title abbrev="DNS Case Insensitivity"> Domain Name System (DNS) Case
Insensitivity Clarification </title>
<author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake">
<organization> Motorola Laboratories </organization>
</author>
<date month="January" year="2006" />
</front>
<seriesInfo name="RFC" value="4343" />
</reference>
<reference anchor="GZIP">
<front>
<title> The 'application/zlib' and 'application/gzip' Media Types </title>
<author fullname="J. Levine" initials="J." surname="Levine">
<organization> Taughannock Networks </organization>
</author>
<date month="August" year="2012" />
</front>
<seriesInfo name="RFC" value="6713" />
</reference>
<reference anchor="IDNA">
<front>
<title> Internationalized Domain Names for Applications (IDNA): Definitions and
Document Framework </title>
<author fullname="J. Klensin" initials="J." surname="Klensin"> </author>
<date month="August" year="2000" />
</front>
<seriesInfo name="RFC" value="5890" />
</reference>
<reference anchor="IODEF">
<front>
<title> The Incident Object Description Exchange Format </title>
<author fullname="R. Danyliw" initials="R." surname="Danyliw">
<organization> CERT </organization>
</author>
<author fullname="J. Meijer" initials="J." surname="Meijer">
<organization> UNINETT </organization>
</author>
<author fullname="Y. Demchenko" initials="Y." surname="Demchenko">
<organization> University of Amsterdam </organization>
</author>
<date month="December" year="2007" />
</front>
<seriesInfo name="RFC" value="5070" />
</reference>
<reference anchor="KEYWORDS">
<front>
<title abbrev="RFC Key Words">Key words for use in RFCs to Indicate Requirement
Levels</title>
<author fullname="Scott Bradner" initials="S." surname="Bradner">
<organization>Harvard University</organization>
</author>
<date month="March" year="1997" />
</front>
<seriesInfo name="BCP" value="14" />
<seriesInfo name="RFC" value="2119" />
</reference>
<reference anchor="MAIL">
<front>
<title>Internet Message Format</title>
<author fullname="Peter W. Resnick" initials="P." role="editor"
surname="Resnick">
<organization> Qualcomm Incorporated </organization>
</author>
<date month="October" year="2008" />
</front>
<seriesInfo name="RFC" value="5322" />
</reference>
<reference anchor="MIME">
<front>
<title abbrev="Internet Message Bodies"> Multipurpose Internet Mail Extensions
(MIME) Part One: Format of Internet Message Bodies </title>
<author fullname="Ned Freed" initials="N." surname="Freed">
<organization> Innosoft International, Inc. </organization>
</author>
<author fullname="Nathaniel S. Borenstein" initials="N.S." surname="Borenstein">
<organization> First Virtual Holdings </organization>
</author>
<date month="November" year="1996" />
</front>
<seriesInfo name="RFC" value="2045" />
</reference>
<reference anchor="SMTP">
<front>
<title>Simple Mail Transfer Protocol</title>
<author fullname="J. Klensin" initials="J." surname="Klensin">
<organization />
</author>
<date month="October" year="2008" />
</front>
<seriesInfo name="RFC" value="5321" />
</reference>
<reference anchor="SPF">
<front>
<title> Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail,
Version 1 </title>
<author fullname="M. Wong" initials="M." surname="Wong">
<organization />
</author>
<author fullname="W. Schlitt" initials="W." surname="Schlitt">
<organization />
</author>
<date month="April" year="2006" />
</front>
<seriesInfo name="RFC" value="4408" />
</reference>
<reference anchor="STARTTLS">
<front>
<title> SMTP Service Extension for Secure SMTP over Transport Layer Security </title>
<author fullname="P. Hoffman" initials="P." surname="Hoffman">
<organization> Internet Mail Consortium </organization>
</author>
<date month="February" year="2002" />
</front>
<seriesInfo name="RFC" value="3207" />
</reference>
<reference anchor="URI">
<front>
<title> Uniform Resource Identifier (URI): Generic Syntax </title>
<author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee">
<organization> W3C/MIT </organization>
</author>
<author fullname="R. Fielding" initials="R." surname="Fielding">
<organization> Day Software </organization>
</author>
<author fullname="L. Masinter" initials="L." surname="Masinter">
<organization> Adobe Systems </organization>
</author>
<date month="January" year="2005" />
</front>
<seriesInfo name="RFC" value="3986" />
</reference>
</references>
<references title="Informative References">
<reference anchor="ADSP">
<front>
<title> DomainKeys Identified Mail (DKIM) Author Domain Signing Practices (ADSP) </title>
<author fullname="E. Allman" initials="E." surname="Allman">
<organization> Sendmail, Inc. </organization>
</author>
<author fullname="J. Fenton" initials="J." surname="Fenton">
<organization> Cisco Systems, Inc. </organization>
</author>
<author fullname="M. Delany" initials="M." surname="Delany">
<organization> Yahoo!, Inc. </organization>
</author>
<author fullname="J. Levine" initials="J." surname="Levine">
<organization> Taughannock Networks </organization>
</author>
<date month="August" year="2009" />
</front>
<seriesInfo name="RFC" value="5617" />
</reference>
<reference anchor="ARF">
<front>
<title> An Extensible Format for Email Feedback Reports </title>
<author fullname="Y. Shafranovich" initials="Y." surname="Shafranovich">
<organization> ShafTek Enterprises </organization>
</author>
<author fullname="J. Levine" initials="J." surname="Levine">
<organization> Taughannock Networks </organization>
</author>
<author fullname="M. Kucherawy" initials="M." surname="Kucherawy">
<organization> Cloudmark </organization>
</author>
<date month="August" year="2010" />
</front>
<seriesInfo name="RFC" value="5965" />
</reference>
<reference anchor="AUTH-RESULTS">
<front>
<title> Message Header Field for Indicating Message Authentication Status </title>
<author fullname="M. Kucherawy" initials="M." surname="Kucherawy">
<organization> Sendmail, Inc. </organization>
</author>
<date month="April" year="2009" />
</front>
<seriesInfo name="RFC" value="5451" />
</reference>
<reference anchor="Best-Guess-SPF" target="http://www.openspf.org/FAQ/Best_guess_record">
<front>
<title> Sender Policy Framework: Best guess record (FAQ entry) </title>
<author fullname="S. Kitterman" initials="S." surname="Kitterman">
<organization />
</author>
<date month="May" year="2010" />
</front>
</reference>
<reference anchor="DKIM-DEPLOYMENT">
<front>
<title> DomainKeys Identified Mail (DKIM) Development, Deployment, and
Operations </title>
<author fullname="T. Hansen" initials="T." surname="Hansen">
<organization> AT&T Laboratories </organization>
</author>
<author fullname="E. Siegel" initials="E." surname="Siegel">
<organization />
</author>
<author fullname="D. Crocker" initials="D." surname="Crocker">
<organization> Brandenburg InternetWorking </organization>
</author>
<author fullname="P. Hallam-Baker" initials="P." surname="Hallam-Baker">
<organization> Default Deny Security, Inc. </organization>
</author>
<date month="May" year="2010" />
</front>
<seriesInfo name="RFC" value="5863" />
</reference>
<reference anchor="DKIM-OVERVIEW">
<front>
<title> DomainKeys Identified Mail (DKIM) Service Overview </title>
<author fullname="T. Hansen" initials="T." surname="Hansen">
<organization> AT&T Laboratories </organization>
</author>
<author fullname="D. Crocker" initials="D." surname="Crocker">
<organization> Brandenburg InternetWorking </organization>
</author>
<author fullname="P. Hallam-Baker" initials="P." surname="Hallam-Baker">
<organization> Default Deny Security, Inc. </organization>
</author>
<date month="July" year="2009" />
</front>
<seriesInfo name="RFC" value="5585" />
</reference>
<reference anchor="DKIM-THREATS">
<front>
<title> Analysis of Threats Motivating DomainKeys Identified Mail (DKIM) </title>
<author fullname="J. Fenton" initials="J." surname="Fenton">
<organization />
</author>
<date month="September" year="2006" />
</front>
<seriesInfo name="RFC" value="4686" />
</reference>
<reference anchor="DNSSEC">
<front>
<title> DNS Security Introduction and Requirements </title>
<author fullname="R. Arends" initials="R." surname="Arends">
<organization> Telematica Instituut </organization>
</author>
<author fullname="R. Austein" initials="R." surname="Austein">
<organization> ISC </organization>
</author>
<author fullname="M. Larson" initials="M." surname="Larson">
<organization> VeriSign </organization>
</author>
<author fullname="D. Massey" initials="D." surname="Massey">
<organization> Colorado State University </organization>
</author>
<author fullname="S. Rose" initials="S." surname="Rose">
<organization> NIST </organization>
</author>
<date month="March" year="2005" />
</front>
<seriesInfo name="RFC" value="4033" />
</reference>
<reference anchor="DSN">
<front>
<title> An Extensible Message Format for Delivery Status Notifications </title>
<author fullname="K. Moore" initials="K." surname="Moore">
<organization> University of Tennessee </organization>
</author>
<author fullname="G. Vaudreuil" initials="G." surname="Vaudreuil">
<organization> Lucent Technologies </organization>
</author>
<date month="January" year="2003" />
</front>
<seriesInfo name="RFC" value="3464" />
</reference>
<reference anchor="EMAIL-ARCH">
<front>
<title> Internet Mail Architecture </title>
<author fullname="D. Crocker" initials="D." surname="Crocker">
<organization> Brandenburg InternetWorking </organization>
</author>
<date month="July" year="2009" />
</front>
<seriesInfo name="RFC" value="5598" />
</reference>
<reference anchor="IANA-CONSIDERATIONS">
<front>
<title> Guidelines for Writing an IANA Considerations Section in RFCs </title>
<author fullname="T. Narten" initials="T." surname="Narten">
<organization />
</author>
<author fullname="H. Alvestrand" initials="H." surname="Alvestrand">
<organization />
</author>
<date month="May" year="2008" />
</front>
<seriesInfo name="BCP" value="26" />
<seriesInfo name="RFC" value="5226" />
</reference>
<reference anchor="ROLES">
<front>
<title> Mailbox Names for Common Services, Roles and Functions </title>
<author fullname="D. Crocker" initials="D." surname="Crocker">
<organization> Internet Mail Consortium </organization>
</author>
<date month="May" year="1997" />
</front>
<seriesInfo name="RFC" value="2142" />
</reference>
</references>
<section anchor="app_choices" title="Technology Considerations">
<t> This section documents some design decisions that were made in the development of
DMARC. Specifically, addressed here are some suggestions that were considered but
not included in the design. This text is included to explain why they were
considered and not included in this version. </t>
<section anchor="app_choices_smime" title="S/MIME">
<t> S/MIME, or Secure Multipurpose Internet Mail Extensions, is a standard for
encryption and signing of MIME data in a message. This was suggested and
considered as a third security protocol for authenticating the source of a
message. </t>
<t> DMARC is focused on authentication at the domain level (i.e., the Domain Owner
taking responsibility for the message), while S/MIME is really intended for
user-to-user authentication and encryption. This alone appears to make it a bad
fit for DMARC's goals. </t>
<t> S/MIME also suffers from the heavyweight problem of Public Key Infrastructure,
which means distribution of keys used to verify signatures needs to be
incorporated. In many instances, this alone is a showstopper. There have been
consistent promises that PKI usability and deployment will improve, but these
have yet to materialize. DMARC can revisit this choice after those barriers are
addressed. </t>
<t> S/MIME has extensive deployment in specific market segments (government, for
example), but does not enjoy similar widespread deployment over the general
Internet, and this shows no signs of changing. DKIM and SPF both are deployed
widely over the general Internet and their adoption rates continue to be
positive. </t>
<t> Finally, experiments have shown that including S/MIME support in the initial
version of DMARC would neither cause nor enable a substantial increase in the
accuracy of the overall mechanism. </t>
</section>
<section anchor="app_choices_exclusion" title="Method Exclusion">
<t> It was suggested that DMARC include a mechanism by which a Domain Owner could
tell Message Receivers not to attempt validation by one of the supported methods
(e.g., "check DKIM, but not SPF"). </t>
<t> Specifically, consider a Domain Owner that has deployed one of the technologies,
and that technology fails for some messages, but such failures don't cause
enforcement action. Deploying DMARC would cause enforcement action for policies
other than "none", which would appear to exclude participation by that Domain
Owner. </t>
<t> The DMARC development team evaluated the idea of policy exception mechanisms on
several occasions and invariably concluded that there was not a strong enough
use case to include them. The specific target audience for DMARC does not appear
to have concerns about the failure modes of one or the other being a barrier to
DMARC's adoption. </t>
<t> In the scenario described above, the Domain Owner has a few options: <list
style="numbers">
<t> Tighten up its infrastructure to minimize the failure modes of the
single deployed technology. </t>
<t> Deploy the other supported authentication mechanism, to offset the
failure modes of the first. </t>
<t> Deploy DMARC in a reporting-only mode. </t>
</list>
</t>
</section>
<section anchor="app_choices_sender" title="Sender Header Field">
<t> It has been suggested in several message authentication efforts that the Sender
header field be checked for an identifier of interest, as the standards indicate
this as the proper way to indicate a re-mailing of content such as through a
mailing list. Most recently, it was a protocol-level option for DomainKeys, but
on evolution to DKIM, this property was removed. </t>
<t> The DMARC development team considered this and decided not to include support
for doing so, for two primary reasons: <list style="numbers">
<t> The main user protection approach is to be concerned with what the user
sees when a message is rendered. There is no consistent behavior among
MUAs regarding what to do with the content of the Sender field, if
present. Accordingly, supporting checking of the Sender identifier would
mean applying policy to an identifier the end user might never actually
see, which can create a vector for attack against end users by simply
forging a Sender field containing some identifier that DMARC will like. </t>
<t> Although it is certainly true that this is what Sender is for, its use
in this way is also unreliable, making it a poor candidate for inclusion
in the DMARC evaluation algorithm. </t>
<t> Allowing multiple ways to discover policy introduces unacceptable
ambiguity into the DMARC evaluation algorithm in terms of which policy
is to be applied and when. </t>
</list>
</t>
</section>
<section anchor="app_dom_exist" title="Domain Existence Test">
<t> A common practice among MTA operators, and indeed one documented in <xref
target="ADSP" />, is a test to determine domain existence prior to any more
expensive processing. This is typically done by querying the DNS for MX, A or
AAAA resource records for the name being evaluated, and assuming the domain is
non-existent if it could be determined that no such records were published for
that domain name. </t>
<t> The original pre-standardization version of this protocol included a mandatory
check of this nature. It was ultimately removed, as the method's error rate was
too high without substantial manual tuning and heuristic work. There are indeed
use cases this work needs to address where such a method would return a negative
result about a domain for which reporting is desired, such as a registered
domain name that never sends legitimate mail and thus has none of these records
present in the DNS. </t>
</section>
<section anchor="issues_with_adsp" title="Issues With ADSP In Operation">
<t>DMARC has been characterized as a "super-ADSP" of sorts. </t>
<t>Contributors to DMARC have compiled a list of issues associated with ADSP, gained
from operational experience, that have influenced the direction of DMARC: <list
style="numbers">
<t> ADSP has no support for subdomains, i.e., the ADSP record for
example.com does not explicitly or implicitly apply to
subdomain.example.com. If wildcarding is not applied, then spammers can
trivially bypass ADSP by sending from a subdomain with no ADSP record. </t>
<t> Non-existent subdomains are explicitly out of scope in ADSP. There is
nothing in ADSP that states receivers should simply reject mail from
NXDOMAINs regardless of ADSP policy (which of course allows spammers to
trivially bypass ADSP by sending email from non-existent subdomains). </t>
<t> ADSP has no operational advice on when to look up the ADSP record. </t>
<t> ADSP has no support for using SPF as an auxiliary mechanism to DKIM. </t>
<t> ADSP has no support for a slow roll-out, i.e., no way to configure a
percentage of email on which the receiver should apply the policy. This
is important for large-volume senders. </t>
<t> ADSP has no explicit support for an intermediate phase where the
receiver quarantines (e.g., sends to the recipient's "spam" folder)
rather than rejects the email. </t>
<t> The binding between the "From" header domain and DKIM is too tight for
ADSP; they must match exactly. </t>
</list></t>
</section>
<section anchor="od_issues" title="Organizational Domain Discovery Issues">
<t> Although protocols like ADSP are useful for "protecting" a specific domain name,
they are not helpful at protecting subdomains. If one wished to protect
"example.com" by requiring via ADSP that all mail bearing an RFC5322.From domain
of "example.com" be signed, this would "protect" that domain; however, one could
then craft an email whose RFC5322.From domain is "security.example.com", and
ADSP would not provide any protection. One could use a DNS wildcard, but this
can undesirably interfere with other DNS activity; one could add ADSP records as
fraudulent domains are discovered, but this solution does not scale and is a
purely reactive measure against abuse. </t>
<t> The DNS does not provide a method by which the "domain of record", or the domain
that was actually registered with a domain registrar, can be determined given an
arbitrary domain name. Suggestions have been made that attempt to glean such
information from SOA or NS resource records, but these too are not fully
reliable as the partitioning of the DNS is not always done at administrative
boundaries. </t>
<t> When seeking domain-specific policy based on an arbitrary domain name, one could
"climb the tree", dropping labels off the left end of the name until the root is
reached or a policy is discovered, but then one could craft a name that has a
large number of nonsense labels; this would cause a Mail Receiver to attempt a
large number of queries in search of a policy record. Sending many such messages
constitutes an amplified denial-of-service attack. </t>
<t> The Organizational Domain mechanism is a necessary component to the goals of
DMARC. The method described in <xref target="terms_and_defs" /> is far from perfect,
but serves this purpose reasonably well without adding undue burden or semantics
to the DNS. If a method is created to do so that is more reliable and secure than
the use of a public suffix list, DMARC should be amended to use that method as soon
as it is generally available. </t>
<section anchor="suffixes" title="Public Suffix Lists">
<t> A public suffix list for the purposes of determining the Organizational
Domain can be obtained from various sources. The most common one is
maintained by the Mozilla Foundation and made public at
http://publicsuffix.org. License terms governing the use of that list are
available at that URI. </t>
<t> Note that if operators use a variety of public suffix lists,
interoperability will be difficult or impossible to guarantee. </t>
</section>
</section>
</section>
<section anchor="examples" title="Examples">
<t> This section illustrates both the Domain Owner side and the Mail Receiver side of a
DMARC exchange. </t>
<section anchor="ex_id_align" title="Identifier Alignment examples">
<t> The following examples illustrate the DMARC mechanism's use of Identifier
Alignment. For brevity's sake, only message headers are shown as message bodies
are not considered when conducting DMARC checks. </t>
<section anchor="ex_spf_id_align" title="SPF">
<t> The following SPF examples assume that SPF produces a passing result. </t>
<t>
<figure>
<preamble> Example 1: SPF in alignment: </preamble>
<artwork>
MAIL FROM: <sender@example.com>
From: sender@example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org
Subject: here's a sample</artwork>
<postamble> SPF In Alignment </postamble>
</figure>
</t>
<t> In this case, the RFC5321.MailFrom parameter and the RFC5322.From field have
identical DNS domains. Thus, the identifiers are in alignment. </t>
<t>
<figure>
<preamble> Example 2: SPF in alignment (parent): </preamble>
<artwork>
MAIL FROM: <sender@child.example.com>
From: sender@example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org
Subject: here's a sample</artwork>
<postamble> SPF In Alignment (Parent) </postamble>
</figure>
</t>
<t> In this case, the RFC5322.From parameter includes a DNS domain that is a
parent of the RFC5321.MailFrom domain. Thus, the identifiers are in alignment if
"relaxed" SPF mode is requested by the Domain Owner, and not in alignment if
"strict" SPF mode is requested. </t>
<t>
<figure>
<preamble> Example 3: SPF not in alignment: </preamble>
<artwork>
MAIL FROM: <sender@sample.net>
From: sender@child.example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org
Subject: here's a sample</artwork>
<postamble> SPF Not In Alignment </postamble>
</figure>
</t>
<t> In this case, the RFC5321.MailFrom parameter includes a DNS domain that is
neither the same as nor a parent of the RFC5322.From domain. Thus, the
identifiers are not in alignment. </t>
</section>
<section anchor="ex_dkim_id_align" title="DKIM">
<t> The examples below assume the DKIM signatures pass verification. Alignment
cannot exist with a DKIM signature that does not verify. </t>
<t>
<figure>
<preamble> Example 1: DKIM in alignment: </preamble>
<artwork>
DKIM-Signature: v=1; ...; d=example.com; ...
From: sender@example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org
Subject: here's a sample</artwork>
<postamble> DKIM In Alignment </postamble>
</figure>
</t>
<t> In this case, the DKIM "d=" parameter and the RFC5322.From field have
identical DNS domains. Thus, the identifiers are in alignment. </t>
<t>
<figure>
<preamble> Example 2: DKIM in alignment (parent): </preamble>
<artwork>
DKIM-Signature: v=1; ...; d=example.com; ...
From: sender@child.example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org
Subject: here's a sample</artwork>
<postamble> DKIM In Alignment (Parent) </postamble>
</figure>
</t>
<t> In this case, the DKIM signature's "d=" parameter includes a DNS domain that
is a parent of the RFC5322.From domain. Thus, the identifiers are in
alignment. </t>
<t>
<figure>
<preamble> Example 3: DKIM not in alignment: </preamble>
<artwork>
DKIM-Signature: v=1; ...; d=sample.net; ...
From: sender@child.example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org
Subject: here's a sample</artwork>
<postamble> DKIM Not In Alignment </postamble>
</figure>
</t>
<t> In this case, the DKIM signature's "d=" parameter includes a DNS domain that
is neither the same as nor a parent of the RFC5322.From domain. Thus, the
identifiers are not in alignment. </t>
</section>
</section>
<section anchor="ex_owner" title="Domain Owner example">
<t> A Domain Owner that wants to use DMARC should have already deployed and tested
SPF and DKIM. The next step is to publish a DNS record that advertises a DMARC
policy for the Domain Owner's organizational domain. </t>
<section anchor="ex_owner_1" title="Entire Domain, Monitoring Only">
<t> The owner of the domain "example.com" has deployed SPF and DKIM on its
messaging infrastructure. The owner wishes to begin using DMARC with a
policy that will solicit aggregate feedback from receivers without affecting
how the messages are processed, in order to: <list style="symbols">
<t> Confirm that its legitimate messages are authenticating correctly </t>
<t> Verify that all authorized message sources have implemented
authentication measures </t>
<t> Determine how many messages from other sources would be affected by
a blocking policy </t>
</list></t>
<t> The Domain Owner accomplishes this by constructing a policy record
indicating that: <list style="symbols">
<t> The version of DMARC being used is "DMARC1" ("v=DMARC1") </t>
<t> Receivers should not alter how they treat these messages because of
this DMARC policy record ("p=none") </t>
<t> Aggregate feedback reports should be sent via email to the address
"dmarc-feedback@example.com"
("rua=mailto:dmarc-feedback@example.com") </t>
<t> All messages from this organizational domain are subject to this
policy (no "pct" tag present, so the default of 100% applies) </t>
</list></t>
<t> The DMARC policy record might look like this when retrieved using a common
command-line tool: <figure>
<artwork>
% dig +short TXT _dmarc.example.com.
"v=DMARC1; p=none; rua=mailto:dmarc-feedback@example.com"</artwork>
</figure></t>
<t> To publish such a record, the DNS administrator for the Domain Owner creates
an entry like the following in the appropriate zone file (following the
conventional zone file format): <figure>
<artwork>
; DMARC record for the domain example.com
_dmarc IN TXT ( "v=DMARC1; p=none; "
"rua=mailto:dmarc-feedback@example.com" )</artwork>
</figure></t>
</section>
<section anchor="ex_owner_2"
title="Entire Domain, Monitoring Only, Per-Message Reports">
<t> The Domain Owner from the previous example has used the aggregate reporting
to discover some messaging systems that had not yet implemented DKIM
correctly, but they are still seeing periodic authentication failures. In
order to diagnose these intermittent problems they wish to request
per-message failure reports when authentication failures occur. </t>
<t> Not all Receivers will honor such a request, but the Domain Owner feels that
any reports it does receive will be helpful enough to justify publishing
this record. The default per-message report format (<xref target="AFRF" />)
meets the Domain Owner's needs in this scenario. </t>
<t> The Domain Owner accomplishes this by adding the following to its policy
record from <xref target="ex_owner" />): <list style="symbols">
<t> Per-message failure reports should be sent via email to the address
"auth-reports@example.com" ("ruf=mailto:auth-reports@example.com")
</t>
</list>
</t>
<t> The DMARC policy record might look like this when retrieved using a common
command-line tool (the output shown would appear on a single line, but is
wrapped here for publication): <figure>
<artwork>
% dig +short TXT _dmarc.example.com.
"v=DMARC1; p=none; rua=mailto:dmarc-feedback@example.com;
ruf=mailto:auth-reports@example.com"</artwork>
</figure>
</t>
<t> To publish such a record, the DNS administrator for the Domain Owner might
create an entry like the following in the appropriate zone file (following
the conventional zone file format): <figure>
<artwork>
; DMARC record for the domain example.com
_dmarc IN TXT ( "v=DMARC1; p=none; "
"rua=mailto:dmarc-feedback@example.com; "
"ruf=mailto:auth-reports@example.com" )</artwork>
</figure>
</t>
</section>
<section anchor="ex_owner_2_1"
title="Per-Message Failure Reports Directed to Third Party">
<t> The Domain Owner from the previous example is maintaining the same policy,
but now wishes to have a third party receive and process the per-message
failure reports. Again, not all Receivers will honor this request, but those
that do may implement additional checks to validate that the third party
wishes to receive the failure reports for this domain. </t>
<t> The Domain Owner needs to alter its policy record from <xref
target="ex_owner_2" /> as follows: <list style="symbols">
<t> Per message failure reports should be send via email to the address
"auth-reports@thirdparty.example.net"
("ruf=mailto:auth-reports@thirdparty.example.net") </t>
</list>
</t>
<t> The DMARC policy record might look like this when retrieved using a common
command-line tool (the output shown would appear on a single line, but is
wrapped here for publication): <figure>
<artwork>
% dig +short TXT _dmarc.example.com.
"v=DMARC1; p=none; rua=mailto:dmarc-feedback@example.com;
ruf=mailto:auth-reports@thirdparty.example.net"</artwork>
</figure>
</t>
<t> To publish such a record, the DNS administrator for the Domain Owner might
create an entry like the following in the appropriate zone file (following
the conventional zone file format): <figure>
<artwork>
; DMARC record for the domain example.com
_dmarc IN TXT ( "v=DMARC1; p=none; "
"rua=mailto:dmarc-feedback@example.com; "
"ruf=mailto:auth-reports@thirdparty.example.net" )</artwork>
</figure></t>
<t> Because the address used in the "ruf" tag is outside the Organizational
Domain in which this record is published, conforming Receivers will
implement additional checks as described in <xref target="fb_verify" /> of
this document. In order to pass these additional checks, the third party
will need to publish an additional DNS record as follows: <list
style="symbols">
<t> Given the DMARC record published by the Domain Owner at
"_dmarc.example.com", the DNS administrator for the third party will
need to publish a TXT resource record at
"example.com._report._dmarc.thirdparty.example.net" with the value
"v=DMARC1". </t>
</list>
</t>
<t> The resulting DNS record might look like this when retrieved using a common
command-line tool (the output shown would appear on a single line, but is
wrapped here for publication): <figure>
<artwork>
% dig +short TXT example.com._report._dmarc.thirdparty.example.net
"v=DMARC1"</artwork>
</figure></t>
<t> To publish such a record, the DNS administrator for example.net might create
an entry like the following in the appropriate zone file (following the
conventional zone file format): <figure>
<artwork>
; zone file for thirdparty.example.net
; Accept DMARC failure reports on behalf of example.com
example.com._report._dmarc IN TXT "v=DMARC1"</artwork>
</figure></t>
<t> Intermediaries and other third parties should refer to <xref
target="fb_verify" /> for the full details of this mechanism. </t>
</section>
<section anchor="ex_owner_3"
title="Sub-Domain, Sampling, and Multiple Aggregate Report URIs">
<t> The Domain Owner has implemented SPF and DKIM in a sub-domain used for
pre-production testing of messaging services. It now wishes to request that
participating receivers act to reject messages from this sub-domain that
fail to authenticate. </t>
<t> As a first step it will ask that a portion (1/4 in this example) of failing
messages be quarantined, enabling examination of messages sent to mailboxes
hosted by participating receivers. Aggregate feedback reports will be sent
to a mailbox within the Organizational Domain, and to a mailbox at a third
party selected and authorized to receive same by the Domain Owner. Aggregate
reports sent to the third party are limited to a maximum size of ten
megabytes. </t>
<t> The Domain Owner will accomplish this by constructing a policy record
indicating that: <list style="symbols">
<t> The version of DMARC being used is "DMARC1" ("v=DMARC1") </t>
<t> It is applied only to this sub-domain (record is published at
"_dmarc.test.example.com" and not "_dmarc.example.com") </t>
<t> Receivers should quarantine messages from this organizational domain
that fail to authenticate ("p=quarantine") </t>
<t> Aggregate feedback reports should be sent via email to the addresses
"dmarc-feedback@example.com" and
"example-tld-test@thirdparty.example.net", with the latter subjected
to a maximum size limit
("rua=mailto:dmarc-feedback@example.com,mailto:tld-test@thirdparty.example.net!10m") </t>
<t> 25% of messages from this Organizational Domain are subject to
action based on this policy ("pct=25") </t>
</list></t>
<t> The DMARC policy record might look like this when retrieved using a common
command-line tool (the output shown would appear on a single line, but is
wrapped here for publication): <figure>
<artwork>
% dig +short TXT _dmarc.test.example.com
"v=DMARC1; p=quarantine; rua=mailto:dmarc-feedback@example.com,
mailto:tld-test@thirdparty.example.net!10m; pct=25"</artwork>
</figure></t>
<t> To publish such a record, the DNS administrator for the Domain Owner might
create an entry like the following in the appropriate zone file: <figure>
<artwork>
; DMARC record for the domain example.com
_dmarc IN TXT ( "v=DMARC1; p=quarantine; "
"rua=mailto:dmarc-feedback@example.com,"
"mailto:tld-test@thirdparty.example.net!10m; "
"pct=25" )</artwork>
</figure></t>
</section>
<section anchor="ex_third" title="Third Party Sender and Identifier Alignment">
<t> The Domain Owner only uses the top-level domain for email, and uses a
third-party sender for some marketing message traffic. It has implemented
SPF and DKIM across its in-house infrastructure and required the third-party
to do the same. A monitoring period has shown that the Domain Owner and the
third-party sender are both executing well with respect to email
authentication measures. </t>
<t> The third-party has access to the appropriate DKIM private or signing keys
for the selectors it will use. However the third-party uses sub-domains like
"id1234.bounces.example.com" in the RFC5321.MailFrom address for campaign
tracking and troubleshooting purposes. The sub-domain "bounces.example.com"
has been delegated to the third-party so that it can publish appropriate MX
records in the DNS. </t>
<t> Therefore the Domain Owner wishes to publish a policy that requests
rejection of messages which fail to authenticate, strict identifier
alignment for DKIM authentication, and relaxed identifier alignment for SPF
checks. Aggregate reports will only be sent to the Domain Owner in this
example. </t>
<t> The Domain Owner will accomplish this by constructing a policy record
indicating that: <list style="symbols">
<t> The version of DMARC being used is "DMARC1" ("v=DMARC1") </t>
<t> Receivers should reject messages that fail to authenticate
("p=reject") </t>
<t> Strict identifier alignment should be applied to DKIM checks
("adkim=s") </t>
<t> Relaxed identifier alignment should be applied to SPF checks
("aspf=r") </t>
<t> Aggregate feedback reports should be sent via email to the address
"dmarc-feedback@example.com"
("rua=mailto:dmarc-feedback@example.com") </t>
</list>
</t>
<t> The DMARC policy record might look like this when retrieved using a common
command-line tool (the output shown would appear on a single line, but is
wrapped here for publication): <figure>
<artwork>
% dig +short TXT _dmarc.example.com
"v=DMARC1; p=reject; adkim=s; aspf=r;
rua=mailto:dmarc-feedback@example.com"</artwork>
</figure>
</t>
<t> To publish such a record, the DNS administrator for the Domain Owner might
create an entry like the following in the appropriate zone file: <figure>
<artwork>
; DMARC record for the domain example.com
_dmarc IN TXT ( "v=DMARC1; p=reject; adkim=s; aspf=r; "
"rua=mailto:dmarc-feedback@example.com" )</artwork>
</figure>
</t>
</section>
<section anchor="ex_subdomain" title="Sub-Domain Policy, Reporting Interval">
<t> In this example the Domain Owner only uses addresses in the Organizational
Domain itself ("user@example.com" versus "user@sub.example.com"). A business
decision has been made that messages incorrectly being rejected as false
positives during, for example, a transient outage are unacceptable.
Therefore, the desired policy is that: <list style="symbols">
<t> Messages from the Organizational Domain that fail authentication
should be quarantined </t>
<t> Messages from any sub-domain should be rejected </t>
</list>
</t>
<t> Furthermore the Domain Owner would like to request that aggregate data be
sent at four hour intervals to themselves and a third-party service for
analysis and action. It recognizes that not all Receivers will honor this
request, but feels that faster intra-day analysis of failures and threats
make this worthwhile. </t>
<t> The Domain Owner will accomplish this by constructing a policy record
indicating that: <list style="symbols">
<t> The version of DMARC being used is "DMARC1" ("v=DMARC1") </t>
<t> Receivers should quarantine messages from this domain that fail to
authenticate ("p=quarantine") </t>
<t> Receivers should reject messages from any sub-domains that fail to
authenticate ("sp=reject") </t>
<t> Aggregate reports should be generated every four hours ("ri=14400") </t>
<t> Aggregate reports should be sent via email to the addresses
"dmarc-feedback@example.com" and
"customer-analysis@thirdparty.example.net"
("rua=mailto:dmarc-feedback@example.com,mailto:customer-data@thirdparty.example.net")
</t>
</list>
</t>
<t> The DMARC policy record might look like this when retrieved using a common
command-line tool (the output shown would appear on a single line, but is
wrapped here for publication): <figure>
<artwork>
% dig +short TXT _dmarc.example.com
"v=DMARC1; p=quarantine; sp=reject; ri=14400;
rua=mailto:dmarc-feedback@example.com,
mailto:customer-data@thirdparty.example.net"</artwork>
</figure></t>
<t> To publish such a record, the DNS administrator for the Domain Owner might
create an entry like the following in the appropriate zone file: <figure>
<artwork>
; DMARC record for the domain example.com
_dmarc IN TXT ( "v=DMARC1; p=quarantine; sp=reject; "
"rua=mailto:dmarc-feedback@example.com,"
"mailto:customer-data@thirdparty.example.net" )</artwork>
</figure></t>
</section>
</section>
<section anchor="ex_receiver" title="Mail Receiver Example">
<t> A Mail Receiver that wants to use DMARC should already be checking SPF and DKIM,
and possess the ability to collect relevant information from various email
processing stages to provide feedback to Domain Owners. </t>
<section anchor="ex_smtp" title="SMTP-time Processing">
<t> An optimal DMARC-enabled Mail Receiver performs authentication and
identifier alignment checking during the <xref target="SMTP" />
conversation. </t>
<t> Prior to returning a reply to the DATA command, the Mail Receiver's MTA has
performed: <list style="numbers">
<t> An SPF check to determine an SPF-authenticated Identifier. </t>
<t> DKIM checks that yield one or more DKIM-authenticated Identifiers. </t>
<t> A DMARC policy lookup. </t>
</list>
</t>
<t> The presence of an Author Domain DMARC record indicates that the Mail
Receiver should continue with DMARC-specific processing before returning a
reply to the DATA command. </t>
<t> Given a DMARC record and the set of Authenticated Identifiers, the Mail
Receiver checks to see if the Authenticated Identifiers align with the
Author Domain (taking into consideration any "strict" vs "relaxed" options
found in the DMARC record). </t>
<t> For example, the following sample data is considered to be from a piece of
email originating from the Domain Owner of "example.com": <figure>
<artwork>
Author Domain: example.com
SPF-authenticated Identifier: mail.example.com
DKIM-authenticated Identifier: example.com
DMARC record:
"v=DMARC1; p=reject; aspf=r;
rua=mailto:dmarc-feedback@example.com"</artwork>
</figure>
</t>
<t> In the above sample, both the SPF and the DKIM-authenticated Identifiers
align with the Author Domain. The Mail Receiver considers the above email to
pass the DMARC check, avoiding the "reject" policy that is to be applied to
email that fails to pass the DMARC check. </t>
<t> If no Authenticated Identifiers align with the Author Domain, then the Mail
Receiver applies the DMARC-record-specified policy. However, before this
action is taken, the Mail Receiver can consult external information to
override the Domain Owner's policy. For example, if the Mail Receiver knows
that this particular email came from a known and trusted forwarder (that
happens to break both SPF and DKIM), then the Mail Receiver may choose to
ignore the Domain Owner's policy. </t>
<t> The Mail Receiver is now ready to reply to the DATA command. If the DMARC
check yields that the message is to be rejected, then the Mail Receiver
replies with a 5xy code to inform the sender of failure. If the DMARC check
cannot be resolved due to transient network errors, then the Mail Receiver
replies with a 4xy code to inform the sender as to the need to reattempt
delivery later. If the DMARC check yields a passing message, then the Mail
Receiver continues on with email processing, perhaps using the result of the
DMARC check as an input to additional processing modules such as a domain
reputation query. </t>
<t> Before exiting DMARC-specific processing, the Mail Receiver checks to see if
the Author Domain DMARC record requests AFRF-based reporting. If so, then
the Mail Receiver can emit an AFRF to the reporting address supplied in the
DMARC record. </t>
<t> At the exit of DMARC-specific processing, the Mail Receiver captures
(through logging or direct insertion into a data store) the result of DMARC
processing. Captured information is used to build feedback for Domain Owner
consumption. This is not necessary if the Domain Owner has not requested
aggregate reports, i.e., no "rua" tag was found in the policy record. </t>
</section>
<section anchor="ex_afrf" title="Real-time Feedback Processing">
<t> If the DMARC record for the Author Domain of the message under processing
requests <xref target="AFRF" />-based reporting, then the Mail Receiver can
supply an AFRF report for a message that does not pass all underlying DMARC
authentication checks. In other words, if any DMARC-supporting
authentication checks fail, an AFRF report should be generated and sent to
the reporting address found in the Author Domain's DMARC record. </t>
</section>
</section>
<section anchor="ex_ag_fb" title="Utilization of Aggregate Feedback example">
<t> Aggregate feedback is consumed by Domain Owners to verify the Domain Owners
understanding of how the Domain Owner's Domain is being processed by the Mail
Receiver. Aggregate reporting data on emails that pass all DMARC-supporting
authentication checks is used by Domain Owners to verify that authentication
practices remain accurate. For example, if a third party is sending on behalf of
a Domain Owner, the Domain Owner can use aggregate report data to verify ongoing
authentication practices of the third party. </t>
<t> Data on email that only partially passes underlying authentication checks
provides visibility into problems that need to be addressed by the Domain Owner.
For example, if either SPF or DKIM fail to pass, the Domain Owner is provided
with enough information to either directly correct the problem or to understand
where authentication-breaking changes are being introduced in the email
transmission path. If authentication-breaking changes due to email transmission
path cannot be directly corrected, then the Domain Owner at least maintains an
understanding of the effect of DMARC-based policies upon the Domain Owner's
email. </t>
<t> Data on email that fails all underlying authentication checks provides baseline
visibility on how the Domain Owner's Domain is being received at the Mail
Receiver. Based on this visibility, the Domain Owner can begin deployment of
authentication technologies across uncovered email sources. Additionally, the
Domain Owner may come to an understanding of how its Domain is being misused.
</t>
</section>
<section anchor="ex_mailto" title="mailto Transport example">
<t> A DMARC record can contain a "mailto" reporting address, such as: <figure>
<artwork>
mailto:dmarc-feedback@example.com</artwork>
</figure></t>
<t> A sample aggregate report from the Mail Receiver at mail.receiver.example
follows: <figure>
<artwork>
DKIM-Signature: v=1; ...; d=mail.receiver.example; ...
From: dmarc-reporting@mail.receiver.example
Date: Fri, Feb 15 2002 16:54:30 -0800
To: dmarc-feedback@example.com
Subject: Report Domain: example.com
Submitter: mail.receiver.example
Report-ID: <2002.02.15.1>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_024E_01CC9B0A.AFE54C00"
Content-Language: en-us
This is a multipart message in MIME format.
------=_NextPart_000_024E_01CC9B0A.AFE54C00
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
This is an aggregate report from mail.receiver.example.
------=_NextPart_000_024E_01CC9B0A.AFE54C00
Content-Type: application/gzip
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="mail.receiver.example!example.com!
1013662812!1013749130.gz"
<gzipped content of report>
------=_NextPart_000_024E_01CC9B0A.AFE54C00--</artwork>
</figure></t>
<t> Not shown in the above example is that the Mail Receiver's feedback should be
authenticated using SPF. Also, the value of the "filename" MIME parameter is
wrapped for printing in this specification but would normally appear as one
continuous string. </t>
</section>
</section>
<!-- Examples -->
<section anchor="xml_schema" title="DMARC XML Schema">
<t> The following is the proposed initial schema for producing XML formatted aggregate
reports as described in this memo. </t>
<t> NOTE: Per the definition of XML, unless otherwise specified in the schema below, the
minOccurs and maxOccurs values for each element is set to 1. <figure>
<artwork>
<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://dmarc.org/dmarc-xml/0.1">
<!-- The time range in UTC covered by messages in this report,
specified in seconds since epoch. -->
<xs:complexType name="DateRangeType">
<xs:all>
<xs:element name="begin" type="xs:integer"/>
<xs:element name="end" type="xs:integer"/>
</xs:all>
</xs:complexType>
<!-- Report generator metadata -->
<xs:complexType name="ReportMetadataType">
<xs:sequence>
<xs:element name="org_name" type="xs:string"/>
<xs:element name="email" type="xs:string"/>
<xs:element name="extra_contact_info" type="xs:string"
minOccurs="0"/>
<xs:element name="report_id" type="xs:string"/>
<xs:element name="date_range" type="DateRangeType"/>
<xs:element name="error" type="xs:string" minOccurs="0"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<!-- Alignment mode (relaxed or strict) for DKIM and
SPF. -->
<xs:simpleType name="AlignmentType">
<xs:restriction base="xs:string">
<xs:enumeration value="r"/>
<xs:enumeration value="s"/>
</xs:restriction>
</xs:simpleType>
<!-- The policy actions specified by p and sp in the
DMARC record. -->
<xs:simpleType name="DispositionType">
<xs:restriction base="xs:string">
<xs:enumeration value="none"/>
<xs:enumeration value="quarantine"/>
<xs:enumeration value="reject"/>
</xs:restriction>
</xs:simpleType>
<!-- The DMARC policy that applied to the messages in
this report. -->
<xs:complexType name="PolicyPublishedType">
<xs:all>
<!-- The domain at which the DMARC record was found. -->
<xs:element name="domain" type="xs:string"/>
<!-- The DKIM alignment mode. -->
<xs:element name="adkim" type="AlignmentType"
minOccurs="0"/>
<!-- The SPF alignment mode. -->
<xs:element name="aspf" type="AlignmentType"
minOccurs="0"/>
<!-- The policy to apply to messages from the domain. -->
<xs:element name="p" type="DispositionType"/>
<!-- The policy to apply to messages from subdomains. -->
<xs:element name="sp" type="DispositionType"/>
<!-- The percent of messages to which policy applies. -->
<xs:element name="pct" type="xs:integer"/>
<!-- Failure reporting options in effect. -->
<xs:element name="fo" type="xs:string"/>
</xs:all>
</xs:complexType>
<!-- The DMARC-aligned authentication result. -->
<xs:simpleType name="DMARCResultType">
<xs:restriction base="xs:string">
<xs:enumeration value="pass"/>
<xs:enumeration value="fail"/>
</xs:restriction>
</xs:simpleType>
<!-- Reasons that may affect DMARC disposition or execution
thereof. -->
<xs:simpleType name="PolicyOverrideType">
<xs:restriction base="xs:string">
<xs:enumeration value="forwarded"/>
<xs:enumeration value="sampled_out"/>
<xs:enumeration value="trusted_forwarder"/>
<xs:enumeration value="mailing_list"/>
<xs:enumeration value="local_policy"/>
<xs:enumeration value="other"/>
</xs:restriction>
</xs:simpleType>
<!-- How do we allow report generators to include new
classes of override reasons if they want to be more
specific than "other"? -->
<xs:complexType name="PolicyOverrideReason">
<xs:all>
<xs:element name="type" type="PolicyOverrideType"/>
<xs:element name="comment" type="xs:string"
minOccurs="0"/>
</xs:all>
</xs:complexType>
<!-- Taking into account everything else in the record,
the results of applying DMARC. -->
<xs:complexType name="PolicyEvaluatedType">
<xs:sequence>
<xs:element name="disposition" type="DispositionType"/>
<xs:element name="dkim" type="DMARCResultType"/>
<xs:element name="spf" type="DMARCResultType"/>
<xs:element name="reason" type="PolicyOverrideReason"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<!-- Credit to Roger L. Costello for IPv4 regex
http://mailman.ic.ac.uk/pipermail/xml-dev/1999-December/
018018.html -->
<!-- Credit to java2s.com for IPv6 regex
http://www.java2s.com/Code/XML/XML-Schema/
IPv6addressesareeasiertodescribeusingasimpleregex.htm -->
<xs:simpleType name="IPAddress">
<xs:restriction base="xs:string">
<xs:pattern value="((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]).){3}
(1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])|
([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="RowType">
<xs:all>
<!-- The connecting IP. -->
<xs:element name="source_ip" type="IPAddress"/>
<!-- The number of matching messages -->
<xs:element name="count" type="xs:integer"/>
<!-- The DMARC disposition applying to matching
messages. -->
<xs:element name="policy_evaluated"
type="PolicyEvaluatedType"
minOccurs="1"/>
</xs:all>
</xs:complexType>
<xs:complexType name="IdentifierType">
<xs:all>
<!-- The envelope recipient domain. -->
<xs:element name="envelope_to" type="xs:string"
minOccurs="0"/>
<!-- The envelope from domain. -->
<xs:element name="envelope_from" type="xs:string"
minOccurs="1"/>
<!-- The payload From domain. -->
<xs:element name="header_from" type="xs:string"
minOccurs="1"/>
</xs:all>
</xs:complexType>
<!-- DKIM verification result, according to RFC 5451
Section 2.4.1. -->
<xs:simpleType name="DKIMResultType">
<xs:restriction base="xs:string">
<xs:enumeration value="none"/>
<xs:enumeration value="pass"/>
<xs:enumeration value="fail"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="neutral"/>
<xs:enumeration value="temperror"/>
<xs:enumeration value="permerror"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="DKIMAuthResultType">
<xs:all>
<!-- The d= parameter in the signature -->
<xs:element name="domain" type="xs:string"
minOccurs="1"/>
<!-- The s= parameter in the signature -->
<xs:element name="selector" type="xs:string"
minOccurs="0"/>
<!-- The DKIM verification result -->
<xs:element name="result" type="DKIMResultType"
minOccurs="1"/>
<!-- Any extra information (e.g., from
Authentication-Results -->
<xs:element name="human_result" type="xs:string"
minOccurs="0"/>
</xs:all>
</xs:complexType>
<!-- SPF domain scope -->
<xs:simpleType name="SPFDomainScope">
<xs:restriction base="xs:string">
<xs:enumeration value="helo"/>
<xs:enumeration value="mfrom"/>
</xs:restriction>
</xs:simpleType>
<!-- SPF result -->
<xs:simpleType name="SPFResultType">
<xs:restriction base="xs:string">
<xs:enumeration value="none"/>
<xs:enumeration value="neutral"/>
<xs:enumeration value="pass"/>
<xs:enumeration value="fail"/>
<xs:enumeration value="softfail"/>
<!-- "TempError" commonly implemented as "unknown" -->
<xs:enumeration value="temperror"/>
<!-- "PermError" commonly implemented as "error" -->
<xs:enumeration value="permerror"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="SPFAuthResultType">
<xs:all>
<!-- The checked domain. -->
<xs:element name="domain" type="xs:string" minOccurs="1"/>
<!-- The scope of the checked domain. -->
<xs:element name="scope" type="SPFDomainScope" minOccurs="1"/>
<!-- The SPF verification result -->
<xs:element name="result" type="SPFResultType"
minOccurs="1"/>
</xs:all>
</xs:complexType>
<!-- This element contains DKIM and SPF results, uninterpreted
with respect to DMARC. -->
<xs:complexType name="AuthResultType">
<xs:sequence>
<!-- There may be no DKIM signatures, or multiple DKIM
signatures. -->
<xs:element name="dkim" type="DKIMAuthResultType"
minOccurs="0" maxOccurs="unbounded"/>
<!-- There will always be at least one SPF result. -->
<xs:element name="spf" type="SPFAuthResultType" minOccurs="1"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<!-- This element contains all the authentication results that
were evaluated by the receiving system for the given set of
messages. -->
<xs:complexType name="RecordType">
<xs:sequence>
<xs:element name="row" type="RowType"/>
<xs:element name="identifiers" type="IdentifierType"/>
<xs:element name="auth_results" type="AuthResultType"/>
</xs:sequence>
</xs:complexType>
<!-- Parent -->
<xs:element name="feedback">
<xs:complexType>
<xs:sequence>
<xs:element name="version"
type="xs:decimal"/>
<xs:element name="report_metadata"
type="ReportMetadataType"/>
<xs:element name="policy_published"
type="PolicyPublishedType"/>
<xs:element name="record" type="RecordType"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema></artwork>
</figure>
</t>
<t> Descriptions of the PolicyOverrideTypes: <list style="hanging">
<t hangText="forwarded:"> Message was relayed via a known forwarder, or local
heuristics identified the message as likely having been forwarded. There is
no expectation that authentication would pass. </t>
<t hangText="local_policy:"> The Mail Receiver's local policy exempted the
message from being subjected to the Domain Owner's requested policy action. </t>
<t hangText="mailing_list:"> Local heuristics determined that the message
arrived via a mailing list, and thus authentication of the original message
was not expected to succeed. </t>
<t hangText="other:"> Some policy exception not covered by the other entries in
this list occurred. Additional detail can be found in the
PolicyOverrideReason's "comment" field. </t>
<t hangText="sampled_out:"> Message was exempted from application of policy by
the "pct" setting in the DMARC policy record. </t>
<t hangText="trusted_forwarder:"> Message authentication failure was anticipated
by other evidence linking the message to a locally-maintained list of known
and trusted forwarders. </t>
</list>
</t>
<t> The "version" for reports generated per this specification MUST be the value 1.0.
</t>
</section>
<section anchor="public" title="Public Discussion">
<t> Public discussion of the DMARC proposal documents is taking place on the
dmarc-discuss@dmarc.org mailing list. Subscription is available at
http://www.dmarc.org/mailman/listinfo/dmarc-discuss. </t>
</section>
<section anchor="acks" title="Acknowledgements">
<t> DMARC and the version of this document submitted to the IETF were the result of
lengthy efforts by an informal industry consortium: <eref target="http://dmarc.org"
>DMARC.org</eref>. Participating companies included: Agari, American Greetings,
AOL, Bank of America, Cloudmark, Comcast, Facebook, Fidelity Investments, Google,
JPMorgan Chase & Company, LinkedIn, Microsoft, Netease, Paypal, ReturnPath,
Trusted Domain Project, and Yahoo!. Although the number of contributors and
supporters are too numerous to mention, notable individual contributions were made
by J. Trent Adams, Michael Adkins, Monica Chew, Dave Crocker, Tim Draegen, Murray
Kucherawy, Steve Jones, Franck Martin, Brett McDowell, and Paul Midgen. The
contributors would also like to recognize the invaluable input and guidance that was
provided by J.D. Falk.</t>
<t> Additional contributions within the IETF context were made by Jim Fenton, J. Gomez, Eliot Lear, John Levine, S. Moonesamy, Henry
Timmes, (other names) </t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 01:20:47 |