Network Working Group | M. Kucherawy, Ed. |
Internet-Draft | |
Intended status: Informational | E. Zwicky, Ed. |
Expires: July 10, 2015 | Yahoo! |
January 6, 2015 |
Domain-based Message Authentication, Reporting and Conformance (DMARC)
draft-kucherawy-dmarc-base-11
Domain-based Message Authentication, Reporting and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail receiving organization can use to improve mail handling.
Originators of Internet Mail need to be able to associate reliable and authenticated domain identifiers with messages, communicate policies about messages that use those identifiers, and report about mail using those identifiers. These abilities have several benefits: Receivers can provide feedback to domain owners about the use of their domains, which can provide valuable insight about the management of internal operations and the presence of external domain name abuse.
DMARC does not produce or encourage elevated delivery privilege of authenticated email. DMARC is a mechanism for policy distribution that enables increasingly strict handling of messages that fail authentication checks, ranging from no action, through altered delivery, up to message rejection.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 10, 2015.
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The Sender Policy Framework ([SPF]) and DomainKeys Identified Mail ([DKIM]) provide domain-level authentication. They enable cooperating email receivers to detect mail authorized to use the domain name, which can permit differential handling. (A detailed discussion of the threats these systems attempt to address can be found in [DKIM-THREATS].) However, there has been no single widely accepted or publicly available mechanism to communication of domain-specific message handling policiies for receivers, or to request reporting of authentication and disposition of received mail. Absent the ability to obtain feedback reports, originators who have implemented email authentication have difficulty determining how effective their authentication is. As a consequence, use of authentication failures to filter mail typically does not succeed.
Over time, one-on-one relationships were established between select senders and receivers with privately communicated means to assert policy and receive message traffic and authentication disposition reporting. Although these ad hoc practices have been generally successful, they require significant manual coordination between parties, and this model does not scale for general use on the Internet.
This document defines Domain-based Message Authentication, Reporting and Compliance (DMARC), a mechanism by which email operators leverage existing authentication and policy advertisement technologies to enable both message-stream feedback and enforcement of policies against unauthenticated email.
DMARC allows domain owners and receivers to collaborate by:
The basic outline of DMARC is:
Security terms used in this document are defined in [SEC-TERMS].
DMARC differs from previous approaches to policy advertisement (e.g., [SPF] and [ADSP]) in that:
Experience with DMARC has revealed some issues of interoperability with email in general that require due consideration before deployment, particularly with configurations that can cause mail to be rejected. These are discussed in Section 10.
Specification of DMARC is guided by the following high-level goals, security dependencies, detailed requirements, and items that are documented as out-of-scope.
DMARC has the following high-level goals:
Several topics and issues are specifically out of scope for the initial version of this work. This includes the following:
Scalability is a major issue for systems that need to operate in a system as widely deployed as current SMTP email. For this reason, DMARC seeks to avoid the need for third parties or pre-sending agreements between senders and receivers. This preserves the positive aspects of the current email infrastructure.
Although DMARC does not introduce third party senders (namely external agents authorized to send on behalf of an operator) to the email handling flow, it also does not preclude them. Such third parties are free to provide services in conjunction with DMARC.
DMARC is designed to prevent bad actors from sending mail that claims to come from legitimate senders, particularly senders of transactional email (official mail that is about business transactions). One of the primary uses of this kind of spoofed mail is phishing (enticing users to provide information by pretending to be the legitimate service requesting the information). Thus, DMARC is significantly informed by ongoing efforts to enact large-scale, Internet-wide, anti-phishing measures.
Although DMARC can only be used to combat specific forms of exact-domain spoofing directly, the DMARC mechanism has been found to be useful in the creation of reliable and defensible message streams.
DMARC does not attempt to solve all problems with spoofed or otherwise fraudulent email. In particular, it does not address the use of visually similar domain names ("cousin domains") or abuse of the RFC5322 [MAIL].From human readable <display-name>.
This section defines terms used in the rest of the document.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS].
Readers are encouraged to be familiar with the contents of [EMAIL-ARCH]. In particular, that document defines various roles in the messaging infrastructure that can appear the same or separate in various contexts. For example, a Domain Owner could, via the messaging security mechanisms on which DMARC is based, delegate the ability to send mail as the Domain Owner to a third party with another role. This document does not address the distinctions among such roles; the reader is encouraged to become familiar with that material before continuing.
The following terms are also used:
Email authentication technologies authenticate various (and disparate) aspects of an individual message. For example, [DKIM] authenticates the domain that affixed a signature to the message, while [SPF] authenticates either the domain that appears in the RFC5321.MailFrom portion of [SMTP] or the RFC5321.EHLO/HELO domain if the RFC5321.MailFrom is null (in the case of Delivery Status Notifications). These may be different domains, and they are typically not visible to the end user.
DMARC uses the RFC5322 [MAIL].From domain to evaluate the applicability of Authenticated Identifiers. The RFC5322 [MAIL].From domain was selected as the central identity of the DMARC mechanism because it is a required message header field and therefore guaranteed to be present in compliant messages, and most MUAs represent the RFC5322 [MAIL].From field as the originator of the message and render some or all of this header field's content to end users.
Thus, this field is the one used by end users to identify the source of the message, and therefore is a prime target for abuse. Many high-profile email sources, such as email service providers, require that the sending agent have authenticated before email can be generated. Thus, for these mailboxes, the mechanism described in this document provides recipient end users with strong evidence that the message was indeed originated by the agent they associate with that mailbox, if the end user knows that these various protections have been provided.
Domain names in this context are to be compared in a case-insensitive manner, per [DNS-CASE].
It is important to note that identifier alignment cannot occur with a message that is not valid per [MAIL], particularly one with a malformed, absent, or repeated RFC5322.From field, since in that case there is no reliable way to determine a DMARC policy that applies to the message. Accordingly, DMARC operation is predicated on the input being a valid RFC5322 message object, and handling of such non-compliant cases is outside of the scope of this specification. Further discussion of this can be found in Section 6.6.1.
Each of the underlying authentication technologies that DMARC takes as input yield authenticated domains as their outputs when they succeed. From the perspective of DMARC, each can be operated in a "strict" mode or a "relaxed" mode. A Domain Owner would normally select "strict" mode if it wanted Mail Receivers to apply DMARC processing only to messages bearing an RFC5322.From domain exactly matching the domains those mechanisms will verify. Using "relaxed" mode can be used when the operator also wishes to affect message flows bearing subdomains of the verified domains.
DMARC provides the option of applying DKIM in a strict or relaxed identifier alignment mode. (Note that these are not related to DKIM's "simple" and "relaxed" canonicalization modes.)
In relaxed mode, the Organizational Domains of both the [DKIM]-authenticated signing domain (taken from the value of the "d=" tag in the signature) and that of the RFC5322.From domain must be equal if the identifiers are to be considered aligned. In strict mode, only an exact match between both of the Fully Qualified Domain Names (FQDN) is considered to produce identifier alignment.
To illustrate, in relaxed mode, if a validated DKIM signature successfully verifies with a "d=" domain of "example.com", and the RFC5322.From address is "alerts@news.example.com", the DKIM "d=" domain and the RFC5322.From domain are considered to be "in alignment". In strict mode, this test would fail since the "d=" domain does not exactly match the FQDN of the address.
However, a DKIM signature bearing a value of "d=com" would never allow an "in alignment" result as "com" should appear on all public suffix lists (see Appendix A.6.1), and therefore cannot be an Organizational Domain.
Identifier alignment is required because a message can bear a valid signature from any domain, including domains used by a mailing list or even a bad actor. Therefore, merely bearing a valid signature is not enough to infer authenticity of the Author Domain.
Note that a single email can contain multiple DKIM signatures, and it is considered to be a DMARC "pass" if any DKIM signature is aligned and verifies.
DMARC provides the option of applying SPF in a strict or relaxed identifier alignment mode.
In relaxed mode, the [SPF]-authenticated domain and RFC5322.From domain must have the same Organizational Domain. In strict mode, only an exact DNS domain match is considered to produce identifier alignment.
For example, if a message passes an SPF check with an RFC5321.MailFrom domain of "cbg.bounces.example.com", and the address portion of the RFC5322.From field contains "payments@example.com", the Authenticated RFC5321.MailFrom domain identifier and the RFC5322.From domain are considered to be "in alignment" in relaxed mode, but not in strict mode.
If in the future DMARC is extended to include the use of other authentication mechanisms, the extensions will need to allow for domain identifier extraction so that alignment with the RFC5322.From domain can be verified.
The Organizational Domain is determined using the following algorithm:
Thus, since "com" is an IANA-registered TLD, a subject domain of "a.b.c.d.example.com" would have an Organizational Domain of "example.com".
The process of determining a suffix is currently a heuristic one. No list is guaranteed to be accurate or current.
This section provides a general overview of the design and operation of the DMARC environment.
The following mechanisms for determining Authenticated Identifiers are supported in this version of DMARC:
DMARC policies are published by the Domain Owner, and retrieved by the Mail Receiver during the SMTP session, via the DNS.
DMARC's filtering function is based on whether SPF or DKIM can provide an authenticated, aligned identifier for the message under consideration. Messages that purport to be from a Domain Owner's domain and arrive from servers that are not authorized by that domain's SPF record and do not contain an appropriate DKIM signature can be affected by DMARC policies.
It is important to note that the authentication mechanisms employed by DMARC authenticate only a DNS domain, and do not authenticate the local-part of any email address identifier found in a message, nor does it validate the legitimacy of message content.
DMARC's feedback component involves the collection of information about received messages claiming to be from the Organizational Domain for periodic aggregate reports to the Domain Owner. The parameters and format for such reports are discussed in later sections of this document.
A DMARC-enabled Mail Receiver might also generate per-message reports that contain information related to individual messages that fail SPF and/or DKIM. Per-message failure reports are a useful source of information when debugging deployments (if messages can be determined to be legitimate even though failing authentication) or in analyzing attacks. The capability for such services is enabled by DMARC but defined in other referenced material such as [AFRF].
A message satisfies the DMARC checks if at least one of the supported authentication mechanisms:
+---------------+ | Author Domain |< . . . . . . . . . . . . . . . . . . . . . . . +---------------+ . . . | . . . V V V . +-----------+ +--------+ +----------+ +----------+ . | MSA |<***>| DKIM | | DKIM | | SPF | . | Service | | Signer | | Verifier | | Verifier | . +-----------+ +--------+ +----------+ +----------+ . | ^ ^ . | ************** . V * . +------+ (~~~~~~~~~~~~) +------+ * . | sMTA |------->( other MTAs )----->| rMTA | * . +------+ (~~~~~~~~~~~~) +------+ * . | * ........ | * . V * . +-----------+ V V +---------+ | MDA | +----------+ | User |<--| Filtering |<***>| DMARC | | Mailbox | | Engine | | Verifier | +---------+ +-----------+ +----------+
The above diagram shows a simple flow of messages through a DMARC-aware system. Solid lines denote the actual message flow, dotted lines involve Domain Name System queries used to retrieve message policy related to the supported message authentication schemes, and asterisk lines indicate data exchange between message handling modules and message authentication modules. "sMTA" is the sending MTA, and "rMTA" is the receiving MTA.
In essence the steps are as follows:
One of the most obvious points of security scrutiny for DMARC is the choice to focus on an identifier, namely the RFC5322.From address, which is part of a body of data that has been trivially forged throughout the history of email.
Several points suggest it is the most correct and safest thing to do in this context:
The absence of a single, properly-formed RFC5322.From field renders the message invalid. Handling of such a message is outside of the scope of this specification.
Since the sorts of mail typically protected by DMARC participants tend to only have single Authors, DMARC participants generally operate under a slightly restricted profile of RFC5322 with respect to the expected syntax of this field. See Section 6.6 for details.
DMARC policies are published by Domain Owners and applied by Mail Receivers.
A Domain Owner advertises DMARC participation of one or more of its domains by adding a DNS TXT record (described in Section 6.1) to those domains. In doing so, Domain Owners make specific requests of Mail Receivers regarding the disposition of messages purporting to be from one of the Domain Owner's domains and the provision of feedback about those messages.
A Domain Owner may choose not to participate in DMARC evaluation by Mail Receivers. In this case, the Domain Owner simply declines to advertise participation in those schemes. For example, if the results of path authorization checks ought not be considered as part of the overall DMARC result for a given Author Domain, then the Domain Owner does not publish an SPF policy record that can produce an SPF pass result.
A Mail Receiver implementing the DMARC mechanism SHOULD make a best-effort attempt to adhere to the Domain Owner's published DMARC policy when a message fails the DMARC test. Since email streams can be complicated (due to forwarding, existing RFC5322.From domain-spoofing services, etc.), Mail Receivers MAY deviate from a Domain Owner's published policy during message processing and SHOULD make available the fact of and reason for the deviation to the Domain Owner via feedback reporting, specifically using the "PolicyOverride" feature of the aggregate report (see Section 7.2).
Domain Owner DMARC preferences are stored as DNS TXT records in subdomains named "_dmarc". For example, the Domain Owner of "example.com" would post DMARC preferences in a TXT record at "_dmarc.example.com". Similarly, a Mail Receiver wishing to query for DMARC preferences regarding mail with an RFC5322.From domain of "example.com" would issue a TXT query to the DNS for the subdomain of "_dmarc.example.com". The DNS-located DMARC preference data will hereafter be called the "DMARC record".
DMARC's use of the Domain Name Service is driven by DMARC's use of domain names and the nature of the query it performs. The query requirement matches with the DNS, for obtaining simple parametric information. It uses an established method of storing the information, associated with the target domain name, namely an isolated TXT record that is restricted to the DMARC context. Use of the DNS as the query service has the benefit of re-using an extremely well-established operations, administration and management infrastructure, rather than creating a new one.
Per [DNS], a TXT record can comprise several "character-string" objects. Where this is the case, the module performing DMARC evaluation MUST concatenate these strings by joining together the objects in order and parsing the result as a single string.
[URI] defines a generic syntax for identifying a resource. The DMARC mechanism uses this as the format by which a Domain Owner specifies the destination for the two report types (RUA and RUF) that are supported.
The place such URIs are specified (see Section 6.3) allows a list of these to be provided. A report is normally sent to each listed URI in the order provided by the Domain Owner. Receivers MAY impose a limit on the number of URIs to which they will send reports, but MUST support the ability to send to at least two. The list of URIs is separated by commas (ASCII 0x2C).
Each URI can have associated with it a maximum report size that may be sent to it. This is accomplished by appending an exclamation point (ASCII 0x21), followed by a maximum size indication, before a separating comma or terminating semi-colon.
Thus, a DMARC URI is a URI within which any commas or exclamation points are percent-encoded per [URI], followed by an OPTIONAL exclamation point and a maximum size specification, and, if there are additional reporting URIs in the list, a comma and the next URI.
For example, the URI "mailto:reports@example.com!50m" would request a report be sent via email to "reports@example.com" so long as the report payload does not exceed 50 megabytes.
A formal definition is provided in Section 6.4.
DMARC records follow the extensible "tag-value" syntax for DNS-based key records defined in DKIM [DKIM].
Section 11 creates a registry for known DMARC tags and registers the initial set defined in this document. Only tags defined in this document or in later extensions, and thus added to that registry, are to be processed; unknown tags MUST be ignored.
if (random mod 100) < pct then selected = true else selected = false
The following tags are introduced as the initial valid DMARC tags:
A DMARC policy record MUST comply with the formal specification found in Section 6.4 in that the "v" and "p" tags MUST be present and MUST appear in that order. Unknown tags MUST be ignored. Syntax errors in the remainder of the record SHOULD be discarded in favor of default values (if any) or ignored outright.
Note that given the rules of the previous paragraph, addition of a new tag into the registered list of tags does not itself require a new version of DMARC to be generated (with a corresponding change to the "v" tag's value), but a change to any existing tags does require a new version of DMARC.
The formal definition of the DMARC format using [ABNF] is as follows:
dmarc-uri = URI [ "!" 1*DIGIT [ "k" / "m" / "g" / "t" ] ] ; "URI" is imported from [URI]; commas (ASCII ; 0x2c) and exclamation points (ASCII 0x21) ; MUST be encoded; the numeric portion MUST fit ; within an unsigned 64-bit integer dmarc-record = dmarc-version dmarc-sep [dmarc-request] [dmarc-sep dmarc-srequest] [dmarc-sep dmarc-auri] [dmarc-sep dmarc-furi] [dmarc-sep dmarc-adkim] [dmarc-sep dmarc-aspf] [dmarc-sep dmarc-ainterval] [dmarc-sep dmarc-fo] [dmarc-sep dmarc-rfmt] [dmarc-sep dmarc-percent] [dmarc-sep] ; components other than dmarc-version and ; dmarc-request may appear in any order dmarc-version = "v" *WSP "=" *WSP %x44 %x4d %x41 %x52 %x43 %x31 dmarc-sep = *WSP %3b *WSP dmarc-request = "p" *WSP "=" *WSP ( "none" / "quarantine" / "reject" ) dmarc-srequest = "sp" *WSP "=" *WSP ( "none" / "quarantine" / "reject" ) dmarc-auri = "rua" *WSP "=" *WSP dmarc-uri *(*WSP "," *WSP dmarc-uri) dmarc-furi = "ruf" *WSP "=" *WSP dmarc-uri *(*WSP "," *WSP dmarc-uri) dmarc-adkim = "adkim" *WSP "=" *WSP ( "r" / "s" ) dmarc-aspf = "aspf" *WSP "=" *WSP ( "r" / "s" ) dmarc-ainterval = "ri" *WSP "=" *WSP 1*DIGIT dmarc-fo = "fo" *WSP "=" *WSP ( "0" / "1" / "d" / "s" ) *(*WSP ":" *WSP ( "0" / "1" / "d" / "s" )) dmarc-rfmt = "rf" *WSP "=" *WSP Keyword *(*WSP ":" Keyword) ; registered reporting formats only dmarc-percent = "pct" *WSP "=" *WSP 1*3DIGIT
"Keyword" is imported from Section 4.1.2 of [SMTP].
A size limitation in a dmarc-uri, if provided, is interpreted as a count of units followed by an OPTIONAL unit size ("k" for kilobytes, "m" for megabytes, "g" for gigabytes, "t" for terabytes). Without a unit, the number is presumed to be a basic byte count. Note that the units are considered to be powers of two; a kilobyte is 2^10, a megabyte is 2^20, etc.
To implement the DMARC mechanism, the only action required of a Domain Owner is the creation of the DMARC policy record in the DNS. However, in order to make meaningful use of DMARC, a Domain Owner must at minimum either establish an address to receive reports, or deploy authentication technologies and ensure identifier alignment. Most Domain Owners will want to do both.
DMARC reports will be of significant size and the addresses that receive them are publicly visible, so we encourage Domain Owners to set up dedicated email addresses to receive and process reports, and to deploy abuse countermeasures on those email addresses as appropriate.
Authentication technologies are discussed in [DKIM] (see also [DKIM-OVERVIEW] and [DKIM-DEPLOYMENT]) and [SPF].
This section describes receiver actions in the DMARC environment.
The domain in the RFC5322.From field is extracted as the domain to be evaluated by DMARC. If the domain is encoded with UTF-8, the domain name must be converted to an A-label, as described in Section 2.3 of [IDNA], for further processing.
In order to be processed by DMARC, a message typically needs to contain exactly one RFC5322 From: domain (a single From: field with a single domain in it). Not all messages meet this requirement, and handling of them is outside of the scope of this document. Typical exceptions, and they way they have been historically handled by DMARC participants, are as follows:
The case of a syntactically valid multi-valued RFC5322.From field presents a particular challenge. The process in this case is to apply the DMARC check using each of those domains found in the RFC5322.From field as the Author Domain, and apply the most strict policy selected among the checks that fail.
To arrive at a policy for an individual message, Mail Receivers MUST perform the following actions or their semantic equivalents. Steps 2-4 MAY be done in parallel, whereas steps 5 and 6 require input from previous steps.
The steps are as follows:
Heuristics applied in the absence of use by a Domain Owner of either SPF or DKIM (e.g., [Best-Guess-SPF]) SHOULD NOT be used, as it may be the case that the Domain Owner wishes a Message Receiver not to consider the results of that underlying authentication protocol at all.
DMARC evaluation can only yield a "pass" result after one of the underlying authentication mechanisms passes for an aligned identifier. If neither passes and one or both of them fails due to a temporary error, the Receiver evaluating the message is unable to conclude that the DMARC mechanism had a permanent failure; they therefore cannot apply the advertised DMARC policy. When otherwise appropriate, Receivers MAY send feedback reports regarding temporary errors.
Handling of messages for which SPF and/or DKIM evaluation encounters a permanent DNS error is left to the discretion of the Mail Receiver.
As stated above, the DMARC mechanism uses DNS TXT records to advertise policy. Policy discovery is accomplished via a method similar to the method used for SPF records. This method and the important differences between DMARC and SPF mechanisms are discussed below.
To balance the conflicting requirements of supporting wildcarding, allowing subdomain policy overrides, and limiting DNS query load, the following DNS lookup scheme is employed:
If the set produced by the mechanism above contains no DMARC policy record (i.e., any indication that there is no such record as opposed to a transient DNS error), Mail Receivers SHOULD NOT apply the DMARC mechanism to the message.
Handling of DNS errors when querying for the DMARC policy record is left to the discretion of the Mail Receiver. For example, to ensure minimal disruption of mail flow, transient errors could result in delivery of the message ("fail open"), or they could result in the message being temporarily rejected (i.e., an SMTP 4yx reply) which invites the sending MTA to try again after the condition has possibly cleared, allowing a definite DMARC conclusion to be reached ("fail closed").
If the "pct" tag is present in the policy record, the Mail Receiver MUST NOT enact the requested policy ("p" tag or "sp" tag") on more than the stated percent of the totality of affected messages. However, regardless of whether or not the "pct" tag is present, the Mail Receiver MUST include all relevant message data in any reports produced.
If email is subject to the DMARC policy of "quarantine", the Mail Receiver SHOULD quarantine the message. If the email is not subject to the "quarantine" policy (due to the "pct" tag), the Mail Receiver SHOULD apply local message classification as normal.
If email is subject to the DMARC policy of "reject", the Mail Receiver SHOULD reject the message (see Section 10.3). If the email is not subject to the "reject" policy (due to the "pct" tag), the Mail Receiver SHOULD treat the email as though the "quarantine" policy applies. This behavior allows senders to experiment with progressively stronger policies without relaxing existing policy.
Mail receivers implement "pct" via statistical mechanisms that achieve a close approximation to the requested percentage and provide a representative sample across a reporting period.
The results of Mail Receiver-based DMARC processing should be stored for eventual presentation back to the Domain Owner in the form of aggregate feedback reports. Section 6.1 and Section 7.2 discuss aggregate feedback.
Mail Receivers MAY choose to reject or quarantine email even if email passes the DMARC mechanism check. The DMARC mechanism does not inform Mail Receivers whether an email stream is "good". Mail Receivers are encouraged to maintain anti-abuse technologies to combat the possibility of DMARC-enabled criminal campaigns.
Mail Receivers MAY choose to accept email that fails the DMARC mechanism check even if the Domain Owner has published a "reject" policy. Mail Receivers need to make a best effort not to increase the likelihood of accepting abusive mail if they choose not to comply with a Domain Owner's reject, against policy. At a minimum, addition of the Authentication-Results header field (see [AUTH-RESULTS]) is RECOMMENDED when delivery of failing mail is done. When this is done, the DNS domain name thus recorded MUST be encoded as an A-label.
Mail Receivers are only obligated to report reject or quarantine policy actions in aggregate feedback reports that are due to DMARC policy. They are not required to report reject or quarantine actions that are the result of local policy. If local policy information is exposed, abusers can gain insight into the effectiveness and delivery rates of spam campaigns.
Final disposition of a message is always a matter of local policy. An operator that wishes to favor DMARC policy over SPF policy, for example, will disregard the SPF policy since enacting an SPF-determined rejection prevents evaluation of DKIM; DKIM might otherwise pass, satisfying the DMARC evaluation. There is a trade-off to doing so, namely acceptance and processing of the entire message body in exchange for the enhanced protection DMARC provides.
DMARC-compliant Mail Receivers typically disregard any mail handling directive discovered as part of an authentication mechanism (e.g., ADSP, SPF) where a DMARC record is also discovered that specifies a policy other than "none". Deviating from this practice introduces inconsistency among DMARC operators in terms of handling of the message. However, such deviation is not proscribed.
To enable Domain Owners to receive DMARC feedback without impacting existing mail processing, discovered policies of "p=none" SHOULD NOT modify existing mail disposition processing.
Mail Receivers SHOULD also implement reporting instructions of DMARC, even in the absence of a request for DKIM reporting [AFRF-DKIM] or SPF reporting [AFRF-SPF]. Furthermore, the presence of such requests SHOULD NOT affect DMARC reporting.
Providing Domain Owners with visibility into how Mail Receivers implement and enforce the DMARC mechanism in the form of feedback is critical to establishing and maintaining accurate authentication deployments. When Domain Owners can see what effect their policies and practices are having, they are better willing and able to use quarantine and reject policies.
It is possible to specify destinations for the different reports that are outside the authority of the Domain Owner making the request. This allows domains that do not operate mail servers to request reports and have them go someplace that is able to receive and process them.
Without checks, this would allow a bad actor to publish a DMARC policy record that requests reports be sent to a victim address, and then send a large volume of mail that will fail both DKIM and SPF checks to a wide variety of destinations, which will in turn flood the victim with unwanted reports. Therefore, a verification mechanism is included.
When a Mail Receiver discovers a DMARC policy in the DNS, and the Organizational Domain at which that record was discovered is not identical to the Organizational Domain of the host part of the authority component of a [URI] specified in the "rua" or "ruf" tag, the following verification steps are to be taken:
For example, if a DMARC policy query for "blue.example.com" contained "rua=mailto:reports@red.example.net", the host extracted from the latter ("red.example.net") does not match "blue.example.com", so this procedure is enacted. A TXT query for "blue.example.com._report._dmarc.red.example.net" is issued. If a single reply comes back containing a tag of "v=DMARC1", then the relationship between the two is confirmed. Moreover, "red.example.net" has the opportunity to override the report destination requested by "blue.example.com" if needed.
Where the above algorithm fails to confirm that the external reporting was authorized by the Report Receiver, the URI MUST be ignored by the Mail Receiver generating the report. Further, if the confirming record includes a URI whose host is again different than the domain publishing that override, the Mail Receiver generating the report MUST NOT generate a report to either the original or the override URI.
A Report Receiver publishes such a record in its DNS if it wishes to receive reports for other domains.
A Report Receiver that is willing to receive reports for any domain can use a wildcard DNS record. For example, a TXT resource record at "*._report._dmarc.example.com" containing at least "v=DMARC1" confirms that example.com is willing to receive DMARC reports for any domain.
If the Report Receiver is overcome by volume, it can simply remove the confirming DNS record. However, due to positive caching, the change could take as long as the time-to-live on the record to go into effect.
A Mail Receiver might decide not to enact this procedure if, for example, it relies on a local list of domains for which external reporting addresses are permitted.
The DMARC aggregate feedback report is designed to provide Domain Owners with precise insight into:
Aggregate DMARC feedback provides visibility into real-world email streams that Domain Owners need to make informed decisions regarding the publication of DMARC policy. When Domain Owners know what legitimate mail they are sending, what the authentication results are on that mail, and what forged mail receivers are getting, they can make better decisions about the policies they need and the steps they need to take to enable those policies. When Domain Owners set policies appropriately and understand their effects, Mail Receivers can act on them confidently.
Visibility comes in the form of daily (or more frequent) Mail Receiver-originated feedback reports that contain aggregate data on message streams relevant to the Domain Owner. This information includes data about messages that passed DMARC authentication as well as those that did not.
The format for these reports is defined in Appendix C.
The report SHOULD include the following data:
Note that Domain Owners or their agents may change the published DMARC policy for a domain or subdomain at any time. From a Mail Receiver's perspective this will occur during a reporting period and may be noticed during that period, at the end of that period when reports are generated, or during a subsequent reporting period, all depending on the Mail Receiver's implementation. Under these conditions it is possible that a Mail Receiver could do any of the following:
Such policy changes are expected to be infrequent for any given domain, whereas more stringent policy monitoring requirements on the Mail Receiver would produce a very large burden at Internet scale. Therefore it is the responsibility of report consumers and Domain Owners to be aware of this situation and allow for such mixed reports during the propagation of the new policy to Mail Receivers.
Aggregate reports are most useful when they all cover a common time period. By contrast, correlation of these reports from multiple generators when they cover incongruent time periods is difficult or impossible. Report generators SHOULD, wherever possible, adhere to hour boundaries for the reporting period they are using. For example, starting a per-day report at 00:00; starting per-hour reports at 00:00, 01:00, 02:00; et cetera. Report Generators using a 24-hour report period are strongly encouraged to begin that period at 00:00 UTC, regardless of local timezone or time of report production, in order to facilitate correlation.
A Mail Receiver discovers reporting requests when it looks up a DMARC policy record that corresponds to a RFC5322 From: domain on received mail. The presence of the "rua" tag specifies where to send feedback.
Where the URI specified in an "rua" tag does not specify otherwise, a Mail Receiver generating a feedback report SHOULD employ a secure transport mechanism.
The Mail Receiver, after preparing a report, MUST evaluate the provided reporting URIs in the order given. Any reporting URI that includes a size limitation exceeded by the generated report (after compression and after any encoding required by the particular transport mechanism) MUST NOT be used. An attempt MUST be made to deliver an aggregate report to every remaining URI, up to the receiver's limits on supported URIs.
If transport is not possible because the services advertised by the published URIs are not able to accept reports (e.g., the URI refers to a service that is unreachable, or all provided URIs specify size limits exceeded by the generated record), the Mail Receiver SHOULD send a short report (see Section 7.2.2) indicating that a report is available but could not be sent. The Mail Receiver MAY cache that data and try again later, or MAY discard data that could not be sent.
The message generated by the Mail Receiver MUST be a [MIME] formatted [MAIL] message. The aggregate report itself MUST be included in one of the parts of the message. A human-readable portion MAY be included as a MIME part (such as a text/plain part).
filename = receiver "!" policy-domain "!" begin-timestamp "!" end-timestamp [ "!" unique-id ] "." extension unique-id = 1*(ALPHA | DIGIT) receiver = domain ; imported from [MAIL] policy-domain = domain begin-timestamp = 1*DIGIT ; seconds since 00:00:00 UTC January 1, 1970 ; indicating start of the time range contained ; in the report end-timestamp = 1*DIGIT ; seconds since 00:00:00 UTC January 1, 1970 ; indicating end of the time range contained ; in the report extension = "xml" / "xml.gz"
The aggregate data MUST be an XML file that SHOULD be subjected to GZIP compression. Declining to apply compression can cause the report to be too large for a receiver to process (a commonly-observed receiver limit is ten megabytes); doing the compression increases the chances of acceptance of the report at some compute cost. The aggregate data SHOULD be present using the media type "application/gzip" if compressed (see [GZIP]), and "text/xml" otherwise. The filename is typically constructed using the following ABNF:
The extension MUST be "xml" for a plain XML file, or "xml.gz" for an XML file compressed using GZIP.
"unique-id" allows an optional unique ID generated by the Mail Receiver to distinguish among multiple reports generated simultaneously by different sources within the same Domain Owner.
mail.receiver.example!example.com!1013662812!1013749130.gz
For example, this is a possible filename for the gzip file of a report to the Domain Owner "example.com" from the Mail Receiver "mail.receiver.example".
No specific MIME message structure is required. It is presumed that the aggregate reporting address will be equipped to extract MIME parts with the prescribed media type and filename and ignore the rest.
Email streams carrying DMARC feedback data MUST conform to the DMARC mechanism, thereby resulting in an aligned "pass" (see Section 3.1). This practice minimizes the risk of report consumers processing fraudulent reports.
dmarc-subject = %x52.65.70.6f.72.74 1*FWS ; "Report" %x44.6f.6d.61.69.6e.3a 1*FWS ; "Domain:" domain-name 1*FWS ; from RFC6376 %x53.75.62.6d.69.74.74.65.72.3a ; "Submitter:" 1*FWS domain-name 1*FWS %x52.65.70.6f.72.74.2d.49.44.3a ; "Report-ID:" msg-id ; from RFC5322
The RFC5322.Subject field for individual report submissions SHOULD conform to the following ABNF:
The first domain-name indicates the DNS domain name about which the report was generated. The second domain-name indicates the DNS domain name representing the Mail Receiver generating the report. The purpose of the Report-ID: portion of the field is to enable the Domain Owner to identify and ignore duplicate reports that might be sent by a Mail Receiver.
Subject: Report Domain: example.com Submitter: mail.receiver.example Report-ID: <2002.02.15.1>
For instance, this is a possible Subject field for a report to the Domain Owner "example.com" from the Mail Receiver "mail.receiver.example". It is line-wrapped as allowed by [MAIL].
This transport mechanism potentially encounters a problem when feedback data size exceeds maximum allowable attachment sizes for either the generator or the consumer. See Section 7.2.2 for further discussion.
The specification as written allows for the addition of other registered URI schemes to be supported in later versions.
When a Mail Receiver is unable to complete delivery of a report via any of the URIs listed by the Domain Owner, the Mail Receiver SHOULD generate an error message. An attempt MUST be made to send this report to all listed "mailto" URIs and it MAY also be sent to any or all other listed URIs.
The error report MUST be formatted per [MIME]. A text/plain part MUST be included that contains field-value pairs such as those found in Section 2 of [DSN]. The fields required, which may appear in any order, are:
An additional text/plain part MAY be included that gives a human-readable explanation of the above, and MAY also include a URI that can be used to seek assistance.
Failure reports are normally generated and sent almost immediately after the Mail Receiver detects a DMARC failure. Rather than waiting for an aggregate report, these reports are useful for quickly notifying the Domain Owners when there is an authentication failure. Whether the failure is due to an infrastructure problem or the message is inauthentic, failure reports also provide more information about the failed message than is available in an aggregate report.
These reports SHOULD include any URI(s) from the message that failed authentication. These reports SHOULD include as much of the message and message header as is reasonable to support the Domain Owner's investigation into what caused the message to fail authentication and track down the sender.
When a Domain Owner requests failure reports for the purpose of forensic analysis, and the Mail Receiver is willing to provide such reports, the Mail Receiver generates and sends a message using the format described in [AFRF]. This document updates the AFRF format as described in Section 7.3.1.
The destination(s) and nature of the reports are defined by the "ruf" and "fo" tags as defined in Section 6.3.
Where multiple URIs are selected to receive failure reports the report generator MUST make an attempt to deliver to each of them.
An obvious consideration is the denial of service attack that can be perpetrated by an attacker who sends numerous messages purporting to be from the intended victim Domain Owner but which fail both SPF and DKIM; this would cause participating Mail Receivers to send failure reports to the Domain Owner or its delegate in potentially huge volumes. Accordingly, participating Mail Receivers are encouraged to aggregate these reports as much as is practical, using the Incidents field of the Abuse Reporting Format ([ARF]). Various aggregation techniques are possible, including:
id-align = "Identity-Alignment:" [CFWS] ( "none" / dmarc-method *( [CFWS] "," [CFWS] dmarc-method ) ) [CFWS] dmarc-method = ( "dkim" / "spf" ) ; each may appear at most once in an id-align
Operators implementing this specification also implement an augmented version of [AFRF] as follows:
A minimum implementation of DMARC has the following characteristics:
This section discusses security issues specific to private data that may be included in the interactions that are part of DMARC.
Aggregate reports are limited in scope to DMARC policy and disposition results, to information pertaining to the underlying authentication mechanisms, and to the identifiers involved in DMARC validation.
Failed message reporting provides message-specific details pertaining to authentication failures. Individual reports can contain message content as well as trace header fields. Domain Owners are able to analyze individual reports and attempt to determine root causes of authentication mechanism failures, gain insight into misconfigurations or other problems with email and network infrastructure, or inspect messages for insight into abusive practices.
Both report types may expose sender and recipient identifiers (e.g., RFC5322.From addresses), and although the [AFRF] format used for failed message reporting supports redaction, failed message reporting is capable of exposing the entire message to the report recipient.
Domain Owners requesting reports will receive information about mail claiming to be from them, which includes mail that was not, in fact, from them. Information about the final destination of mail where it might otherwise be obscured by intermediate systems will therefore be exposed.
When message forwarding arrangements exist, Domain Owners requesting reports will also receive information about mail forwarded to domains that were not originally part of their messages' recipient lists. This means destination domains previously unknown to the Domain Owner may now become visible.
Disclosure of information about the messages is being requested by the entity generating the email in the first place, i.e., the Domain Owner and not the Mail Receiver, so this may not fit squarely within existing privacy policy provisions. For some providers, aggregate and failed message reporting are viewed as a function similar to complaint reporting about spamming or phishing, and treated similarly under the privacy policy. Report generators (i.e., Mail Receivers) are encouraged to review their reporting limitations under such policies before enabling DMARC reporting.
A DMARC record can specify that reports should be sent to an intermediary operating on behalf of the Domain Owner. This is done when the Domain Owner contracts with an entity to monitor mail-streams for abuse and performance issues. Receipt by third parties of such data may or may not be permitted by the Mail Receiver's privacy policy, terms of use, or other similar governing document. Domain Owners and Mail Receivers should both review and understand if their own internal policies constrain the use and transmission of DMARC reporting.
Some potential exists for report recipients to perform traffic analysis, making it possible to obtain metadata about the receiver's traffic. In addition to verifying compliance with policies, receivers need to consider that before sending reports to a third party.
This section discusses some topics regarding choices made in the development of DMARC, largely to commit the history to record.
Though DMARC does not inherently change the semantics of an SPF policy record, historically lax enforcement of such policies has led many to publish extremely broad records containing many large network ranges. Domain Owners are strongly encouraged to carefully review their SPF records to understand which networks are authorized to send on behalf of the Domain Owner before publishing a DMARC record.
Some receiver architectures might implement SPF in advance of any DMARC operations. This means a "-" prefix on a Sender's SPF mechanism, such as "-all", could cause that rejection go into effect early in handling, causing message rejection before any DMARC processing takes place. Operators choosing to use "-all" should be aware of this.
DMARC policies are communicated using the DNS, and therefore inherit a number of considerations related to DNS caching. The inherent conflict between freshness and the impact of caching on the reduction of DNS-lookup overhead should be considered from the Mail Receiver's point of view. Should Domain Owners publish a DNS record with a very short TTL, Mail Receivers can be provoked through the injection of large volumes of messages to overwhelm the Domain Owner's DNS. Although this is not a concern specific to DMARC, the implications of a very short TTL should be considered when publishing DMARC policies.
Conversely, long TTLs will cause records to be cached for long periods of time. This can cause a critical change to DMARC parameters advertised by a Domain Owner to go unnoticed for the length of the TTL (while waiting for DNS caches to expire). Avoiding this problem can mean shorter TTLs, with the potential problems described above. A balance should be sought to maintain responsiveness of DMARC preference changes while preserving the benefits of DNS caching.
This proposal calls for rejection of a message during the SMTP session under certain circumstances. This is preferable to generation of a Delivery Status notification ([DSN]) since fraudulent messages caught and rejected using DMARC would then result in annoying generation of such failure reports that go back to the RFC5321.MailFrom address.
This synchronous rejection is typically done in one of two ways:
Each of these has a cost. For instance, a silent discard can help to prevent backscatter, but it also effectively means the SMTP server has to be programmed to give a false result, which can confound external debugging efforts.
Similarly, the text portion of the SMTP reply may be important to consider. For example, when rejecting a message, revealing the reason for the rejection might give an attacker enough information to bypass those efforts on a later attempt, though it might also assist a legitimate client to determine the source of some local issue that caused the rejection.
550 5.7.1 Email rejected per DMARC policy for example.com
In the latter case, when doing an SMTP rejection, providing a clear hint can be useful in resolving issues. A receiver might indicate in plain text the reason for the rejection by using the word "DMARC" somewhere in the reply text. Many systems are able to scan the SMTP reply text to determine the nature of the rejection, thus providing a machine-detectable reason for rejection allows automated sorting of rejection causes so they can be properly addressed. For example:
If a Mail Receiver elects to defer delivery due to inability to retrieve or apply DMARC policy, this is best done with a 4xy SMTP reply code.
The DMARC mechanism allows both DKIM and SPF-authenticated identifiers to authenticate email on behalf of a Domain Owner and, possibly, on behalf of different subdomains. If malicious or unaware users can gain control of the SPF record or DKIM selector records for a subdomain, the subdomain can be used to generate DMARC-passing email on behalf of the Organizational Domain.
For example, an attacker who controls the SPF record for "evil.example.com" can send mail with an RFC5322.From field containing "foo@example.com" that can pass both authentication and the DMARC check against "example.com".
The Organizational Domain administrator should be careful not to delegate control of sub-domains if this is an issue, and to consider using the "strict" Identifier Alignment option if appropriate.
DMARC limits which end-to-end scenarios can achieve a "pass" result.
Because DMARC relies on [SPF] and/or [DKIM] to achieve a "pass", their limitations also apply.
Additional DMARC constraints occur when a message is processed by some Mediators, such as mailing lists. Transiting a Mediator often causes either the authentication to fail or identity alignment to be lost. These transformations may conform to standards but will still prevent a DMARC "pass".
In addition to Mediators, mail that is sent by authorized, independent third-parties might not be sent with Identifier Alignment, also preventing a "pass" result.
Issues specific to the use of policy mechanisms alongside DKIM are further discussed in [DKIM-LISTS], particularly Section 5.2.
This section describes actions requested of IANA.
IANA is requested to add the following to the Email Authentication Method Name Registry:
IANA has added the following in the Email Authentication Result Name Registry:
The following is added to the Feedback Report Header Fields Registry:
A new registry tree called "Domain-based Message Authentication, Reporting and Conformance (DMARC) Parameters" is to be created. Within it, a new sub-registry called the "DMARC Tag Registry" is also to be created.
Names of DMARC tags must be registered with IANA in this new sub-registry. New entries are assigned only for values that have been documented in a manner that satisfies the terms of Specification Required, per [IANA-CONSIDERATIONS]. Each registration must include the tag name, the specification that defines it, a brief description, and its status which must be one of "current", "experimental" or "historic". The Designated Expert needs to confirm that the provided specification adequately describes the new tag and clearly presents how it would be used within the DMARC context by Domain Owners and Mail Receivers.
To avoid version compatibility issues, tags added to the DMARC specification are to avoid changing the semantics of existing records when processed by implementations conforming to prior specifications.
+----------+-------------+---------+------------------------------+ | Tag Name | Defined | Status | Description | +----------+-------------+---------+------------------------------+ | adkim | [THIS MEMO] | current | DKIM alignment mode | +----------+-------------+---------+------------------------------+ | aspf | [THIS MEMO] | current | SPF alignment mode | +----------+-------------+---------+------------------------------+ | fo | [THIS MEMO] | current | Failure reporting options | +----------+-------------+---------+------------------------------+ | pct | [THIS MEMO] | current | Sampling rate | +----------+-------------+---------+------------------------------+ | p | [THIS MEMO] | current | Requested handling policy | +----------+-------------+---------+------------------------------+ | rf | [THIS MEMO] | current | Failure reporting format(s) | +----------+-------------+---------+------------------------------+ | ri | [THIS MEMO] | current | Aggregate Reporting interval | +----------+-------------+---------+------------------------------+ | rua | [THIS MEMO] | current | Reporting URI(s) for | | | | | aggregate data | +----------+-------------+---------+------------------------------+ | ruf | [THIS MEMO] | current | Reporting URI(s) for | | | | | failure data | +----------+-------------+---------+------------------------------+ | sp | [THIS MEMO] | current | Requested handling policy | | | | | for subdomains | +----------+-------------+---------+------------------------------+ | v | [THIS MEMO] | current | Specification version | +----------+-------------+---------+------------------------------+
The initial set of entries in this registry is as follows:
Also within "Domain-based Message Authentication, Reporting and Conformance (DMARC) Parameters", a new sub-registry called "DMARC Report Format Registry" is to be created.
Names of DMARC failure reporting formats must be registered with IANA in this registry. New entries are assigned only for values that satisfy the definition of Specification Required, per [IANA-CONSIDERATIONS]. In addition to a reference to a permanent specification, each registration must include the tag name, the specification that defines it, a brief description, and its status which must be one of "current", "experimental" or "historic". The Designated Expert needs to confirm that the provided specification adequately describes the report format and clearly presents how it would be used within the DMARC context by Domain Owners and Mail Receivers.
+--------+-------------+---------+-----------------------------+ | Format | Defined | Status | Description | | Name | | | | +--------+-------------+---------+-----------------------------+ | afrf | [THIS MEMO] | current | Authentication Failure | | | | | Reporting Format (see | | | | | [AFRF]) | +--------+-------------+---------+-----------------------------+
The initial set of entries in this registry is as follows:
This section discusses security issues and possible remediations (where available) for DMARC.
Security considerations from the authentication methods used by DMARC are incorporated here by reference.
URIs published in DNS TXT records are well-understood possible targets for attack. Specifications such as [DNS] and [ROLES] either expose or cause the exposure of email addresses that could be flooded by an attacker, for example; MX, NS and other records found in the DNS advertise potential attack destinations; common DNS names such as "www" plainly identify the locations at which particular services can be found, providing destinations for targeted denial-of-service or penetration attacks.
Thus, Domain Owners will need to harden these addresses against various attacks, including but not limited to:
The DMARC mechanism and its underlying technologies (SPF, DKIM) depend on the security of the DNS. To reduce the risk of subversion of the DMARC mechanism due to DNS-based exploits, serious consideration should be given to the deployment of DNSSEC in parallel with the deployment of DMARC by both Domain Owners and Mail Receivers.
Publication of data using DNSSEC is relevant to Domain Owners and third-party Report Receivers. DNSSEC-aware resolution is relevant to Mail Receivers and Report Receivers.
A common attack in messaging abuse is the presentation of false information in the display-name portion of the RFC5322.From field. For example, it is possible for the email address in that field to be an arbitrary address or domain name, while containing a well-known name (a person, brand, role, etc.) in the display name, intending to fool the end user into believing that the name is used legitimately. The attack is predicated on the notion that most common MUAs will show the display name and not the email address when both are available.
Generally, display name attacks are out of scope for DMARC as further exploration of possible defenses against these attacks needs to be undertaken.
From: "user@example.org via Bug Tracker" <support@example.com>
There are a few possible mechanisms that attempt mitigation of these attacks, such as:
To avoid abuse by bad actors, reporting addresses generally have to be inside the domains about which reports are requested. In order to accommodate special cases such as a need to get reports about domains that cannot actually receive mail, Section 7.1 describes a DNS-based mechanism for verifying approved external reporting.
The obvious consideration here is an increased DNS load against domains that are claimed as external recipients. Negative caching will mitigate this problem, but only to a limited extent, mostly dependent on the default time-to-live in the domain's SOA record.
Where possible, external reporting is best achieved by having the report be directed to domains that can receive mail and simply having it automatically forwarded to the desired external destination.
Note that the addresses shown in the "ruf" tag receive more information that might be considered private data, since it is possible for actual email content to appear in the failure reports. The URIs identified there are thus more attractive targets for intrusion attempts than those found in the "rua" tag. Moreover, attacking the DNS of the subject domain to cause failure data to be routed fraudulently to an attacker's systems may be an attractive prospect. Deployment of [DNSSEC] is advisable if this is a concern.
The verification mechanism presented in Section 7.1 is currently not mandatory ("MUST") but strongly recommended ("SHOULD"). It is possible that it would be elevated to a "MUST" by later security review.
This document encourages use of secure transport mechanisms to prevent loss of private data to third parties that may be able to monitor such transmissions. Unencrypted mechanisms should be avoided.
In particular, a message that was originally encrypted or otherwise secured might appear in a report that is not sent securely, which could reveal private information.
This section documents some design decisions that were made in the development of DMARC. Specifically, addressed here are some suggestions that were considered but not included in the design. This text is included to explain why they were considered and not included in this version.
S/MIME, or Secure Multipurpose Internet Mail Extensions, is a standard for encryption and signing of MIME data in a message. This was suggested and considered as a third security protocol for authenticating the source of a message.
DMARC is focused on authentication at the domain level (i.e., the Domain Owner taking responsibility for the message), while S/MIME is really intended for user-to-user authentication and encryption. This alone appears to make it a bad fit for DMARC's goals.
S/MIME also suffers from the heavyweight problem of Public Key Infrastructure, which means distribution of keys used to verify signatures needs to be incorporated. In many instances, this alone is a showstopper. There have been consistent promises that PKI usability and deployment will improve, but these have yet to materialize. DMARC can revisit this choice after those barriers are addressed.
S/MIME has extensive deployment in specific market segments (government, for example), but does not enjoy similar widespread deployment over the general Internet, and this shows no signs of changing. DKIM and SPF both are deployed widely over the general Internet and their adoption rates continue to be positive.
Finally, experiments have shown that including S/MIME support in the initial version of DMARC would neither cause nor enable a substantial increase in the accuracy of the overall mechanism.
It was suggested that DMARC include a mechanism by which a Domain Owner could tell Message Receivers not to attempt validation by one of the supported methods (e.g., "check DKIM, but not SPF").
Specifically, consider a Domain Owner that has deployed one of the technologies, and that technology fails for some messages, but such failures don't cause enforcement action. Deploying DMARC would cause enforcement action for policies other than "none", which would appear to exclude participation by that Domain Owner.
The DMARC development team evaluated the idea of policy exception mechanisms on several occasions and invariably concluded that there was not a strong enough use case to include them. The specific target audience for DMARC does not appear to have concerns about the failure modes of one or the other being a barrier to DMARC's adoption.
In the scenario described above, the Domain Owner has a few options:
It has been suggested in several message authentication efforts that the Sender header field be checked for an identifier of interest, as the standards indicate this as the proper way to indicate a re-mailing of content such as through a mailing list. Most recently, it was a protocol-level option for DomainKeys, but on evolution to DKIM, this property was removed.
The DMARC development team considered this and decided not to include support for doing so, for the following reasons:
A common practice among MTA operators, and indeed one documented in [ADSP], is a test to determine domain existence prior to any more expensive processing. This is typically done by querying the DNS for MX, A or AAAA resource records for the name being evaluated, and assuming the domain is non-existent if it could be determined that no such records were published for that domain name.
The original pre-standardization version of this protocol included a mandatory check of this nature. It was ultimately removed, as the method's error rate was too high without substantial manual tuning and heuristic work. There are indeed use cases this work needs to address where such a method would return a negative result about a domain for which reporting is desired, such as a registered domain name that never sends legitimate mail and thus has none of these records present in the DNS.
DMARC has been characterized as a "super-ADSP" of sorts.
Contributors to DMARC have compiled a list of issues associated with ADSP, gained from operational experience, that have influenced the direction of DMARC:
Although protocols like ADSP are useful for "protecting" a specific domain name, they are not helpful at protecting subdomains. If one wished to protect "example.com" by requiring via ADSP that all mail bearing an RFC5322.From domain of "example.com" be signed, this would "protect" that domain; however, one could then craft an email whose RFC5322.From domain is "security.example.com", and ADSP would not provide any protection. One could use a DNS wildcard, but this can undesirably interfere with other DNS activity; one could add ADSP records as fraudulent domains are discovered, but this solution does not scale and is a purely reactive measure against abuse.
The DNS does not provide a method by which the "domain of record", or the domain that was actually registered with a domain registrar, can be determined given an arbitrary domain name. Suggestions have been made that attempt to glean such information from SOA or NS resource records, but these too are not fully reliable as the partitioning of the DNS is not always done at administrative boundaries.
When seeking domain-specific policy based on an arbitrary domain name, one could "climb the tree", dropping labels off the left end of the name until the root is reached or a policy is discovered, but then one could craft a name that has a large number of nonsense labels; this would cause a Mail Receiver to attempt a large number of queries in search of a policy record. Sending many such messages constitutes an amplified denial-of-service attack.
The Organizational Domain mechanism is a necessary component to the goals of DMARC. The method described in Section 3.2 is far from perfect, but serves this purpose reasonably well without adding undue burden or semantics to the DNS. If a method is created to do so that is more reliable and secure than the use of a public suffix list, DMARC should be amended to use that method as soon as it is generally available.
A public suffix list for the purposes of determining the Organizational Domain can be obtained from various sources. The most common one is maintained by the Mozilla Foundation and made public at http://publicsuffix.org. License terms governing the use of that list are available at that URI.
Note that if operators use a variety of public suffix lists, interoperability will be difficult or impossible to guarantee.
This section illustrates both the Domain Owner side and the Mail Receiver side of a DMARC exchange.
The following examples illustrate the DMARC mechanism's use of Identifier Alignment. For brevity's sake, only message headers are shown as message bodies are not considered when conducting DMARC checks.
The following SPF examples assume that SPF produces a passing result.
Example 1: SPF in alignment:
MAIL FROM: <sender@example.com> From: sender@example.com Date: Fri, Feb 15 2002 16:54:30 -0800 To: receiver@example.org Subject: here's a sample
SPF In Alignment
In this case, the RFC5321.MailFrom parameter and the RFC5322.From field have identical DNS domains. Thus, the identifiers are in alignment.
Example 2: SPF in alignment (parent):
MAIL FROM: <sender@child.example.com> From: sender@example.com Date: Fri, Feb 15 2002 16:54:30 -0800 To: receiver@example.org Subject: here's a sample
SPF In Alignment (Parent)
In this case, the RFC5322.From parameter includes a DNS domain that is a parent of the RFC5321.MailFrom domain. Thus, the identifiers are in alignment if "relaxed" SPF mode is requested by the Domain Owner, and not in alignment if "strict" SPF mode is requested.
Example 3: SPF not in alignment:
MAIL FROM: <sender@example.net> From: sender@child.example.com Date: Fri, Feb 15 2002 16:54:30 -0800 To: receiver@example.org Subject: here's a sample
SPF Not In Alignment
In this case, the RFC5321.MailFrom parameter includes a DNS domain that is neither the same as nor a parent of the RFC5322.From domain. Thus, the identifiers are not in alignment.
The examples below assume the DKIM signatures pass verification. Alignment cannot exist with a DKIM signature that does not verify.
Example 1: DKIM in alignment:
DKIM-Signature: v=1; ...; d=example.com; ... From: sender@example.com Date: Fri, Feb 15 2002 16:54:30 -0800 To: receiver@example.org Subject: here's a sample
DKIM In Alignment
In this case, the DKIM "d=" parameter and the RFC5322.From field have identical DNS domains. Thus, the identifiers are in alignment.
Example 2: DKIM in alignment (parent):
DKIM-Signature: v=1; ...; d=example.com; ... From: sender@child.example.com Date: Fri, Feb 15 2002 16:54:30 -0800 To: receiver@example.org Subject: here's a sample
DKIM In Alignment (Parent)
In this case, the DKIM signature's "d=" parameter includes a DNS domain that is a parent of the RFC5322.From domain. Thus, the identifiers are in alignment for "relaxed" mode, but not for "strict" mode.
Example 3: DKIM not in alignment:
DKIM-Signature: v=1; ...; d=sample.net; ... From: sender@child.example.com Date: Fri, Feb 15 2002 16:54:30 -0800 To: receiver@example.org Subject: here's a sample
DKIM Not In Alignment
In this case, the DKIM signature's "d=" parameter includes a DNS domain that is neither the same as nor a parent of the RFC5322.From domain. Thus, the identifiers are not in alignment.
A Domain Owner that wants to use DMARC should have already deployed and tested SPF and DKIM. The next step is to publish a DNS record that advertises a DMARC policy for the Domain Owner's organizational domain.
The owner of the domain "example.com" has deployed SPF and DKIM on its messaging infrastructure. The owner wishes to begin using DMARC with a policy that will solicit aggregate feedback from receivers without affecting how the messages are processed, in order to:
The Domain Owner accomplishes this by constructing a policy record indicating that:
% dig +short TXT _dmarc.example.com. "v=DMARC1; p=none; rua=mailto:dmarc-feedback@example.com"
The DMARC policy record might look like this when retrieved using a common command-line tool:
; DMARC record for the domain example.com _dmarc IN TXT ( "v=DMARC1; p=none; " "rua=mailto:dmarc-feedback@example.com" )
To publish such a record, the DNS administrator for the Domain Owner creates an entry like the following in the appropriate zone file (following the conventional zone file format):
The Domain Owner from the previous example has used the aggregate reporting to discover some messaging systems that had not yet implemented DKIM correctly, but they are still seeing periodic authentication failures. In order to diagnose these intermittent problems they wish to request per-message failure reports when authentication failures occur.
Not all Receivers will honor such a request, but the Domain Owner feels that any reports it does receive will be helpful enough to justify publishing this record. The default per-message report format ([AFRF]) meets the Domain Owner's needs in this scenario.
The Domain Owner accomplishes this by adding the following to its policy record from Appendix B.2):
% dig +short TXT _dmarc.example.com. "v=DMARC1; p=none; rua=mailto:dmarc-feedback@example.com; ruf=mailto:auth-reports@example.com"
The DMARC policy record might look like this when retrieved using a common command-line tool (the output shown would appear on a single line, but is wrapped here for publication):
; DMARC record for the domain example.com _dmarc IN TXT ( "v=DMARC1; p=none; " "rua=mailto:dmarc-feedback@example.com; " "ruf=mailto:auth-reports@example.com" )
To publish such a record, the DNS administrator for the Domain Owner might create an entry like the following in the appropriate zone file (following the conventional zone file format):
The Domain Owner from the previous example is maintaining the same policy, but now wishes to have a third party receive and process the per-message failure reports. Again, not all Receivers will honor this request, but those that do may implement additional checks to validate that the third party wishes to receive the failure reports for this domain.
The Domain Owner needs to alter its policy record from Appendix B.2.2 as follows:
% dig +short TXT _dmarc.example.com. "v=DMARC1; p=none; rua=mailto:dmarc-feedback@example.com; ruf=mailto:auth-reports@thirdparty.example.net"
The DMARC policy record might look like this when retrieved using a common command-line tool (the output shown would appear on a single line, but is wrapped here for publication):
; DMARC record for the domain example.com _dmarc IN TXT ( "v=DMARC1; p=none; " "rua=mailto:dmarc-feedback@example.com; " "ruf=mailto:auth-reports@thirdparty.example.net" )
To publish such a record, the DNS administrator for the Domain Owner might create an entry like the following in the appropriate zone file (following the conventional zone file format):
Because the address used in the "ruf" tag is outside the Organizational Domain in which this record is published, conforming Receivers will implement additional checks as described in Section 7.1 of this document. In order to pass these additional checks, the third party will need to publish an additional DNS record as follows:
% dig +short TXT example.com._report._dmarc.thirdparty.example.net "v=DMARC1"
The resulting DNS record might look like this when retrieved using a common command-line tool (the output shown would appear on a single line, but is wrapped here for publication):
; zone file for thirdparty.example.net ; Accept DMARC failure reports on behalf of example.com example.com._report._dmarc IN TXT "v=DMARC1"
To publish such a record, the DNS administrator for example.net might create an entry like the following in the appropriate zone file (following the conventional zone file format):
Intermediaries and other third parties should refer to Section 7.1 for the full details of this mechanism.
The Domain Owner has implemented SPF and DKIM in a sub-domain used for pre-production testing of messaging services. It now wishes to request that participating receivers act to reject messages from this sub-domain that fail to authenticate.
As a first step it will ask that a portion (1/4 in this example) of failing messages be quarantined, enabling examination of messages sent to mailboxes hosted by participating receivers. Aggregate feedback reports will be sent to a mailbox within the Organizational Domain, and to a mailbox at a third party selected and authorized to receive same by the Domain Owner. Aggregate reports sent to the third party are limited to a maximum size of ten megabytes.
The Domain Owner will accomplish this by constructing a policy record indicating that:
% dig +short TXT _dmarc.test.example.com "v=DMARC1; p=quarantine; rua=mailto:dmarc-feedback@example.com, mailto:tld-test@thirdparty.example.net!10m; pct=25"
The DMARC policy record might look like this when retrieved using a common command-line tool (the output shown would appear on a single line, but is wrapped here for publication):
; DMARC record for the domain example.com _dmarc IN TXT ( "v=DMARC1; p=quarantine; " "rua=mailto:dmarc-feedback@example.com," "mailto:tld-test@thirdparty.example.net!10m; " "pct=25" )
To publish such a record, the DNS administrator for the Domain Owner might create an entry like the following in the appropriate zone file:
A Mail Receiver that wants to use DMARC should already be checking SPF and DKIM, and possess the ability to collect relevant information from various email processing stages to provide feedback to Domain Owners (possibly via Report Receivers).
An optimal DMARC-enabled Mail Receiver performs authentication and identifier alignment checking during the [SMTP] conversation.
Prior to returning a final reply to the DATA command, the Mail Receiver's MTA has performed:
The presence of an Author Domain DMARC record indicates that the Mail Receiver should continue with DMARC-specific processing before returning a reply to the DATA command.
Given a DMARC record and the set of Authenticated Identifiers, the Mail Receiver checks to see if the Authenticated Identifiers align with the Author Domain (taking into consideration any "strict" vs "relaxed" options found in the DMARC record).
Author Domain: example.com SPF-authenticated Identifier: mail.example.com DKIM-authenticated Identifier: example.com DMARC record: "v=DMARC1; p=reject; aspf=r; rua=mailto:dmarc-feedback@example.com"
For example, the following sample data is considered to be from a piece of email originating from the Domain Owner of "example.com":
In the above sample, both the SPF and the DKIM-authenticated Identifiers align with the Author Domain. The Mail Receiver considers the above email to pass the DMARC check, avoiding the "reject" policy that is to be applied to email that fails to pass the DMARC check.
If no Authenticated Identifiers align with the Author Domain, then the Mail Receiver applies the DMARC-record-specified policy. However, before this action is taken, the Mail Receiver can consult external information to override the Domain Owner's policy. For example, if the Mail Receiver knows that this particular email came from a known and trusted forwarder (that happens to break both SPF and DKIM), then the Mail Receiver may choose to ignore the Domain Owner's policy.
The Mail Receiver is now ready to reply to the DATA command. If the DMARC check yields that the message is to be rejected, then the Mail Receiver replies with a 5xy code to inform the sender of failure. If the DMARC check cannot be resolved due to transient network errors, then the Mail Receiver replies with a 4xy code to inform the sender as to the need to reattempt delivery later. If the DMARC check yields a passing message, then the Mail Receiver continues on with email processing, perhaps using the result of the DMARC check as an input to additional processing modules such as a domain reputation query.
Before exiting DMARC-specific processing, the Mail Receiver checks to see if the Author Domain DMARC record requests AFRF-based reporting. If so, then the Mail Receiver can emit an AFRF to the reporting address supplied in the DMARC record.
At the exit of DMARC-specific processing, the Mail Receiver captures (through logging or direct insertion into a data store) the result of DMARC processing. Captured information is used to build feedback for Domain Owner consumption. This is not necessary if the Domain Owner has not requested aggregate reports, i.e., no "rua" tag was found in the policy record.
Aggregate feedback is consumed by Domain Owners to verify the Domain Owners understanding of how the Domain Owner's Domain is being processed by the Mail Receiver. Aggregate reporting data on emails that pass all DMARC-supporting authentication checks is used by Domain Owners to verify that authentication practices remain accurate. For example, if a third party is sending on behalf of a Domain Owner, the Domain Owner can use aggregate report data to verify ongoing authentication practices of the third party.
Data on email that only partially passes underlying authentication checks provides visibility into problems that need to be addressed by the Domain Owner. For example, if either SPF or DKIM fail to pass, the Domain Owner is provided with enough information to either directly correct the problem or to understand where authentication-breaking changes are being introduced in the email transmission path. If authentication-breaking changes due to email transmission path cannot be directly corrected, then the Domain Owner at least maintains an understanding of the effect of DMARC-based policies upon the Domain Owner's email.
Data on email that fails all underlying authentication checks provides baseline visibility on how the Domain Owner's Domain is being received at the Mail Receiver. Based on this visibility, the Domain Owner can begin deployment of authentication technologies across uncovered email sources. Additionally, the Domain Owner may come to an understanding of how its Domain is being misused.
mailto:dmarc-feedback@example.com
A DMARC record can contain a "mailto" reporting address, such as:
DKIM-Signature: v=1; ...; d=mail.receiver.example; ... From: dmarc-reporting@mail.receiver.example Date: Fri, Feb 15 2002 16:54:30 -0800 To: dmarc-feedback@example.com Subject: Report Domain: example.com Submitter: mail.receiver.example Report-ID: <2002.02.15.1> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_024E_01CC9B0A.AFE54C00" Content-Language: en-us This is a multipart message in MIME format. ------=_NextPart_000_024E_01CC9B0A.AFE54C00 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit This is an aggregate report from mail.receiver.example. ------=_NextPart_000_024E_01CC9B0A.AFE54C00 Content-Type: application/gzip Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="mail.receiver.example!example.com! 1013662812!1013749130.gz" <gzipped content of report> ------=_NextPart_000_024E_01CC9B0A.AFE54C00--
A sample aggregate report from the Mail Receiver at mail.receiver.example follows:
Not shown in the above example is that the Mail Receiver's feedback should be authenticated using SPF. Also, the value of the "filename" MIME parameter is wrapped for printing in this specification but would normally appear as one continuous string.
The following is the proposed initial schema for producing XML formatted aggregate reports as described in this document.
<?xml version="1.0"?> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://dmarc.org/dmarc-xml/0.1"> <!-- The time range in UTC covered by messages in this report, specified in seconds since epoch. --> <xs:complexType name="DateRangeType"> <xs:all> <xs:element name="begin" type="xs:integer"/> <xs:element name="end" type="xs:integer"/> </xs:all> </xs:complexType> <!-- Report generator metadata --> <xs:complexType name="ReportMetadataType"> <xs:sequence> <xs:element name="org_name" type="xs:string"/> <xs:element name="email" type="xs:string"/> <xs:element name="extra_contact_info" type="xs:string" minOccurs="0"/> <xs:element name="report_id" type="xs:string"/> <xs:element name="date_range" type="DateRangeType"/> <xs:element name="error" type="xs:string" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <!-- Alignment mode (relaxed or strict) for DKIM and SPF. --> <xs:simpleType name="AlignmentType"> <xs:restriction base="xs:string"> <xs:enumeration value="r"/> <xs:enumeration value="s"/> </xs:restriction> </xs:simpleType> <!-- The policy actions specified by p and sp in the DMARC record. --> <xs:simpleType name="DispositionType"> <xs:restriction base="xs:string"> <xs:enumeration value="none"/> <xs:enumeration value="quarantine"/> <xs:enumeration value="reject"/> </xs:restriction> </xs:simpleType> <!-- The DMARC policy that applied to the messages in this report. --> <xs:complexType name="PolicyPublishedType"> <xs:all> <!-- The domain at which the DMARC record was found. --> <xs:element name="domain" type="xs:string"/> <!-- The DKIM alignment mode. --> <xs:element name="adkim" type="AlignmentType" minOccurs="0"/> <!-- The SPF alignment mode. --> <xs:element name="aspf" type="AlignmentType" minOccurs="0"/> <!-- The policy to apply to messages from the domain. --> <xs:element name="p" type="DispositionType"/> <!-- The policy to apply to messages from subdomains. --> <xs:element name="sp" type="DispositionType"/> <!-- The percent of messages to which policy applies. --> <xs:element name="pct" type="xs:integer"/> <!-- Failure reporting options in effect. --> <xs:element name="fo" type="xs:string"/> </xs:all> </xs:complexType> <!-- The DMARC-aligned authentication result. --> <xs:simpleType name="DMARCResultType"> <xs:restriction base="xs:string"> <xs:enumeration value="pass"/> <xs:enumeration value="fail"/> </xs:restriction> </xs:simpleType> <!-- Reasons that may affect DMARC disposition or execution thereof. --> <xs:simpleType name="PolicyOverrideType"> <xs:restriction base="xs:string"> <xs:enumeration value="forwarded"/> <xs:enumeration value="sampled_out"/> <xs:enumeration value="trusted_forwarder"/> <xs:enumeration value="mailing_list"/> <xs:enumeration value="local_policy"/> <xs:enumeration value="other"/> </xs:restriction> </xs:simpleType> <!-- How do we allow report generators to include new classes of override reasons if they want to be more specific than "other"? --> <xs:complexType name="PolicyOverrideReason"> <xs:all> <xs:element name="type" type="PolicyOverrideType"/> <xs:element name="comment" type="xs:string" minOccurs="0"/> </xs:all> </xs:complexType> <!-- Taking into account everything else in the record, the results of applying DMARC. --> <xs:complexType name="PolicyEvaluatedType"> <xs:sequence> <xs:element name="disposition" type="DispositionType"/> <xs:element name="dkim" type="DMARCResultType"/> <xs:element name="spf" type="DMARCResultType"/> <xs:element name="reason" type="PolicyOverrideReason" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <!-- Credit to Roger L. Costello for IPv4 regex http://mailman.ic.ac.uk/pipermail/xml-dev/1999-December/ 018018.html --> <!-- Credit to java2s.com for IPv6 regex http://www.java2s.com/Code/XML/XML-Schema/ IPv6addressesareeasiertodescribeusingasimpleregex.htm --> <xs:simpleType name="IPAddress"> <xs:restriction base="xs:string"> <xs:pattern value="((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]).){3} (1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])| ([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}"/> </xs:restriction> </xs:simpleType> <xs:complexType name="RowType"> <xs:all> <!-- The connecting IP. --> <xs:element name="source_ip" type="IPAddress"/> <!-- The number of matching messages --> <xs:element name="count" type="xs:integer"/> <!-- The DMARC disposition applying to matching messages. --> <xs:element name="policy_evaluated" type="PolicyEvaluatedType" minOccurs="1"/> </xs:all> </xs:complexType> <xs:complexType name="IdentifierType"> <xs:all> <!-- The envelope recipient domain. --> <xs:element name="envelope_to" type="xs:string" minOccurs="0"/> <!-- The envelope from domain. --> <xs:element name="envelope_from" type="xs:string" minOccurs="1"/> <!-- The payload From domain. --> <xs:element name="header_from" type="xs:string" minOccurs="1"/> </xs:all> </xs:complexType> <!-- DKIM verification result, according to RFC 5451 Section 2.4.1. --> <xs:simpleType name="DKIMResultType"> <xs:restriction base="xs:string"> <xs:enumeration value="none"/> <xs:enumeration value="pass"/> <xs:enumeration value="fail"/> <xs:enumeration value="policy"/> <xs:enumeration value="neutral"/> <xs:enumeration value="temperror"/> <xs:enumeration value="permerror"/> </xs:restriction> </xs:simpleType> <xs:complexType name="DKIMAuthResultType"> <xs:all> <!-- The d= parameter in the signature --> <xs:element name="domain" type="xs:string" minOccurs="1"/> <!-- The s= parameter in the signature --> <xs:element name="selector" type="xs:string" minOccurs="0"/> <!-- The DKIM verification result --> <xs:element name="result" type="DKIMResultType" minOccurs="1"/> <!-- Any extra information (e.g., from Authentication-Results --> <xs:element name="human_result" type="xs:string" minOccurs="0"/> </xs:all> </xs:complexType> <!-- SPF domain scope --> <xs:simpleType name="SPFDomainScope"> <xs:restriction base="xs:string"> <xs:enumeration value="helo"/> <xs:enumeration value="mfrom"/> </xs:restriction> </xs:simpleType> <!-- SPF result --> <xs:simpleType name="SPFResultType"> <xs:restriction base="xs:string"> <xs:enumeration value="none"/> <xs:enumeration value="neutral"/> <xs:enumeration value="pass"/> <xs:enumeration value="fail"/> <xs:enumeration value="softfail"/> <!-- "TempError" commonly implemented as "unknown" --> <xs:enumeration value="temperror"/> <!-- "PermError" commonly implemented as "error" --> <xs:enumeration value="permerror"/> </xs:restriction> </xs:simpleType> <xs:complexType name="SPFAuthResultType"> <xs:all> <!-- The checked domain. --> <xs:element name="domain" type="xs:string" minOccurs="1"/> <!-- The scope of the checked domain. --> <xs:element name="scope" type="SPFDomainScope" minOccurs="1"/> <!-- The SPF verification result --> <xs:element name="result" type="SPFResultType" minOccurs="1"/> </xs:all> </xs:complexType> <!-- This element contains DKIM and SPF results, uninterpreted with respect to DMARC. --> <xs:complexType name="AuthResultType"> <xs:sequence> <!-- There may be no DKIM signatures, or multiple DKIM signatures. --> <xs:element name="dkim" type="DKIMAuthResultType" minOccurs="0" maxOccurs="unbounded"/> <!-- There will always be at least one SPF result. --> <xs:element name="spf" type="SPFAuthResultType" minOccurs="1" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> <!-- This element contains all the authentication results that were evaluated by the receiving system for the given set of messages. --> <xs:complexType name="RecordType"> <xs:sequence> <xs:element name="row" type="RowType"/> <xs:element name="identifiers" type="IdentifierType"/> <xs:element name="auth_results" type="AuthResultType"/> </xs:sequence> </xs:complexType> <!-- Parent --> <xs:element name="feedback"> <xs:complexType> <xs:sequence> <xs:element name="version" type="xs:decimal"/> <xs:element name="report_metadata" type="ReportMetadataType"/> <xs:element name="policy_published" type="PolicyPublishedType"/> <xs:element name="record" type="RecordType" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> </xs:schema>
NOTE: Per the definition of XML, unless otherwise specified in the schema below, the minOccurs and maxOccurs values for each element is set to 1.
Descriptions of the PolicyOverrideTypes:
The "version" for reports generated per this specification MUST be the value 1.0.
Public discussion of the DMARC proposal documents is taking place on the dmarc-discuss@dmarc.org mailing list. Subscription is available at http://www.dmarc.org/mailman/listinfo/dmarc-discuss.
[RFC Editor: Please remove this section prior to publication.]
DMARC and the version of this document submitted to the IETF were the result of lengthy efforts by an informal industry consortium: DMARC.org. Participating companies included: Agari, American Greetings, AOL, Bank of America, Cloudmark, Comcast, Facebook, Fidelity Investments, Google, JPMorgan Chase & Company, LinkedIn, Microsoft, Netease, PayPal, ReturnPath, The Trusted Domain Project, and Yahoo!. Although the number of contributors and supporters are too numerous to mention, notable individual contributions were made by J. Trent Adams, Michael Adkins, Monica Chew, Dave Crocker, Tim Draegen, Steve Jones, Franck Martin, Brett McDowell, and Paul Midgen. The contributors would also like to recognize the invaluable input and guidance that was provided early on by J.D. Falk.
Additional contributions within the IETF context were made by Kurt Anderson, Les Barstow, Jim Fenton, J. Gomez, Mike Jones, Scott Kitterman, Eliot Lear, John Levine, S. Moonesamy, Rolf Sonneveld, Henry Timmes, and Stephen J. Turnbull.