Internet DRAFT - draft-tdraegen-dmarc-usage-guide
draft-tdraegen-dmarc-usage-guide
DMARC Working Group T. Draegen, Ed.
Internet-Draft June 17, 2017
Intended status: Best Current Practice
Expires: December 19, 2017
DMARC Interoperability Usage Guide
draft-tdraegen-dmarc-usage-guide-00
Abstract
Domain-based Message Authentication, Reporting, and Conformance
(DMARC) allows for the expression of domain-level policies and
preferences for message validation, disposition, and reporting
between mail-originating and mail-receiving organizations. This
usage guide presents strategies for successful interoperation of
historically disparate mail systems in the presence of domain-level
policies.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 19, 2017.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Draegen Expires December 19, 2017 [Page 1]
Internet-Draft DMARC Interoperability Usage Guide June 2017
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Domain Owners . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Mail-Originating Organizations . . . . . . . . . . . . . . . 3
4. Mail-Receiving Organizations . . . . . . . . . . . . . . . . 4
5. Internet Mail Architecture, DMARC, and Domain-level Policies 6
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
9.1. Normative References . . . . . . . . . . . . . . . . . . 7
9.2. Informative References . . . . . . . . . . . . . . . . . 7
Appendix A. Additional Usage Notes . . . . . . . . . . . . . . . 8
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
DMARC [RFC7489] allows for the expression of domain-level policies
and preferences for message validation, disposition, and reporting
between mail-originating and mail-receiving organizations. Aside
from documented interoperability issues between DMARC and indirect
email flows [RFC7960], mail-originating and mail-receiving
organizations can benefit from operational experience collected
during the initial years of Internet-wide DMARC deployment.
Within mail-originating organizations, domain-level policies can
introduce challenges between domain operators and historically
disparate mail systems. Domain-level policies require a degree of
coordination and management across mail systems involved in sending
email on behalf of domains.
Mail-receiving organizations can face challenges when handling mail
flows that fall under the auspices of domain-level DMARC policies.
Indirect mail flows [RFC7960], legitimate but unauthorized sources of
mail, and overly broad authorization by domain owners all present
unique mail handling challenges that result in trade offs between
implementing a requested domain-level policy and possible disruption
of the delivery of desired mail.
Variance in processing of mail and the significance of stable domain-
level identifiers raises further issues between organizations. This
usage guide presents strategies for successful mail handling
operation in the presence of domain-level policies.
Draegen Expires December 19, 2017 [Page 2]
Internet-Draft DMARC Interoperability Usage Guide June 2017
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
The terms "Organizational Domain", "Authenticated Identifiers", and
"Domain Owner" are specified in Section 3 of DMARC [RFC7489].
2. Domain Owners
o How does new scope of domain-level policies influence
organization?
o DMARC Report Processing and Analysis
o DMARC Policy
* Implementation of compliance to allow for policy
* Steady state operations
* Monitoring for ongoing compliance
* Remediation of discovered issues
* Doing all the work but not moving to p=reject; decision point
o DNS Management to achieve Identifier Alignment
o SPF Considerations
o DKIM Considerations
3. Mail-Originating Organizations
o Default authentication ala how MS and Google do 'customer-domain-
com.microogle-service.com'
o Sending on Behalf of Others
* When "Other" is within same company
* XXX Where does ADMD come from?
* DNS Management
Draegen Expires December 19, 2017 [Page 3]
Internet-Draft DMARC Interoperability Usage Guide June 2017
* Does new scope of domain-level policies create new
requirements?
* Identifier Alignment
o SPF Considerations
* See M3AAWG documents?
o DKIM Considerations
* See M3AAWG documents?
o Policy implications
* Monitoring of potential policy
* Operational reporting for ongoing compliance
4. Mail-Receiving Organizations
o Processing inputs to DMARC check:
* Dealing with malformed email
* Processing SPF
+ MFROM vs HELO checks
+ Reporting implications
* Processing DKIM
+ Multiple signatures
+ Reporting implications
+ Insufficient key lengths
- Communication of weak key back to DO?
* Passing inputs between gateways within same organization
+ Intra ADMD
+ Inter ADMD
+ Extra ADMD
Draegen Expires December 19, 2017 [Page 4]
Internet-Draft DMARC Interoperability Usage Guide June 2017
o Mailbox Hosting
* Issues delivering into mbox hosting environment?
+ Is anything enforcing policy at MDA level?
* Issues accepting email from mbox hosting env?
+ Should MSA be performing DMARC compliance checks to prevent
injection of doomed email?
- EG, cable company's MSA accepting email to deliver using
customers @aol.com address
- Would it make sense to enumerate and standardize error
codes?
o Presentation of DMARC disposition to MUAs
* Big gulf between operators doing things and MUAs talking to
clients
* Are you only an operator or an operator + MUA?
* MUA portion seems huge
o Reintroducing mail to Message Handling Systems
* Mediators (see RFC7960 3.2.)
* Mailbox forwarding
* SMTP relay/security services
* Mailing Lists
* XXX Need easy way to test if message will remain DMARC
compliant?
o Generating DMARC feedback
* Aggregate
+ Add additional notes/issues back to domain owner? Needed?
- Embed X-ARF style notification?
Draegen Expires December 19, 2017 [Page 5]
Internet-Draft DMARC Interoperability Usage Guide June 2017
- Embed reporting address for Domain Owner into DMARC
record?
o Just use existing notification? postmaster@?
(postmaster might != DO)
* Forensic
+ Different levels of redaction today
+ Purpose to inform accurate deployment vs supply threat
intelligence? Does posture make a difference?
+ Considerations around implementation of various options (eg
"fo=")
* DMARC records with no reporting address. What to do with them?
o Overriding requested DMARC policy
o Handling inquiries to DMARC contact address (as found in DMARC
XML)
5. Internet Mail Architecture, DMARC, and Domain-level Policies
o MUA: check if user is authorized to send using domain. Create UX
to inform user that unauthorized domain usage will likely not
work. Likely involves communication with aMSA to determine
authorization.
o Message Handling System
* MSA: before accepting submission, aMSA can determine if hMSA
will be able to successfully meet DMARC compliance. Other 1/2
of MUA.
* MSA: check to see if submitter is authorized to send on behalf
of domain. Disallow unauthorized usage of domains especially
if infrastructure uses shared-IPs (prevent neighbor-IP
attacks).
o MTA: detect if transfered email falls under a DMARC policy. If
so, preserve.
o MDA: policy enforcement at MDA discouraged. Potential for MDA to
act as Mediator.ReSender with all associated considerations.
Draegen Expires December 19, 2017 [Page 6]
Internet-Draft DMARC Interoperability Usage Guide June 2017
o MS: Reintroduction of mail from MS should be considered against
any published domain policies
o Mediators: all mediator share common consideration wrt domain-
level policies. Handing off email that falls under a DMARC policy
to an MTA should be carefully considered
6. Acknowledgements
This document was developed initially through encouragement on the
DMARC Working Group email list, then through the willingness of DMARC
implementors to share and refine their operational experience.
7. IANA Considerations
This memo includes no request to IANA.
All drafts are required to have an IANA considerations section (see
Guidelines for Writing an IANA Considerations Section in RFCs
[RFC5226] for a guide). If the draft does not require IANA to do
anything, the section contains an explicit statement that this is the
case (as above). If there are no requirements for IANA, the section
will be removed during conversion into an RFC by the RFC Editor.
8. Security Considerations
All drafts are required to have a security considerations section.
See RFC 3552 [RFC3552] for a guide.
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
9.2. Informative References
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", BCP 72, RFC 3552,
DOI 10.17487/RFC3552, July 2003,
<http://www.rfc-editor.org/info/rfc3552>.
Draegen Expires December 19, 2017 [Page 7]
Internet-Draft DMARC Interoperability Usage Guide June 2017
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
DOI 10.17487/RFC5226, May 2008,
<http://www.rfc-editor.org/info/rfc5226>.
[RFC7489] Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based
Message Authentication, Reporting, and Conformance
(DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015,
<http://www.rfc-editor.org/info/rfc7489>.
[RFC7960] Martin, F., Ed., Lear, E., Ed., Draegen. Ed., T., Zwicky,
E., Ed., and K. Andersen, Ed., "Interoperability Issues
between Domain-based Message Authentication, Reporting,
and Conformance (DMARC) and Indirect Email Flows",
RFC 7960, DOI 10.17487/RFC7960, September 2016,
<http://www.rfc-editor.org/info/rfc7960>.
Appendix A. Additional Usage Notes
This is an Appendix.
Author's Address
Tim Draegen (editor)
PO Box 1007
Brevard, NC 28712
USA
Phone: +1 831 227 8002
Email: tim@eudaemon.net
Draegen Expires December 19, 2017 [Page 8]