TOC 
DMARC.orgM. Kucherawy, Ed.
 Cloudmark
 December 16, 2011


Domain-based Message Authentication, Reporting and Conformance (DMARC)

Abstract

The email ecosystem currently lacks a cohesive mechanism through which email senders and receivers can make use of multiple authentication protocols in an attempt to establish reliable domain identifiers. This lack of cohesion prevents receivers from providing domain-specific feedback to senders regarding the accuracy of authentication deployments. Inaccurate authentication deployments preclude receivers from safely taking deterministic action against email that fails authentication checks. Finally, email senders do not have the ability to publish policies specifying actions that should be taken against email that fails multiple authentication checks.

This memo presents a proposal for a scalable mechanism by which an organization can express, using the Domain Name System, domain-level policies and preferences for message validation, disposition, and reporting with predictable and accurate results.

The enclosed proposal is not intended to introduce mechanisms that provide elevated delivery privilege of authenticated email. The proposal presents a mechanism for policy distribution that enables a continuum of increasingly strict handling of messages that fail multiple authentication checks, from no action, through silent reporting, up to message rejection.



Table of Contents

1.  License
2.  Introduction
    2.1.  Scalability
    2.2.  Anti-Phishing
    2.3.  Towards An Authenticated Future
    2.4.  Experiment Team
3.  Requirements
    3.1.  High-Level Requirements
    3.2.  Security Dependencies
    3.3.  Detailed Requirements
    3.4.  Out Of Scope
4.  Terminology and Definitions
    4.1.  Summary
    4.2.  Identifier Alignment
        4.2.1.  DKIM-authenticated Identifiers
        4.2.2.  SPF-authenticated Identifiers
        4.2.3.  Alignment and Extension Technologies
5.  Policy
6.  DMARC Policy Record
    6.1.  General Record Format
    6.2.  Formal Definition
7.  Policy Enforcement Considerations
8.  DMARC Feedback
    8.1.  Aggregate Reports
    8.2.  Failure Reports
9.  Policy Discovery
10.  Domain Owner Actions
11.  Mail Receiver Actions
    11.1.  Extract Author Domain
    11.2.  Determine Domain Existence
    11.3.  Determine Handling Policy
    11.4.  Message Sampling
    11.5.  Store Results of DMARC Processing
12.  Feedback Mechanism
    12.1.  Discovery
    12.2.  Transport
        12.2.1.  Email
        12.2.2.  HTTP
        12.2.3.  Other Methods
        12.2.4.  Error Reports
13.  Minimum Implementations
14.  IANA Considerations
    14.1.  Authentication-Results Method Registry Update
    14.2.  Authentication-Results Result Registry Update
    14.3.  DMARC Tag Registry
    14.4.  DMARC Report Format Registry
15.  Security Considerations
    15.1.  Use of RFC5322.From
    15.2.  Display Name Attacks
    15.3.  Attacks on Reporting URIs
    15.4.  Issues Specific to SPF
    15.5.  DNS Load
    15.6.  External Reporting Addresses
    15.7.  Rejecting Messages
    15.8.  Capacity Planning
    15.9.  Privacy Considerations
        15.9.1.  Data Exposure Considerations
        15.9.2.  Report Recipients
        15.9.3.  Report Generators
        15.9.4.  Secure Protocols
    15.10.  Identifier Alignment Considerations
16.  References
    16.1.  Normative References
    16.2.  Informative References
Appendix A.  Examples
    A.1.  Identifier Alignment examples
        A.1.1.  SPF
        A.1.2.  DKIM
    A.2.  Domain Owner example
        A.2.1.  Entire Domain, Monitoring Only
        A.2.2.  Entire Domain, Monitoring Only, Per-Message Reports
        A.2.3.  Sub-Domain, Sampling, and Multiple Aggregate Report URIs
        A.2.4.  Third Party Sender and Identifier Alignment
        A.2.5.  Sub-Domain Policy, Reporting Interval
    A.3.  Mail Receiver Example
        A.3.1.  SMTP-time Processing
        A.3.2.  Real-time Feedback Processing
    A.4.  Utilization of Aggregate Feedback example
    A.5.  mailto Transport example
    A.6.  https Transport example
Appendix B.  Organizational Domain Discovery Issues
Appendix C.  Issues With ADSP In Operation
Appendix D.  DMARC Discovery Requirements
Appendix E.  DMARC XML Schema
Appendix F.  Public Suffix Lists
Appendix G.  Public Discussion
§  Author's Address




 TOC 

1.  License

As of the date shown at the top right of this page, the Contributors have made this Specification available under the Open Web Foundation Contributor License Agreement Version 1.0, which is available at: http://www.dmarc.org/cla.html

You can review the signed copies of the Open Web Foundation Contributor License Agreement Version 1.0 for this Specification at: http://www.dmarc.org/CLAs/

The current list of Contributors can be found at: http://www.dmarc.org/contributors.html

Your use of this Specification may be subject to other third party rights. THIS SPECIFICATION IS PROVIDED "AS IS". The contributors expressly disclaim any warranties (express, implied, or otherwise), including implied warranties of merchantability, non-infringement, fitness for a particular purpose, or title, related to the Specification. The entire risk as to implementing or otherwise using the Specification is assumed by the Specification implementer and user. IN NO EVENT WILL ANY PARTY BE LIABLE TO ANY OTHER PARTY FOR LOST PROFITS OR ANY FORM OF INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER FROM ANY CAUSES OF ACTION OF ANY KIND WITH RESPECT TO THIS SPECIFICATION OR ITS GOVERNING AGREEMENT, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



 TOC 

2.  Introduction

For years, various receivers have tried to protect senders who are known to authenticate their outbound email from phishing by using [DKIM] (Crocker, D., Hansen, T., and M. Kucherawy, “DomainKeys Identified Mail (DKIM) Signatures,” September 2011.) and/or [SPF] (Wong, M. and W. Schlitt, “Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1,” April 2006.) results to detect and block unauthorized email. At the same time, senders have leveraged SPF-authorized and DKIM-signed messages to achieve domain-level email authentication. However, a broadly accepted mechanism to assert domain-specific message-disposition policies, or to request reporting of same, has been lacking.

The fundamental idea behind these approaches is that if a sender authenticates all legitimate outbound mail using the authentication protocols SPF and DKIM, then receivers can quarantine or reject unauthenticated mail purporting to be from that sender. Over time, one-on-one relationships were established between select senders and receivers with privately communicated means to assert policy and receive message traffic and authentication disposition reporting. Although these ad hoc practices have been generally successful, they require significant manual coordination between parties.

This memo defines Domain-based Message Authentication, Reporting and Compliance (DMARC), a mechanism by which email operators leverage existing authentication and policy advertisement technologies to enable both message-stream feedback and enforcement of policies against unauthenticated email.

DMARC encourages senders and receivers to collaborate by monitoring message authentication and disposition, building confidence in the coverage and accuracy of email authentication, and moving -- one domain at a time -- towards the goal of deploying the strongest possible message handling policies.

For the purpose of discussion, this document defines the word "authentication" to be inclusive of techniques used to verify message integrity and/or sending-entity authorization. Exceptions to this convention are expressly noted.

The DMARC method involves evaluation of messages during an SMTP session on entry to a specific receiving Administrative Management Domain (ADMD; see [EMAIL‑ARCH] (Crocker, D., “Internet Mail Architecture,” July 2009.)). DMARC is thus applied by message transport software and not by user agents or their respective protocols such as POP or IMAP.

DMARC operates as a policy layer atop implementations of DKIM and SPF. These technologies are the building blocks of DMARC as each technology is widely deployed, supported by mature tools, and is readily available to both senders and receivers.

DMARC differs from previous approaches to policy advertisement (e.g., [SPF] (Wong, M. and W. Schlitt, “Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1,” April 2006.) and [ADSP] (Allman, E., Fenton, J., Delany, M., and J. Levine, “DomainKeys Identified Mail (DKIM) Author Domain Signing Practices (ADSP),” August 2009.)) in that:



 TOC 

2.1.  Scalability

DMARC is designed to support the extreme scalability requirements that characterize the systemic problem of identifying the origination and legitimacy of email. DMARC seeks to preserve the positive aspects of the current email infrastructure, such as the ability for anyone to communicate with anyone else without introduction.

The DMARC mechanism specifically does not introduce third-party policy publishers or feedback consumers. Third parties are not prevented, however, from using these mechanisms in private and/or public contexts.



 TOC 

2.2.  Anti-Phishing

This document is significantly informed by ongoing efforts to enact large-scale, Internet-wide, anti-phishing measures. Whereas DMARC can only be used to combat specific forms of exact-domain phishing directly, the DMARC mechanism is viewed more importantly as a substantial step forward in terms of creating reliable and defensible message streams.

Specifically, DMARC does not attempt to solve problems related to use of Cousin Domains or abuse of the RFC5322.From "display name".



 TOC 

2.3.  Towards An Authenticated Future

The DMARC mechanism is designed to enable highly accurate Internet-scale deployments of email authentication technologies. Anti-phishing measures are a compelling instance of what widely-deployed authenticated messaging streams can enable. As email authentication deployments continue to mature, additional authentication-enabled services are expected to be developed.



 TOC 

2.4.  Experiment Team

[NOTE TO RFC EDITOR: Remove this section prior to publication.]

The contributors to DMARC share the view that layering security on top of Internet Mail requires a partnership between those who send mail (who sign messages with DKIM, authorize email servers with SPF, and consume feedback to achieve highly-accurate deployments) and those who receive mail (who test the authenticity assertions from senders and report authentication results back to senders to enable authentication accuracy and domain-usage intelligence). The team that produced this specification acknowledges that this new security layer is optional for the Internet community in general, though of increasing value to our peers due to the urgent need to respond to the persistent threats of phishing and malware distribution.

If this first public informational draft addresses your use cases for improved messaging security, please contact the authors expressing your interest to work with us on implementation testing and rolling implementation experience back into future versions of DMARC. It is the intention of the contributors to submit DMARC into a new IETF Working Group on a formal standards track, but only after gaining significant implementation experience. Please join us in making Internet messaging more secure.



 TOC 

3.  Requirements

Specification of DMARC is guided by the following high-level requirements, security dependencies, detailed requirements, and items that are documented as out-of-scope.



 TOC 

3.1.  High-Level Requirements

At a high level, DMARC is designed to satisfy the following requirements:



 TOC 

3.2.  Security Dependencies

Security issues DMARC observes:



 TOC 

3.3.  Detailed Requirements

DMARC's specification requirements, in detail:

  1. The RFC5322.From domain is the identifier used for all message validation operations, as it is the single identifier in the message likely to be visible to the user.
  2. Senders can specify a "strict" or "relaxed" mode in terms of enforcing identifier checks (see Section 4.2 (Identifier Alignment)). In "strict" mode, all identifiers from authentication systems upon which DMARC is predicated must match the RFC5322.From domain. In "relaxed" mode, the organizational domains (see Section 4 (Terminology and Definitions)) must match. The "relaxed" mode shall be the default.
  3. A sender's policy must be discoverable via DNS queries.
  4. It must be possible to specify reject or quarantine policies when none of the underlying authentication systems succeed.
  5. It must be possible to specify a "no action" policy in order to collect authentication statistics without impacting delivery.
  6. Senders can specify a policy that is in effect for subdomains of its organizational domain that is different for the policy of the organizational domain itself.
  7. Message disposition requests via DMARC override those requested by any other mechanism.
  8. Senders should be able to specify a percentage of their messages to which their policies should be applied, with the rest unaffected, in order to experiment and to understand and minimize deployment risk.
  9. Receivers should endeavour to reject or quarantine email if the RFC5322.From purports to be from a domain that appears to be either non-existent or incapable of receiving mail.
  10. Reporting configuration in DMARC should override any such options specified by DKIM or SPF or extensions to them.
  11. The sender must be able to to specify independent reporting addresses for failed message reporting and aggregate data feeds.
  12. The aggregate report must contain enough information for the report consumer to re-calculate DMARC disposition based on the published policy, message dispositon, and SPF, DKIM, and identifier alignment results.
  13. The aggregate report must still contain data for each sender subdomain separately from mail from the sender's organizational domain, even if no subdomain policy is applied. The report must indicate any policy applied to subdomains.
  14. It must be possible to specify a minimum reporting interval. Reporting sites should make a best effort to accommodate that request.
  15. The sender can specify a time-to-live for policy records.
  16. The sender can indicate which domains under its control never send email, either by omitting them from the DNS entirely or by declaring specific use of DKIM and SPF that no email will ever fulfill.
  17. The sending and receiving domains should be included in the aggregate report.
  18. The policy request and the one applied (if different) should be included in the aggregate report.
  19. The number of successful authentications should be included in the aggregate report.
  20. The report should be generated based on all messages even if filtering agents such as anti-virus or anti-spam engines ultimately block delivery.
  21. For real-time reporting of failed messages, including a [URI] (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.) to identify phishing sites and diagnostics on DKIM and SPF failures will be recommended.
  22. Static conformance requirements shall be documented to enable testing programs to help ensure consitency of results. (This will be done in a separate Best Current Practices document.)
  23. Aggregate reports should communicate DMARC message disposition regardless of any subsequent action that affects message disposition or delivery.
  24. The mechanism overall should be flexible enough to swap in or out any authentication technology.

Tags throughout the specification part of this document indicate conformance to the above requirements. For example "{R1}" indicates a component of the protocol that addresses requirement #1 in the list above.



 TOC 

3.4.  Out Of Scope

Items specifically not in scope for this work include:



 TOC 

4.  Terminology and Definitions

This section defines terms used in the rest of the document.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.).

For the purpose of establishing context, readers are encouraged to be familiar with the contents of [EMAIL‑ARCH] (Crocker, D., “Internet Mail Architecture,” July 2009.). In particular, that document defines various roles in the messaging infrastructure that can appear the same or separate in various contexts. For example, a Domain Owner could, via the messaging security mechanisms on which DMARC is based, delegate the ability to send mail as the Domain Owner to some third party. This memo does not address the distinctions among such roles; the reader is encouraged to become familiar with that material before continuing.

The following terms are also used:

Authenticated Identifiers:
Authentication technologies allow MTAs to associate email with domain-level identifiers. Domain-level identifiers that are established using authentication technologies are referred to as "Authenticated Identifiers". The following Authenticated Identifiers are considered in this document:
Cousin Domain:
A DNS domain that, when rendered by a Mail User Agent (MUA), looks similar to, or can lead users to believe the domain is associated with, another name. For instance, "vendor5.example" would be a Cousin Domain of "vendors.example". This is a common tool in a homograph attack.
Domain Owner:
The entity or organization that "owns" a DNS domain. The term "owns" here indicates that the entity or organization being referenced holds the registration of that DNS domain. Domain Owners range from complex, globally-distributed organizations, to individuals responsible for maintaining vanity domains, to service providers working on behalf of non-technical clients.
Mail Receiver:
The entity or organization that receives and processes email. Mail Receivers operate one or more Internet-facing Mail Transport Agents (MTAs).
Organizational Domain:
For the purposes of this document, an Organizational Domain is a top-level DNS domain plus one component (e.g., "example.com", where "com" is a top-level domain). This is also sometimes referred to as "second-level domain". The Organization Domain for a given domain is determined by applying the following algorithm:
  1. Acquire a "public suffix" list, i.e., a list of DNS domain names reserved for registrations. Some country TLDs make specific registration requirements, e.g. the United Kingdom places company registrations under ".co.uk"; other TLDs such as ".com" appear in the IANA registry of top-level DNS domains. A public suffix list is the union of all of these. Appendix F (Public Suffix Lists) contains some discussion about obtaining a public suffix list.
  2. Break the subject DNS domain name into a set of "n" ordered labels. Number these labels from right-to-left; e.g. for "example.com", "com" would be label 1 and "example" would be label 2.
  3. Search the public suffix list for the name that matches the largest number of labels found in the subject DNS domain. Let that number be "x".
  4. Construct a new DNS domain name using the name that matched from the public suffix list and prefixing to it the "x+1"th label from the subject domain. This new name is the Organizational Domain.
Thus, since "com" is an IANA-registered TLD, a subject domain of "a.b.c.d.example.com" would have an Organizational Domain of "example.com".
The process of determining a suffix is currently a heuristic one. No list is guaranteed to be accurate or current.



 TOC 

4.1.  Summary

DMARC's filtering component is based on whether or not SPF or DKIM can provide an authenticated -- and relevant -- identifier for any given message. Messages that purport to be from a Domain Owner's domain and arrive from servers that are not authorized by SPF and do not contain an appropriate DKIM signature can be affected by DMARC policies.

DMARC's feedback component involves the collection of information pertaining to received messages, in the aggregate, for periodic reporting back to the Domain Owner. The parameters and format for such reports are discussed in later sections of this document.

A DMARC-enabled Mail Receiver might also generate per-message reports that contain information related to individual messages which fail SPF and/or DKIM. Per-message reports are useful for forensic use in debugging deployments (if messages can be determined to be legitimate albeit failing authentication) or in analyzing attacks. The capability for such services is enabled by DMARC but defined in other referenced material.

It is important to note that the authentication mechanisms employed by DMARC authenticate only a DNS domain, and do not authenticate the local-part of any email address identifier found in a message.



 TOC 

4.2.  Identifier Alignment

Email authentication technologies authenticate various (and disparate) aspects of an individual message. For example, [DKIM] (Crocker, D., Hansen, T., and M. Kucherawy, “DomainKeys Identified Mail (DKIM) Signatures,” September 2011.) authenticates the domain that affixed a signature to the message, while [SPF] (Wong, M. and W. Schlitt, “Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1,” April 2006.) authenticates the domain that appears in the RFC5321.MailFrom portion of [SMTP] (Klensin, J., “Simple Mail Transfer Protocol,” October 2008.). The DMARC mechanism introduces the concept of Identifier Alignment to address the possible discrepancy of Authenticated Identifiers supplied by underlying authentication technologies.

DMARC uses the RFC5322.From domain to tie together Authenticated Identifiers {R1}. The selection of the RFC5322.From domain as the central identity of the DMARC mechanism is due to the ubiquity of this identity and the behavior of most MUAs to represent the RFC5322.From field as the originator of the message and to render some or all of this header's content to end users.

To be considered "in alignment" for the purposes of the DMARC mechanism, implementors MUST observe the considerations described in the following sections. Domain names in this context are to be compared in a case-insensitive manner, per [DNS‑CASE] (Eastlake, D., “Domain Name System (DNS) Case Insensitivity Clarification,” January 2006.).



 TOC 

4.2.1.  DKIM-authenticated Identifiers

DMARC provides the option of applying DKIM in a strict mode or a relaxed mode {R2}.

In relaxed mode, the Organizational Domain of the [DKIM] (Crocker, D., Hansen, T., and M. Kucherawy, “DomainKeys Identified Mail (DKIM) Signatures,” September 2011.)-authenticated signing domain (taken from the value of the "d=" tag in the signature) and that of the RFC5322.From domain must be equal. In strict mode, only an exact match is considered to produce identifier alignment.

To illustrate, in relaxed mode, if a validated DKIM signature successfully verifies with a "d=" domain of "example.com", and the RFC5322.From domain is "alerts@news.example.com", the DKIM "d=" domain and the RFC5322.From domain are considered to be "in alignment". In strict mode, this test would fail.

However, a DKIM signature bearing a value of "d=com" would never allow an "in alignment" result as "com" should appear on all public suffix lists, and therefore cannot be an Organizational Domain.

Identifier alignment is required to prevent abuse by phishers that send DKIM-signed email using an arbitrary "d=" domain (such as a Cousin Domain) to pass authentication checks.



 TOC 

4.2.2.  SPF-authenticated Identifiers

DMARC provides the option of applying SPF in a strict mode or a relaxed mode {R2}.

In relaxed mode, the [SPF] (Wong, M. and W. Schlitt, “Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1,” April 2006.)-authenticated RFC5321.MailFrom (commonly called the "envelope sender") domain and RFC5322.From domain must match or share the same Organizational Domain. The SPF-authenticated RFC5321.MailFrom domain may be a parent domain or child domain of the RFC5322.From domain. In strict mode, only an exact DNS domain match is considered to produce identifier alignment.

For example, if a message passes an SPF check with an RFC5321.MailFrom domain of "cbg.bounces.example.com", and the address portion of the RFC5322.From field contains "payments@example.com", the Authenticated RFC5321.MailFrom domain identifier and the RFC5322.From domain are considered to be "in alignment" in relaxed mode, but not in strict mode.

For purposes of identifier alignment, in relaxed mode, Organizational Domains of RFC5321.MailFrom domains that are a parent domain of the RFC5322.From domain are acceptable as many large organizations perform more efficient bounce processing by mapping the RFC5321.MailFrom domain to specific mailstreams.



 TOC 

4.2.3.  Alignment and Extension Technologies

If DMARC is extended to include the use of other authentication mechanisms, the extensions will need to allow for domain identifier extraction so that alignment against the RFC5322.From domain can be verified.



 TOC 

5.  Policy

DMARC policies are published by Domain Owners and applied by Mail Receivers.

A Domain Owner advertises DMARC participation by adding a DNS TXT record (described in Section 6) {R3, R15, R16} to one or more sending domains under its direct or indirect control (e.g. operated by a delegate by agreement with the Domain Owner). In doing so, senders make specific requests of Mail Receivers regarding the disposition of, and feedback on, messages purporting to be from one of the Domain Owner's domains.

A Mail Receiver MUST consider an arriving message to fail the DMARC test if none of the underlying message authentication mechanisms pass.

A Mail Receiver implementing the DMARC mechanism MUST make a best-effort to adhere to the Domain Owner's published DMARC policy when a message fails the DMARC test. Recognizing that email streams can be complicated (due to forwarding, existing RFC5322.From domain-spoofing services, etc.), Mail Receivers MAY deviate from a Domain Owner's published policy during message processing and SHOULD make available the fact and reason of the deviation to the Domain Owner via feedback reporting.



 TOC 

6.  DMARC Policy Record

Domain Owner DMARC preferences are stored as DNS TXT records in subdomains named "_dmarc". For example, the Domain Owner of "example.com" would post DMARC preferences in a TXT record at "_dmarc.example.com". Similarly, a Mail Receiver wishing to query for DMARC preferences regarding mail with an RFC5322.From domain of "example.com" would issue a TXT query to the DNS for the subdomain of "_dmarc.example.com". The DNS-located DMARC preference data will hereafter be called the "DMARC record".

DMARC records are stored in the DNS for three key engineering reasons:

Wildcarding:
DNS natively supports wildcarding, enabling child domains to inherit parent domain policy easily.
Overrides:
DMARC records published at child domains explicitly override extant parent policy.
Efficiency:
DNS caching is a common practice, reducing operational overhead of a new DNS-based mechanism.

Per [DNS] (Mockapetris, P., “Domain names - implementation and specification,” November 1987.), a TXT record can comprise several "character-string" objects. Where this is the case, the module performing DMARC evaluation MUST concatenate these strings by joining together the objects in order and parsing the result as a single string.



 TOC 

6.1.  General Record Format

DMARC records follow the extensible "tag-value" syntax for DNS-based key records defined in [DKIM] (Crocker, D., Hansen, T., and M. Kucherawy, “DomainKeys Identified Mail (DKIM) Signatures,” September 2011.). {R24}

Section 14 (IANA Considerations) creates a registry for known DMARC tags and registers the initial set defined in this memo. Only tags defined in this memo or in later extensions, and thus added to that registry, are to be processed; unknown tags MUST be ignored. To avoid version compatibility issues, tags added to the DMARC specification SHOULD NOT change the semantics of existing records when processed by implementations conforming to prior specifications.

The following tags are introduced as the initial valid DMARC tags:

adkim:
(plain-text; OPTIONAL, default is "r".) Indicates whether or not strict DKIM identifier alignment is required by the Domain Owner. If and only if the value of the string is "s", strict mode is in use. See Section 4.2.1 (DKIM-authenticated Identifiers) for details.
aspf:
(plain-text; OPTIONAL, default is "r".) Indicates whether or not strict SPF identifier alignment is required by the Domain Owner. If and only if the value of the string is "s", strict mode is in use. See Section 4.2.2 (SPF-authenticated Identifiers) for details.
p:
Requested Mail Receiver policy (plain-text; REQUIRED). Indicates the policy to be enacted by the Receiver at the request of the Domain Owner. Policy applies to the domain queried and to sub-domains unless sub-domain policy is explicitly described using the "sp" tag. Possible values are as follows:
none:
{R5} The Domain Owner requests no specific action be taken regarding delivery of messages.
quarantine:
{R4} The Domain Owner wishes to have email that fails the DMARC mechanism check to be treated by Mail Receivers as suspicious. Depending on the capabilities of the Mail Receiver, this can mean "place into spam folder", "scrutinize with additional intensity", and/or "flag as suspicious".
reject:
{R4} The Domain Owner wishes for Mail Receivers to reject email that fails the DMARC mechanism check. Rejection SHOULD occur during the SMTP transaction. See Section 15.7 (Rejecting Messages) for some discussion of SMTP rejection methods and their implications.
pct:
(plain-text integer between 0 and 100, inclusive; OPTIONAL; default is 100). {R8} Percentage of messages from the DNS domain's mail stream to which the DMARC mechanism is to be applied. However, this MUST NOT be applied to the DMARC-generated reports, all of which must be sent and received unhindered. The purpose of the "pct" tag is to allow Domain Owners to slowly roll out enforcement of the DMARC mechanism. The prospect of "all or nothing" is recognized as preventing many organizations from experimenting with strong authentication-based mechanisms.
rf:
Format to be used for message-specific forensic information reports (comma-separated plain-text list of values; OPTIONAL; default "afrf"). The value of this tag is a list of one or more report formats as requested by the Domain Owner to be used when a message fails both [SPF] (Wong, M. and W. Schlitt, “Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1,” April 2006.) and [DKIM] (Crocker, D., Hansen, T., and M. Kucherawy, “DomainKeys Identified Mail (DKIM) Signatures,” September 2011.) tests to report details of the individual failure. The values MUST be present in the registry of reporting formats defined in Section 14 (IANA Considerations); a Mail Receiver observing a different value SHOULD ignore it, or MAY ignore the entire DMARC record. Initial default values are "afrf" (defined in [AFRF] (Fontana, H., “Authentication Failure Reporting using the Abuse Report Format,” September 2011.)) and "iodef" (defined in [IODEF] (Danyliw, R., Meijer, J., and Y. Demchenko, “The Incident Object Description Exchange Format,” December 2007.)).
ri:
Interval requested between aggregate reports (plain-text, 32-bit unsigned integer; OPTIONAL; default 86400). {R14} Indicates a request to Receivers to generate aggregate reports separated by no more than the requested number of seconds. DMARC implementations MUST be able to provide daily reports and SHOULD be able to provide hourly reports when requested. However, anything other than a daily report is understood to be accommodated on a best-effort basis.
rua:
Addresses to which aggregate feedback is to be sent (comma-separated plain-text list of URIs; OPTIONAL). {R11} A comma that is part of such a URI MUST be encoded per Section 2.1 of [URI] (Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” January 2005.) so as to distinguish it from the list delimiter. Domain Owners MAY request feedback sent to locations outside of the subject domain name, and Mail Receivers MAY enact or ignore such requests as per local policy. See Section 15.6 (External Reporting Addresses) for additional consideration. Any valid URI can be specified. A Mail Receiver MUST implement support for a "mailto:" URI, i.e. the ability to send a DMARC report via electronic mail. If not provided, Mail Receivers MUST NOT generate aggregate feedback reports. URIs not supported by Mail Receivers MUST be ignored.
ruf:
Addresses to which message-specific forensic information is to be reported (comma-separated plain-text list of URIs; OPTIONAL). {R11} If present, the Domain Owner is requesting Mail Receivers to send detailed forensic reports about messages that fail [SPF] (Wong, M. and W. Schlitt, “Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1,” April 2006.) and/or [DKIM] (Crocker, D., Hansen, T., and M. Kucherawy, “DomainKeys Identified Mail (DKIM) Signatures,” September 2011.) evaluation. The format of the message to be generated MUST follow that specified in the "rf" tag.
sp:
{R6} Requested Mail Receiver policy for subdomains (plain-text; OPTIONAL). Indicates the policy to be enacted by the Receiver at the request of the Domain Owner. It applies only to subdomains of the domain queried and not to the domain itself. Its syntax is identical to that of the "p" tag defined above. If absent, the policy specified by the "p" tag MUST be applied for subdomains.
v:
(plain-text; REQUIRED, default is "DMARC1".) Identifies the record retrieved as a DMARC record. The value of this tag MUST match precisely; if it does not or it is absent, the entire retrieved record MUST be ignored.

Note that addition of a new tag into the registered list of tags does not itself require a new version of DMARC to be generated (with a corresponding change to the "v" tag's value), but a change to any existing tags does require a new version of DMARC.



 TOC 

6.2.  Formal Definition

The formal definition of the DMARC format using [ABNF] (Crocker, D. and P. Overell, “Augmented BNF for Syntax Specifications: ABNF,” January 2008.) is as follows:

  dmarc-record = dmarc-version dmarc-sep
                 dmarc-request
                 [dmarc-sep dmarc-srequest]
                 [dmarc-sep dmarc-auri]
                 [dmarc-sep dmarc-furi]
                 [dmarc-sep dmarc-adkim]
                 [dmarc-sep dmarc-aspf]
                 [dmarc-sep dmarc-ainterval]
                 [dmarc-sep dmarc-rfmt]
                 [dmarc-sep dmarc-percent]
                 ; components other than dmarc-version and
                 ; dmarc-request may appear in any order

  dmarc-sep = *WSP %3b *WSP

  dmarc-version = %x76 *WSP "=" %x44.4d.41.52.43

  dmarc-request = %3b *WSP %x70 *WSP "=" *WSP ( "none" / "discard" /
                                       "quarantine" / "reject" )

  dmarc-srequest = *WSP %x73.70 *WSP "=" *WSP ( "none" / "discard" /
                                           "quarantine" / "reject" )

  dmarc-auri = *WSP %x3b *WSP %x72.75.61 *WSP "=" *WSP
                URI *(*WSP "," *WSP URI)
                ; "URI" is imported from [URI]

  dmarc-ainterval = *WSP %x3b *WSP %x72.69 *WSP "=" *WSP

  dmarc-furi = *WSP %x3b *WSP %x72.75.66 *WSP "=" *WSP
                URI *(*WSP "," *WSP URI)
                ; "URI" is imported from [URI]

  dmarc-rfmt = *WSP %x3b *WSP %x72.66 *WSP "=" *WSP
               ( "afrf" / "iodef" )

  dmarc-percent = *WSP %x3b *WSP %x70.63.74 *WSP "=" *WSP
                  1*3DIGIT

  dmarc-adkim = *WSP %x3b *WSP %x61.64.6b.69.6d  *WSP "=" *WSP
                ( "r" / "s" )

  dmarc-aspf = *WSP %x3b *WSP %x61.73.70.66  *WSP "=" *WSP
               ( "r" / "s" )


 TOC 

7.  Policy Enforcement Considerations

Mail Receivers MAY choose to reject or quarantine email even if email passes the DMARC mechanism check. The DMARC mechanism does not inform Mail Receivers whether an email stream is "good". Mail Receivers are encouraged to maintain anti-abuse technologies to combat the possibility of DMARC-enabled criminal campaigns.

Mail Receivers MAY choose to accept email that fails the DMARC mechanism check even if the Domain Owner has published a "reject" policy. Mail Receivers SHOULD make a best effort not to increase the likelihood of phishing if it chooses not to reject, against policy.

Mail Receivers are not obligated to report reject or quarantine policy actions in aggregate feedback reports that are not due to DMARC policy, but are instead the result of local policy. If local policy information is exposed, abusers can gain insight into the effectiveness and delivery rates of spam campaigns.

DMARC-compliant Mail Receivers MUST disregard any mail directive discovered as part of an authentication mechanism (e.g., ADSP, SPF) where a DMARC policy is also discovered. {R7} Mail Receivers SHOULD also implement reporting instructions of DMARC in place of any extensions to SPF or DKIM that might enable such reporting. {R10}



 TOC 

8.  DMARC Feedback

The DMARC mechanism requires highly accurate authentication deployments to allow Mail Receivers to safely and scalably enforce Domain Owner policies. Providing Domain Owners with visibility into how Mail Receivers implement and enforce the DMARC mechanism in the form of feedback is critical to establishing and maintaining accurate authentication deployments.



 TOC 

8.1.  Aggregate Reports

Visibility comes in the form of daily (or more frequent) Mail Receiver-originated feedback reports that contain aggregate data on message streams relevant to the Domain Owner. This information includes data about messages that passed DMARC authentication as well as those that did not.

The format for these reports is defined in Appendix E (DMARC XML Schema).

The report SHOULD include the following data:



 TOC 

8.2.  Failure Reports

Message-specific authentication-failure-related forensic reporting can be used to identify problems with Domain-Owner-controlled infrastructure and to investigate the sources and methods of fraudulent messages.

The format for these reports is defined in [AFRF] (Fontana, H., “Authentication Failure Reporting using the Abuse Report Format,” September 2011.).

These reports SHOULD include the "call-to-action" URI(s) from inside messages that failed to authenticate. {R21}



 TOC 

9.  Policy Discovery

As stated above, the DMARC mechanism utilizes DNS TXT records to advertise policy. Policy discovery is accomplished similar to the way SPF records are discovered. Important differences are discussed below.

To balance the conflicting requirements of supporting wildcarding, subdomain policy overrides, and limiting DNS query load, the following DNS lookup scheme is employed:

  1. Mail Receivers MUST query the DNS for a DMARC TXT record at the DNS domain matching the one found in the RFC5322.From domain in the message. A possibly empty set of records is returned.
  2. Records that do not include a "v=" tag that identifies the current version of DMARC are discarded.
  3. If the set is now empty, the Mail Receiver MUST query the DNS for a DMARC TXT record at the DNS domain matching the Organizational Domain in place of the RFC5322.From domain in the message (if different). This record can contain policy to be asserted for subdomains of the Organizational Domain.
  4. Records that do not include a "v=" tag that identifies the current version of DMARC are discarded.
  5. If the remaining set contains multiple records, processing terminates and the Mail Receiver takes no action.
  6. If a retrieved policy record does not contain a valid "p" tag, or contains an "sp" tag that is not valid, then:
    A.
    if an "rua" tag is present and contains at least one syntactically valid reporting URI, the Mail Receiver SHOULD act as if a record containing a valid "v" tag and "p=none" was retrieved, and continue processing;
    B.
    otherwise, the Mail Receiver SHOULD take no action.

If the set produced by the mechanism above contains no DMARC policy record (i.e., any indication that there is no such record as opposed to a transient DNS error), Mail Receivers SHOULD NOT apply the DMARC mechanism to the message.

If the RFC5322.From domain does not exist in the DNS, Mail Receivers SHOULD direct the receiving SMTP server to reject the message {R9}. The choice of mechanism for such rejection and the implications of those choices are discussed in Section 11 (Mail Receiver Actions) and Section 15.7 (Rejecting Messages).



 TOC 

10.  Domain Owner Actions

To implement the DMARC mechanism, Domain Owners perform the actions enumerated in this section. For a trial operation, a Domain Owner might at first deploy DMARC to cover only a subdomain.

  1. Deploy authentication technologies [DKIM] (Crocker, D., Hansen, T., and M. Kucherawy, “DomainKeys Identified Mail (DKIM) Signatures,” September 2011.) (see also [DKIM‑OVERVIEW] (Hansen, T., Crocker, D., and P. Hallam-Baker, “DomainKeys Identified Mail (DKIM) Service Overview,” July 2009.) and [DKIM‑DEPLOYMENT] (Hansen, T., Crocker, D., and P. Hallam-Baker, “DomainKeys Identified Mail (DKIM) Development, Deployment, and Operations,” May 2010.)) and [SPF] (Wong, M. and W. Schlitt, “Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1,” April 2006.).
  2. Align identifiers; i.e., audit internal systems so that mail received by Mail Receivers will observe that Authenticated Identifiers within such messages will be in alignment.
  3. Prepare to receive feedback. Create dedicated email addresses to receive and process feedback from the Mail Receivers. This reporting address SHOULD be serviced by an MTA equipped to perform both DKIM and SPF checks.
  4. Publish a DMARC policy of "none" with a feedback reporting address to receive aggregate feedback data from Mail Receivers.
  5. Review and tune authentication deployments. Use the provided feedback data to remediate unauthenticated email streams and correct identifier alignment issues. This is a good opportunity to discover email that, for example, passes SPF checks but is missing DKIM signatures, since such email will inevitably fail authentication when forwarded.
  6. Increase policy strength. When confidence of authentication accuracy is gained, publish a DMARC policy of "quarantine" with a reasonably small value for "pct". Debug false positives (due to missed unsigned mailstreams) while gradually increasing the value of "pct" to 100.
  7. Fully secure mail streams. When "pct" reaches 100 with no observed ill effects, publish a DMARC policy of "reject" with a reasonably small value for "pct". Repeat debugging and corrective process as necessary.


 TOC 

11.  Mail Receiver Actions

This section describes receiver actions in the DMARC environment.



 TOC 

11.1.  Extract Author Domain

The domain in the RFC5322.From field is extracted as the domain to be evaluated by DMARC.

A message bearing multiple RFC5322.From identifiers is ambiguous under DMARC, and MUST be ignored with respect to all DMARC processing. This includes messages with multiple RFC5322.From fields (which is also forbidden under [MAIL] (Resnick, P., Ed., “Internet Message Format,” October 2008.)) and a message with a single RFC5322.From field containing multiple entities. Such messages SHOULD be rejected.



 TOC 

11.2.  Determine Domain Existence

Before undertaking DMARC evaluation itself, a DMARC participant SHOULD make an attempt to determine whether or not the DNS domain found in the RFC5322.From field actually exists. For the purposes of this test, that domain exists if either an MX, A or AAAA record can be found in the DNS, implying it makes available a possible destination for replies to messages it sends. If none of those can be found, the Mail Receiver SHOULD reject the message (see Section 15.7 (Rejecting Messages)). To be specific, a record does not exist if the header section of the DNS reply indicates an RCODE of 0 and an ANCOUNT of 0 (the requested name exists, but no record of the requested type is present), or if the DNS reply indicates an RCODE of 3 (the requested name does not exist at all).

A Mail Receiver MAY also elect to compute the Organizational Domain and repeat the existence test against that domain (if different from the RFC5322.From domain). If that domain also fails, the message MUST be rejected. The process for computing the Organizational Domain is described in Section 4 (Terminology and Definitions).

An example in which these tests may be skipped would be local knowledge (from logs, reputation systems, allow lists, or other historical records maintained by the Mail Receiver) that the RFC5322.From field contains a domain known to exist.



 TOC 

11.3.  Determine Handling Policy

To arrive at a policy disposition for an individual message, Mail Receivers MUST perform the following actions or their semantic equivalents. The first four steps MAY be done in parallel, whereas steps 5 and 6 require input from previous steps.

The steps are as follows:

  1. Extract the RFC5322.From domain from the message.
  2. Query the DNS for a DMARC policy record. Continue if one is found, or abort DMARC evaluation otherwise. See Section 9 (Policy Discovery) for details.
  3. Perform DKIM signature verification checks. The results of this step are passed to the remainder of the algorithm and MUST include the value of the "d=" tag from all DKIM signatures that successfully validated.
  4. Perform SPF validation checks. The results of this step are passed to the remainder of the algorithm and MUST include the domain name from the RFC5321.MailFrom if SPF evaluation returned a "pass" result.
  5. Conduct identifier alignment checks. With authentication checks and policy discovery performed, the Mail Receiver checks if Authenticated Identifiers fall into alignment as decribed in Section 4 (Terminology and Definitions). If one or more of the Authenticated Identifiers align with the RFC5322.From domain, the message is considered to pass the DMARC mechanism check. All other conditions (authentication failures, identifier mismatches) are considered to be DMARC mechanism check failures.
  6. Apply policy. Emails that fail the DMARC mechanism check are disposed of in accordance with the discovered DMARC policy of the Domain Owner. See Section 6.1 (General Record Format) for details.



 TOC 

11.4.  Message Sampling

Attention must be paid to the possible presence of the "pct" tag in the DMARC policy record. If the tag is present, the Mail Receiver MUST NOT enact the requested policy ("p" tag or "sp" tag") on more than the stated percent of the totality of affected messages. However, regardless of whether or not the "pct" tag is present, the Mail Receiver MUST include all relevant message data in any reports produced.

If email is subject to the DMARC policy of "quarantine", the Mail Receiver SHOULD quarantine the message. If the email is not subject to the "quarantine" policy (e.g., due to the "pct" tag), the Mail Receiver SHOULD apply local spam classification as normal.

If email is subject to the DMARC policy of "reject", the Mail Receiver SHOULD reject the message (see Section 15.7 (Rejecting Messages)). If the email is not subject to the "reject" policy (due to the "pct" tag), the Mail Receiver SHOULD treat the email as though the "quarantine" policy applies. This behavior allows senders to experiment with progressively stronger policies without relaxing existing policy.



 TOC 

11.5.  Store Results of DMARC Processing

The results of Mail Receiver-based DMARC processing should be stored for eventual presentation back to the Domain Owner in the form of aggregate feedback reports. Section 6 (DMARC Policy Record) and Section 12 (Feedback Mechanism) discuss aggregate feedback.

See Section 15.8 (Capacity Planning) for a discussion of security matters regarding aggregation of such data.



 TOC 

12.  Feedback Mechanism

The DMARC aggregate feedback report is designed to provide Domain Owners with precise insight into authentication results, where corrective action needs to be taken by Domain Owners, and the effect of Domain Owner DMARC policy on email streams processed by Mail Receivers. The format of the original payload comprising the report can be found in Appendix E (DMARC XML Schema).

The availability, publication, and consumption of aggregate DMARC feedback provides visibility into real-world email streams that Domain Owners need to make informed decisions regarding the publication of DMARC policy. Based on this visibility, Domain Owners can publish DMARC policies and be fully cognizant of the resulting effect of policy enforcement by Mail Receivers. This feedback mechanism significantly reduces the cost and risk of enforcing policies by Mail Receivers.



 TOC 

12.1.  Discovery

Discovery of a request to receive feedback data is made when a Mail Receiver looks up a DMARC policy record. The presence of the "rua" tag specifies where to send feedback. URI schemes found in "rua" tag that are not implemented by a Mail Receiver MUST be ignored.

For on the considerations given to DMARC discovery, see Appendix D (DMARC Discovery Requirements).



 TOC 

12.2.  Transport

Where the URI specified in an "rua" tag does not specify otherwise, a Mail Receiver generating a feedback report SHOULD apply a secure transport mechanism.

If transport is not possible because the services advertised by the published URIs are not able to accept reports, the Mail Receiver SHOULD send a short report (see Section 12.2.4 (Error Reports)) indicating that a report is available but could not be sent. The Mail Receiver MAY cache that data and try again later, or MAY discard data that could not be sent.



 TOC 

12.2.1.  Email

In the case of a "mailto" URI, the Mail Receiver SHOULD communicate reports using the method described in [STARTTLS] (Hoffman, P., “SMTP Service Extension for Secure SMTP over Transport Layer Security,” February 2002.).

The message generated by the Mail Receiver must be a [MIME] (Freed, N. and N. Borenstein, “Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies,” November 1996.) formatted [MAIL] (Resnick, P., Ed., “Internet Message Format,” October 2008.) message. The aggregate report itself MUST be included in one of the parts of the message. A human-readable portion MAY be included as a MIME part (such as a text/plain part).

The aggregate data MUST be an XML file contained within a ZIP file. The aggregate data MUST be present using the media type "application/zip", and the filenames SHOULD be constructed using the following ABNF:

  filename = receiver "!" policy-domain "!" begin-timestamp "!"
             end-timestamp "." extension

  receiver = domain
           ; imported from [MAIL]

  policy-domain = domain

  begin-timestamp = 1*DIGIT
                  ; seconds since 00:00:00 UTC January 1, 1970
                  ; indicating start of the time range contained
                  ; in the report

  end-timestamp = 1*DIGIT
                ; seconds since 00:00:00 UTC January 1, 1970
                ; indicating end of the time range contained
                ; in the report

  extension = "xml" / "zip"

For the ZIP file itself, the extension MUST be "zip"; for the XML report, the extension MUST be "xml".

Email streams carrying DMARC feedback data MUST conform to the DMARC mechanism. That is, the message comprising the report should be DKIM-signed and originate from a source for which an SPF test would pass. This practice minimizes the risk of report consumers processing fraudulent reports.

The RFC5322.Subject field for individual report submissions SHOULD conform to the following ABNF:

  dmarc-subject = %x52.65.70.6f.72.74 1*FWS    ; "Report"
                  %x44.6f.6d.61.69.6e.3a 1*FWS ; "Domain:"
                  domain-name 1*FWS            ; from RFC6376
                  %x53.75.62.6d.69.74.74.65.72.3a ; "Submitter:"
                  1*FWS domain-name 1*FWS
                  %x52.65.70.6f.72.74.2d.49.44.3a ; "Report-ID:"
                  msg-id                       ; from RFC5322

The first domain-name indicates the DNS domain name about which the report was generated. The second domain-name indicates the DNS domain name representing the Mail Receiver generating the report. The purpose of the Report-ID: portion of the field is to enable the Domain Owner to identify and ignore duplicate reports that might be sent by a Mail Receiver.

This transport mechanism potentially encounters a problem when feedback data size exceeds maximum allowable attachment sizes for either the generator or the consumer. See Section 12.2.4 (Error Reports) for further discussion.



 TOC 

12.2.2.  HTTP

Where an "http" or "https" method is requested in a Domain Owner's URI list, the Mail Receiver MAY encode the data using the "application/zip" media type or MAY send the Appendix E (DMARC XML Schema) data uncompressed or unencoded.

The header portion of the POST or PUT request SHOULD contain a Subject field as described in Section 12.2.1 (Email).



 TOC 

12.2.3.  Other Methods

Other registered URI schemes may be explicitly supported in later versions.



 TOC 

12.2.4.  Error Reports

When a Mail Receiver is unable to complete delivery of a report via any of the URIs listed by the Domain Owner, the Mail Receiver SHOULD generate an error message. An attempt MUST be made to send this report to all listed "mailto" URIs and MAY also be sent to any or all other listed URIs.

The error report MUST be formatted per [MIME] (Freed, N. and N. Borenstein, “Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies,” November 1996.). A text/plain part MUST be included that contains field-value pairs such as those found in Section 2 of [DSN] (Moore, K. and G. Vaudreuil, “An Extensible Message Format for Delivery Status Notifications,” January 2003.). The fields required, which may appear in any order, are:

Report-Date:
A [MAIL] (Resnick, P., Ed., “Internet Message Format,” October 2008.)-formatted date expression indicating when the transport failure occurred.
Report-Domain:
The domain-name about which the failed report was generated.
Report-ID:
The Report-ID: that the report tried to use.
Report-Size:
The size, in bytes, of the report that was unable to be sent. This MUST represent the number of bytes that the Mail Receiver attempted to send. Where more than one transport system was attempted, the sizes may be different; in such cases, separate error reports MUST be generated so that this value matches the actual attempt that was made. For example, a "mailto" error report would be sent to the "mailto" URIs with one size, while the "https" reports might be POSTed to those URIs with a different size, as they have different transport and encoding requirements.
Submitter:
The domain-name representing the Mail Receiver that generated, but was unable to submit, the report.
Submitting-URI:
The URI(s) to which the Mail Receiver tried, but failed, to submit the report.

An additional text/plain part MAY be included that gives a human-readable explanation of the above, and MAY also include a URI that can be used to seek assistance.

[NOTE: A more rigorous syntax specification, including ABNF and possible registration of a new media type, will be added here when more operational experience is acquired.]



 TOC 

13.  Minimum Implementations

A minimum implementation of DMARC has the following characteristics:



 TOC 

14.  IANA Considerations

This section describes actions requested of IANA.



 TOC 

14.1.  Authentication-Results Method Registry Update

IANA is requested to add the following to the Email Authentication Method Name Registry:

Method:
dmarc
Defined In:
[this memo]
ptype:
header
property:
from
value:
the domain portion of the RFC5322.From field



 TOC 

14.2.  Authentication-Results Result Registry Update

IANA has added the following in the Email Authentication Result Name Registry:

Code:
none
Existing/New Code:
existing
Defined In:
[AUTH‑RESULTS] (Kucherawy, M., “Message Header Field for Indicating Message Authentication Status,” April 2009.)
Auth Method:
dmarc (added)
Meaning:
No DMARC policy record was published for the aligned identifier, or no aligned identifier could be extracted.

Code:
pass
Existing/New Code:
existing
Defined In:
[AUTH‑RESULTS] (Kucherawy, M., “Message Header Field for Indicating Message Authentication Status,” April 2009.)
Auth Method:
dmarc (added)
Meaning:
A DMARC policy record was published for the aligned identifier, and at least one of the authentication mechanisms passed.

Code:
fail
Existing/New Code:
existing
Defined In:
[AUTH‑RESULTS] (Kucherawy, M., “Message Header Field for Indicating Message Authentication Status,” April 2009.)
Auth Method:
dmarc (added)
Meaning:
A DMARC policy record was published for the aligned identifier, and none of the authentication mechanisms passed.

Code:
temperror
Existing/New Code:
existing
Defined In:
[AUTH‑RESULTS] (Kucherawy, M., “Message Header Field for Indicating Message Authentication Status,” April 2009.)
Auth Method:
dmarc (added)
Meaning:
A temporary error occurred during DMARC evaluation. A later attempt might produce a final result.

Code:
permerror
Existing/New Code:
existing
Defined In:
[AUTH‑RESULTS] (Kucherawy, M., “Message Header Field for Indicating Message Authentication Status,” April 2009.)
Auth Method:
dmarc (added)
Meaning:
A permanent error occurred during DMARC evaluation, such as encountering a syntactically incorrect DMARC record. A later attempt is unlikely to produce a final result.



 TOC 

14.3.  DMARC Tag Registry

Names of DMARC tags must be registered with IANA. New entries are assigned only for values that have been documented in a published RFC that has had IETF Review, per [IANA‑CONSIDERATIONS] (Narten, T. and H. Alvestrand, “Guidelines for Writing an IANA Considerations Section in RFCs,” May 2008.). Each registration must include the tag name, the specification that defines it, a brief description, and its status which must be one of "current", "experimental" or "historic".

The initial set of entries in this registry is as follows:

 +----------+-------------+---------+------------------------------+
 | Tag Name | Defined     | Status  | Description                  |
 +----------+-------------+---------+------------------------------+
 |  adkim   | [THIS MEMO] | current | DKIM alignment mode          |
 +----------+-------------+---------+------------------------------+
 |   aspf   | [THIS MEMO] | current | SPF alignment mode           |
 +----------+-------------+---------+------------------------------+
 |   pct    | [THIS MEMO] | current | Sampling rate                |
 +----------+-------------+---------+------------------------------+
 |    p     | [THIS MEMO] | current | Requested handling policy    |
 +----------+-------------+---------+------------------------------+
 |    rf    | [THIS MEMO] | current | Forensic reporting format(s) |
 +----------+-------------+---------+------------------------------+
 |    ri    | [THIS MEMO] | current | Aggregate Reporting interval |
 +----------+-------------+---------+------------------------------+
 |   rua    | [THIS MEMO] | current | Reporting URI(s) for         |
 |          |             |         | aggregate data               |
 +----------+-------------+---------+------------------------------+
 |   ruf    | [THIS MEMO] | current | Reporting URI(s) for         |
 |          |             |         | forensic data                |
 +----------+-------------+---------+------------------------------+
 |    sp    | [THIS MEMO] | current | Requested handling policy    |
 |          |             |         | for subdomains               |
 +----------+-------------+---------+------------------------------+
 |    v     | [THIS MEMO] | current | Specification version        |
 +----------+-------------+---------+------------------------------+



 TOC 

14.4.  DMARC Report Format Registry

Names of DMARC forensic reporting formats must be registered with IANA. New entries are assigned only for values that have been documented in a published RFC that has had IETF Review, per [IANA‑CONSIDERATIONS] (Narten, T. and H. Alvestrand, “Guidelines for Writing an IANA Considerations Section in RFCs,” May 2008.). Each registration must include the tag name, the specification that defines it, a brief description, and its status which must be one of "current", "experimental" or "historic".

The initial set of entries in this registry is as follows:

 +--------+-------------+---------+-----------------------------+
 | Format | Defined     | Status  | Description                 |
 |  Name  |             |         |                             |
 +--------+-------------+---------+-----------------------------+
 | afrf   | [THIS MEMO] | current | Authentication Failure      |
 |        |             |         | Reporting Format (see       |
 |        |             |         | [AFRF])                     |
 +--------+-------------+---------+-----------------------------+
 | iodef  | [THIS MEMO] | current | Incident Object Description |
 |        |             |         | Exchange Format (see        |
 |        |             |         | [IODEF])                    |
 +--------+-------------+---------+-----------------------------+



 TOC 

15.  Security Considerations

This section discusses security-specific issues related to the DMARC mechanism.



 TOC 

15.1.  Use of RFC5322.From

One of the most obvious points of security scrutiny for DMARC is the choice to focus on an identifier, namely the RFC5322.From, which is part of a body of data trivially forged throughout the history of email.

Several points suggest it is the most correct and safest thing to do in this context:



 TOC 

15.2.  Display Name Attacks

A common attack in messaging abuse is the presentation of false information in the "display name" portion of the RFC5322.From field. For example, it is possible for the email address in that field to be an arbitrary address or domain name, while containing a well-known name (a person, brand, role, etc.) in the display name, intending to fool the end user into believing that the name is used legitimately. The attack is predicated on the notion that most common Mail User Agents (MUAs) will show the display name and not the email address when both are available.

There are a few possible mechanisms that attempt mitigation of these attacks, such as:



 TOC 

15.3.  Attacks on Reporting URIs

URIs published in DNS TXT records are well-understood possible targets for attack. Specifications such as [DNS] (Mockapetris, P., “Domain names - implementation and specification,” November 1987.) and [ROLES] (Crocker, D., “Mailbox Names for Common Services, Roles and Functions,” May 1997.) either expose or cause the exposure of email addresses that could be flooded by an attacker, for example; MX, NS and other records found in the DNS advertise potential attack destinations; common DNS names such as "www" plainly identify the locations at which particular services can be found, providing destinations for targeted denial-of-service or penetration attacks.

Thus, Domain Owners will need to harden these addresses against various attacks, including but not limited to:



 TOC 

15.4.  Issues Specific to SPF

SPF results are honored as a backup mechanism, even if DKIM verification fails or the signature is absent. Senders with internal policies that require all of their mail to be signed may not express a need for this backup mechanism. However, both senders and receivers benefit in significantly reduced support costs if unsigned mail-streams are discovered through aggregate feedback reports as opposed to rejection of legitimate email that otherwise passes with a valid SPF result.

Though DMARC does not inherently change the semantics of an SPF policy record, historically lax enforcement of such policies has led many to publish extremely broad records containing many large network ranges. Domain Owners are strongly encouraged to carefully review their SPF records to understand which networks are authorized to send on behalf of the Domain Owner before publishing a DMARC record.



 TOC 

15.5.  DNS Load

DMARC policies are communicated using the DNS, and therefore inherit a number of considerations related to DNS caching. The inherent conflict between freshness and the impact of caching on the reduction of DNS-lookup overhead should be considered from the Mail Receiver's point of view. Should Domain Owners publish a DNS record with a very short TTL, Mail Receivers can be provoked through the injection of large volumes of messages to overwhelm the Domain Owner's DNS. Although this is not a concern specific to DMARC, the implications of a very short TTL should be considered when publishing DMARC policies.

Conversely, long TTLs will cause records to be cached for long periods of time. This can prevent a critical change to DMARC parameters advertised by a Domain Owner to go unnoticed for the length of the TTL (while waiting for DNS caches to expire). Avoiding this problem can mean shorter TTLs, with the potential problems described above. A balance should be sought to maintain responsiveness of DMARC preference changes while preserving the benefits of DNS caching.



 TOC 

15.6.  External Reporting Addresses

To reduce burdens on Domain Owners, the "rua" tag is allowed to contain references to report consumers outside of the subject DNS domain. Thus, the feedback reporting mechanism can be abused by malicious Domain Owners to cause large volumes of reports to be sent to unsuspecting report consumers. To abuse this mechanism, a malicious Domain Owner must create a DMARC record with an "rua" field that contains a reference to a victim report consumer and then send email to report-generating Mail Receivers. The victim would then receive unwanted reports from each DMARC-aware Mail Receiver.

Although a possible nuisance, due to the long intervals between Mail-Receiver-generated aggregate reports, the possibility of introducing an exploitable Denial of Service mechanism is small. Furthermore, an artifact of such an attack would be feedback reports that describe exactly where an attacker introduced email into each Mail Receiver. Such an artifact would link an attack directly to a Domain Owner and to the network resources utilized to perform the attack.

To further reduce the possibility of abuse, Mail Receivers will want to place controls on report generation to mitigate report generation spikes due to spurious Domain Owner requests for reports.

In addition, the addresses shown in the "ruf" tag receive more information that might be considered private data, since it is possible for actual email content to appear in the forensic reports. The URIs identified there are thus more attractive targets for intrusion attempts than those found in the "rua" tag. Moreover, attacking the DNS of the subject domain to cause forensic data to be routed fraudulently to an attacker's systems may be an attractive prospect. Deployment of DNSSEC is advisable if this is a concern.



 TOC 

15.7.  Rejecting Messages

This proposal calls for rejection of a message during the SMTP session under certain circumstances. This is typically done in one of two ways:

Each of these has a cost. For instance, a silent discard may prevent "backscatter" (the annoying generation of delivery failure reports, which go back to the RFC5321.MailFrom address, about messages that were fraudulently generated), but effectively means the SMTP server has to be programmed to give a false result, which can confound external debugging efforts.

Similarly, the text portion of the SMTP reply may be important to consider. For example, when rejecting a message, revealing the reason for the rejection might give an attacker enough information to bypass those efforts on a later attempt, though it might also assist a legitimate client to determine the source of some local issue that caused the rejection.

If a Mail Receiver elects to defer delivery due to inability to retrieve or apply DMARC policy, this SHOULD be done with a 450 SMTP reply code.



 TOC 

15.8.  Capacity Planning

DMARC participants will need to perform capacity planning to support their implementations. Some factors to consider include:

Storage:
As Mail Receivers process increasing numbers of messages -- from increasingly disparate sources -- claiming to be from DMARC-enabled domains, additional storage of information must be considered to support the generation of feedback reports. Storage needs will also increase as the number of Domain Owners for which the Mail Receiver agrees to provide service increases. Similarly, Domain Owners will need to plan based on how long they wish to store the data found in received reports. When Domain Owners enter exceptional situations and are unable to accept reports, Mail Receivers, as a matter of policy, might discard undelivered reports.
Frequency:
Sending reports more frequently increases processing costs at both the Mail Receiver and the Domain Owner, but can decrease Mail Receiver storage requirements as data are consumed and storage is freed through report generation and transmission. At the same time, less frequent report generation may lead to somewhat stale feedback. An appropriate balance should be sought.
DNS:
DMARC imposes up to two additional DNS queries per arriving message, namely the TXT queries to try to locate a policy statement. For Mail Receivers, these are queries sent; for Domain Owners, these are queries that must be handled. Both sides will need to plan for the additional DNS load.



 TOC 

15.9.  Privacy Considerations

This section discusses security issues specific to private data that may be included in the interactions that are part of DMARC.



 TOC 

15.9.1.  Data Exposure Considerations

Aggregate reports are limited in scope to DMARC policy and disposition results, to information pertaining to the underlying authentication mechanisms, and to the identifiers involved in DMARC validation.

Failed message reporting provides message-specific details pertaining to authentication failures. Individual reports can contain message content as well as trace header fields. Domain Owners are able to analyze individual reports and attempt to determine root causes of authentication mechanism failures, gain insight into misconfigurations or other problems with email and network infrastructure, or inspect messages for insight into abusive practices.

Both report types may expose sender and recipient identifiers (e.g., RFC5322.From fields), and though the [AFRF] (Fontana, H., “Authentication Failure Reporting using the Abuse Report Format,” September 2011.) format used for failed message reporting supports redaction, it is capable of exposing the entire message to the report recipient.



 TOC 

15.9.2.  Report Recipients

A DMARC record can specify for reports to be sent to an intermediary operating on behalf of the Domain Owner. This is done when the Domain Owner contracts with an entity to monitor mail-streams for abuse and performance issues. Receipt by third parties of such data may or may not be permitted by the Mail Receiver's privacy policy, terms of use, or other similar governing document. Domain Owners and Mail Receivers should both review and understand if their own internal policies constrain the use and transmission of DMARC reporting.



 TOC 

15.9.3.  Report Generators

The entity (e.g., mailbox provider, Internet service provider) receiving emails is typically responsible for generating DMARC reports. Such entities are typically charged with protecting accidental disclosure of their users' data. In this case, disclosure is being requested by the entity generating the email in the first place, i.e., the Domain Owner, so this may not fit squarely within existing privacy policy provisions. For some providers, aggregate and failed message reporting are viewed as a function similar to complaint reporting about spamming or phishing, and treated similarly under the privacy policy. Report generators (i.e., Mail Receivers) are encouraged to review their reporting limitations under such policies before enabling DMARC reporting.



 TOC 

15.9.4.  Secure Protocols

This document encourages use of secure transport mechanisms to prevent loss of private data to third parties that may be able to monitor such transmissions. Open transport mechanisms should be avoided.



 TOC 

15.10.  Identifier Alignment Considerations

The DMARC mechanism allows both DKIM and SPF-authenticated identifiers to authenticate email on behalf of a Domain Owner, and, in the case of SPF, on behalf of different subdomains. If malicious or unaware users can gain control of the SPF record or signing practices for a sub-domain, the sub-domain can be used to generate DMARC-passing email on behalf of the Organizational Domain.

For example, an attacker who controls the SPF record for "evil.example.com" can send mail with an RFC5322.From containing "foo@example.com" that can pass both authentication and the DMARC check against "example.com".

The Organizational Domain administrator should be careful not to cede control of sub-domains if this is an issue, and to consider using the "strict" Identifier Alignment option if appropriate.



 TOC 

16.  References



 TOC 

16.1. Normative References

[ABNF] Crocker, D. and P. Overell, “Augmented BNF for Syntax Specifications: ABNF,” RFC 5234, January 2008.
[AFRF] Fontana, H., “Authentication Failure Reporting using the Abuse Report Format,” I-D draft-ietf-marf-authfailure-report, September 2011.
[DKIM] Crocker, D., Hansen, T., and M. Kucherawy, “DomainKeys Identified Mail (DKIM) Signatures,” RFC 6376, September 2011.
[DNS] Mockapetris, P., “Domain names - implementation and specification,” STD 13, RFC 1035, November 1987.
[DNS-CASE] Eastlake, D., “Domain Name System (DNS) Case Insensitivity Clarification,” RFC 4343, January 2006.
[KEYWORDS] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997.
[MAIL] Resnick, P., Ed., “Internet Message Format,” RFC 5322, October 2008.
[MIME] Freed, N. and N. Borenstein, “Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies,” RFC 2045, November 1996.
[SMTP] Klensin, J., “Simple Mail Transfer Protocol,” RFC 5321, October 2008.
[SPF] Wong, M. and W. Schlitt, “Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1,” RFC 4408, April 2006.
[STARTTLS] Hoffman, P., “SMTP Service Extension for Secure SMTP over Transport Layer Security,” RFC 3207, February 2002.
[URI] Berners-Lee, T., Fielding, R., and L. Masinter, “Uniform Resource Identifier (URI): Generic Syntax,” RFC 3986, January 2005.


 TOC 

16.2. Informative References

[ADSP] Allman, E., Fenton, J., Delany, M., and J. Levine, “DomainKeys Identified Mail (DKIM) Author Domain Signing Practices (ADSP),” RFC 5617, August 2009.
[AUTH-RESULTS] Kucherawy, M., “Message Header Field for Indicating Message Authentication Status,” RFC 5451, April 2009.
[DKIM-DEPLOYMENT] Hansen, T., Crocker, D., and P. Hallam-Baker, “DomainKeys Identified Mail (DKIM) Development, Deployment, and Operations,” RFC 5863, May 2010.
[DKIM-OVERVIEW] Hansen, T., Crocker, D., and P. Hallam-Baker, “DomainKeys Identified Mail (DKIM) Service Overview,” RFC 5598, July 2009.
[DSN] Moore, K. and G. Vaudreuil, “An Extensible Message Format for Delivery Status Notifications,” RFC 3464, January 2003.
[EMAIL-ARCH] Crocker, D., “Internet Mail Architecture,” RFC 5598, July 2009.
[IANA-CONSIDERATIONS] Narten, T. and H. Alvestrand, “Guidelines for Writing an IANA Considerations Section in RFCs,” BCP 26, RFC 5226, May 2008.
[IODEF] Danyliw, R., Meijer, J., and Y. Demchenko, “The Incident Object Description Exchange Format,” RFC 5070, December 2007.
[ROLES] Crocker, D., “Mailbox Names for Common Services, Roles and Functions,” RFC 2142, May 1997.


 TOC 

Appendix A.  Examples

This section illustrates both the Domain Owner side and the Mail Receiver side of a DMARC exchange.



 TOC 

A.1.  Identifier Alignment examples

The following examples illustrate the DMARC mechanism's use of Identifier Alignment. For brevity's sake, only message headers are shown as message bodies are not considered when conducting DMARC checks.



 TOC 

A.1.1.  SPF

The following SPF examples assume that SPF produces a passing result.

Example 1: SPF in alignment:

     MAIL FROM: <sender@example.com>

     From: sender@example.com
     Date: Fri, Feb 15 2002 16:54:30 -0800
     To: receiver@example.org
     Subject: here's a sample

SPF In Alignment

In this case, the RFC5321.MailFrom parameter and the RFC5322.From field have identical DNS domains. Thus, the identifiers are in alignment.

Example 2: SPF in alignment (parent):

     MAIL FROM: <sender@example.com>

     From: sender@child.example.com
     Date: Fri, Feb 15 2002 16:54:30 -0800
     To: receiver@example.org
     Subject: here's a sample

SPF In Alignment (Parent)

In this case, the RFC5321.MailFrom parameter includes a DNS domain that is a parent of the RFC5322.From domain. Thus, the identifiers are in alignment if "relaxed" SPF mode is requested by the Domain Owner, and not in alignment if "strict" SPF mode is requested.

Example 3: SPF not in alignment:

     MAIL FROM: <sender@sample.net>

     From: sender@child.example.com
     Date: Fri, Feb 15 2002 16:54:30 -0800
     To: receiver@example.org
     Subject: here's a sample

SPF Not In Alignment

In this case, the RFC5321.MailFrom parameter includes a DNS domain that is neither the same as nor a parent of the RFC5322.From domain. Thus, the identifiers are not in alignment.



 TOC 

A.1.2.  DKIM

The examples below assume the DKIM signatures pass verification. Alignment cannot exist with a DKIM signature that does not verify.

Example 1: DKIM in alignment:

     DKIM-Signature: v=1; ...; d=example.com; ...
     From: sender@example.com
     Date: Fri, Feb 15 2002 16:54:30 -0800
     To: receiver@example.org
     Subject: here's a sample

DKIM In Alignment

In this case, the DKIM "d=" parameter and the RFC5322.From field have identical DNS domains. Thus, the identifiers are in alignment.

Example 2: DKIM in alignment (parent):

     DKIM-Signature: v=1; ...; d=example.com; ...
     From: sender@child.example.com
     Date: Fri, Feb 15 2002 16:54:30 -0800
     To: receiver@example.org
     Subject: here's a sample

DKIM In Alignment (Parent)

In this case, the DKIM signature's "d=" parameter includes a DNS domain that is a parent of the RFC5322.From domain. Thus, the identfiers are in alignment.

Example 3: DKIM not in alignment:

     DKIM-Signature: v=1; ...; d=sample.net; ...
     From: sender@child.example.com
     Date: Fri, Feb 15 2002 16:54:30 -0800
     To: receiver@example.org
     Subject: here's a sample

DKIM Not In Alignment

In this case, the DKIM signature's "d=" parameter includes a DNS domain that is neither the same as nor a parent of the RFC5322.From domain. Thus, the identifiers are not in alignment.



 TOC 

A.2.  Domain Owner example

A Domain Owner that wants to use DMARC should have already deployed and tested SPF and DKIM. The next step is to publish a DNS record that advertises a DMARC policy for the Domain Owner's organizational domain.



 TOC 

A.2.1.  Entire Domain, Monitoring Only

The owner of the domain "example.com" has deployed SPF and DKIM on its messaging infrastructure. The owner wishes to begin using DMARC with a policy that will solicit aggregate feedback from receivers without affecting how the messages are processed, in order to:

The Domain Owner accomplishes this by constructing a policy record indicating that:

The DMARC policy record might look like this when retrieved using a common command-line tool:

  % dig +short TXT _dmarc.example.com.
  "v=DMARC1\; p=none\; rua=mailto:dmarc-feedback@example.com"

To publish such a record, the DNS administrator for the Domain Owner creates an entry like the following in the appropriate zone file (following the conventional zone file format):

  ; DMARC record for the domain example.com

  _dmarc  IN TXT ( "v=DMARC1; p=none; "
                   "rua=mailto:dmarc-feedback@example.com" )



 TOC 

A.2.2.  Entire Domain, Monitoring Only, Per-Message Reports

The Domain Owner from the previous example has used the aggregate reporting to discover some messaging systems that had not yet implemented DKIM correctly, but they are still seeing periodic authentication failures. In order to diagnose these intermittent problems they wish to request per-message forensic reports when authentication failures occur.

Not all Receivers will honor such a request, but the Domain Owner feels that any reports it does receive will be helpful enough to justify publishing this record. The default per-message report format ([AFRF] (Fontana, H., “Authentication Failure Reporting using the Abuse Report Format,” September 2011.)) meets the Domain Owner's needs in this scenario.

The Domain Owner accomplishes this by adding the following to its policy record from Appendix A.2 (Domain Owner example)):

The DMARC policy record might look like this when retrieved using a common command-line tool (the output shown would appear on a single line, but is wrapped here for publication):

  % dig +short TXT _dmarc.example.com.
  "v=DMARC1\; p=none\; rua=mailto:dmarc-feedback@example.com\;
   ruf=mailto:auth-reports@example.com"

To publish such a record, the DNS administrator for the Domain Owner might create an entry like the following in the appropriate zone file (following the conventional zone file format):

 ; DMARC record for the domain example.com

 _dmarc  IN TXT ( "v=DMARC1; p=none; "
                  "rua=mailto:dmarc-feedback@example.com; "
                  "ruf=mailto:auth-reports@example.com" )



 TOC 

A.2.3.  Sub-Domain, Sampling, and Multiple Aggregate Report URIs

The Domain Owner has implemented SPF and DKIM in a sub-domain used for pre-production testing of messaging services. It now wishes to request that participating receivers act to reject messages from this sub-domain that fail to authenticate.

As a first step it will ask that a portion (1/4 in this example) of failing messages be quarantined, enabling examination of messages sent to mailboxes hosted by participating receivers. Aggregate feedback reports will be sent to a mailbox within the Organizational Domain, and to a mailbox at a third party selected and authorized to receive same by the Domain Owner.

The Domain Owner will accomplish this by constructing a policy record indicating that:

The DMARC policy record might look like this when retrieved using a common command-line tool (the output shown would appear on a single line, but is wrapped here for publication):

  % dig +short TXT _dmarc.test.example.com
  "v=DMARC1\; p=quarantine\; rua=mailto:dmarc-feedback@example.com,
   mailto:example-tld-test@thirdparty.example.net\; pct=25"

To publish such a record, the DNS administrator for the Domain Owner might create an entry like the following in the appropriate zone file:

  ; DMARC record for the domain example.com

  _dmarc IN  TXT  ( "v=DMARC1; p=quarantine; "
                    "rua=mailto:dmarc-feedback@example.com,"
                    "mailto:example-tld-test@thirdparty.example.net; "
                    "pct=25" )



 TOC 

A.2.4.  Third Party Sender and Identifier Alignment

The Domain Owner only uses the top-level domain for email, and uses a third-party sender for some marketing message traffic. It has implemented SPF and DKIM across its in-house infrastructure and required the third-party to do the same. A monitoring period has shown that the Domain Owner and the third-party sender are both executing well with respect to email authentication measures.

The third-party has access to the appropriate DKIM private or signing keys for the selectors it will use. However the third-party uses sub-domains like "id1234.bounces.example.com" in the RFC5321.Mailfrom address for campaign tracking and troubleshooting purposes. The sub-domain "bounces.example.com" has been delegated to the third-party so that it can publish appropriate MX records in the DNS.

Therefore the Domain Owner wishes to publish a policy that requests rejection of messages which fail to authenticate, strict identifier alignment for DKIM authentication, and relaxed identifier alignment for SPF checks. Aggregate reports will only be sent to the Domain Owner in this example.

The Domain Owner will accomplish this by constructing a policy record indicating that:

The DMARC policy record might look like this when retrieved using a common command-line tool (the output shown would appear on a single line, but is wrapped here for publication):

  % dig +short TXT _dmarc.example.com
  "v=DMARC1\; p=reject\; adkim=s\; aspf=r\;
   rua=mailto:dmarc-feedback@example.com"

To publish such a record, the DNS administrator for the Domain Owner might create an entry like the following in the appropriate zone file:

  ; DMARC record for the domain example.com
  _dmarc  IN  TXT  ( "v=DMARC1; p=reject; adkim=s; aspf=r; "
                     "rua=mailto:dmarc-feedback@example.com" )



 TOC 

A.2.5.  Sub-Domain Policy, Reporting Interval

In this example the Domain Owner only uses addresses in the Organizational Domain itself ("user@example.com" versus "user@sub.example.com"). A business decision has been made that messages incorrectly being rejected as false positives during, for example, a transient outage are unacceptable. Therefore, the desired policy is that:

Furthermore the Domain Owner would like to request that aggregate data be sent at four hour intervals to themselves and a third-party service for analysis and action. It recognizes that not all Receivers will honor this request, but feels that faster intraday analysis of failures and threats make this worthwhile.

The Domain Owner will accomplish this by constructing a policy record indicating that:

The DMARC policy record might look like this when retrieved using a common command-line tool (the output shown would appear on a single line, but is wrapped here for publication):

  % dig +short TXT _dmarc.example.com
  "v=DMARC1\; p=quarantine\; sp=reject\; ri=14400\;
   rua=mailto:dmarc-feedback@example.com,
   mailto:customer-data@thirdparty.example.net"

To publish such a record, the DNS administrator for the Domain Owner might create an entry like the following in the appropriate zone file:

  ; DMARC record for the domain example.com
  _dmarc  IN  TXT  ( "v=DMARC1; p=quarantine; sp=reject; "
                     "rua=mailto:dmarc-feedback@example.com,"
                     "mailto:customer-data@thirdparty.example.net" )



 TOC 

A.3.  Mail Receiver Example

A Mail Receiver that wants to use DMARC should already be checking SPF and DKIM, and possess the ability to collect relevant information from various email processing stages to provide feedback to Domain Owners.



 TOC 

A.3.1.  SMTP-time Processing

An optimal DMARC-enabled Mail Receiver performs authentication and identifier alignment checking during the [SMTP] (Klensin, J., “Simple Mail Transfer Protocol,” October 2008.) conversation.

Prior to returning a reply to the DATA command, the Mail Receiver's MTA has performed:

  1. An SPF check to determine an SPF-authenticated Identifier.
  2. DKIM checks that yield one or more DKIM-authenticated Identifiers.
  3. A DMARC policy lookup.

The presence of an Author Domain DMARC record indicates that the Mail Receiver should continue with DMARC-specific processing before returning a reply to the DATA command.

Given a DMARC record and the set of Authenticated Identifiers, the Mail Receiver checks to see if the Authenticated Identifiers align with the Author Domain (taking into consideration any "strict" vs "relaxed" options found in the DMARC record).

For example, the following sample data is considered to be from a piece of email originating from the Domain Owner of "example.com":

  Author Domain: example.com
  SPF-authenticated Identifier: mail.example.com
  DKIM-authenticated Identifier: example.com
  DMARC record:
    "v=DMARC1; p=reject; aspf=r;
     rua=mailto:dmarc-feedback@example.com"

In the above sample, both the SPF and the DKIM-authenticated Identifiers align with the Author Domain. The Mail Receiver considers the above email to pass the DMARC check, avoiding the "reject" policy that is to be applied to email that fails to pass the DMARC check.

If no Authenticated Identifiers align with the Author Domain, then the Mail Receiver applies the DMARC-record-specified policy. However, before this action is taken, the Mail Receiver can consult external information to override the Domain Owner's policy. For example, if the Mail Receiver knows that this particular email came from a known and trusted forwarder (that happens to break both SPF and DKIM), then the Mail Receiver may choose to ignore the Domain Owner's policy.

The Mail Receiver is now ready to reply to the DATA command. If the DMARC check yields that the message is to be rejected, then the Mail Receiver replies with a 550 code to inform the sender of failure. If the DMARC check cannot be resolved due to transient network errors, then the Mail Receiver replies with a 450 code to inform the sender as to the need to reattempt delivery later. If the DMARC check yields a passing message, then the Mail Receiver continues on with email processing, perhaps using the result of the DMARC check as an input to additional processing modules such as a domain reputation query.

Before exiting DMARC-specific processing, the Mail Receiver checks to see if the Author Domain DMARC record requests AFRF-based reporting. If so, then the Mail Receiver can emit an AFRF to the reporting address supplied in the DMARC record.

At the exit of DMARC-specific processing, the Mail Receiver captures (through logging or direct insertion into a data store) the result of DMARC processing. Captured information is used to build feedback for Domain Owner consumption.



 TOC 

A.3.2.  Real-time Feedback Processing

If the DMARC record for the Author Domain of the message under processing requests [AFRF]-based reporting, then the Mail Receiver can supply an AFRF report for a message that does not pass all underlying DMARC authentication checks. In other words, if any DMARC-supporting authentication checks fail, an AFRF report should be generated and sent to the reporting address found in the Author Domain's DMARC record.



 TOC 

A.4.  Utilization of Aggregate Feedback example

Aggregate feedback is consumed by Domain Owners to verify the Domain Owners understanding of how the Domain Owner's Domain is being processed by the Mail Receiver. Aggregate reporting data on emails that pass all DMARC-supporting authentication checks is used by Domain Owners to verify that authentication practices remain accurate. For example, if a third party is sending on behalf of a Domain Owner, the Domain Owner can use aggregate report data to verify ongoing authentication practices of the third party.

Data on email that only partially passes underlying authentication checks provides visibility into problems that need to be addressed by the Domain Owner. For example, if either SPF or DKIM fail to pass, the Domain Owner is provided with enough information to either directly correct the problem or to understand where authentication-breaking changes are being introduced in the email transmission path. If authentication-breaking changes due to email transmission path cannot be directly corrected, then the Domain Owner at least maintains an understanding of the effect of DMARC-based policies upon the Domain Owner's email.

Data on email that fails all underlying authentication checks provides baseline visibility on how the Domain Owner's Domain is being received at the Mail Receiver. Based on this visibility, the Domain Owner can begin deployment of authentication technologies across uncovered email sources. Additionally, the Domain Owner may come to an understanding of how its Domain is being misused.



 TOC 

A.5.  mailto Transport example

A DMARC record can contain a "mailto" reporting address, such as:

  mailto:dmarc-feedback@example.com

A sample aggregate report from the Mail Receiver at mail.receiver.example follows:

  DKIM-Signature: v=1; ...; d=mail.receiver.example; ...
  From: dmarc-reporting@mail.receiver.example
  Date: Fri, Feb 15 2002 16:54:30 -0800
  To: dmarc-feedback@example.com
  Subject: Report Domain: example.com
      Submitter: mail.receiver.example
      Report-ID: <2002.02.15.1>
  MIME-Version: 1.0
  Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_024E_01CC9B0A.AFE54C00"
  Content-Language: en-us

  This is a multipart message in MIME format.

  ------=_NextPart_000_024E_01CC9B0A.AFE54C00
  Content-Type: text/plain; charset="us-ascii"
  Content-Transfer-Encoding: 7bit

  This is an aggregate report from mail.receiver.example.

  ------=_NextPart_000_024E_01CC9B0A.AFE54C00
  Content-Type: application/zip
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment;
      filename="mail.receiver.example!example.com!
                1013662812!1013749130.zip"

  <zipped content of report>

  ------=_NextPart_000_024E_01CC9B0A.AFE54C00--

Not shown in the above example is that the Mail Receiver's feedback should be authenticated using SPF. Also, the value of the "filename" MIME parameter is wrapped for printing in this specification but would normally appear as one continuous string.



 TOC 

A.6.  https Transport example

A DMARC record can contain an "https" reporting address, such as:

  https:feedback.example.com/dmarc-feedback-submissions

A sample aggregate report from the Mail Receiver at mail.receiver.example, being posted per the above URL via an established secure HTTP (https) connection, might look like this:

  POST /dmarc-feedback-submissions HTTP/1.1
  Host: feedback.example.com
  Subject: Report Domain: example.com
      Submitter: mail.receiver.example
      Report-ID: <2002.02.15.1>
  Content-Type: application/zip
  Content-Length: 19191

  <zipped content of report here>



 TOC 

Appendix B.  Organizational Domain Discovery Issues

Although protocols like ADSP are useful for "protecting" a specific domain name, they are not helpful at protecting subdomains. If one wished to protect "example.com" by requiring via ADSP that all mail bearing an RFC5322.From domain of "example.com" be signed, this would "protect" that domain; however, one could then craft an email whose RFC5322.From domain is "security.example.com", and ADSP would not provide any protection. One could use a DNS wildcard, but this can undesirably interfere with other DNS activity; one could add ADSP records as fraudulent domains are discovered, but this solution does not scale and is a purely reactive measure against abuse.

The DNS does not provide a method by which the "domain of record", or the domain that was actually registered with a domain registrar, can be determined given an arbitrary domain name. Suggestions have been made that attempt to glean such information from SOA or NS resource records, but these too are not fully reliable as the partitioning of the DNS is not always done at administrative boundaries.

When seeking domain-specific policy based on an arbitrary domain name, one could "climb the tree", dropping labels off the left end of the name until the root is reached or a policy is discovered, but then one could craft a name that has a large number of nonsense labels; this would cause a Mail Receiver to attempt a large number of queries in search of a policy record. Sending many such messages constitutes an amplified denial-of-service attack.

The Organizational Domain mechanism is a necessary component to the goals of DMARC. The method described in Section 4 (Terminology and Definitions) is not perfect, but serves this purpose reasonably well without adding undue burden or semantics to the DNS.



 TOC 

Appendix C.  Issues With ADSP In Operation

Contributors to DMARC have compiled a list of issues associated with ADSP, gained from operational experience, that have influenced the direction of DMARC:

  1. ADSP has no support for subdomains, i.e., the ADSP record for example.com does not explicitly or implicitly apply to subdomain.example.com. If wildcarding is not applied, then spammers can trivially bypass ADSP by sending from a subdomain with no ADSP record.
  2. Non-existent subdomains are explicitly out of scope in ADSP. There is nothing in ADSP that states receivers should simply reject mail from NXDOMAINs regardless of ADSP policy (which of course allows spammers to trivially bypass ADSP by sending email from non-existent subdomains).
  3. ADSP has no operational advice on when to look up the ADSP record.
  4. ADSP has no support for using SPF as an auxiliary mechanism to DKIM.
  5. ADSP has no support for a slow roll-out, i.e., no way to configure a percentage of email on which the receiver should apply the policy. This is important for large-volume senders.
  6. ADSP has no explicit support for an intermediate phase where the receiver quarantines (e.g., sends to the recipient's "spam" folder) rather than rejects the email.
  7. The binding between the "From" header domain and DKIM is too tight for ADSP; they must match exactly.


 TOC 

Appendix D.  DMARC Discovery Requirements

Contributors to DMARC have also compiled a list of requirements that have informed the design of how DMARC policy is determined:

  1. Simple to implement, especially for the feedback generator.
  2. Minimize DNS queries in the discovery phase.
  3. Resilient to abuse of the report consumer. The ability of abusers to publish feedback addresses on wildcarded domains to create a lot of meaningless work for the generator is to be avoided. In recognition that DMARC can be used to perform "joe-job" attacks, the feedback destination URI should be within the same organizational domain. If it is not, the feedback generators need to make a best-effort attempt not to joe-job the apparent feedback consumer.
  4. Support for multiple report consumers. Multiple consumers should be able to receive feedback reports in parallel.
  5. Transport layer security as an option.
  6. Feedback generator verification. Posting a URI in DNS to which anyone can upload large amounts of data is always dangerous. The feedback consumer has to have a way to prevent denial of service attacks by dropping or blocking unwanted data.


 TOC 

Appendix E.  DMARC XML Schema

The following is the proposed initial schema for producing XML formatted aggregate reports as described in this memo:

<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
  targetNamespace="http://dmarc.org/dmarc-xml/0.1">

<!-- The time range in UTC covered by messages in this report,
     specified in seconds since epoch. -->
<xs:complexType name="DateRangeType">
  <xs:all>
    <xs:element name="begin" type="xs:integer"/>
    <xs:element name="end" type="xs:integer"/>
  </xs:all>
</xs:complexType>

<!-- Report generator metadata -->
<xs:complexType name="ReportMetadataType">
  <xs:sequence>
    <xs:element name="org_name" type="xs:string"/>
    <xs:element name="email" type="xs:string"/>
    <xs:element name="extra_contact_info" type="xs:string"
               minOccurs="0"/>
    <xs:element name="report_id" type="xs:string"/>
    <xs:element name="date_range" type="DateRangeType"/>
    <xs:element name="error" type="xs:string" minOccurs="0"
      maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>

<!-- Alignment mode (relaxed or strict) for DKIM and
     SPF. -->
<xs:simpleType name="AlignmentType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="r"/>
    <xs:enumeration value="s"/>
  </xs:restriction>
</xs:simpleType>

<!-- The policy actions specified by p and sp in the
     DMARC record. -->
<xs:simpleType name="DispositionType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="none"/>
    <xs:enumeration value="quarantine"/>
    <xs:enumeration value="reject"/>
  </xs:restriction>
</xs:simpleType>

<!-- The DMARC policy that applied to the messages in
    this report. -->
<xs:complexType name="PolicyPublishedType">
  <xs:all>
    <!-- The domain at which the DMARC record was found. -->
    <xs:element name="domain" type="xs:string"/>
    <!-- The DKIM alignment mode. -->
    <xs:element name="adkim" type="AlignmentType"/>
    <!-- The SPF alignment mode. -->
    <xs:element name="aspf" type="AlignmentType"/>
    <!-- The policy to apply to messages from the domain. -->
    <xs:element name="p" type="DispositionType"/>
    <!-- The policy to apply to messages from subdomains. -->
    <xs:element name="sp" type="DispositionType"/>
    <!-- The percent of messages to which policy applies. -->
    <xs:element name="pct" type="xs:integer"/>
  </xs:all>
</xs:complexType>

<!-- The DMARC-aligned authentication result. -->
<xs:simpleType name="DMARCResultType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="pass"/>
    <xs:enumeration value="fail"/>
  </xs:restriction>
</xs:simpleType>

<!-- Reasons that may affect DMARC disposition or execution
     thereof. -->
<xs:simpleType name="PolicyOverrideType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="forwarded"/>
    <xs:enumeration value="sampled_out"/>
    <xs:enumeration value="trusted_forwarder"/>
    <xs:enumeration value="other"/>
  </xs:restriction>
</xs:simpleType>

<!-- How do we allow report generators to include new
     classes of override reasons if they want to be more
     specific than "other"? -->
<xs:complexType name="PolicyOverrideReason">
  <xs:all>
    <xs:element name="type" type="PolicyOverrideType"/>
    <xs:element name="comment" type="xs:string"
               minOccurs="0"/>
  </xs:all>
</xs:complexType>

<!-- Taking into account everything else in the record,
     the results of applying DMARC. -->
<xs:complexType name="PolicyEvaluatedType">
  <xs:sequence>
    <xs:element name="disposition" type="DispositionType"/>
    <xs:element name="dkim" type="DMARCResultType"/>
    <xs:element name="spf" type="DMARCResultType"/>
    <xs:element name="reason" type="PolicyOverrideReason"
                  minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>

<!-- Credit to Roger L. Costello for IPv4 regex
    http://mailman.ic.ac.uk/pipermail/xml-dev/1999-December/
         018018.html -->
<!-- Credit to java2s.com for IPv6 regex
    http://www.java2s.com/Code/XML/XML-Schema/
         IPv6addressesareeasiertodescribeusingasimpleregex.htm -->
<xs:simpleType name="IPAddress">
  <xs:restriction base="xs:string">
    <xs:pattern value="((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]).){3}
                (1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])|
                ([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}"/>
  </xs:restriction>
</xs:simpleType>

<xs:complexType name="RowType">
  <xs:all>
    <!-- The connecting IP. -->
    <xs:element name="source_ip" type="IPAddress"/>
    <!-- The number of matching messages -->
    <xs:element name="count" type="xs:integer"/>
    <!-- The DMARC disposition applying to matching
         messages. -->
    <xs:element name="policy_evaluated"
                type="PolicyEvaluatedType"
                minOccurs="0"/>
  </xs:all>
</xs:complexType>

<xs:complexType name="IdentifierType">
  <xs:all>
    <!-- The envelope recipient domain. -->
    <xs:element name="envelope_to" type="xs:string"
               minOccurs="0"/>
    <!-- The payload From domain. -->
    <xs:element name="header_from" type="xs:string"
               minOccurs="1"/>
  </xs:all>
</xs:complexType>

<!-- DKIM verification result, according to RFC 5451
     Section 2.4.1. -->
<xs:simpleType name="DKIMResultType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="none"/>
    <xs:enumeration value="pass"/>
    <xs:enumeration value="fail"/>
    <xs:enumeration value="policy"/>
    <xs:enumeration value="neutral"/>
    <xs:enumeration value="temperror"/>
    <xs:enumeration value="permerror"/>
  </xs:restriction>
</xs:simpleType>

<xs:complexType name="DKIMAuthResultType">
  <xs:all>
    <!-- The d= parameter in the signature -->
    <xs:element name="domain" type="xs:string"
                minOccurs="1"/>
    <!-- The DKIM verification result -->
    <xs:element name="result" type="DKIMResultType"
                minOccurs="1"/>
    <!-- Any extra information (e.g., from
         Authentication-Results -->
    <xs:element name="human_result" type="xs:string"
                minOccurs="0"/>
  </xs:all>
</xs:complexType>

<!-- SPF result -->
<xs:simpleType name="SPFResultType">
  <xs:restriction base="xs:string">
    <xs:enumeration value="none"/>
    <xs:enumeration value="neutral"/>
    <xs:enumeration value="pass"/>
    <xs:enumeration value="fail"/>
    <xs:enumeration value="softfail"/>
    <!-- "TempError" commonly implemented as "unknown" -->
    <xs:enumeration value="temperror"/>
    <!-- "PermError" commonly implemented as "error" -->
    <xs:enumeration value="permerror"/>
  </xs:restriction>
</xs:simpleType>

<xs:complexType name="SPFAuthResultType">
  <xs:all>
    <!-- The envelope From domain. -->
    <xs:element name="domain" type="xs:string" minOccurs="1"/>
    <!-- The SPF verification result -->
    <xs:element name="result" type="SPFResultType"
                minOccurs="1"/>
  </xs:all>
</xs:complexType>

<!-- This element contains DKIM and SPF results, uninterpreted
     with respect to DMARC. -->
<xs:complexType name="AuthResultType">
  <xs:sequence>
    <!-- There may be no DKIM signatures, or multiple DKIM
         signatures. -->
    <xs:element name="dkim" type="DKIMAuthResultType"
      minOccurs="0" maxOccurs="unbounded"/>
    <!-- There will always be at least one SPF result. -->
    <xs:element name="spf" type="SPFAuthResultType" minOccurs="1"
      maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>

<!-- This element contains all the authentication results used
     to evaluate the DMARC disposition for the given set of
     messages. -->
<xs:complexType name="RecordType">
  <xs:sequence>
    <xs:element name="row" type="RowType"/>
    <xs:element name="identifiers" type="IdentifierType"/>
    <xs:element name="auth_results" type="AuthResultType"/>
  </xs:sequence>
</xs:complexType>

<!-- Parent -->
<xs:element name="feedback">
  <xs:complexType>
    <xs:sequence>
      <xs:element name="report_metadata"
                 type="ReportMetadataType"/>
      <xs:element name="policy_published"
                 type="PolicyPublishedType"/>
      <xs:element name="record" type="RecordType"
                  maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>
</xs:schema>



 TOC 

Appendix F.  Public Suffix Lists

A public suffix list for the purposes of determining the Organizational Domain can be obtained from various sources. The most common one is maintained by the Mozilla Foundation and made public at http://publicsuffix.org. License terms governing the use of that list are available at that URI.



 TOC 

Appendix G.  Public Discussion

Public discussion of the DMARC proposal documents is taking place on the dmarc-discuss@dmarc.org mailing list. Subscription is available at http://www.dmarc.org/mailman/listinfo/dmarc-discuss.



 TOC 

Author's Address

  Murray S. Kucherawy (editor)
  Cloudmark
  128 King St., 2nd Floor
  San Francisco, CA 94107
  USA
Phone:  +1 415 946 3800
Email:  msk@cloudmark.com