DMARC Working Group                                      F. Martin, Ed.
Internet-Draft
Intended status: Informational                             E. Lear, Ed.
Expires: September 24, 2015                         Cisco Systems GmbH
                                                       T. Draegen, Ed.
                                                               Eudaemon
                                                         E. Zwicky, Ed.
                                                                  Yahoo
                                                         March 23, 2015
Interoperability Issues Between DMARC and Indirect Email Flows
draft-ietf-dmarc-interoperability-01
DMARC introduces a mechanism for expressing domain-level policies and preferences for email message validation, disposition, and reporting. The DMARC mechanism can encounter interoperability issues when messages originate from third party sources, are modified in transit, or are forwarded en route to their final destination. Collectively these email flows are referred to as indirect email flows. This document describes interoperability issues between DMARC and indirect email flows. Possible methods for addressing interoperability issues are presented.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 24, 2015.
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
DMARC [RFC7489] introduces a mechanism for expressing domain-level policies and preferences for message validation, disposition, and reporting. DMARC is used to combat exact-domain phishing, to gain visibility into email infrastructure, and to provide email egress controls. Due to wide adoption, the impact of DMARC-based email rejection policies on both direct and indirect email flows can be significant.
The DMARC mechanism can encounter several different types of interoperability issues due to third-party message sourcing, message transformation or rerouting. These cases in which mail does not go directly from the author's administrative domain to the recipients are known collectively as indirect email flows.
The next section describes interoperability issues between DMARC and indirect email flows. These issues are first described in the context of configuration behavior that DMARC requires from underlying authentication technology, and then described as they appear in context of the Internet Mail Architecture [RFC5598].
Lastly, possible methods for addressing interoperability issues are presented. There are often multiple ways to address any given interoperability issue. While this document strives to be comprehensive in its review, it should not be treated as complete.
Notation regarding structured fields is taken from [RFC5598].
Organizational Domain and Authenticated Identifiers are specified in DMARC [RFC7489].
What do we mean by "interoperability issues"? We say that DMARC introduces interoperability issues or problems, when conformance to the DMARC specification leads an implementation to reject a message that is both compliant with the architecture as specified in [RFC5598] and would have been viewed as legitimate in the eyes of the intended recipient. Therefore, we can already conclude that DMARC poses no interoperability problems when legitimate messages properly validate through its specified processes. The rest of this section delves into how legitimate messages may get rejected.
A fundamental aspect of message source validation is understanding what defines the source that is validated. Each of the underlying mechanisms that DMARC uses (DKIM [RFC6376] and SPF [RFC7208]) takes a different approach. Therefore, the DMARC [RFC7489] mechanism attempts to predictably specify the domain of the originator that will be used for its purposes (reporting/message disposition). This step is referred to as Identifier Alignment.
DKIM provides a cryptographic means for a domain to be associated with a particular message. DKIM does not make any constraints on what domains may or must present this association. However, for a DKIM identifier to align in DMARC, the signing domain must be part of the same Organizational Domain as the domain in the RFC5322.From header field [RFC5322], and the signature must be valid.
In addition, DKIM allows for the possibility of multiple valid signatures. The DMARC mechanism will process Authenticated Identifiers that are based on DKIM signatures until an aligned Authenticated Identifier is found (if any). However, operational experience has shown that some implementations have difficulty processing multiple signatures. The impact on DMARC processing is clear: if an implementation cannot process multiple DKIM signatures it may lead to perfectly valid messages being flagged as not authentic.
SPF provides two Authenticated Identifiers. The first, RFC7208.HELO [RFC7208], is based on RFC5321.HELO/EHLO; the second, RFC7208.MAILFROM [RFC7208], is based on the RFC5321.MailFrom [RFC5321] domain or, if the RFC5321.MailFrom address is absent (as in the case of "bounces"), on the domain found in the HELO/EHLO SMTP command. Local policies, as well as DMARC, often use only the RFC7208.MAILFROM identifier. Again, for an SPF identifier to align in DMARC, the validated domain must be part of the same Organizational Domain as the domain in the RFC5322.From header field. Even when an SPF record exists for the domain in RFC5322.From, SPF will not authenticate it unless it is also the domain SPF checks. While aligning RFC5322.From and RFC5321.MailFrom is usually possible, it can be difficult to change the domain in the HELO/EHLO used for bounces to the domain in the RFC5322.From header field, especially when several mail streams share the same sending IP address.
Message forwarding is a generic concept encapsulating a variety of behaviors. Section 3 describes forwarding behavior as it relates to the components of the Internet Mail Architecture.
All of these behaviors involve mail being retransmitted by a new SMTP server. As discussed above, for SPF to cause a DMARC pass, the domain of the RFC5321.MailFrom or RFC5321.HELO/EHLO must be aligned with that of the RFC5322.From header field. If the forwarder keeps the RFC5321.MailFrom, the SPF validation will fail altogether unless the forwarder is an authorized part of the originator's mail sending infrastructure. If the forwarder uses its own domain in the RFC5321.MailFrom and/or RFC5321.HELO/EHLO, SPF passes but the alignment with the RFC5322.From header field fails. In either case, SPF cannot produce a DMARC pass, and DKIM will be required to get DMARC to pass.
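The alignment rules described above (DKIM d= and SPF domains compared against the RFC5322.From Organizational Domain, every DKIM signature examined until an aligned one is found, and the forwarding case where SPF passes but no longer aligns) can be run through as an added worked example. This is illustration code written for this document, not code from the draft or from any DMARC implementation; the names dmarc_evaluate, AuthResults and scenarios are invented here, PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List that a real verifier would load, and all authentication results are constructed rather than captured. The From-domain extraction also returns nothing for RFC 6854 group syntax, so the EAI downgrade case later in the document shows up as a failure to find any domain to align against.

```python
"""DMARC identifier alignment walkthrough (added example, not RFC 7489 code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PUBLIC_SUFFIXES = {"com", "org", "co.uk"}  # constructed; load the real PSL in practice


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label: lists.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):  # first hit is the longest listed suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def rfc5322_from_domain(from_header: str) -> Optional[str]:
    """Domain of the single mailbox in From:, or None when DMARC has nothing to
    align against, e.g. RFC 6854 group syntax such as  "alice@example.com":;
    left behind by an EAI downgrade."""
    if re.fullmatch(r'(?:"[^"]*"|[^:"])*:.*;\s*', from_header):
        return None  # group syntax: no addr-spec DMARC may use
    m = re.search(r"<([^<>]+)>", from_header) or re.fullmatch(
        r'\s*([^\s<>"@]+@[^\s<>"@;,:]+)\s*', from_header)
    if not m or "@" not in m.group(1):
        return None
    return m.group(1).rsplit("@", 1)[1].lower()


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """adkim/aspf 's' (strict): exact match; 'r' (relaxed): same Organizational Domain."""
    if mode == "s":
        return identifier.lower() == from_domain
    return organizational_domain(identifier) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    """What the SPF and DKIM modules hand to the DMARC verifier (constructed)."""
    spf_domain: Optional[str] = None     # RFC7208.MAILFROM (or HELO for bounces)
    spf_pass: bool = False
    dkim: List[Tuple[str, bool]] = field(default_factory=list)  # (d=, verified?) per signature


def dmarc_evaluate(from_header: str, auth: AuthResults, policy: dict) -> Tuple[str, str]:
    """policy holds the record tags used here: p, adkim, aspf (defaults per RFC 7489)."""
    fd = rfc5322_from_domain(from_header)
    if fd is None:
        return "fail", "no single RFC5322.From domain to align against"
    if auth.spf_pass and auth.spf_domain and aligned(auth.spf_domain, fd, policy.get("aspf", "r")):
        return "pass", f"SPF aligned via {auth.spf_domain}"
    # Every DKIM signature is considered; one verified, aligned d= is enough.
    for d, verified in auth.dkim:
        if verified and aligned(d, fd, policy.get("adkim", "r")):
            return "pass", f"DKIM aligned via d={d}"
    return "fail", f"no aligned identifier; p={policy.get('p', 'none')} applies"


POLICY = {"p": "reject", "adkim": "r", "aspf": "r"}  # constructed example.com record


def scenarios() -> dict:
    """Outcomes for the indirect flows discussed in the text; author domain example.com."""
    direct = AuthResults(spf_domain="example.com", spf_pass=True)
    # Forwarder substitutes its own MailFrom: SPF passes but does not align;
    # the untouched DKIM signature still carries the aligned identifier.
    forwarded = AuthResults(spf_domain="fwd.example.org", spf_pass=True, dkim=[("example.com", True)])
    # Mailing list modified the body (author signature breaks) and re-signed as itself.
    listed = AuthResults(spf_domain="lists.example.org", spf_pass=True,
                         dkim=[("example.com", False), ("lists.example.org", True)])
    # Two valid signatures; only the second one aligns, so all must be examined.
    multi = AuthResults(dkim=[("esp.example.org", True), ("mail.example.com", True)])
    author = "Alice <alice@example.com>"
    return {
        "direct": dmarc_evaluate(author, direct, POLICY)[0],
        "forwarded_dkim_intact": dmarc_evaluate(author, forwarded, POLICY)[0],
        "mailing_list_resigned": dmarc_evaluate(author, listed, POLICY)[0],
        "second_signature_relaxed": dmarc_evaluate(author, multi, POLICY)[0],
        "second_signature_strict": dmarc_evaluate(author, multi, {**POLICY, "adkim": "s"})[0],
        "eai_group_syntax": dmarc_evaluate('"alice@example.com":;', direct, POLICY)[0],
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26s} {result}")
```

The scenarios table is the point: a forwarder that rewrites RFC5321.MailFrom leaves SPF passing but unaligned, so only an intact author DKIM signature rescues the message; a list that re-signs under its own domain does not help because lists.example.org is a different Organizational Domain; and an evaluator that stopped at the first DKIM signature would wrongly fail the two-signature case.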
Modification of email content invalidates most DKIM signatures. For instance, while DKIM provides a length flag so that content can be appended (see Section 8.2 of [RFC6376] for additional security considerations), in practice, particularly with MIME-encoded [RFC2045] messages, a mailing list processor will do more than append (see Section 5.3 of [RFC5598] for details). Even forwarding systems make content modifications. Furthermore, the use of the length flag is by no means universal.
DKIM has two canonicalizations: simple and relaxed. The latter tolerates some modest in-transit modifications that do not change the interpretation of the content of the email. Relaxed canonicalization used to be computationally intensive and may not have been preferred in the early deployment of DKIM.
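The difference between the two canonicalizations, and what the length flag does and does not protect, is easiest to see by computing the body hash. The following is an added example written for this document, not code from the draft or from any DKIM library; it reimplements only the body canonicalizations of RFC 6376 Sections 3.4.3 and 3.4.4 and the bh= computation, and the function names (simple_body, relaxed_body, signature_survives, survival_matrix) and all message bodies are constructed for the illustration. It also covers the MTA re-encoding case discussed later in the document (8-bit content converted to quoted-printable), which no canonicalization absorbs.

```python
"""DKIM body canonicalization and the l= tag (added example, not RFC 6376 code)."""
import base64
import hashlib
import re
from typing import Optional


def simple_body(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs to one SP, strip trailing WSP per line,
    drop trailing empty lines, add a final CRLF if the body is non-empty."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(canonical: bytes, length: Optional[int] = None) -> str:
    """bh= value: base64(SHA-256) over the first l= bytes (all bytes if no l=)."""
    data = canonical if length is None else canonical[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def signature_survives(original: bytes, modified: bytes, canon: str = "simple",
                       use_length: bool = False) -> bool:
    """Would a signature computed over `original` still match the body hash of
    `modified`?  With use_length the signer set l= to the original canonical
    body length, so anything appended lies outside the hashed region."""
    canonicalize = relaxed_body if canon == "relaxed" else simple_body
    signed = canonicalize(original)
    length = len(signed) if use_length else None
    return body_hash(signed, length) == body_hash(canonicalize(modified), length)


# Constructed sample bodies.
ORIGINAL = b"Hello,\r\n\r\nPlease  review the attached report.\r\n"
# An MTA that re-wraps whitespace and pads the end of the body.
WHITESPACE_CHANGED = b"Hello,\r\n\r\nPlease \treview the   attached report.  \r\n\r\n\r\n"
# A mailing list appending a footer (transparent forwarding would leave ORIGINAL intact).
FOOTER_ADDED = ORIGINAL + b"--\r\nUnsubscribe: https://lists.example.invalid/leave\r\n"
# An MTA converting 8-bit UTF-8 to quoted-printable: outside any canonicalization.
REENCODED = b"Caf\xc3\xa9\r\n"
REENCODED_QP = b"Caf=C3=A9\r\n"


def survival_matrix() -> dict:
    """Which (modification, canonicalization, l=) combinations keep bh= valid."""
    return {
        "whitespace/simple": signature_survives(ORIGINAL, WHITESPACE_CHANGED, "simple"),
        "whitespace/relaxed": signature_survives(ORIGINAL, WHITESPACE_CHANGED, "relaxed"),
        "footer/relaxed": signature_survives(ORIGINAL, FOOTER_ADDED, "relaxed"),
        "footer/relaxed+l": signature_survives(ORIGINAL, FOOTER_ADDED, "relaxed", use_length=True),
        "qp-reencode/relaxed": signature_survives(REENCODED, REENCODED_QP, "relaxed"),
    }


if __name__ == "__main__":
    for case, ok in survival_matrix().items():
        print(f"{case:22s} {'survives' if ok else 'broken'}")
```

Relaxed canonicalization absorbs the whitespace re-wrap that breaks a simple-canonicalized signature, the appended footer only survives when the signer used l= (and, per Section 8.2 of [RFC6376], that tolerance is exactly what lets arbitrary content be appended under a still-valid signature), and the quoted-printable conversion breaks the hash under either canonicalization.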
This section describes components within the Internet Mail Architecture [RFC5598] where interoperability issues between DMARC and indirect email flows can be found.
Section 4 of [RFC5598] describes six basic components that make up the Message Handling System (MHS):
Of these components MSA, MTA, and MDA are discussed in relation to interoperability with DMARC.
A Mediator is a special class of MUA that is given special consideration in this section due to the unique issues Mediators face when attempting to interoperate with DMARC.
An MSA accepts messages submitted by a Message User Agent (MUA) and enforces the policies of the hosting ADministrative Management Domain (ADMD) and the requirements of Internet standards.
MSAs are split into two sub-components:
MSA interoperability issues with DMARC begin when an aMSA accepts a message where the RFC5322.From header field contains a domain that is outside of the ADMD of the MSA. The ADMD will almost certainly not be capable of sending email that yields Authenticated Identifiers aligned with the domain found in the RFC5322.From header field. Examples of this issue include "forward-to-friend" functionality commonly found on news/article websites or "send-as" functionality present on some MUAs.
When an hMSA takes responsibility for transit of a message containing a domain in the RFC5322.From header field that is outside of the hMSA's ADMD, the hMSA faces DMARC interoperability issues if the domain publishes a DMARC policy of "quarantine" or "reject". These issues are marked by an inherent difficulty in modifying the domain present in a message's RFC5322.From header field. Examples of this issue include:
MTAs relay a message until the message reaches a destination MDA.
An MTA may change the message encoding, for instance by converting 8-bit mail sections to quoted-printable 7-bit sections. This is outside the scope of DKIM canonicalization and will invalidate DKIM signatures that include message content.
An MTA may standardize headers, usually in order to make non-RFC compliant headers properly compliant. For instance, some common MTAs will correct comprehensible but non-compliant date formats to compliant ones. Again, this is outside the scope of DKIM canonicalization and will invalidate DKIM signatures.
A DMARC interoperability issue arises in the context of Email Address Internationalization [RFC6530]. [RFC6854] allows group syntax in the RFC5322.From header field during the transition period to SMTPUTF8. If an EAI/SMTPUTF8-aware MTA needs to transmit a message to a non-aware MTA, the EAI/SMTPUTF8-aware system may transform the RFC5322.From header field of the message to include group syntax to allow the non-aware MTA to receive the email.
This transformation will modify the original content of the message and may invalidate any DKIM signatures if the transformation is not done by the MSA or MUA. In addition, group syntax will remove the ability for the DMARC mechanism to find an Organizational Domain that aligns with any authenticated domain identifier from SPF or DKIM.
In addition, the group syntax will result in an invalid domain in the RFC5322.From header field. If the receiving MTA pays attention to the validity and reputation of domains, this may present its own set of delivery problems.
The MDA transfers a message from the MHS to a mailbox. Like the MSA, the MDA consists of two sub-components:
Both the hMDA and the rMDA can redirect a message to an alternative address. DMARC interoperability issues related to redirecting of messages are described in Section 3.2.
SIEVE [RFC5228] functionality often lives in the rMDA sub-component and can cause DMARC interoperability issues. The SIEVE 'addheader' and 'deleteheader' filtering actions can modify messages and invalidate DKIM signatures, removing DKIM-supplied Authenticated Identifiers as inputs to the DMARC mechanism. There are also SIEVE extensions that modify the body. SIEVE may become an issue when the email is reintroduced into the transport infrastructure.
See [RFC5598] for a complete definition of Mediators.
Mediators forward messages through a re-posting process. Mediators share some functionality with basic MTA relaying, but have greater flexibility in both addressing and content modifications.
DMARC interoperability issues are prevalent within the context of Mediators, which are often used precisely for their ability to modify messages.
An Alias is a simple re-addressing facility that provides one or more new Internet Mail addresses, rather than a single, internal one. A message continues through the transfer service for delivery to one or more alternative addresses.
Aliases can be implemented by mailbox-level forwarding (e.g. through "dot-forwarding") or SIEVE-level forwarding (through the SIEVE 'redirect' action) or other methods. When an Alias preserves message content and does not make significant header changes, DKIM signatures may remain valid. However, Aliases often extend the delivery path beyond SPF's ability to grant authorization.
Examples of Aliasing include:
In most cases, the aMSA providing Alias services has no administrative relationship to the ADMD of the final recipient, so solutions to Alias-related DMARC failure should not assume such a relationship.
ReSenders "splice" a message's addressing information to connect the Author of the original message with the Recipient of the new message. The new Recipient sees the message as being from the original Author, even if the Mediator adds commentary.
ReSenders introduce DMARC interoperability issues as content modification invalidates DKIM signatures. SPF's ability to grant authorization via alignment is removed as the new Recipient receives the message from the Mediator.
Without an ability to produce Authenticated Identifiers relevant to the Author's RFC5322.From header field domain using either DKIM or SPF, the new Recipient has almost no chance of successfully applying the DMARC mechanism.
Examples of ReSenders include MUA-level forwarding by resending a message to a new recipient or by forwarding a message "inline" to a new recipient (this does not include forwarding a message "as an attachment"). An additional example comes in the form of calendaring software that allows a meeting attendee (not the meeting organizer) to modify the content of an invite causing the invitations to appear to be reissued from the meeting organizer.
A Mailing List receives messages as an explicit addressee and then re-posts them to a list of subscribed members. The Mailing List performs a task that can be viewed as an elaboration of the ReSender.
Mailing Lists share the same DMARC interoperability issues as ReSenders [resenders], and very commonly modify headers or message content in ways that will cause DKIM to fail, including:
Any such modifications would invalidate a DKIM signature.
Mailing Lists may also have the following DMARC interoperability issues:
A Gateway performs the basic routing and transfer work of message relaying, but it also is permitted to modify content, structure, address, or attributes as needed to send the message into a messaging environment that operates under different standards or potentially incompatible policies.
Gateways share the same DMARC interoperability issues as ReSenders [resenders].
Gateways may share also the same DMARC interoperability issues as MTAs [mta].
Gateway-level forwarding can introduce DMARC interoperability issues if the Gateway is configured to rewrite the message to map between recipient domains. For example, an acquisition may lead the acquiring company to decide to decommission the acquired company's domains by rewriting messages to use the domain of the acquiring company. Since the To: header is usually DKIM-signed, this kind of rewriting will also cause DKIM signatures to fail.
To enforce security boundaries, organizations can subject messages to analysis for conformance with their safety policies. A filter might alter the content to render it safe, such as by removing content deemed unacceptable.
Boundary Filters share the same DMARC interoperability issues as ReSenders.
Examples of Boundary Filters include:
The causes of indirect email flows can be combined. For example, a university student may subscribe to a mailing list (using his university email address) while this university email address is configured to forward all emails to a freemail provider where a more permanent email address for this student exists.
Within an organization the message may pass through various MTAs [mta], each of which performs a different function (authentication, filtering, distribution, etc.)
Solutions to interoperability issues between DMARC and indirect email flows vary widely in their scope and implications. They range from improvements to underlying processors, such as proper handling of multiple DKIM signatures, to more radical approaches to the messaging architecture. This section describes possible ways to address interoperability issues.
Mail systems are diverse and widely deployed and are expected to continue to work with old systems. For instance, Qmail is still used and the base code has not been updated since 1998. Ezmlm, a once popular mailing list manager, is still deployed and has not been updated since 1997, although a new version, Ezmlm-idx exists. In this constrained environment, some solutions may be time-consuming and/or disruptive to implement.
DMARC provides for receivers to make decisions about identity alignment acceptability based on information outside the DMARC headers and communicate those decisions as "overrides" to the sender. This facility can be used to ease some interoperability issues, although care is needed to ensure that this does not create loopholes that abusers can use arbitrarily.
Currently used work-arounds and fixes to identifier alignment issues:
Proposed and in-progress work-arounds and fixes to identifier alignment issues:
Message modification invalidates DKIM signatures and complicates a receiver's ability to generate Authenticated Identifiers from a message. Avoiding message modification wherever possible is therefore desirable.
Currently used work-arounds and fixes to message modification issues:
Proposed and in-progress work-arounds and fixes to message modification issues:
Forwarding messages without modification is referred to as "transparent forwarding", and is a way to preserve the validity of DKIM signatures.
Currently used work-arounds and fixes to message forwarding issues:
The Original-From [RFC5703] (or X-Original-From) header is used in various contexts (X- header field names are discouraged by [RFC6648]).
Note that Original-From (or X-Original-From) merely adds complexity to the 'who was the author of this message' assessment, very possibly creating yet another security hole.
[I-D.kucherawy-original-authres] has been mentioned in early DMARC drafts as a way to pass along Original Authentication Results to "downstream" receivers.
There are few reasons to modify the encoding of a message; compatibility issues between international character sets are rare nowadays. More mail systems support 8BITMIME, so the need to change the transport encoding is rarer. By default, no modification of the message should be made when simply forwarding it.
Filters should not add to or modify the body of the message, but either should reject the message or add new email headers (not under DKIM) to indicate the result of the filter.
During the transition from email systems that do not allow EAI (SMTPUTF8) to email systems that do, [RFC6854] allows using the group syntax in the RFC5322.From header field rather than rejecting the message (as a strict RFC5322 implementation would). Whether to allow the group syntax is at the discretion of the postmaster, who will always choose the solution best for their users; but to avoid DMARC not finding a single usable domain in the RFC5322.From header field, the real solution is to upgrade your MTAs to support EAI (SMTPUTF8). In that case a sending SMTPUTF8 MTA does not need to require a downgrade of the message to ASCII identifiers. Encouraging, by rejection or reputation scoring, the presence of a domain in the RFC5322.From header field is easier.
[RFC6377] provides some guidance on using DKIM with Mailing lists. Here are some other remediations techniques:
All these techniques may provide some specific challenges in MUAs and different operational usages for end users (like rewriting filters to sort emails in folders). There will be some time before all implications are understood and alleviated.
In practice a number of operators are using strict alignment mode in DMARC in order to avoid receiving new and innovative forms of unwanted and unauthentic mail through systems purporting to be mailing list handlers. The receiving ADMD has no knowledge of which lists the user has subscribed to and which they have not. One avenue of exploration would be for the user to authorize mailing lists as proxies for authentication, at which point the receiving ADMD would be vesting some trust in the mailing list service. The creators of DKIM foresaw precisely this possibility at the time by not tightly binding any semantics to the RFC5322.From header field. Some experimental work has taken place in this area, as mentioned above. Additional work might examine a new communication path to the user to authorize third party signatures.
This document contains no actions for IANA. [RFC Editor: Please delete this section prior to publication.]
This document is an analysis of DMARC's impact on indirect email flows. It describes the possibility of accidental denial-of-service that can be created by rejections of messages by DMARC-aware Mail Receivers. However, it introduces no new security issues to Internet messaging.
Miles Fidelman, John Levine, David Crocker, Stephen J. Turnbull, Rolf E. Sonneveld, Tim Draegen and Franck Martin contributed to the IETF DMARC Working Group's wiki page listing all known interoperability issues with DMARC and indirect mail flows.
Tim Draegen created the first draft of this document from these contributions and by carefully mapping contributions into the language of [RFC5598].
[I-D.kucherawy-dkim-delegate]  Kucherawy, M. and D. Crocker, "Delegating DKIM Signing Authority", Internet-Draft draft-kucherawy-dkim-delegate-01, June 2014.
[I-D.kucherawy-dkim-list-canon]  Kucherawy, M., "A List-safe Canonicalization for DomainKeys Identified Mail (DKIM)", Internet-Draft draft-kucherawy-dkim-list-canon-00, June 2014.
[I-D.kucherawy-original-authres]  Chew, M. and M. Kucherawy, "Original-Authentication-Results Header Field", Internet-Draft draft-kucherawy-original-authres-00, February 2012.
[I-D.levine-dkim-conditional]  Levine, J., "DKIM Conditional Signatures", Internet-Draft draft-levine-dkim-conditional-00, June 2014.
[I-D.otis-tpa-label]  Otis, D. and D. Black, "Third-Party Authorization Label", Internet-Draft draft-otis-tpa-label-00, May 2014.
[RFC7489]  Kucherawy, M. and E. Zwicky, "Domain-based Message Authentication, Reporting, and Conformance (DMARC)", RFC 7489, March 2015.