Internet DRAFT - draft-akagiri-mail-divide
draft-akagiri-mail-divide
Network Working Group T. Akagiri
Internet-Draft Regumi, Inc.
Intended status: Experimental G. Yasutaka
Expires: January 28, 2018 Rakuten, Inc.
K. Okada
T. Hayashi
Lepidum Co. Ltd.
M. Kase
Individual Contributor
July 27, 2017
Mail Divide Framework
draft-akagiri-mail-divide-01
Abstract
Mail Divide Framework (MDF) is a recipient driven partitioning
framework for E-Mail delivery. A protocol to divide mail delivery at
the source of the message is defined in this draft. A mechanism
called Reputation Service Provider is also introduced so that a
third-party authority can assure senders' trust. With MDF,
subdomaining is used for category-specific MTA designation. Senders
decide which category the outgoing mail belongs. It then looks up
DNS TXT record to find whether the recipient advertises a specific
server for that category. The specified server puts the received
mail into a corresponding per-category inbox for the user.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 28, 2018.
Akagiri, et al. Expires January 28, 2018 [Page 1]
�
Internet-Draft MDF July 2017
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Key Words . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Mail Divide Framework (MDF) . . . . . . . . . . . . . . . 3
1.3. Mail Category . . . . . . . . . . . . . . . . . . . . . . 3
1.4. Reputation Service Provider (RSP) . . . . . . . . . . . . 4
1.5. DIVIDE record . . . . . . . . . . . . . . . . . . . . . . 4
1.6. Imported Definitions . . . . . . . . . . . . . . . . . . 4
1.7. Message Handling Agent Definitions . . . . . . . . . . . 4
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Operational Overview . . . . . . . . . . . . . . . . . . . . 6
3.1. Preparation . . . . . . . . . . . . . . . . . . . . . . . 7
3.1.1. Advertise Receiver Policy . . . . . . . . . . . . . . 7
3.2. Sending in MDF . . . . . . . . . . . . . . . . . . . . . 7
3.2.1. Submission with category . . . . . . . . . . . . . . 7
3.2.2. Looking Up DIVIDE Records . . . . . . . . . . . . . . 7
3.2.3. Subdomaining Recipient Domain . . . . . . . . . . . . 8
3.2.4. Transmitting Mail . . . . . . . . . . . . . . . . . . 8
3.3. Receiving in MDF . . . . . . . . . . . . . . . . . . . . 8
3.3.1. Sender Authentication . . . . . . . . . . . . . . . . 8
3.3.2. Reputation Lookup . . . . . . . . . . . . . . . . . . 8
3.3.3. Headers and Envelope Handling . . . . . . . . . . . . 9
3.3.4. Deliver to Specific Inbox . . . . . . . . . . . . . . 9
3.3.5. Read the mail . . . . . . . . . . . . . . . . . . . . 9
4. Mail Categories . . . . . . . . . . . . . . . . . . . . . . . 9
5. DIVIDE Records . . . . . . . . . . . . . . . . . . . . . . . 11
5.1. DNS Resource Records Syntax . . . . . . . . . . . . . . . 11
5.2. Multiple DNS Records . . . . . . . . . . . . . . . . . . 12
5.3. Record Size . . . . . . . . . . . . . . . . . . . . . . . 12
6. Reputation Service Providers . . . . . . . . . . . . . . . . 12
6.1. White-list Management . . . . . . . . . . . . . . . . . . 13
6.2. Reputation Query and Result Caching . . . . . . . . . . . 13
Akagiri, et al. Expires January 28, 2018 [Page 2]
�
Internet-Draft MDF July 2017
6.3. Evaluation and Feedback . . . . . . . . . . . . . . . . . 14
7. Result Handling . . . . . . . . . . . . . . . . . . . . . . . 14
8. Mailing-list . . . . . . . . . . . . . . . . . . . . . . . . 14
9. Multi-hop Delivery . . . . . . . . . . . . . . . . . . . . . 14
10. Security Considerations . . . . . . . . . . . . . . . . . . . 15
10.1. DNS Spoofing . . . . . . . . . . . . . . . . . . . . . . 15
11. Privacy Considerations . . . . . . . . . . . . . . . . . . . 15
11.1. DNS queries . . . . . . . . . . . . . . . . . . . . . . 15
11.2. Reputation queries . . . . . . . . . . . . . . . . . . . 15
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
12.1. Normative References . . . . . . . . . . . . . . . . . . 16
12.2. Informative References . . . . . . . . . . . . . . . . . 17
Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 17
Appendix B. Contributors and Acknowledgements . . . . . . . . . 18
Appendix C. IANA Considerations . . . . . . . . . . . . . . . . 18
C.1. The DIVIDE DNS Resoruce Record Type . . . . . . . . . . . 18
C.2. Email Authentication Methods . . . . . . . . . . . . . . 18
C.3. Email Authentication Property Types . . . . . . . . . . . 18
C.4. Reputation Applications Registry . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
1. Terminology
1.1. Key Words
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described
[RFC2119].
1.2. Mail Divide Framework (MDF)
A recipient driven partitioning framework for E-Mail delivery.
Receivers advertise that it prepares a separate delivery path, or
receiving MTA, for a specific category of mail messages. MDF
provides a mechanism to advertise and lookup category specific
settings, and evaluate conformance of senders via RSPs.
1.3. Mail Category
The intended purpose of each mail message, such as communication,
notification, etc. MDF requires that the definition of a Mail
Category is agreed upon among senders, receivers, and RSPs.
Akagiri, et al. Expires January 28, 2018 [Page 3]
�
Internet-Draft MDF July 2017
1.4. Reputation Service Provider (RSP)
Reputation Service Provider keeps track of a white list of MDF-
conforming senders. Receiving party can perform a query to see how a
specific sender is conforming to MDF.
1.5. DIVIDE record
A DNS TXT resource record that advertises receiver's trust policy.
DIVIDE record specifies that a mail message under a category is
received by a specific subdomain.
1.6. Imported Definitions
ABNF (Augmented Backus-Naur Form) ABNF is defined in [RFC5234], as
are the tokens "ALPHA", "DIGIT", and "SP" (space).
The tokens "Local-part", "Domain", "address-literal" and "Mailbox"
are defined in [RFC5321].
"dot-atom", "quoted-string", "comment", "CFWS" (comment folded white
space), "FWS" (folded white space), and "CRLF" (carriage-return/
line-feed) are defined in [RFC5322].
1.7. Message Handling Agent Definitions
This document is concerned with message delivery and handling. The
following agents are defined in [RFC6409]:
o Message Submission Agent (MSA)
o Message Transfer Agent (MTA)
o Message User Agent (MUA)
Message Delivery Agent (MDA) receives messages and put them into
users' mailbox. (non-normative reference [RFC5598])
2. Introduction
Current E-Mail traffic is flooded with Unsolicited Bulk E-Mail (UBE,
aka spam). Traditional approaches against them were detecting and
filtering them out from the network and user inboxes. In this
document, another approach is presented. Instead of removing SPAM
from the mail delivery network, we introduce a new partitioned
delivery network for messages that are not SPAM.
Akagiri, et al. Expires January 28, 2018 [Page 4]
�
Internet-Draft MDF July 2017
It is possible to categorize E-Mail messages by their purposes. For
example, communication messages usually expect replies. Typical
communication messages thus show bi-directional exchange between
peers. On the other hand, notification messages such as order
confirmations or development activity updates are uni-directional.
E-Mail traffic in each categories may show different characteristics.
For example, communication messages have problems like outbound bulk
messages from a compromised account. Notification messages have
risks of sender spoofing and phishing. Therefore, E-Mail abuse can
be efficiently detected and filtered out if we have a different
message delivery path per category.
This document defines a protocol by which domain owners may assign
separate MTAs for each category of mail. This is done by
subdomaining the receiving domain, while keeping the Local-part of
the recipient. Subdomaining have an advantage that the separation
can happen in transport layer. This effectively separates mail
delivery paths at the source of the messages, as if a drainage divide
does for water.
Compliant domain holders publish DIVIDE records that specify a
subdomain for each mail category that it is willing to receive.
DIVIDE records are defined as DNS TXT Resource Records similar to SPF
[RFC7208] records. Compliant mail senders use the published DIVIDE
records to find the destination MTA according to the category of the
mail being sent. Receiver also specifies which method is used to
authenticate the sender: DMARC [RFC7489], DKIM [RFC6376], SenderID
[RFC4406], PRF [RFC4407], or SPF [RFC7208].
To make this framework effective, senders must label outgoing
messages with correct categories. Senders that abusively categorize
messages should be detected and removed from the network. A
mechanism called Reputation Service Provider is also introduced so
that a third-party authority can assure senders' trust. This enables
per-category white-listing at the receivers' desired level of
strictness.
MDF provides the following advantages:
o a separate message delivery network per message category
o a separate message inbox per message category
o trust-based messaging
o receivers may advertise preferred sender authentication mechanism
per category
Akagiri, et al. Expires January 28, 2018 [Page 5]
�
Internet-Draft MDF July 2017
o reputation based sender white-listing
o senders pay for trust, not receivers
3. Operational Overview
Figure 1 shows the overview of a mail transmission with Mail Divide
Framework.
In this figure, solid lines indicate the flow of a message. Double
lines indicate communications other than message deliveries (DNS
queries, reputation queries over HTTPS).
.
Sender side <-- . --> Receiver side
. beta.example.com
.
alpha.example.org .
. c.beta.example.com
. +-------+ (4) Reputation rsp.example.org
(3) Add subdomain . | | Query +------------+
and transmit +-------> MTA +=================> Reputation |
RCPT: bob@c.beta.example.com | +------+ | Service |
| . +-------+ | | Provider |
| . | +------------+
| . | (5) Add Authentication-
| . | Results Header
(1) | . beta.example.com |
Submit +-------+ | . +-------+ | +-------+
+----+ | MSA/ | | . | | | | |
|User+----> MTA +--+ . | MTA | +--> MDA |
+----+ | | . | | | |
+---++--+ . +--++---+ +---+---+
|| . || |
(2) Lookup || . || | (7) Read
MDF || . || (0) Advertise | +-----+ +----+
|| . || Receiver | |Inbox| +->User|
|| . +--vv---+ Policy | +-----+ | +----+
|| . | | | |
+==============> DNS | | +-----+ |
. | | +-->Comm +--+
. +-------+ +-----+
_divide.beta.example.com (6) Store in category
specific inbox
Akagiri, et al. Expires January 28, 2018 [Page 6]
�
Internet-Draft MDF July 2017
3.1. Preparation
3.1.1. Advertise Receiver Policy
Step (0): the receiver advertises its divide path per category with a
DIVIDE record.
Administrator of the mail-receiving domain designs per-category path
partition. For example, "beta.example.com" separates communication
and notification to "c.beta.example.com" and "n.beta.example.com",
respectively. All other categories should go to "beta.example.com".
"beta.example.com" builds a DNS TXT Resource Record to express these,
as described in Section 5.1. It puts the record in its DNS under
"_divide.beta.example.com".
v=DIVIDE1\; a=DMARC p=comm:c rsp=rsp.example.org;
a=DMARC p=notif:n rsp=reputation.example.com
The "rsp=" part specifies an RSP associated for each category.
Sender's reputation should be managed by this RSP so that the
receiver can decide whether it trusts the sender.
3.2. Sending in MDF
3.2.1. Submission with category
Step (1): a user submits a mail message.
MUA/MSA assigns a category to the message according to the context.
If the user is a notification sender system, assign "notification".
If the user is a human and the message is a reply, assign
"communication".
For example, when "alice@alpha.example.org" sends a communication
message to "bob@beta.example.com", the MSA of
"alice@alpha.example.org" assigns "communication" to the message.
3.2.2. Looking Up DIVIDE Records
Step (2): Sender's MTA looks up MDF policy of the recipient domain.
The final MTA in "alpha.example.org" is going to transmit the message
to "beta.example.com".
It first looks up DNS under "_divide.beta.example.com" and finds a
DNS TXT Resource Record with "v=DIVIDE1". It now knows that
beta.example.com uses Mail Divide Framework.
Akagiri, et al. Expires January 28, 2018 [Page 7]
�
Internet-Draft MDF July 2017
3.2.3. Subdomaining Recipient Domain
Step (3): Set destination to the divided mail server.
The record has entries for "p=comm:c" and "p=notif:n". This
specifies messages in category "communication" should be sent to
recipient's subdomain "c", namely, "c.beta.example.com"; similarly
category "notification" to "n.beta.example.com".
Since the message from alice to bob has the category "communication",
sender's MTA SHOULD choose "c" as target subdomain. It creates a new
envelope RCPT address (as defined in [RFC5321])
"bob@c.beta.example.com".
Note that the header To: (as defined in [RFC5322]) MUST stay intact.
3.2.4. Transmitting Mail
Now the mail is sent from "alpha.example.org" to
"c.beta.example.com". This is done with ordinary mail transfer
protocol, SMTP [RFC5321].
The sender's MTA authenticates itself with DMARC, in this example,
according to the DIVIDE record specifies.
3.3. Receiving in MDF
When "c.beta.example.com" receives the mail, it verifies the sender's
identity and reputation. The result of the verification is added to
the message as Authentication-Results header.
3.3.1. Sender Authentication
Sender's identity is verified by DMARC, DKIM, SPF, etc. according to
the authentication method specified in the DIVIDE record.
3.3.2. Reputation Lookup
Step (4): Reputation Lookup
The recipient MTA "c.beta.example.com" is specifically configured to
receive messages that are categorized as "communication" according to
MDF. It should verify whether the sender complies with MDF, i.e. not
sending spam mail under a category label "communication".
The recipient MTA makes a query to a reputation server as defined in
Repute protocol [RFC7072]. New assertion-types are introduced to
specify MDF mail categories. If the obtained reputation rate is
Akagiri, et al. Expires January 28, 2018 [Page 8]
�
Internet-Draft MDF July 2017
acceptable, the recipient MTA continue processing the message.
Otherwise it should reject the message and return a 5xx status.
3.3.3. Headers and Envelope Handling
Step (5): Add Headers and revert RCPT
At this point, the receiver MTA has verified that the sender conforms
to MDF. The mail message is transmitted to the MDA with an
Authentication-Results header, which is defined in [RFC7410]. MDF
specific parameters are added to the Authentication-Results header.
Authentication-Results: c.beta.example.com;
dkim=pass (good signature) header.d=alpha.example.org;
divide=pass policy.category=communication
Upon forwarding the mail message to the MDA, the receiver MTA MAY
remove the category subdomain from the envelope RCPT. This reverts
the final recipient to "bob@beta.example.com".
3.3.4. Deliver to Specific Inbox
Step (6): Put the message into a specific inbox for the category
MDA looks at Authentication-Results header of the mail message and
will find "divide=pass" field that indicates this mail has been
transported via MDF-conformed partitioned delivery path. The MDA
puts the message into a separate inbox for the user. In this
example, it is "Comm" folder in the user bob's IMAP server.
3.3.5. Read the mail
Step (7): Find the mail as partitioned
The user reads the newly received mail in the "Comm" folder. The MUA
looks at the Authentication-Results header to know this is a
partitioned mail. It displays a prominent sign to the user that the
sender is trusted.
4. Mail Categories
For the purpose of MDF, mail messages are categorized into the
following types:
Akagiri, et al. Expires January 28, 2018 [Page 9]
�
Internet-Draft MDF July 2017
+---------------+---------+-----------------------------------------+
| Category | Label | Description |
+---------------+---------+-----------------------------------------+
| communication | comm | A message intended to become a part of |
| | | a bidirectional conversation. |
| | | |
| transaction | trans | A message regarding money |
| | | transaction/purchase confirmation. |
| | | |
| notification | notif | An one-way message to report an event. |
| | | No reply is usually expected. |
| | | |
| promotion | promo | An advertisement message. |
| | | |
| mailing-list | ml | A message delivered from a mailing-list |
| | | server to the members of that list. |
| | | |
| multi-hop | mh | A message is delivered through multi- |
| | | hop path. |
| | | |
| default | default | Fallback category when none of the |
| | | above is applicable, or specified. |
+---------------+---------+-----------------------------------------+
In MDF, the definition of a category SHOULD be agreed upon among
senders, receivers, and RSPs so that the reputation feedback works
well. DIVIDE records express the receiver's view what categories of
message it is willing to receive by separate servers. Each category
is advertised in the DIVIDE record with corresponding label.
The sender decides whether the mail message to be sent falls into any
of the receiver-designated categories. If a category is found
suitable to describe the message, it is used for subdomaining the
recipient address.
"default" category is used as a fallback. When the message category
is "communication" and the sender does not advertise "p=comm" in the
DIVIDE record, the sender looks for "p=default". If an entry
corresponding "default" is found, it is used. Otherwise, the message
is sent without MDF.
Mail Category for a message MAY be decided by user-interaction, by
MSA's context analysis, or by other means. For example, when an
outgoing MTA is configured specifically for notification, it can use
"notification" for all messages.
Akagiri, et al. Expires January 28, 2018 [Page 10]
�
Internet-Draft MDF July 2017
"mailing-list" and "multi-hop" do not describe the contents of a
message. These instead correspond to delivery mechanisms. See
sections Section 8 and Section 9 for details.
5. DIVIDE Records
Domain administrators declare DIVIDE specific DNS TXT records to
specify DIVIDE configurations similar to SPF and DMARC.
Henceforward, we call this TXT records as "DIVIDE records" in this
document. We will show the details of the DIVIDE record in this
section.
5.1. DNS Resource Records Syntax
A DIVIDE record is a DNS record that declares separated receiving
servers for each Mail Categories, together with sender authentication
policy and RSPs.
A DIVIDE record is declared to the "_divide" subdomain of target
domains. The MSAs in the mail source domains query the TXT records
for the mail destination domains to obtain the appropriate subdomains
to deliver the mail messages. For example, if the destination domain
of a mail message is "example.com", the MSA located inside the source
domain of the message make a query to find the TXT record for
"_divide.example.com".
The generic formats of DIVIDE records are:
_divide IN TXT "divide specific text"
_divide.example.com. IN TXT "divide specific text"
Multiple parts separated with semicolons compose the "divide specific
text". These parts are called "Entry" in this document. Each Entry
has several tags detailed in the following part of this section.
Amongst each Entry in a DIVIDE record, the first Entry MUST be the
one containing only a v (Version) tag. Currently, the only available
value for the v tags is DIVIDE1.
The table below shows tag parameters of a DIVIDE Entry. Every tag in
this table is mandatory for each DIVIDE Entry.
Akagiri, et al. Expires January 28, 2018 [Page 11]
�
Internet-Draft MDF July 2017
+-----+-----------+-----------------------+-------------------------+
| Tag | Format | Value | Notes |
+-----+-----------+-----------------------+-------------------------+
| a | a=XXX | SPF, PRA, SenderID, | to declare the |
| | | DKIM, DMARC | authentication method |
| | | | |
| p | p=XXX:YYY | XXX=comm, trans, | bind DIVIDE category |
| | | notif, promo, ml, mh, | and mail destination |
| | | default | subdomains. |
| | | | |
| | | YYY="subdomain name | "none" to specify no |
| | | to be added", or | subdomaining. |
| | | "none" | |
| | | | |
| rsp | rsp=XXX | FQDN or IP address of | specify an RSP for this |
| | | an RSP | DIVIDE entry. |
+-----+-----------+-----------------------+-------------------------+
Note that a DIVIDE record does not cover subdomains under the
declared domain. For example, when an operator desires to add a
DIVIDE record for "_divide.a.example.com." in addition to the one for
"_divide.example.com.", the operator MUST add a new record for
"_divide.a.example.com.".
5.2. Multiple DNS Records
Operators MUST NOT declare more than one DIVIDE record for each (sub)
domain.
5.3. Record Size
As discussed in section 3.4 of [RFC7208], a DIVIDE record size SHOULD
be small enough to fit in a single UDP packet of a DNS answer. When
a DNS answer data size becomes greater than 512 octets, old DNS
server implementations might fallback to TCP. The fallbacks may
cause the performance degradations to the DNS answer procedures. In
[RFC7208], it is recommended to adjust the length of the DNS name and
the TXT record bound to it SHOULD be under 450 octets. The DIVIDE
records SHOULD follow this guideline.
6. Reputation Service Providers
Reputation Service Provider keeps track of a white list of MDF-
conforming senders. Receiving party can perform a query to see how a
specific sender is conforming to MDF. Reputation reporting
architecture [RFC7070] is adopted in MDF.
Akagiri, et al. Expires January 28, 2018 [Page 12]
�
Internet-Draft MDF July 2017
6.1. White-list Management
MDF's effectiveness depends on whether the senders correctly label
mail messages for the purpose of DIVIDE record lookup and selecting
the receiving servers. If an abusive server sends SPAM messages to
"c.beta.example.com", the advantage of the traffic separation is
diluted. When a sender labels a message as "communication", the
degree of how this labeling is correct is evaluated and accumulated
as a reputation of this sender for the category "communication". An
RSP maintain reputation for sending domains associated with a set of
Mail Categories.
When a sending party is not known to the RSP that the recipient
trusts, the sender SHOULD NOT be treated as MDF-conforming in the
message handling. This is to prevent abusive senders from sending
messages to MDF specific inboxes, by always using a new name and
expect that a bad reputation would not be built in the RSP.
After looking up the DIVIDE record, the sending MTA SHOULD check
whether it has already registered itself to the RSP specified by the
recipient. If it has not, it SHOULD fall back to non-MDF mail
delivery. In the meantime it registers itself to the specified RSP.
Once it is recognized as MDF-conforming by the RSP, it can use MDF
for the message delivery.
Methods to register a sender to an RSP are beyond the scope of this
document.
Note that a receiver MAY specify itself as the RSP. In that case,
MDF is applied only by an explicit consent between the sender and the
receiver.
6.2. Reputation Query and Result Caching
Receiving MTA can make a reputation query for the sender domain for
the category of the received message, to the RSP that it trust. The
query can be performed as defined in [RFC7072].
[RFC7072] defines a URL template for a query as follows:
https://{service}/{application}/{subject}/{assertion}
For the purpose of MDF, the application context "email-divide" is
used. Mail Category is used for assertion.
The query result can be cached according to "expires" field in the
response, as described in Section 5 in [RFC7071].
Akagiri, et al. Expires January 28, 2018 [Page 13]
�
Internet-Draft MDF July 2017
An "https" URL with an HTTP over TLS transport SHOULD be used for
privacy reasons. See Section 11.2.
6.3. Evaluation and Feedback
Abuse or improper categorization of received message SHOULD be
reported to RSPs. ARF format [RFC6650] can be used for this purpose.
Methods of evaluating how the received message is correctly labeled
for the Mail Category are beyond the scope of this document.
7. Result Handling
When the receiver MTA verified the sender is MDF-conforming, it
generates an Authentication-Results header [RFC7410]. The header is
added as the message is transmitted to the MDA.
MDA looks at Authentication-Results header of the mail message and
see whether the message is delivered via MDF partitioned delivery
network. The MDA puts the message into a separate inbox for the
user.
The MUA identify the Authentication-Results header and make prominent
sign on the display that the mail is delivered via MDF and verified
its trust. For example, it MAY display a green icon to show that the
mail message is verified in MDF.
8. Mailing-list
Mailing-list servers reformat the posted message and deliver it to
list members. SPF can be used to authenticate the resending sender.
Mail Category "ml" is reserved for this purpose, to accommodate a
specifically configured authentication policy. Receiving server can
advertise a separate RSP that is used for mailing-list senders than
for communication.
For example the following DIVIDE Entry declares the mailing-list
servers MUST authenticate itself with SPF and the trust is managed by
"ml.repute.example.org".
a=SPF p=ml:ml rsp=ml.repute.example.org
9. Multi-hop Delivery
Mail Category "multi_hop" is reserved so that the recipient can
express a policy for multi-hop messages.
For example,
Akagiri, et al. Expires January 28, 2018 [Page 14]
�
Internet-Draft MDF July 2017
o "a=spf p=multi_hop:mh" expresses that the receiving server rejects
multi-hop messages.
o "a=dkim p=multi_hop:mh" expresses it accepts multi-hop messages
only if DKIM authentication is used.
10. Security Considerations
10.1. DNS Spoofing
[TBD] Use DNSSEC if necessary.
11. Privacy Considerations
11.1. DNS queries
Sender MTA looks up a DIVIDE record under the subdomain "_divide" of
the recipient domain. Watching for DNS queries can reveal that the
sender is going to use MDF for the following outgoing mail. However,
a "_divide" query does not reveal which category is in question.
After a successful DIVIDE lookup, the sender looks up the recipient
subdomain's MX records. When MDF is in use, the domain depends on
the category of the mail. This indicates that watching on MX queries
can reveal the category of the mail that the sender is going to
transmit. This is inevitable unless DNS queries are encrypted. A
BoF on this topic was held in IETF-89, Encryption of DNS requests for
confidentiality (dnse). Future works from that group can mitigate
this risk.
11.2. Reputation queries
Queries for reputation server is performed according to [RFC7072].
[RFC7072] defines HTTP based query and optionally HTTPS can be used.
When a recipient MTA receives a mail for a category subdomain, it
does a query to the corresponding reputation server. The query
indicates the category of the mail in question in the "{assertion}"
part of the URL. Thus there is a risk that the category can be
observed by watching the traffic between sender and the receiver,
combined with reputation queries.
To mitigate this risk, reputation query SHOULD be performed over
HTTPS (HTTP over TLS), for the purpose of MDF.
Akagiri, et al. Expires January 28, 2018 [Page 15]
�
Internet-Draft MDF July 2017
12. References
12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC4406] Lyon, J. and M. Wong, "Sender ID: Authenticating E-Mail",
RFC 4406, DOI 10.17487/RFC4406, April 2006,
<http://www.rfc-editor.org/info/rfc4406>.
[RFC4407] Lyon, J., "Purported Responsible Address in E-Mail
Messages", RFC 4407, DOI 10.17487/RFC4407, April 2006,
<http://www.rfc-editor.org/info/rfc4407>.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008,
<http://www.rfc-editor.org/info/rfc5234>.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
DOI 10.17487/RFC5321, October 2008,
<http://www.rfc-editor.org/info/rfc5321>.
[RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322,
DOI 10.17487/RFC5322, October 2008,
<http://www.rfc-editor.org/info/rfc5322>.
[RFC6376] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
"DomainKeys Identified Mail (DKIM) Signatures", STD 76,
RFC 6376, DOI 10.17487/RFC6376, September 2011,
<http://www.rfc-editor.org/info/rfc6376>.
[RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail",
STD 72, RFC 6409, DOI 10.17487/RFC6409, November 2011,
<http://www.rfc-editor.org/info/rfc6409>.
[RFC7070] Borenstein, N. and M. Kucherawy, "An Architecture for
Reputation Reporting", RFC 7070, DOI 10.17487/RFC7070,
November 2013, <http://www.rfc-editor.org/info/rfc7070>.
[RFC7071] Borenstein, N. and M. Kucherawy, "A Media Type for
Reputation Interchange", RFC 7071, DOI 10.17487/RFC7071,
November 2013, <http://www.rfc-editor.org/info/rfc7071>.
Akagiri, et al. Expires January 28, 2018 [Page 16]
�
Internet-Draft MDF July 2017
[RFC7072] Borenstein, N. and M. Kucherawy, "A Reputation Query
Protocol", RFC 7072, DOI 10.17487/RFC7072, November 2013,
<http://www.rfc-editor.org/info/rfc7072>.
[RFC7208] Kitterman, S., "Sender Policy Framework (SPF) for
Authorizing Use of Domains in Email, Version 1", RFC 7208,
DOI 10.17487/RFC7208, April 2014,
<http://www.rfc-editor.org/info/rfc7208>.
[RFC7410] Kucherawy, M., "A Property Types Registry for the
Authentication-Results Header Field", RFC 7410,
DOI 10.17487/RFC7410, December 2014,
<http://www.rfc-editor.org/info/rfc7410>.
[RFC7489] Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based
Message Authentication, Reporting, and Conformance
(DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015,
<http://www.rfc-editor.org/info/rfc7489>.
12.2. Informative References
[RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598,
DOI 10.17487/RFC5598, July 2009,
<http://www.rfc-editor.org/info/rfc5598>.
[RFC6650] Falk, J. and M. Kucherawy, Ed., "Creation and Use of Email
Feedback Reports: An Applicability Statement for the Abuse
Reporting Format (ARF)", RFC 6650, DOI 10.17487/RFC6650,
June 2012, <http://www.rfc-editor.org/info/rfc6650>.
[RFC7073] Borenstein, N. and M. Kucherawy, "A Reputation Response
Set for Email Identifiers", RFC 7073,
DOI 10.17487/RFC7073, November 2013,
<http://www.rfc-editor.org/info/rfc7073>.
Appendix A. Collected ABNF
The following syntax specification of the DIVIDE record uses ABNF
[RFC5234]. Terms not defined here are taken from [RFC5321].
Akagiri, et al. Expires January 28, 2018 [Page 17]
�
Internet-Draft MDF July 2017
divide-record = divide-version
[divide-sep divide-authentication]
[divide-sep divide-policy]
[divide-sep divide-provider]
; components other than divide-version
; may appear in any order
divide-version = "v" *WSP "=" *WSP
%x44 %x49 %x56 %x49 %x44 %x45 %x31
divide-sep = *WSP %x3b *WSP
divide-authentication = "a" *WSP "=" *WSP
( "SPF" / "PRA" / "SenderID" /
"DKIM" / "DMARC" )
divide-policy = "P" *WSP "=" *WSP
( "comm" / "trans" /
"notif"/ "promo" / "ml" / "mh" )
%x3a Domain
divide-provider = "rsp" *WSP "=" *WSP ( Domain / address-literal )
Appendix B. Contributors and Acknowledgements
Appendix C. IANA Considerations
C.1. The DIVIDE DNS Resoruce Record Type
[TBD]
C.2. Email Authentication Methods
[TBD]
C.3. Email Authentication Property Types
[TBD]
C.4. Reputation Applications Registry
[TBD]
Authors' Addresses
Akagiri, et al. Expires January 28, 2018 [Page 18]
�
Internet-Draft MDF July 2017
Takehito Akagiri
Regumi, Inc.
Email: akagiri@regumi.net
Genki Yasutaka
Rakuten, Inc.
Email: genki.yasutaka@rakuten.com
Kouji Okada
Lepidum Co. Ltd.
Email: okd@lepidum.co.jp
Tatsuya Hayashi
Lepidum Co. Ltd.
Email: hayashi@lepidum.co.jp
Masaki Kase
Individual Contributor
Email: kase.masaki@softest.jp
Akagiri, et al. Expires January 28, 2018 [Page 19]
