rfc9989.original   rfc9989.txt 
DMARC T. Herr (ed) Internet Engineering Task Force (IETF) T. Herr, Ed.
Internet-Draft Valimail Request for Comments: 9989 Valimail
Obsoletes: 7489, 9091 (if approved) J. Levine (ed) Obsoletes: 7489, 9091 J. Levine, Ed.
Intended status: Standards Track Standcore LLC Category: Standards Track Standcore LLC
Expires: 6 October 2025 4 April 2025 ISSN: 2070-1721 May 2026
Domain-based Message Authentication, Reporting, and Conformance (DMARC) Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
draft-ietf-dmarc-dmarcbis-41
Abstract Abstract
This document describes the Domain-based Message Authentication, This document describes the Domain-based Message Authentication,
Reporting, and Conformance (DMARC) protocol. Reporting, and Conformance (DMARC) protocol.
DMARC permits the owner of an email's Author Domain to enable DMARC permits the owner of an email's Author Domain to enable
validation of the domain's use, to indicate the Domain Owner's or validation of the domain's use to indicate the Domain Owner's or
Public Suffix Operator's message handling preference regarding failed Public Suffix Operator's message handling preference regarding failed
validation, and to request reports about the use of the domain name. validation and to request reports about the use of the domain name.
Mail receiving organizations can use this information when evaluating Mail-receiving organizations can use this information when evaluating
handling choices for incoming mail. handling choices for incoming mail.
This document obsoletes RFCs 7489 and 9091. This document obsoletes RFCs 7489 and 9091.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This is an Internet Standards Track document.
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
This Internet-Draft will expire on 6 October 2025. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9989.
Copyright Notice Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents
license-info) in effect on the date of publication of this document. (https://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. Code Components carefully, as they describe your rights and restrictions with respect
extracted from this document must include Revised BSD License text as to this document. Code Components extracted from this document must
described in Section 4.e of the Trust Legal Provisions and are include Revised BSD License text as described in Section 4.e of the
provided without warranty as described in the Revised BSD License. Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction
2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 7 2. Requirements
2.1. High-Level Goals . . . . . . . . . . . . . . . . . . . . 7 2.1. High-Level Goals
2.2. Anti-Phishing . . . . . . . . . . . . . . . . . . . . . . 8 2.2. Anti-Phishing
2.3. Scalability . . . . . . . . . . . . . . . . . . . . . . . 8 2.3. Scalability
2.4. Out of Scope . . . . . . . . . . . . . . . . . . . . . . 8 2.4. Out of Scope
3. Terminology and Definitions . . . . . . . . . . . . . . . . . 9 3. Terminology and Definitions
3.1. Conventions Used in This Document . . . . . . . . . . . . 9 3.1. Conventions Used in This Document
3.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 9 3.2. Definitions
3.2.1. Authenticated Identifiers . . . . . . . . . . . . . . 9 3.2.1. Authenticated Identifiers
3.2.2. Author Domain . . . . . . . . . . . . . . . . . . . . 9 3.2.2. Author Domain
3.2.3. DKIM Signing Domain . . . . . . . . . . . . . . . . . 10 3.2.3. DKIM Signing Domain
3.2.4. SPF Domain . . . . . . . . . . . . . . . . . . . . . 10 3.2.4. SPF Domain
3.2.5. DMARC Policy Domain . . . . . . . . . . . . . . . . . 10 3.2.5. DMARC Policy Domain
3.2.6. DMARC Policy Record . . . . . . . . . . . . . . . . . 10 3.2.6. DMARC Policy Record
3.2.7. Domain Owner . . . . . . . . . . . . . . . . . . . . 10 3.2.7. Domain Owner
3.2.8. Domain Owner Assessment Policy . . . . . . . . . . . 11 3.2.8. Domain Owner Assessment Policy
3.2.9. Enforcement . . . . . . . . . . . . . . . . . . . . . 11 3.2.9. Enforcement
3.2.10. Identifier Alignment . . . . . . . . . . . . . . . . 11 3.2.10. Identifier Alignment
3.2.11. Mail Receiver . . . . . . . . . . . . . . . . . . . . 12 3.2.11. Mail Receiver
3.2.12. Monitoring Mode . . . . . . . . . . . . . . . . . . . 12 3.2.12. Monitoring Mode
3.2.13. Non-existent Domains . . . . . . . . . . . . . . . . 12 3.2.13. Non-Existent Domains
3.2.14. Organizational Domain . . . . . . . . . . . . . . . . 12 3.2.14. Organizational Domain
3.2.15. Public Suffix Domain (PSD) . . . . . . . . . . . . . 12 3.2.15. Public Suffix Domain (PSD)
3.2.16. Public Suffix Operator (PSO) . . . . . . . . . . . . 13 3.2.16. Public Suffix Operator (PSO)
3.2.17. PSO Controlled Domain Names . . . . . . . . . . . . . 13 3.2.17. PSO-Controlled Domain Names
3.2.18. Report Consumer . . . . . . . . . . . . . . . . . . . 13 3.2.18. Report Consumer
4. Overview and Key Concepts . . . . . . . . . . . . . . . . . . 13 4. Overview and Key Concepts
4.1. DMARC Basics . . . . . . . . . . . . . . . . . . . . . . 13 4.1. DMARC Basics
4.2. Use of RFC5322.From . . . . . . . . . . . . . . . . . . . 14 4.2. Use of RFC5322.From
4.3. Authentication Mechanisms . . . . . . . . . . . . . . . . 14 4.3. Authentication Mechanisms
4.4. Identifier Alignment Explained . . . . . . . . . . . . . 15 4.4. Identifier Alignment Explained
4.4.1. DKIM-Authenticated Identifiers . . . . . . . . . . . 16 4.4.1. DKIM-Authenticated Identifiers
4.4.2. SPF-Authenticated Identifiers . . . . . . . . . . . . 16 4.4.2. SPF-Authenticated Identifiers
4.4.3. Alignment and Extension Technologies . . . . . . . . 17 4.4.3. Alignment and Extension Technologies
4.5. DMARC Policy Record Explained . . . . . . . . . . . . . . 17 4.5. DMARC Policy Record Explained
4.6. DMARC Reporting URIs . . . . . . . . . . . . . . . . . . 18 4.6. DMARC Reporting URIs
4.7. DMARC Policy Record Format . . . . . . . . . . . . . . . 18 4.7. DMARC Policy Record Format
4.8. Formal Definition . . . . . . . . . . . . . . . . . . . . 22 4.8. Formal Definition
4.9. Flow Diagram . . . . . . . . . . . . . . . . . . . . . . 24 4.9. Flow Diagram
4.10. DNS Tree Walk . . . . . . . . . . . . . . . . . . . . . . 26 4.10. DNS Tree Walk
4.10.1. DMARC Policy Discovery . . . . . . . . . . . . . . . 28 4.10.1. DMARC Policy Discovery
4.10.2. Identifier Alignment Evaluation . . . . . . . . . . 29 4.10.2. Identifier Alignment Evaluation
5. DMARC Participation . . . . . . . . . . . . . . . . . . . . . 31 5. DMARC Participation
5.1. Domain Owner Actions . . . . . . . . . . . . . . . . . . 31 5.1. Domain Owner Actions
5.1.1. Publish an SPF Record for an Aligned Domain . . . . . 32 5.1.1. Publish an SPF Record for an Aligned Domain
5.1.2. Configure Sending System for DKIM Signing Using an 5.1.2. Configure Sending System for DKIM Signing Using an
Aligned Domain . . . . . . . . . . . . . . . . . . . 32 Aligned Domain
5.1.3. Set Up a Mailbox to Receive Aggregate Reports . . . . 32 5.1.3. Set Up a Mailbox to Receive Aggregate Reports
5.1.4. Publish a DMARC Policy Record for the Author Domain and 5.1.4. Publish a DMARC Policy Record for the Author Domain and
Organizational Domain . . . . . . . . . . . . . . . . 32 Organizational Domain
5.1.5. Collect and Analyze Reports . . . . . . . . . . . . . 32 5.1.5. Collect and Analyze Reports
5.1.6. Remediate Unaligned or Unauthenticated Mail 5.1.6. Remediate Unaligned or Unauthenticated Mail Streams
Streams . . . . . . . . . . . . . . . . . . . . . . . 33
5.1.7. Decide Whether to Update Domain Owner Assessment Policy 5.1.7. Decide Whether to Update Domain Owner Assessment Policy
to Enforcement . . . . . . . . . . . . . . . . . . . 33 to Enforcement
5.1.8. A Note on Large, Complex Organizations and 5.1.8. A Note on Large, Complex Organizations and
Decentralized DNS Management . . . . . . . . . . . . 33 Decentralized DNS Management
5.2. PSO Actions . . . . . . . . . . . . . . . . . . . . . . . 34 5.2. PSO Actions
5.3. Mail Receiver Actions . . . . . . . . . . . . . . . . . . 35 5.3. Mail Receiver Actions
5.3.1. Extract Author Domain . . . . . . . . . . . . . . . . 35 5.3.1. Extract Author Domain
5.3.2. Determine If The DMARC Mechanism Applies . . . . . . 35 5.3.2. Determine If the DMARC Mechanism Applies
5.3.3. Determine If Authenticated Identifiers Exist . . . . 36 5.3.3. Determine If Authenticated Identifiers Exist
5.3.4. Conduct Identifier Alignment Checks If Necessary . . 36 5.3.4. Conduct Identifier Alignment Checks If Necessary
5.3.5. Determine DMARC "Pass" or "Fail" . . . . . . . . . . 36 5.3.5. Determine DMARC "Pass" or "Fail"
5.3.6. Apply Policy If Appropriate . . . . . . . . . . . . . 36 5.3.6. Apply Policy If Appropriate
5.3.7. Store Results of DMARC Processing . . . . . . . . . . 37 5.3.7. Store Results of DMARC Processing
5.3.8. Send Aggregate Reports . . . . . . . . . . . . . . . 37 5.3.8. Send Aggregate Reports
5.3.9. Optionally Send Failure Reports . . . . . . . . . . . 37 5.3.9. Optionally Send Failure Reports
5.4. Policy Enforcement Considerations . . . . . . . . . . . . 37 5.4. Policy Enforcement Considerations
6. DMARC Feedback . . . . . . . . . . . . . . . . . . . . . . . 38 6. DMARC Feedback
7. Other Topics . . . . . . . . . . . . . . . . . . . . . . . . 39 7. Other Topics
7.1. Issues Specific to SPF . . . . . . . . . . . . . . . . . 39 7.1. Issues Specific to SPF
7.2. Rejecting Messages . . . . . . . . . . . . . . . . . . . 39 7.2. Rejecting Messages
7.3. Interoperability Issues . . . . . . . . . . . . . . . . . 40 7.3. Interoperability Issues
7.4. Interoperability Considerations . . . . . . . . . . . . . 41 7.4. Interoperability Considerations
8. Conformance Requirements for Full DMARC Participation . . . . 43 8. Conformance Requirements for Full DMARC Participation
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44 9. IANA Considerations
9.1. Email Authentication Methods Registry Update . . . . . . 44 9.1. Email Authentication Methods Registry Update
9.2. Email Authentication Result Names Registry Update . . . . 45 9.2. Email Authentication Result Names Registry Update
9.3. DMARC Tags Registry Update . . . . . . . . . . . . . . . 47 9.3. DMARC Tags Registry Update
9.4. DMARC Report Formats Registry Update . . . . . . . . . . 48 9.4. DMARC Report Formats Registry Update
9.5. Underscored and Globally Scoped DNS Node Names Registry 9.5. Underscored and Globally Scoped DNS Node Names Registry
Update . . . . . . . . . . . . . . . . . . . . . . . . . 49 Update
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . 50 10. Privacy Considerations
10.1. Aggregate Report Considerations . . . . . . . . . . . . 50 10.1. Aggregate Report Considerations
10.2. Failure Report Considerations . . . . . . . . . . . . . 50 10.2. Failure Report Considerations
11. Security Considerations . . . . . . . . . . . . . . . . . . . 51 11. Security Considerations
11.1. Authentication Methods . . . . . . . . . . . . . . . . . 51 11.1. Authentication Methods
11.2. Attacks on Reporting URIs . . . . . . . . . . . . . . . 52 11.2. Attacks on Reporting URIs
11.3. DNS Security . . . . . . . . . . . . . . . . . . . . . . 52 11.3. DNS Security
11.4. Display Name Attacks . . . . . . . . . . . . . . . . . . 53 11.4. Display Name Attacks
11.5. Denial of DMARC Processing Attacks . . . . . . . . . . . 53 11.5. Denial of DMARC Processing Attacks
11.6. External Reporting Addresses . . . . . . . . . . . . . . 54 11.6. External Reporting Addresses
11.7. Secure Protocols . . . . . . . . . . . . . . . . . . . . 54 11.7. Secure Protocols
11.8. Relaxed Alignment Considerations . . . . . . . . . . . . 54 11.8. Relaxed Alignment Considerations
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 56 12. References
12.1. Normative References . . . . . . . . . . . . . . . . . . 56 12.1. Normative References
12.2. Informative References . . . . . . . . . . . . . . . . . 58 12.2. Informative References
Appendix A. Technology Considerations . . . . . . . . . . . . . 60 Appendix A. Technology Considerations
A.1. S/MIME . . . . . . . . . . . . . . . . . . . . . . . . . 60 A.1. S/MIME
A.2. Method Exclusion . . . . . . . . . . . . . . . . . . . . 61 A.2. Method Exclusion
A.3. Sender Header Field . . . . . . . . . . . . . . . . . . . 61 A.3. Sender Header Field
A.4. Domain Existence Test . . . . . . . . . . . . . . . . . . 62 A.4. Domain Existence Test
A.5. Organizational Domain Discovery Issues . . . . . . . . . 62 A.5. Organizational Domain Discovery Issues
A.6. Removal of the "pct" Tag . . . . . . . . . . . . . . . . 63 A.6. Removal of the "pct" Tag
Appendix B. Examples . . . . . . . . . . . . . . . . . . . . . . 64 Appendix B. Examples
B.1. Identifier Alignment Examples . . . . . . . . . . . . . . 64 B.1. Identifier Alignment Examples
B.1.1. SPF . . . . . . . . . . . . . . . . . . . . . . . . . 64 B.1.1. SPF
B.1.2. DKIM . . . . . . . . . . . . . . . . . . . . . . . . 65 B.1.2. DKIM
B.2. Domain Owner Example . . . . . . . . . . . . . . . . . . 66 B.2. Domain Owner Example
B.2.1. Entire Domain, Monitoring Mode . . . . . . . . . . . 66 B.2.1. Entire Domain, Monitoring Mode
B.2.2. Entire Domain, Monitoring Mode, Per-Message Failure B.2.2. Entire Domain, Monitoring Mode, Per-Message Failure
Reports . . . . . . . . . . . . . . . . . . . . . . . 67 Reports
B.2.3. Per-Message Failure Reports Directed to Third B.2.3. Per-Message Failure Reports Directed to Third Party
Party . . . . . . . . . . . . . . . . . . . . . . . . 68 B.2.4. Overriding Destination Addresses
B.2.4. Overriding destination addresses . . . . . . . . . . 69 B.2.5. Subdomain, Testing, and Multiple Aggregate Report URIs
B.2.5. Subdomain, Testing, and Multiple Aggregate Report B.3. Mail Receiver Example
URIs . . . . . . . . . . . . . . . . . . . . . . . . 69 B.3.1. SMTP Session Example
B.3. Mail Receiver Example . . . . . . . . . . . . . . . . . . 71 B.4. Organizational and Policy Domain Tree Walk Examples
B.3.1. SMTP Session Example . . . . . . . . . . . . . . . . 71 B.4.1. Simple Organizational and Policy Example
B.4. Organizational and Policy Domain Tree Walk Examples . . . 73 B.4.2. Deep Tree Walk Example
B.4.1. Simple Organizational and Policy Example . . . . . . 73 B.4.3. Example with a PSD DMARC Policy Record
B.4.2. Deep Tree Walk Example . . . . . . . . . . . . . . . 74 B.5. Utilization of Aggregate Feedback: Example
B.4.3. Example with a PSD DMARC Policy Record . . . . . . . 75 Appendix C. Changes from RFC 7489
B.5. Utilization of Aggregate Feedback: Example . . . . . . . 76 C.1. Informational vs. Standards Track
Appendix C. Changes from RFC 7489 . . . . . . . . . . . . . . . 76 C.2. Changes to Terminology and Definitions
C.1. Informational vs. Standards Track . . . . . . . . . . . . 76 C.2.1. Terms Added
C.2. Changes to Terminology and Definitions . . . . . . . . . 77 C.2.2. Definitions Updated
C.2.1. Terms Added . . . . . . . . . . . . . . . . . . . . . 77 C.3. Policy Discovery and Organizational Domain Determination
C.2.2. Definitions Updated . . . . . . . . . . . . . . . . . 77 C.4. Reporting
C.3. Policy Discovery and Organizational Domain C.5. Tags
Determination . . . . . . . . . . . . . . . . . . . . . 77 C.5.1. Tags Added
C.5.2. Tags Removed
C.4. Reporting . . . . . . . . . . . . . . . . . . . . . . . . 78 C.6. Expansion of Domain Owner Actions Section
C.5. Tags . . . . . . . . . . . . . . . . . . . . . . . . . . 78 C.7. Report Generator Recommendations
C.5.1. Tags Added . . . . . . . . . . . . . . . . . . . . . 78 C.8. Removal of RFC 7489, Appendix A.5
C.5.2. Tags Removed . . . . . . . . . . . . . . . . . . . . 78 C.9. RFC 7489 Errata Summary
C.6. Expansion of Domain Owner Actions Section . . . . . . . . 78 C.9.1. RFC Errata, Erratum ID 5365, RFC 7489, Section 7.2.1.1
C.7. Report Generator Recommendations . . . . . . . . . . . . 79 C.9.2. RFC Errata, Erratum ID 5371, RFC 7489, Section 7.2.1.1
C.8. Removal of RFC 7489 Appendix A.5 . . . . . . . . . . . . 79 C.9.3. RFC Errata, Erratum ID 5440, RFC 7489, Section 7.1 and
C.9. RFC 7489 Errata Summary . . . . . . . . . . . . . . . . . 79 Appendices B.2.1, B.2.3, and B.2.4
C.9.1. RFC Errata, Erratum ID 5365, RFC 7489, C.9.4. RFC Errata, Erratum ID 6439, RFC 7489, Section 7.1
Section 7.2.1.1 . . . . . . . . . . . . . . . . . . . 80 C.9.5. RFC Errata, Erratum ID 5221, RFC 7489, Appendix C
C.9.2. RFC Errata, Erratum ID 5371, RFC 7489, C.9.6. RFC Errata, Erratum ID 5229, RFC 7489, Appendix C
Section 7.2.1.1 . . . . . . . . . . . . . . . . . . . 80 C.9.7. RFC Errata, Erratum 5495, RFC 7489, Section 6.6.3
C.9.3. RFC Errata, Erratum ID 5440, RFC 7489, Sections 7.1, C.9.8. RFC Errata, Erratum ID 6485, RFC 7489, Section 7.2.1.1
B.2.1, B.2.3, and B.2.4 . . . . . . . . . . . . . . . 80 C.9.9. RFC Errata, Erratum ID 6729, RFC 7489, Section 3.2
C.9.4. RFC Errata, Erratum ID 6439, RFC 7489, Section 7.1 . 80 C.9.10. RFC Errata, Erratum ID 7099, RFC 7489, Section 7.2.1.1
C.9.5. RFC Errata, Erratum ID 5221, RFC 7489, Appendix C . . 80 C.9.11. RFC Errata, Erratum ID 7100, RFC 7489, Section 7.2.1.1
C.9.6. RFC Errata, Erratum ID 5229, RFC 7489, Appendix C . . 80 C.9.12. RFC Errata, Erratum ID 7835, RFC 7489, Section 6.6.3
C.9.7. RFC Errata, Erratum 5495, RFC 7489, Section 6.6.3 . . 80 C.9.13. RFC Errata, Erratum ID 7865, RFC 7489, Appendix C
C.9.8. RFC Errata, Erratum ID 6485, RFC 7489, C.9.14. RFC Errata, Erratum ID 5151, RFC 7489, Section 1
Section 7.2.1.1 . . . . . . . . . . . . . . . . . . . 81 C.9.15. RFC Errata, Erratum ID 5774, RFC 7489, Appendix C
C.9.9. RFC Errata, Erratum ID 6729, RFC 7489, Section 3.2 . 81 C.10. General Editing and Formatting
C.9.10. RFC Errata, Erratum ID 7099, RFC 7489, Acknowledgements
Section 7.2.1.1 . . . . . . . . . . . . . . . . . . . 81 Acknowledgements - RFC 7489
C.9.11. RFC Errata, Erratum ID 7100, RFC 7489, Authors' Addresses
Section 7.2.1.1 . . . . . . . . . . . . . . . . . . . 81
C.9.12. RFC Errata, Erratum ID 7835, RFC 7489,
Section 6.6.3 . . . . . . . . . . . . . . . . . . . . 81
C.9.13. RFC Errata, Erratum ID 7865, RFC 7489, Appendix C . . 81
C.9.14. RFC Errata, Erratum ID 5151, RFC 7489, Section 1 . . 81
C.9.15. RFC Errata, Erratum ID 5774, RFC 7489, Appendix C . . 82
C.10. General Editing and Formatting . . . . . . . . . . . . . 82
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 82
Acknowledgements - RFC 7489 . . . . . . . . . . . . . . . . . . . 82
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 83
1. Introduction 1. Introduction
RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH BEFORE PUBLISHING:
The source for this draft is maintained on GitHub at:
https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis
(https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis)
Abusive email often includes unauthorized and deceptive use of a Abusive email often includes unauthorized and deceptive use of a
domain name in the "From" header field defined in section 3.6.2 of domain name in the "From" header field defined in Section 3.6.2 of
[RFC5322] and referred to as RFC5322.From. The domain typically [RFC5322] and referred to as RFC5322.From. The domain typically
belongs to an organization expected to be known to - and presumably belongs to an organization expected to be known to -- and presumably
trusted by - the recipient. The Sender Policy Framework (SPF) trusted by -- the recipient. The Sender Policy Framework (SPF)
[RFC7208] and DomainKeys Identified Mail (DKIM) [RFC6376] protocols [RFC7208] and DomainKeys Identified Mail (DKIM) [RFC6376] protocols
provide domain-level authentication but are not directly associated provide domain-level authentication but are not directly associated
with the RFC5322.From domain, also known as the Author Domain with the RFC5322.From domain, also known as the Author Domain
(#author-domain). DMARC leverages these two protocols, providing a (Section 3.2.2). DMARC leverages these two protocols, providing a
method for Domain Owners to publish a DNS TXT record describing the method for Domain Owners to publish a DNS TXT record describing the
email authentication policies for the Author Domain and to request email authentication policies for the Author Domain and to request
specific handling for messages using that domain that fail validation specific handling for messages using that domain that fail validation
checks. These DNS records are called DMARC Policy Records (#dmarc- checks. These DNS records are called DMARC Policy Records
policy-record). (Section 3.2.6).
As with SPF and DKIM, DMARC validation results in a verdict of either As with SPF and DKIM, DMARC validation results in a verdict of either
"pass" or "fail". A DMARC result of "pass" requires not only an SPF "pass" or "fail". A DMARC result of "pass" requires not only an SPF
or DKIM pass verdict for the email message, but also and more or DKIM pass verdict for the email message but also and more
importantly that the domain associated with the SPF or DKIM pass be importantly that the domain associated with the SPF or DKIM pass be
"aligned" with the Author Domain in one of two modes - "relaxed" or "aligned" with the Author Domain in one of two modes -- "relaxed" or
"strict". Domains are said to be in "relaxed alignment" if they have "strict". Domains are said to be in "relaxed alignment" if they have
the same Organizational Domain (#organizational-domain); a domain's the same Organizational Domain (Section 3.2.14); a domain's
Organizational Domain is the domain at the top of the namespace Organizational Domain is the domain at the top of the namespace
hierarchy for that domain while having the same administrative hierarchy for that domain while having the same administrative
authority as that domain. On the other hand, domains are in "strict authority as that domain. On the other hand, domains are in "strict
alignment" if and only if they are identical. The choice of required alignment" if and only if they are identical. The choice of required
alignment mode is left to the Domain Owner (#domain-owner) that alignment mode is left to the Domain Owner (Section 3.2.7) that
publishes a DMARC Policy Record. publishes a DMARC Policy Record.
A DMARC pass for a message indicates only that the use of the Author A DMARC pass for a message indicates only that the use of the Author
Domain has been validated for that message as authorized by the Domain has been validated for that message as authorized by the
Domain Owner. Such authorization does not carry an explicit or Domain Owner. Such authorization does not carry an explicit or
implicit value assertion about that message or about the Domain implicit value assertion about that message or about the Domain
Owner, and so a DMARC pass by itself does not guarantee that delivery Owner, and so a DMARC pass by itself does not guarantee that delivery
to the recipient's Inbox would be safe or desirable. For a mail- to the recipient's inbox would be safe or desirable. For a mail-
receiving organization participating in DMARC, a message that passes receiving organization participating in DMARC, a message that passes
DMARC validation is part of a message stream reliably associated with DMARC validation is part of a message stream reliably associated with
the Author Domain. Therefore, reputation assessment of that stream the Author Domain. Therefore, reputation assessment of that stream
by the mail-receiving organization can assume the use of that Author by the mail-receiving organization can assume the use of that Author
Domain is authorized by the Domain Owner. Domain is authorized by the Domain Owner.
On the other hand, a message that fails this validation is not On the other hand, a message that fails this validation is not
necessarily associated with the Author Domain and so should not necessarily associated with the Author Domain and so should not
affect the Author Domain's reputation. The phrase "not necessarily affect the Author Domain's reputation. The phrase "not necessarily
associated" was purposely chosen here, as it is importatnt to associated" was purposely chosen here, as it is important to
understand that some messages making authorized use of the Author understand that some messages making authorized use of the Author
Domain can still fail DMARC validation checks. [RFC7960] and Domain can still fail DMARC validation checks. [RFC7960] and
Section 7 of this document both discuss reasons why such failures may Section 7 of this document both discuss reasons why such failures may
happen. Because of this, a mail-receiving organization that performs happen. Because of this, a mail-receiving organization that performs
DMARC validation can choose to honor the Domain Owner's requested DMARC validation can choose to honor the Domain Owner's requested
message handling for validation failures, but it is not required to message handling for validation failures, but it is not required to
do so. DMARC is commonly used as one input to more complex filtering do so. DMARC is commonly used as one input to more complex filtering
decisions, and so the mail-receiving organization might choose decisions, and so the mail-receiving organization might choose
different actions entirely. different actions entirely.
DMARC, in the associated [I-D.ietf-dmarc-aggregate-reporting] and DMARC, in the associated documents [RFC9990] and [RFC9991], also
[I-D.ietf-dmarc-failure-reporting] documents, also specifies a specifies a reporting framework. Using it, a mail-receiving
reporting framework. Using it, a mail-receiving organization can organization can generate regular reports about messages that use
generate regular reports about messages that use Author Domains for Author Domains for which a DMARC Policy Record exists; those reports
which a DMARC Policy Record exists; those reports are sent to the are sent to the address(es) specified by the Domain Owner in the
address(es) specified by the Domain Owner in the DMARC Policy Record. DMARC Policy Record. Domain Owners can use these reports, especially
Domain Owners can use these reports, especially the aggregate the aggregate reports, not only to identify sources of mail
reports, not only to identify sources of mail attempting to attempting to fraudulently use their domain but also (and perhaps
fraudulently use their domain, but also (and perhaps more more importantly) to flag and fix gaps in their own authentication
importantly) to flag and fix gaps in their own authentication
practices. However, as with honoring the Domain Owner's stated mail practices. However, as with honoring the Domain Owner's stated mail
handling preference, a mail-receiving organization supporting DMARC handling preference, a mail-receiving organization supporting DMARC
is under no obligation to send requested reports, although it is is under no obligation to send requested reports; although, it is
recommended that they do send aggregate reports. recommended that they do send aggregate reports.
The use of DMARC creates some interoperability challenges that The use of DMARC creates some interoperability challenges that
require due consideration before deployment, particularly with require due consideration before deployment, particularly with
configurations that can cause mail to be rejected. These are configurations that can cause mail to be rejected. These are
discussed in Section 7. discussed in Section 7.
2. Requirements 2. Requirements
The following sections describe topics that guide the specification The following sections describe topics that guide the specification
of DMARC. of DMARC.
2.1. High-Level Goals 2.1. High-Level Goals
DMARC has the following high-level goals: DMARC has the following high-level goals:
* Allow Domain Owners (#domain-owner) and Public Suffix Operators * Allow Domain Owners (Section 3.2.7) and Public Suffix Operators
(PSOs) (#public-suffix-operator) to validate their email (PSOs) (Section 3.2.16) to validate their email authentication
authentication deployments. deployments.
* Allow Domain Owners and PSOs to assert their desired message * Allow Domain Owners and PSOs to assert their desired message
handling for validation failures on messages purporting to have handling for validation failures on messages purporting to have
authorship within the domain. authorship within the domain.
* Minimize implementation complexity for both senders and receivers. * Minimize implementation complexity for both senders and receivers.
* Reduce the amount of successfully delivered spoofed emails. * Reduce the amount of successfully delivered spoofed emails.
* Work at Internet scale. * Work at Internet scale.
2.2. Anti-Phishing 2.2. Anti-Phishing
DMARC is designed to prevent the unauthorized use of the Author DMARC is designed to prevent the unauthorized use of the Author
Domain (#author-domain) of an email message, a technique known as Domain (Section 3.2.2) of an email message, a technique known as
"spoofing". Such unauthorized usage can frequently be found in "spoofing". Such unauthorized usage can frequently be found in
messages impersonating a domain belonging to a business entity, messages impersonating a domain belonging to a business entity, i.e.,
messages that are meant to entice the recipient to provide sensitive messages that are meant to entice the recipient to provide sensitive
information, such as usernames, passwords, and financial account information, such as usernames, passwords, and financial account
information. These spoofed messages are commonly referred to as information. These spoofed messages are commonly referred to as
"phishing". "phishing".
DMARC can only be used to combat specific forms of exact-domain DMARC can only be used to combat specific forms of exact-domain
spoofing directly. DMARC does not attempt to solve all problems with spoofing directly. DMARC does not attempt to solve all problems with
spoofed or otherwise fraudulent emails. In particular, it does not spoofed or otherwise fraudulent emails. In particular, it does not
address the use of visually similar domain names or abuse of the address the use of visually similar domain names or abuse of the
RFC5322.From human-readable display-name, as defined in Section 3.4 RFC5322.From human-readable display name, as defined in Section 3.4
of [RFC5322]. of [RFC5322].
2.3. Scalability 2.3. Scalability
Scalability is a significant issue for systems that need to operate Scalability is a significant issue for systems that need to operate
in an environment as widely deployed as current SMTP email. For this in an environment as widely deployed as current SMTP email. For this
reason, DMARC seeks to avoid the need for third parties or pre- reason, DMARC seeks to avoid the need for third parties or pre-
sending agreements between senders and receivers. This preserves the sending agreements between senders and receivers. This preserves the
positive aspects of the current email infrastructure. positive aspects of the current email infrastructure.
skipping to change at page 8, line 43 skipping to change at line 350
email-handling flow, it also does not preclude them. Such third email-handling flow, it also does not preclude them. Such third
parties are free to provide services in conjunction with DMARC. parties are free to provide services in conjunction with DMARC.
2.4. Out of Scope 2.4. Out of Scope
Several topics and issues are specifically out of scope of this work. Several topics and issues are specifically out of scope of this work.
These include the following: These include the following:
* Different treatment of messages that are not authenticated (e.g., * Different treatment of messages that are not authenticated (e.g.,
those that have no DKIM signature or those sent using an Author those that have no DKIM signature or those sent using an Author
Domain (#author-domain) for which no DMARC Policy Record (#dmarc- Domain (Section 3.2.2) for which no DMARC Policy Record
policy-record) exists) versus those that fail validation; (Section 3.2.6) exists versus those that fail validation;
* Evaluation of anything other than RFC5322.From header field; * Evaluation of anything other than the RFC5322.From header field;
* Multiple reporting formats; * Multiple reporting formats;
* Publishing policy other than via the DNS; * Publishing policy other than via the DNS;
* Reporting or otherwise evaluating other than the last-hop IP * Reporting or otherwise evaluating other than the last-hop IP
address; address;
* Attacks in the display-name portions of the RFC5322.From header * Attacks in the display name portions of the RFC5322.From header
field, also known as "display name" attacks; field, also known as "display name" attacks;
* Authentication of entities other than domains, since DMARC is * Authentication of entities other than domains, since DMARC is
built upon SPF and DKIM, which authenticate domains; and built upon SPF and DKIM, which authenticate domains; and
* Content analysis. * Content analysis.
3. Terminology and Definitions 3. Terminology and Definitions
This section defines terms used in the rest of the document. This section defines terms used in the rest of the document.
3.1. Conventions Used in This Document 3.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in
14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
Readers are encouraged to be familiar with the contents of [RFC5598]. Readers are encouraged to be familiar with the contents of [RFC5598].
In particular, that document defines various roles in the messaging In particular, that document defines various roles in the messaging
infrastructure that can appear the same or separate in various infrastructure that can appear the same or separate in various
contexts. For example, a Domain Owner (#domain-owner) could, via the contexts. For example, a Domain Owner (Section 3.2.7) could, via the
messaging security mechanisms on which DMARC is based, delegate the messaging security mechanisms on which DMARC is based, delegate the
ability to send mail as the Domain Owner to a third party with ability to send mail as the Domain Owner to a third party with
another role. This document does not address the distinctions among another role. This document does not address the distinctions among
such roles; the reader is encouraged to become familiar with that such roles; the reader is encouraged to become familiar with that
material before continuing. material before continuing.
3.2. Definitions 3.2. Definitions
The following sections define the terms used in this document. The following sections define the terms used in this document.
3.2.1. Authenticated Identifiers 3.2.1. Authenticated Identifiers
Authenticated Identifiers are those domain-level identifiers for Authenticated Identifiers are those domain-level identifiers for
which authorized use is validated using a supported authentication which authorized use is validated using a supported authentication
mechanism (#authentication-mechanisms). mechanism (Section 4.3).
3.2.2. Author Domain 3.2.2. Author Domain
The domain name of the apparent author as extracted from the The Author Domain is the domain name of the apparent author as
RFC5322.From header field. extracted from the RFC5322.From header field.
3.2.3. DKIM Signing Domain 3.2.3. DKIM Signing Domain
The domain name that is the value of the "d" tag in a validated DKIM- The DKIM Signing Domain is the domain name that is the value of the
Signature header field in an email message. "d" tag in a validated DKIM-Signature header field in an email
message.
3.2.4. SPF Domain 3.2.4. SPF Domain
SPF, [RFC7208], can validate the uses of both the domain found in an SPF [RFC7208] can validate the uses of both the domain found in an
SMTP [RFC5321] HELO/EHLO command (the HELO identity) and the domain SMTP [RFC5321] HELO/EHLO command (the HELO identity) and the domain
found in an SMTP MAIL command (the MAIL FROM identity). DMARC relies found in an SMTP MAIL command (the MAIL FROM identity). DMARC relies
solely on SPF validation of the MAIL FROM identity. Section 2.4 of solely on SPF validation of the MAIL FROM identity. Section 2.4 of
[RFC7208] describes the determination of the MAIL FROM identity for [RFC7208] describes the determination of the MAIL FROM identity for
cases in which the SMTP MAIL command has a null path, i.e., the cases in which the SMTP MAIL command has a null path, i.e., the
mailbox composed of the local-part "postmaster" and the HELO mailbox composed of the local-part "postmaster" and the HELO
identity. identity.
The term "SPF Domain" when used in this document refers to an SPF The term "SPF Domain" when used in this document refers to an SPF-
validated MAIL FROM identity. validated MAIL FROM identity.
3.2.5. DMARC Policy Domain 3.2.5. DMARC Policy Domain
The domain name at which an applicable DMARC Policy Record (#dmarc- The DMARC Policy Domain is the domain name at which an applicable
policy-record) is discovered for the Author Domain (#author-domain) DMARC Policy Record (Section 3.2.6) is discovered for the Author
of an email message. Domain (Section 3.2.2) of an email message.
3.2.6. DMARC Policy Record 3.2.6. DMARC Policy Record
A DNS TXT record published by a Domain Owner (#domain-owner) or A DMARC Policy Record is a DNS TXT record published by a Domain Owner
Public Suffix Operator (PSO) (#public-suffix-operator) to enable (Section 3.2.7) or Public Suffix Operator (PSO) (Section 3.2.16) to
validation of an Author Domain's (#author-domain) use, to indicate enable validation of an Author Domain's (Section 3.2.2) use, to
the Domain Owner's or PSO's message handling preference regarding indicate the Domain Owner's or PSO's message handling preference
failed validation, and optionally to request reports about the use of regarding failed validation, and optionally to request reports about
the Author Domain. the use of the Author Domain.
3.2.7. Domain Owner 3.2.7. Domain Owner
An entity or organization that has control of a given DNS domain, A Domain Owner is an entity or organization that has control of a
usually by holding its registration. Domain Owners range from given DNS domain, usually by holding its registration. Domain Owners
complex, globally distributed organizations to service providers range from complex, globally distributed organizations to service
working on behalf of non-technical clients to individuals responsible providers working on behalf of non-technical clients to individuals
for maintaining personal domains. This specification uses this term responsible for maintaining personal domains. This specification
as analogous to an Administrative Management Domain as defined in uses this term as analogous to an Administrative Management Domain
[RFC5598]. It can also refer to delegates, such as Report Consumers (ADMD), as defined in [RFC5598]. It can also refer to delegates,
when those are outside of their immediate management domain. such as Report Consumers, when those are outside of their immediate
management domain.
3.2.8. Domain Owner Assessment Policy 3.2.8. Domain Owner Assessment Policy
The message handling preference expressed in a DMARC Policy Record The Domain Owner Assessment Policy is the message handling preference
(#dmarc-policy-record) by the Domain Owner (#domain-owner) regarding expressed in a DMARC Policy Record (Section 3.2.6) by the Domain
failed validation of the Author Domain (#author-domain) is called the Owner (Section 3.2.7) regarding failed validation of the Author
"Domain Owner Assessment Policy". Possible values are described in Domain (Section 3.2.2). Possible values are described in
Section 4.7. Section 4.7.
3.2.9. Enforcement 3.2.9. Enforcement
Enforcement describes a state where the existing Domain Owner Enforcement describes a state where the existing Domain Owner
Assessment Policy (#domain-owner-policy) for an Organizational Domain Assessment Policy (Section 3.2.8) for an Organizational Domain
(#organizational-domain) and all subdomains below it is not "p=none". (Section 3.2.14) and all subdomains below it is not "p=none". This
This state means that the Organizational Domain and its subdomains state means that the Organizational Domain and its subdomains can
can only be used as Author Domains (#author-domain) if they are only be used as Author Domains (Section 3.2.2) if they are properly
properly validated using the DMARC mechanism. validated using the DMARC mechanism.
Historically, Domain Owner Assessment Policies of "p=quarantine" or Historically, Domain Owner Assessment Policies of "p=quarantine" or
"p=reject" have been higher value signals to Mail Receivers (#mail- "p=reject" have been higher value signals to Mail Receivers
receiver). Messages with Author Domains for which such policies (Section 3.2.11). Messages with Author Domains for which such
exist that are not validated using the DMARC mechanism will not reach policies exist that are not validated using the DMARC mechanism will
the inbox at Mail Receivers that participate in DMARC and honor the not reach the inbox at Mail Receivers that participate in DMARC and
Domain Owner's expressed handling preference. honor the Domain Owner's expressed handling preference.
3.2.10. Identifier Alignment 3.2.10. Identifier Alignment
DMARC describes the concept of alignment between the Author Domain DMARC describes the concept of alignment between the Author Domain
(#author-domain) and an Authenticated Identifier (#authenticated- (Section 3.2.2) and an Authenticated Identifier (Section 3.2.1) and
identifiers), and requires such Identifier Alignment between the two requires such Identifier Alignment between the two for a message to
for a message to achieve a DMARC pass. DMARC defines two states for achieve a DMARC pass. DMARC defines two states for alignment.
alignment.
3.2.10.1. Relaxed Alignment 3.2.10.1. Relaxed Alignment
When the Author Domain (#author-domain) has the same Organizational When the Author Domain (Section 3.2.2) has the same Organizational
Domain (#organizational-domain) as an Authenticated Identifier Domain (Section 3.2.14) as an Authenticated Identifier
(#authenticated-identifier), the two are said to be in relaxed (Section 3.2.1), the two are said to be in relaxed alignment.
alignment.
3.2.10.2. Strict Alignment 3.2.10.2. Strict Alignment
When the Author Domain (#author-domain) is identical to an When the Author Domain (Section 3.2.2) is identical to an
Authenticated Identifier (#authenticated-identifier), the two are Authenticated Identifier (Section 3.2.1), the two are said to be in
said to be in strict alignment. strict alignment.
3.2.11. Mail Receiver 3.2.11. Mail Receiver
The entity or organization that receives and processes email. Mail The Mail Receiver is the entity or organization that receives and
Receivers operate one or more Internet-facing Message Transfer Agents processes email. Mail Receivers operate one or more Internet-facing
(MTAs). Message Transfer Agents (MTAs).
3.2.12. Monitoring Mode 3.2.12. Monitoring Mode
Monitoring Mode describes a state where the existing Domain Owner Monitoring Mode describes a state where the existing Domain Owner
Assessment Policy (#domain-owner-policy) for an Organizational Domain Assessment Policy (Section 3.2.8) for an Organizational Domain
(#organizational-domain) and all subdomains below it is "p=none", and (Section 3.2.14) and all subdomains below it is "p=none", and the
the Domain Owner (#domain-owner) is receiving aggregate reports for Domain Owner (Section 3.2.7) is receiving aggregate reports for the
the Organizational Domain. While the use of the Organizational Organizational Domain. While the use of the Organizational Domain
Domain and all its subdomains as Author Domains (#author-domain) can and all its subdomains as Author Domains (Section 3.2.2) can still be
still be validated by a Mail Receiver (#mail-receiver) deploying the validated by a Mail Receiver (Section 3.2.11) deploying the DMARC
DMARC mechanism, the Domain Owner expresses no handling preference mechanism, the Domain Owner expresses no handling preference for
for messages that fail DMARC validation. The Domain Owner is, messages that fail DMARC validation. However, the Domain Owner is
however, using the content of the DMARC aggregate reports to make any using the content of the DMARC aggregate reports to make any needed
needed adjustments to the authentication practices for its mail adjustments to the authentication practices for its mail streams.
streams.
3.2.13. Non-existent Domains 3.2.13. Non-Existent Domains
For DMARC purposes, a non-existent domain is consistent with the For DMARC purposes, a non-existent domain is consistent with the
term's meaning as described in [RFC8020]. That is, if the response term's meaning as described in [RFC8020]. That is, if the response
code received for a query for a domain name is NXDOMAIN, then the code received for a query for a domain name is NXDOMAIN, then the
domain name and any possible subdomains do not exist. domain name and any possible subdomains do not exist.
3.2.14. Organizational Domain 3.2.14. Organizational Domain
The Organizational Domain for any domain is akin to the ADMD The Organizational Domain for any domain is akin to the ADMD
described in [RFC5598]. A domain's Organizational Domain is the described in [RFC5598]. A domain's Organizational Domain is the
skipping to change at page 13, line 11 skipping to change at line 547
".com", ".org", ".us", and ".co.uk", to name just a few. These ".com", ".org", ".us", and ".co.uk", to name just a few. These
domains are called "Public Suffix Domains" (PSDs). For example, domains are called "Public Suffix Domains" (PSDs). For example,
"ietf.org" is a registered domain name, and ".org" is its PSD. "ietf.org" is a registered domain name, and ".org" is its PSD.
3.2.16. Public Suffix Operator (PSO) 3.2.16. Public Suffix Operator (PSO)
A Public Suffix Operator is an organization that manages operations A Public Suffix Operator is an organization that manages operations
within a PSD, particularly the DNS records published for names at and within a PSD, particularly the DNS records published for names at and
under that domain name. under that domain name.
3.2.17. PSO Controlled Domain Names 3.2.17. PSO-Controlled Domain Names
PSO-Controlled Domain Names are names in the DNS that are managed by PSO-Controlled Domain Names are names in the DNS that are managed by
a PSO. PSO-controlled Domain Names may have one label (e.g., ".com") a PSO. PSO-Controlled Domain Names may have one label (e.g., ".com")
or more (e.g., ".co.uk"), depending on the PSD's policy. or more (e.g., ".co.uk"), depending on the PSD's policy.
3.2.18. Report Consumer 3.2.18. Report Consumer
A Report Consumer is an operator that receives reports from another A Report Consumer is an operator that receives reports from another
operator implementing the reporting mechanisms described in the operator implementing the reporting mechanisms described in [RFC9990]
documents [I-D.ietf-dmarc-aggregate-reporting] and and [RFC9991]. This term applies collectively to the system
[I-D.ietf-dmarc-failure-reporting]. This term applies collectively components that receive and process these reports and the
to the system components that receive and process these reports and organizations that operate those components.
the organizations that operate those components.
Report Consumers can receive reports concerning domains for which the Report Consumers can receive reports concerning domains for which the
Report Consumer is also the Domain Owner (#domain-owner) or PSO Report Consumer is also the Domain Owner (Section 3.2.7) or PSO
(#public-suffix-operator), or concerning domains that belong to (Section 3.2.16) or concerning domains that belong to another
another operator entirely. The DMARC mechanism permits a Domain operator entirely. The DMARC mechanism permits a Domain Owner to act
Owner to act as a Report Consumer for its domain(s) and/or to as a Report Consumer for its domain(s) and/or to designate third
designate third parties to so act. See Section 11.6 for further parties to so act. See Section 11.6 for further discussion of such
discussion of such designation. designation.
4. Overview and Key Concepts 4. Overview and Key Concepts
This section provides a general overview of the design and operation This section provides a general overview of the design and operation
of the DMARC environment. of the DMARC environment.
4.1. DMARC Basics 4.1. DMARC Basics
DMARC permits a Domain Owner (#domain-owner) or PSO (#public-suffix- DMARC permits a Domain Owner (Section 3.2.7) or PSO (Section 3.2.16)
operator) to enable validation of an Author Domain's (#author-domain) to enable validation of an Author Domain's (Section 3.2.2) use in an
use in an email message, to indicate the Domain Owner's or PSO's email message, to indicate the Domain Owner's or PSO's message
message handling preference regarding failed validation, and to handling preference regarding failed validation, and to request
request reports about use of the Author Domain. A domain's DMARC reports about use of the Author Domain. A domain's DMARC Policy
Policy Record (#dmarc-policy-record) is published in the DNS as a TXT Record (Section 3.2.6) is published in the DNS as a TXT record at the
record at the name created by prepending the label "_dmarc" to the name created by prepending the label "_dmarc" to the domain name and
domain name and is retrieved through normal DNS queries. is retrieved through normal DNS queries.
DMARC's validation mechanism produces a "pass" result if a DMARC DMARC's validation mechanism produces a "pass" result if a DMARC
Policy Record exists for the Author Domain of an email message and Policy Record exists for the Author Domain of an email message and
the Author Domain is aligned (#identifier-alignment) with an the Author Domain is aligned (Section 3.2.10) with an Authenticated
Authenticated Identifier (#authenticated-identifiers) from that Identifier (Section 3.2.1) from that message. When a DMARC Policy
message. When a DMARC Policy Record exists for the Author Domain and Record exists for the Author Domain and the DMARC mechanism does not
the DMARC mechanism does not produce a "pass" result, the Mail produce a "pass" result, the Mail Receiver's (Section 3.2.11)
Receiver's (#mail-receiver) handling of that message can be handling of that message can be influenced by the Domain Owner
influenced by the Domain Owner Assessment Policy (#domain-owner- Assessment Policy (Section 3.2.8) expressed in the DMARC Policy
policy) expressed in the DMARC Policy Record. Record.
It is important to note that the authentication mechanisms employed It is important to note that the authentication mechanisms employed
by DMARC only validate the usage of a DNS domain in an email message. by DMARC only validate the usage of a DNS domain in an email message.
They do not validate the local-part of any email address identifier They do not validate the local-part of any email address identifier
found in that message, nor do such validations carry an explicit or found in that message, nor do such validations carry an explicit or
implicit value assertion about that message or about the Domain implicit value assertion about that message or about the Domain
Owner. Owner.
DMARC's reporting component involves the collection of information DMARC's reporting component involves the collection of information
about received messages using the Author Domain for periodic about received messages using the Author Domain for periodic
aggregate reports to the Domain Owner or PSO. The parameters and aggregate reports to the Domain Owner or PSO. The parameters and
format for such reports are discussed in format for such reports are discussed in [RFC9990].
[I-D.ietf-dmarc-aggregate-reporting].
A Mail Receiver participating in DMARC might also generate per- A Mail Receiver participating in DMARC might also generate per-
message failure reports that contain information related to message failure reports that contain information related to
individual messages that fail DMARC validation checks. Per-message individual messages that fail DMARC validation checks. Per-message
failure reports are a useful source of information when debugging failure reports are useful sources of information when debugging
deployments (if messages can be determined to be legitimate even deployments (if messages can be determined to be legitimate despite
though failing validation) or in analyzing attacks. The capability failing validation) or in analyzing attacks. The capability for such
for such services is enabled by DMARC but defined in other referenced services is enabled by DMARC but defined in other referenced material
material such as [RFC6591] and [I-D.ietf-dmarc-failure-reporting] such as [RFC6591] and [RFC9991].
4.2. Use of RFC5322.From 4.2. Use of RFC5322.From
One of the most obvious points of security scrutiny for DMARC is the One of the most obvious points of security scrutiny for DMARC is the
choice to focus on an identifier, namely the RFC5322.From address, choice to focus on an identifier, namely the RFC5322.From address,
which is part of a body of data that has been trivially forged which is part of a body of data that has been trivially forged
throughout the history of email. This field is the one used by end throughout the history of email. This field is the one used by end
users to identify the source of the message, and so it has always users to identify the source of the message, and so it has always
been a prime target for abuse through such forgery and other means. been a prime target for abuse through such forgery and other means.
That said, of all the identifiers that are part of the message That said, of all the identifiers that are part of the message
itself, this is the only one required to be present. A message itself, this is the only one required to be present. A message
without a single, properly formed RFC5322.From header field does not without a single, properly formed RFC5322.From header field does not
comply with [RFC5322], and handling such a message is outside of the comply with [RFC5322], and handling such a message is outside of the
scope of this specification. scope of this specification.
4.3. Authentication Mechanisms 4.3. Authentication Mechanisms
The following mechanisms for determining Authenticated Identifiers The following mechanisms for determining Authenticated Identifiers
(#authenticated-identifiers) are supported in this version of DMARC: (Section 3.2.1) are supported in this version of DMARC:
* DKIM, [RFC6376]. The DKIM Signing Domain (#dkim-signing-domain) * DKIM [RFC6376]: The DKIM Signing Domain (Section 3.2.3) from a
from a validated DKIM-Signature header field is an Authenticated validated DKIM-Signature header field is an Authenticated
Identifier. Identifier.
* SPF, [RFC7208]. The validated SPF Domain (#spf-domain) from the * SPF [RFC7208]: The validated SPF Domain (Section 3.2.4) from the
email message is the Authenticated Identifier. email message is the Authenticated Identifier.
4.4. Identifier Alignment Explained 4.4. Identifier Alignment Explained
DMARC validates the authorized use of the Author Domain (#author- DMARC validates the authorized use of the Author Domain
domain) by requiring either that it have the same Organizational (Section 3.2.2) by requiring either that it have the same
Domain (#organizational-domain) as an Authenticated Identifier Organizational Domain (Section 3.2.14) as an Authenticated Identifier
(#authenticated-identifier) (a condition known as "Relaxed Alignment (Section 3.2.1) (a condition known as "relaxed alignment"
(#relaxed-alignment)") or that it be identical to the Authenticated (Section 3.2.10.1)) or that it be identical to the Authenticated
Identifier (a condition known as "Strict Alignment (#strict- Identifier (a condition known as "strict alignment"
alignment)"). The choice of relaxed or strict alignment is left to (Section 3.2.10.2)). The choice of relaxed or strict alignment is
the Domain Owner (#domain-owner) and is expressed in the domain's left to the Domain Owner (Section 3.2.7) and is expressed in the
DMARC Policy Record (#dmarc-policy-record). In practice, nearly all domain's DMARC Policy Record (Section 3.2.6). In practice, nearly
Domain Owners have found relaxed alignment sufficient to meet their all Domain Owners have found relaxed alignment sufficient to meet
needs. Domain name comparisons in this context are case-insensitive, their needs. Domain name comparisons in this context are case-
per [RFC4343]. insensitive, per [RFC4343].
The following table is meant to illustrate possible alignment The following table is meant to illustrate possible alignment
conditions. conditions.
+==================+==================+=========================+ +==================+==================+=========================+
| Authenticated | Author Domain | Identifier Alignment | | Authenticated | Author Domain | Identifier Alignment |
| Identifier | | | | Identifier | | |
+==================+==================+=========================+ +==================+==================+=========================+
| foo.example.com | news.example.com | relaxed; the two have | | foo.example.com | news.example.com | relaxed; the two have |
| | | the same Organizational | | | | the same Organizational |
| | | Domain, example.com | | | | Domain, example.com |
+------------------+------------------+-------------------------+ +------------------+------------------+-------------------------+
| news.example.com | news.example.com | strict; the two are | | news.example.com | news.example.com | strict; the two are |
| | | identical | | | | identical |
+------------------+------------------+-------------------------+ +------------------+------------------+-------------------------+
| foo.example.net | news.example.com | none; the two do not | | foo.example.net | news.example.com | none; the two do not |
| | | share a common | | | | share a common |
| | | Organizational Domain | | | | Organizational Domain |
+------------------+------------------+-------------------------+ +------------------+------------------+-------------------------+
Table 1: "Alignment Examples" Table 1: Alignment Examples
It is important to note that Identifier Alignment cannot occur with a It is important to note that Identifier Alignment cannot occur with a
message that is not valid per [RFC5322], particularly one with a message that is not valid per [RFC5322], particularly one with a
malformed, absent, or repeated RFC5322.From header field, since in malformed, absent, or repeated RFC5322.From header field, since in
that case there is no reliable way to determine a DMARC Policy Record that case, there is no reliable way to determine a DMARC Policy
(#dmarc-policy-record) that applies to the message. Accordingly, Record (Section 3.2.6) that applies to the message. Accordingly,
DMARC operation is predicated on the input being a valid RFC5322 DMARC operation is predicated on the input being a valid message
message object. For non-compliant cases, handling is outside of the object [RFC5322]. For non-compliant cases, handling is outside of
scope of this specification. Further discussion of this can be found the scope of this specification. Further discussion of this can be
in Section 11.5. found in Section 11.5.
4.4.1. DKIM-Authenticated Identifiers 4.4.1. DKIM-Authenticated Identifiers
DKIM permits a Domain Owner to claim some responsibility for a DKIM permits a Domain Owner to claim some responsibility for a
message by associating the domain to the message. This association message by associating the domain to the message. This association
is done by inserting the domain as the value of the "d" tag in a is done by inserting the domain as the value of the "d" tag in a
DKIM-Signature header field, and the assertion of responsibility is DKIM-Signature header field, and the assertion of responsibility is
validated through a cryptographic signature in the header field. If validated through a cryptographic signature in the header field. If
the cryptographic signature validates, then the DKIM Signing Domain the cryptographic signature validates, then the DKIM Signing Domain
is the DKIM-Authenticated Identifier. is the DKIM-Authenticated Identifier.
skipping to change at page 16, line 48 skipping to change at line 727
validation of the MAIL FROM identity. If the use of the domain in validation of the MAIL FROM identity. If the use of the domain in
the MAIL FROM identity is validated by SPF, then that domain is the the MAIL FROM identity is validated by SPF, then that domain is the
SPF-Authenticated Identifier. SPF-Authenticated Identifier.
There is currently no generally accepted mechanism by which a Domain There is currently no generally accepted mechanism by which a Domain
Owner may assert a list of third-party domains that are authorized Owner may assert a list of third-party domains that are authorized
for use as the MAIL FROM identity for mail using a given Author for use as the MAIL FROM identity for mail using a given Author
Domain. Therefore, DMARC requires that Identifier Alignment is Domain. Therefore, DMARC requires that Identifier Alignment is
applied to the SPF-Authenticated Identifier because any Domain Owner, applied to the SPF-Authenticated Identifier because any Domain Owner,
even a bad actor, can publish an SPF record for its domain and send even a bad actor, can publish an SPF record for its domain and send
email that will obtain an SPF pass result. Only an SPF-Authenticated an email that will obtain an SPF "pass" result. Only an SPF-
Identifier that has Identifier Alignment with the Author Domain is Authenticated Identifier that has Identifier Alignment with the
enough to validate the authorized use of the Author Domain. Author Domain is enough to validate the authorized use of the Author
Domain.
4.4.3. Alignment and Extension Technologies 4.4.3. Alignment and Extension Technologies
If in the future DMARC is extended to include the use of other In the future, if DMARC is extended to include the use of other
authentication mechanisms, the extensions MUST allow for the authentication mechanisms, the extensions MUST allow for the
assignment of a domain as an Authenticated Identifier so that assignment of a domain as an Authenticated Identifier so that
alignment with the Author Domain can be validated. alignment with the Author Domain can be validated.
4.5. DMARC Policy Record Explained 4.5. DMARC Policy Record Explained
A Domain Owner (#domain-owner) or PSO (#public-suffix-operator) A Domain Owner (Section 3.2.7) or PSO (Section 3.2.16) advertises
advertises DMARC participation of one or more of its domains by DMARC participation of one or more of its domains by publishing DMARC
publishing DMARC Policy Records (#dmarc-policy-record) that will Policy Records (Section 3.2.6) that will apply to those domains. In
apply to those domains. In doing so, Domain Owners and PSOs indicate doing so, Domain Owners and PSOs indicate their handling preference
their handling preference regarding failed validation for email regarding failed validation for email messages using their domain in
messages using their domain in the RFC5322.From header field as well the RFC5322.From header field as well as their desire (if any) to
as their desire (if any) to receive feedback about such messages in receive feedback about such messages in the form of aggregate and/or
the form of aggregate and/or failure reports. failure reports.
DMARC Policy Records are stored as DNS TXT records with names DMARC Policy Records are stored as DNS TXT records with names
starting with the label "_dmarc". For example, the Domain Owner of starting with the label "_dmarc". For example, the Domain Owner of
"example.com" would publish a DMARC Policy Record at the name "example.com" would publish a DMARC Policy Record at the name
"_dmarc.example.com", and a Mail Receiver (#mail-receiver) wishing to "_dmarc.example.com", and a Mail Receiver (Section 3.2.11) wishing to
find the DMARC Policy Record for mail with an Author Domain (#author- find the DMARC Policy Record for mail with an Author Domain
domain) of "example.com" would issue a TXT query to the DNS for the (Section 3.2.2) of "example.com" would issue a TXT query to the DNS
name "_dmarc.example.com". A Domain Owner or PSO may choose not to for the name "_dmarc.example.com". A Domain Owner or PSO may choose
participate in DMARC validation by Mail Receivers simply by not not to participate in DMARC validation by Mail Receivers simply by
publishing a DMARC Policy Record for its Author Domain(s). not publishing a DMARC Policy Record for its Author Domain(s).
DMARC Policy Records can also apply to subdomains of the name at DMARC Policy Records can also apply to subdomains of the name at
which they are published in the DNS, if the record is published at an which they are published in the DNS if the record is published at an
Organizational Domain (#organizational-domain) for the subdomains. Organizational Domain (Section 3.2.14) for the subdomains. The
The Domain Owner Assessment Policy (#domain-owner-policy) that Domain Owner Assessment Policy (Section 3.2.8) that applies to the
applies to the subdomains can be identical to the Domain Owner subdomains can be identical to the Domain Owner Assessment Policy
Assessment Policy that applies to the Organizational Domain or that applies to the Organizational Domain or different, depending on
different, depending on the presence or absence of certain values in the presence or absence of certain values in the DMARC Policy Record.
the DMARC Policy Record. See Section 4.7 for more details. See Section 4.7 for more details.
DMARC's use of the Domain Name Service is driven by DMARC's use of DMARC's use of the Domain Name Service is driven by DMARC's use of
domain names and the nature of the query it performs. The query domain names and the nature of the query it performs. The query
requirement matches with the DNS for obtaining simple parametric requirement matches with the DNS for obtaining simple parametric
information. It uses an established method of storing the information. It uses an established method of storing the
information associated with the domain name targeted by a DNS query, information associated with the domain name targeted by a DNS query,
specifically an isolated TXT record that is restricted to the DMARC specifically an isolated TXT record that is restricted to the DMARC
context. Using the DNS as the query service has the benefit of context. Using the DNS as the query service has the benefit of
reusing an extremely well-established operations, administration, and reusing an extremely well-established operations, administration, and
management infrastructure, rather than creating a new one. management infrastructure, rather than creating a new one.
skipping to change at page 18, line 25 skipping to change at line 799
Authenticated Identifier and the Author Domain. Alternatively, if Authenticated Identifier and the Author Domain. Alternatively, if
the Domain Owner wishes to rely solely on SPF, then it can send email the Domain Owner wishes to rely solely on SPF, then it can send email
messages that have no DKIM-Signature header field that would produce messages that have no DKIM-Signature header field that would produce
Identifier Alignment between a DKIM-Authenticated Identifier and the Identifier Alignment between a DKIM-Authenticated Identifier and the
Author Domain. However, it is RECOMMENDED that Domain Owners use Author Domain. However, it is RECOMMENDED that Domain Owners use
both DKIM and SPF as underlying authentication mechanisms for DMARC. both DKIM and SPF as underlying authentication mechanisms for DMARC.
A Mail Receiver implementing the DMARC mechanism gets the Domain A Mail Receiver implementing the DMARC mechanism gets the Domain
Owner's or PSO's published Domain Owner Assessment Policy and can use Owner's or PSO's published Domain Owner Assessment Policy and can use
it to inform its handling decisions for messages that undergo DMARC it to inform its handling decisions for messages that undergo DMARC
validation checks and do not produce a result of pass. Mail handling validation checks and do not produce a result of "pass". Mail
considerations based on Domain Owner Assessment Policy enforcement handling considerations based on Domain Owner Assessment Policy
are discussed below in Section 5.4. enforcement are discussed below in Section 5.4.
4.6. DMARC Reporting URIs 4.6. DMARC Reporting URIs
[RFC3986] defines a syntax for identifying a resource. The DMARC [RFC3986] defines a syntax for identifying a resource. The DMARC
mechanism uses this as the format by which a Domain Owner (#domain- mechanism uses this as the format by which a Domain Owner
owner) or PSO (#public-suffix-organization) specifies the (Section 3.2.7) or PSO (Section 3.2.16) specifies the destination(s)
destination(s) for the two report types that are supported. The for the two report types that are supported. The DMARC Policy Record
DMARC Policy Record format (#policy-record-format) allows for a list format (Section 4.7) allows for a list of these URIs to be provided,
of these URIs to be provided, with each URI separated by commas with each URI separated by commas (ASCII 0x2c).
(ASCII 0x2c).
A formal definition is provided in Section 4.8. A formal definition is provided in Section 4.8.
4.7. DMARC Policy Record Format 4.7. DMARC Policy Record Format
DMARC Policy Records follow the extensible "tag-value" syntax for DMARC Policy Records follow the extensible "tag-value" syntax for
DNS-based key records defined in DKIM [RFC6376]. DNS-based key records defined in DKIM [RFC6376].
Section 9 creates a registry for known DMARC tags and registers the Section 9 creates a registry for known DMARC tags and registers the
initial set defined in this document. Only tags defined in that initial set defined in this document. Only tags defined in that
registry are to be processed; unknown tags MUST be ignored. registry are to be processed; unknown tags MUST be ignored.
The following tags are valid DMARC tags: The following tags are valid DMARC tags:
adkim: (plain-text; OPTIONAL; default is "r".) Indicates whether adkim: (plain-text; OPTIONAL; default is "r".) Indicates whether
the Domain Owner (#domain-owner) or PSO (#public-suffix- the Domain Owner (Section 3.2.7) or PSO (Section 3.2.16) requires
organization) requires strict or relaxed DKIM Identifier Alignment strict or relaxed DKIM Identifier Alignment mode. See
mode. See Section 4.4.1 for details. Valid values are as Section 4.4.1 for details. Valid values are as follows:
follows:
r: relaxed mode r: relaxed mode
s: strict mode s: strict mode
aspf: (plain-text; OPTIONAL; default is "r".) Indicates whether the aspf: (plain-text; OPTIONAL; default is "r".) Indicates whether the
Domain Owner or PSO requires strict or relaxed SPF Identifier Domain Owner or PSO requires strict or relaxed SPF Identifier
Alignment mode. See Section 4.4.2 for details. Valid values are Alignment mode. See Section 4.4.2 for details. Valid values are
as follows: as follows:
r: relaxed mode r: relaxed mode
s: strict mode s: strict mode
fo: Failure reporting options (plain-text; OPTIONAL; default is "0") fo: Failure reporting options (plain-text; OPTIONAL; default is
Provides requested options for the generation of failure reports. "0"). Provides requested options for the generation of failure
Report generators may choose to adhere to the requested options. reports. Report generators may choose to adhere to the requested
This tag's content MUST be ignored if a "ruf" tag (below) is not options. This tag's content MUST be ignored if a "ruf" tag
also specified. This tag can include one or more of the values (below) is not also specified. This tag can include one or more
shown here, with the exception that "0" and "1" are mutually of the values shown here, with the exception that "0" and "1" are
exclusive. If more than one value is assigned to the tag, the mutually exclusive. If more than one value is assigned to the
list of values should be separated by colons (e.g., fo=0:d), and tag, the list of values should be separated by colons (e.g.,
the values may appear in the list in any order. Valid values and fo=0:d), and the values may appear in the list in any order.
their meanings are: Valid values and their meanings are as follows:
0: Generate a DMARC failure report if all underlying 0: Generate a DMARC failure report if all underlying
authentication mechanisms fail to produce an aligned "pass" authentication mechanisms fail to produce an aligned "pass"
result. result.
1: Generate a DMARC failure report if any underlying 1: Generate a DMARC failure report if any underlying
authentication mechanism fails to produce an aligned "pass" authentication mechanism fails to produce an aligned "pass"
result. result.
d: Generate a DKIM failure report if the message had a signature d: Generate a DKIM failure report if the message had a signature
that failed evaluation, regardless of its alignment. DKIM- that failed evaluation, regardless of its alignment. DKIM-
specific reporting is described in [RFC6651]. specific reporting is described in [RFC6651].
s: Generate an SPF failure report if the message failed SPF s: Generate an SPF failure report if the message failed SPF
evaluation, regardless of its alignment. SPF-specific evaluation, regardless of its alignment. SPF-specific
reporting is described in [RFC6652]. reporting is described in [RFC6652].
np: Domain Owner Assessment Policy (#domain-owner-policy) for non- np: Domain Owner Assessment Policy (Section 3.2.8) for non-existent
existent subdomains of the given Organizational Domain (plain- subdomains of the given Organizational Domain (plain-text;
text; OPTIONAL). For this tag, the definition of "non-existent OPTIONAL). For this tag, the definition of "non-existent
subdomain" is the same as that used for "Non-existent Domains" in subdomain" is the same as that used for "non-existent domains" in
Section 3.2.13. The policy expressed by this tag indicates the Section 3.2.13. The policy expressed by this tag indicates the
message handling preference of the Domain Owner or PSO for mail message handling preference of the Domain Owner or PSO for mail
using non-existent subdomains of the prevailing Organizational using non-existent subdomains of the prevailing Organizational
Domain and not passing DMARC validation. It applies only to non- Domain and not passing DMARC validation. It applies only to non-
existent subdomains of the Organizational Domain queried and not existent subdomains of the Organizational Domain queried and not
to either existing subdomains or the domain itself. Its syntax is to either existing subdomains or the domain itself. Its syntax is
identical to that of the "p" tag defined below. If the "np" tag identical to that of the "p" tag defined below. If the "np" tag
is absent, the policy specified by the "sp" tag (if the "sp" tag is absent, the policy specified by the "sp" tag (if the "sp" tag
is present) or the policy specified by the "p" tag, if the "sp" is present) or the policy specified by the "p" tag (if the "sp"
tag is not present, MUST be applied for non-existent subdomains. tag is not present) MUST be applied for non-existent subdomains.
p: Domain Owner Assessment Policy (#domain-owner-policy) (plain- p: Domain Owner Assessment Policy (Section 3.2.8) (plain-text;
text; RECOMMENDED for DMARC Policy Records). Indicates the RECOMMENDED for DMARC Policy Records). Indicates the message
message handling preference of the Domain Owner or PSO for mail handling preference of the Domain Owner or PSO for mail using its
using its domain but not passing DMARC validation. The policy domain but not passing DMARC validation. The policy applies to
applies to the domain queried and to subdomains, unless the the domain queried and to subdomains, unless the subdomain policy
subdomain policy is explicitly described using the "sp" or "np" is explicitly described using the "sp" or "np" tags. If this tag
tags. If this tag is not present in an otherwise syntactically is not present in an otherwise syntactically valid DMARC Policy
valid DMARC Policy Record, then the record is treated as if it Record, then the record is treated as if it included "p=none" (see
included "p=none" (see Section 4.10.1). This tag is not Section 4.10.1). This tag is not applicable for third-party
applicable for third-party reporting records (see reporting records (see [RFC9990] and [RFC9991]). Possible values
[I-D.ietf-dmarc-aggregate-reporting] and are as follows:
[I-D.ietf-dmarc-failure-reporting]). Possible values are as
follows:
none: The Domain Owner offers no expression of preference. none: The Domain Owner offers no expression of preference.
quarantine: The Domain Owner considers such mail to be quarantine: The Domain Owner considers such mail to be
suspicious. It is possible the mail is valid, although the suspicious. It is possible the mail is valid, although the
failure creates a significant concern. failure creates a significant concern.
reject: The Domain Owner considers all such failures to be a reject: The Domain Owner considers all such failures to be a
clear indication that the use of the domain name is not valid. clear indication that the use of the domain name is not valid.
See Section 7.2 for some discussion of SMTP rejection methods See Section 7.2 for some discussion of SMTP rejection methods
and their implications. and their implications.
psd: A flag indicating whether the domain is a PSD. (plain-text; psd: A flag indicating whether the domain is a PSD (plain-text;
OPTIONAL; default is "u"). Possible values are: OPTIONAL; default is "u"). Possible values are as follows:
y: PSOs include this tag with a value of "y" to indicate that the y: PSOs include this tag with a value of "y" to indicate that the
domain is a PSD. If a record containing this tag with a value domain is a PSD. If a record containing this tag with a value
of "y" is found during policy discovery, this information will of "y" is found during policy discovery, this information will
be used to determine the Organizational Domain and DMARC Policy be used to determine the Organizational Domain and DMARC Policy
Domain applicable to the message in question. Domain applicable to the message in question.
n: The DMARC Policy Record is published for a domain that is not n: The DMARC Policy Record is published for a domain that is not
a PSD, but it is the Organizational Domain for itself and its a PSD, but it is the Organizational Domain for itself and its
subdomains. subdomains.
u: The default indicates that the DMARC Policy Record is u: The default indicates that the DMARC Policy Record is
published for a domain that is not a PSD, and may or may not be published for a domain that is not a PSD and may or may not be
an Organizational Domain for itself and its subdomains. Use an Organizational Domain for itself and its subdomains. Use
the mechanism described in Section 4.10 for determining the the mechanism described in Section 4.10 for determining the
Organizational Domain for this domain. Organizational Domain for this domain.
rua: Addresses to which aggregate feedback reports are to be sent rua: Addresses to which aggregate feedback reports are to be sent
(comma-separated plain-text list of DMARC Reporting URIs; (comma-separated plain-text list of DMARC Reporting URIs;
OPTIONAL). If present, the Domain Owner is requesting Mail OPTIONAL). If present, the Domain Owner is requesting Mail
Receivers to send aggregate feedback reports as defined in Receivers to send aggregate feedback reports as defined in
[I-D.ietf-dmarc-aggregate-reporting] to the URIs listed. Any [RFC9990] to the URIs listed. Any valid URI can be specified. A
valid URI can be specified. A Mail Receiver that sends aggregate Mail Receiver that sends aggregate feedback reports MUST implement
feedback reports MUST implement support for a "mailto:" URI, i.e., support for a "mailto:" URI, i.e., the ability to send a DMARC
the ability to send a DMARC report via electronic mail. If the report via electronic mail. If the tag is not provided, Mail
tag is not provided, Mail Receivers MUST NOT generate aggregate Receivers MUST NOT generate aggregate feedback reports for the
feedback reports for the domain. URIs involving schemes not domain. URIs involving schemes not supported by Mail Receivers
supported by Mail Receivers MUST be ignored. MUST be ignored. [RFC9990] also discusses considerations that
[I-D.ietf-dmarc-aggregate-reporting] also discusses considerations apply when the domain name of a URI differs from the domain
that apply when the domain name of a URI differs from the domain
publishing the DMARC Policy Record. See Section 11.6 for publishing the DMARC Policy Record. See Section 11.6 for
additional considerations. additional considerations.
ruf: Addresses to which message-specific failure information is to ruf: Addresses to which message-specific failure information is to
be reported (comma-separated plain-text list of DMARC URIs; be reported (comma-separated plain-text list of DMARC URIs;
OPTIONAL). If present, the Domain Owner is requesting Mail OPTIONAL). If present, the Domain Owner is requesting Mail
Receivers to send detailed failure reports about messages that Receivers to send detailed failure reports about messages that
fail the DMARC evaluation in specific ways (see the "fo" tag fail the DMARC evaluation in specific ways (see the "fo" tag
above) to the URIs listed. Depending on the value of the "fo" above) to the URIs listed. Depending on the value of the "fo"
tag, the format for such reports is described in tag, the format for such reports is described in [RFC9991],
[I-D.ietf-dmarc-failure-reporting], [RFC6651], or [RFC6652]. Any [RFC6651], and [RFC6652]. Any valid URI can be specified. A Mail
valid URI can be specified. A Mail Receiver sending failure Receiver sending failure reports MUST implement support for a
reports MUST implement support for a "mailto:" URI, i.e., the "mailto:" URI, i.e., the ability to send message-specific failure
ability to send message-specific failure information via information via electronic mail. If the tag is not provided, Mail
electronic mail. If the tag is not provided, Mail Receivers MUST Receivers MUST NOT generate failure reports for the domain. URIs
NOT generate failure reports for the domain. URIs involving involving schemes not supported by Mail Receivers MUST be ignored.
schemes not supported by Mail Receivers MUST be ignored. [RFC9990] discusses considerations that apply when the domain name
[I-D.ietf-dmarc-aggregate-reporting] discusses considerations that of a URI differs from that of the domain advertising the policy.
apply when the domain name of a URI differs from that of the See Section 11.6 for additional considerations.
domain advertising the policy. See Section 11.6 for additional
considerations.
sp: Domain Owner Assessment Policy for all subdomains of the given sp: Domain Owner Assessment Policy for all subdomains of the given
Organizational Domain (plain-text; OPTIONAL). Indicates the Organizational Domain (plain-text; OPTIONAL). Indicates the
message handling preference of the Domain Owner or PSO for mail message handling preference of the Domain Owner or PSO for mail
using an existing subdomain of the prevailing Organizational using an existing subdomain of the prevailing Organizational
Domain for and not passing DMARC validation. It applies only to Domain for and not passing DMARC validation. It applies only to
existing subdomains of the message's Organizational Domain in the existing subdomains of the message's Organizational Domain in the
DNS hierarchy and not to the Organizational Domain itself. Its DNS hierarchy and not to the Organizational Domain itself. Its
syntax is identical to that of the "p" tag defined above. If both syntax is identical to that of the "p" tag defined above. If both
the "sp" tag is absent, and the "np" tag is either absent or not the "sp" tag is absent and the "np" tag is either absent or not
applicable, the policy specified by the "p" tag MUST be applied applicable, the policy specified by the "p" tag MUST be applied
for subdomains. Note that "sp" will be ignored for DMARC Policy for subdomains. Note that "sp" will be ignored for DMARC Policy
Records published on subdomains of Organizational Domains and PSDs Records published on subdomains of Organizational Domains and PSDs
due to the effect of the DMARC Policy Discovery (#dmarc-policy- due to the effect of the DMARC policy discovery (Section 4.10.1).
discovery).
t: DMARC policy test mode (plain-text; OPTIONAL; default is "n"). t: DMARC policy test mode (plain-text; OPTIONAL; default is "n").
For the Author Domain to which the DMARC Policy Record applies, For the Author Domain to which the DMARC Policy Record applies,
the "t" tag serves as a signal to the actor performing DMARC the "t" tag serves as a signal to the actor performing DMARC
validation checks as to whether or not the Domain Owner wishes the validation checks as to whether or not the Domain Owner wishes the
Domain Owner Assessment Policy declared in the "p", "sp", and/or Domain Owner Assessment Policy declared in the "p", "sp", and/or
"np" tags to actually be applied. This tag does not affect the "np" tags to actually be applied. This tag does not affect the
generation of DMARC reports, and it has no effect on any policy generation of DMARC reports, and it has no effect on any policy
("p", "sp", or "np") that is "none". See Appendix A.6 for further ("p", "sp", or "np") that is "none". See Appendix A.6 for further
discussion of the use of this tag. Possible values are as discussion of the use of this tag. Possible values are as
follows: follows:
y: A request that the actor performing the DMARC validation check y: A request that the actor performing the DMARC validation check
not apply the policy, but instead apply any special handling not apply the policy, but instead apply any special handling
rules it might have in place, such as rewriting the rules it might have in place, such as rewriting the
RFC5322.From header field (see Appendix A.6). The Domain Owner RFC5322.From header field (see Appendix A.6). The Domain Owner
is currently testing its specified DMARC assessment policy, and is currently testing its specified DMARC assessment policy and
has an expectation that the policy applied to any failing has an expectation that the policy applied to any failing
messages will be one level below the specified policy. That messages will be one level below the specified policy. That
is, if the policy is "quarantine" and the value of the "t" tag is, if the policy is "quarantine" and the value of the "t" tag
is "y", a policy of "none" will be applied to failing messages; is "y", a policy of "none" will be applied to failing messages;
if the policy is "reject" and the value of the "t" tag is "y", if the policy is "reject" and the value of the "t" tag is "y",
a policy of "quarantine" will be applied to failing messages, a policy of "quarantine" will be applied to failing messages,
irrespective of any other special handling rules that might be irrespective of any other special handling rules that might be
triggered by the "t" tag having a value of "y". triggered by the "t" tag having a value of "y".
n: The default is a request to apply the Domain Owner Assessment n: The default is a request to apply the Domain Owner Assessment
Policy as specified to any message that produces a DMARC "fail" Policy as specified to any message that produces a DMARC "fail"
result. result.
v: Version (plain-text; REQUIRED). Identifies the record retrieved v: Version (plain-text; REQUIRED). Identifies the record retrieved
as a DMARC Policy Record. This tag MUST be the first tag in the as a DMARC Policy Record. This tag MUST be the first tag in the
list. The tag value is case sensitive, and the only possible list. The tag value is case sensitive, and the only possible
value is "DMARC1". If the tag is not the first in the list, or value is "DMARC1". If the tag is not the first in the list, the
the tag is absent, or the value is not "DMARC1", then the entire tag is absent, or the value is not "DMARC1", then the entire
record MUST be ignored. record MUST be ignored.
4.8. Formal Definition 4.8. Formal Definition
A DMARC Policy Record MUST comply with the formal definition of same A DMARC Policy Record MUST comply with the formal definition of same
found in this section. Unknown tags MUST be ignored. Syntax errors found in this section. Unknown tags MUST be ignored. Syntax errors
in the remainder of the record MUST be discarded in favor of default in the remainder of the record MUST be discarded in favor of default
values (if any) or ignored outright. values (if any) or ignored outright.
Because unknown tags MUST be ignored, the addition of a new tag into Because unknown tags MUST be ignored, the addition of a new tag into
the registered list of tags does not itself require a new version of the registered list of tags does not itself require a new version of
DMARC to be generated (with a corresponding change to the "v" tag's DMARC to be generated (with a corresponding change to the "v" tag's
value), but a change to any existing tags does require a new version value), but a change to any existing tags does require a new version
of DMARC. of DMARC.
The formal definition of the DMARC Policy Record format, using The formal definition of the DMARC Policy Record format, using ABNF
[RFC5234] and [RFC7405], is as follows: syntax as described in [RFC5234] and [RFC7405], is as follows:
dmarc-uri = URI dmarc-uri = URI
; "URI" is imported from [RFC3986]; ; "URI" is imported from [RFC3986];
; commas (ASCII 0x2C) and exclamation ; commas (ASCII 0x2C) and exclamation
; points (ASCII 0x21) MUST be ; points (ASCII 0x21) MUST be
; encoded ; encoded
obs-dmarc-uri = dmarc-uri obs-dmarc-report-size obs-dmarc-uri = dmarc-uri obs-dmarc-report-size
; Obsolete syntax, reporters should ignore the ; Obsolete syntax, reporters should ignore the
; obs-dmarc-report-size if it is found in a DMARC Policy Record. ; obs-dmarc-report-size if it is found in a
; DMARC Policy Record.
obs-dmarc-report-size = "!" 1*DIGIT [ "k" / "m" / "g" / "t" ] obs-dmarc-report-size = "!" 1*DIGIT [ "k" / "m" / "g" / "t" ]
dmarc-sep = *WSP ";" *WSP dmarc-sep = *WSP ";" *WSP
equals = *WSP "=" *WSP equals = *WSP "=" *WSP
dmarc-record = dmarc-version *(dmarc-sep dmarc-tag) [dmarc-sep] dmarc-record = dmarc-version *(dmarc-sep dmarc-tag) [dmarc-sep]
dmarc-tag = 1*ALPHA equals 1*dmarc-value dmarc-tag = 1*ALPHA equals 1*dmarc-value
; any printing characters but semicolon ; any printing characters but semicolon
dmarc-value = %x20-3A / %x3C-7E dmarc-value = %x20-3A / %x3C-7E
dmarc-version = "v" equals %s"DMARC1" ; case sensitive dmarc-version = "v" equals %s"DMARC1" ; case sensitive
; specialized syntax of DMARC values ; specialized syntax of DMARC values
dmarc-request = "none" / "quarantine" / "reject" dmarc-request = "none" / "quarantine" / "reject"
dmarc-yorn = "y" / "n" dmarc-yorn = "y" / "n"
dmarc-psd = "y" / "n" / "u" dmarc-psd = "y" / "n" / "u"
dmarc-rors = "r" / "s" dmarc-rors = "r" / "s"
dmarc-urilist = (dmarc-uri / obs-dmarc-uri) *(*WSP "," *WSP (dmarc-uri / obs-dmarc-uri)) dmarc-urilist = (dmarc-uri / obs-dmarc-uri) *(*WSP "," *WSP (dmarc-uri / obs-dmarc-uri))
dmarc-fo = ("0" / "1") *(":" dmarc-afrf) dmarc-fo = ("0" / "1") *(":" dmarc-afrf)
/ dmarc-afrf [":" ("0" / "1")] [":" dmarc-afrf] / dmarc-afrf [":" ("0" / "1")] [":" dmarc-afrf]
/ *(dmarc-afrf ":") ("0" / "1") / *(dmarc-afrf ":") ("0" / "1")
dmarc-afrf = "d" / "s" dmarc-afrf = "d" / "s"
; each may appear at most once in dmarc-fo ; each may appear at most once in dmarc-fo
In each dmarc-tag, the dmarc-value has a syntax that depends on the In each dmarc-tag, the dmarc-value has a syntax that depends on the
tag name. The ABNF rule for each dmarc-value is specified in the tag name. The ABNF rule for each dmarc-value is specified in the
following table: following table:
+==========+===============+ +==========+===============+
| Tag Name | Value Rule | | Tag Name | Value Rule |
+==========+===============+ +==========+===============+
| p | dmarc-request | | p | dmarc-request |
+----------+---------------+ +----------+---------------+
| t | dmarc-yorn | | t | dmarc-yorn |
+----------+---------------+ +----------+---------------+
| psd | dmarc-psd | | psd | dmarc-psd |
+----------+---------------+ +----------+---------------+
| np | dmarc-request | | np | dmarc-request |
+----------+---------------+ +----------+---------------+
| sp | dmarc-request | | sp | dmarc-request |
+----------+---------------+ +----------+---------------+
| adkim | dmarc-rors | | adkim | dmarc-rors |
+----------+---------------+ +----------+---------------+
| aspf | dmarc-rors | | aspf | dmarc-rors |
+----------+---------------+ +----------+---------------+
| rua | dmarc-urilist | | rua | dmarc-urilist |
+----------+---------------+ +----------+---------------+
| ruf | dmarc-urilist | | ruf | dmarc-urilist |
+----------+---------------+ +----------+---------------+
| fo | dmarc-fo | | fo | dmarc-fo |
+----------+---------------+ +----------+---------------+
Table 2: "Tag Names and Table 2: Tag Names and
Values" Values
4.9. Flow Diagram 4.9. Flow Diagram
+---------------+ +--------------------+ +---------------+ +--------------------+
| Author Domain |< . . . . . . . . . . . . | Return-Path Domain | | Author Domain |< . . . . . . . . . . . . | Return-Path Domain |
+---------------+ . +--------------------+ +---------------+ . +--------------------+
| . ^ | . ^
V V . V V .
+-----------+ +--------+ +----------+ v +-----------+ +--------+ +----------+ v
| MSA |<***>| DKIM | | DMARC | +----------+ | MSA |<***>| DKIM | | DMARC | +----------+
| Service | | Signer | | Validator|<***>| SPF | | Service | | Signer | | Validator|<***>| SPF |
+-----------+ +--------+ +----------+ * | Validator| +-----------+ +--------+ +----------+ * | Validator|
| ^ * +----------+ | ^ * +----------+
skipping to change at page 25, line 45 skipping to change at line 1141
flow, dotted lines (e.g., < . . >) represent DNS queries used to flow, dotted lines (e.g., < . . >) represent DNS queries used to
retrieve message policy related to the supported message retrieve message policy related to the supported message
authentication schemes, and starred lines (e.g., <**>) indicate data authentication schemes, and starred lines (e.g., <**>) indicate data
exchange between message-handling modules and message authentication exchange between message-handling modules and message authentication
modules. "sMTA" is the sending MTA, and "rMTA" is the receiving MTA. modules. "sMTA" is the sending MTA, and "rMTA" is the receiving MTA.
Put simply, when a message reaches a DMARC-aware rMTA, a DNS query Put simply, when a message reaches a DMARC-aware rMTA, a DNS query
will be initiated to determine if a DMARC Policy Record exists that will be initiated to determine if a DMARC Policy Record exists that
applies to the Author Domain. If a DMARC Policy Record is found, the applies to the Author Domain. If a DMARC Policy Record is found, the
rMTA will use the results of SPF and DKIM validation checks to rMTA will use the results of SPF and DKIM validation checks to
determine DMARC validation status. The DMARC validation status can determine the DMARC validation status. The DMARC validation status
then factor into the message handling decision made by the can then factor into the message handling decision made by the
recipient's mail system. recipient's mail system.
More details on specific actions for the parties involved can be More details on specific actions for the parties involved can be
found in Section 5.1 and Section 5.3. found in Sections 5.1 and 5.3.
4.10. DNS Tree Walk 4.10. DNS Tree Walk
An Organizational Domain (#organizational-domain) serves two An Organizational Domain (Section 3.2.14) serves two different
different purposes, depending on the context: purposes, depending on the context:
* The Organizational Domain of the Author Domain (#author-domain) * The Organizational Domain of the Author Domain (Section 3.2.2)
establishes the DMARC Policy Record (#dmarc-policy-record) for establishes the DMARC Policy Record (Section 3.2.6) for that
that domain when no DMARC Policy Record is published specifically domain when no DMARC Policy Record is published specifically for
for the Author Domain. (see Section 4.10.1) the Author Domain (see Section 4.10.1).
* The Organizational Domains of an Authenticated Identifier * The Organizational Domains of an Authenticated Identifier
(#authenticated-identifiers) and the Author Domain are used in (Section 3.2.1) and the Author Domain are used in determining
determining Identifier Alignment between the two. (see Identifier Alignment between the two (see Section 4.10.2).
Section 4.10.2).
[RFC7489] defined an Organizational Domain as "The domain that was [RFC7489] defined an Organizational Domain as "The domain that was
registered with a domain name registrar." RFC 7489 discussed using a registered with a domain name registrar". [RFC7489] discussed using
"public suffix" list (PSL) as the authoritative list of the parent a Public Suffix List (PSL) as the authoritative list of the parent
domains for Organizational Domains, and further described a method domains for Organizational Domains and further described a method for
for determining the Organizational Domain of an Author Domain or an determining the Organizational Domain of an Author Domain or an
Authenticated Identifier. However, RFC 7489 mandated no requirement Authenticated Identifier. However, [RFC7489] mandated no requirement
for a specific PSL for Mail Receivers to use (though it did suggest for a specific PSL for Mail Receivers to use (though it did suggest
the one found at https://publicsuffix.org/ the one found at <https://publicsuffix.org/>) nor did it provide any
(https://publicsuffix.org/)) nor did it provide any guidance for the guidance for the frequency of regular retrieval of the PSL by Mail
frequency of regular retrieval of the PSL by Mail Receivers Receivers participating in DMARC. [RFC7489] acknowledged the
participating in DMARC. RFC 7489 acknowledged the possibility of possibility of interoperability issues caused by Mail Receivers
interoperability issues caused by Mail Receivers choosing different choosing different PSLs and even suggested that if a more reliable
PSLs, and even suggested that if a more reliable and secure method and secure method for determining the Organizational Domain could be
for determining the Organizational Domain could be created, that created, that method should replace reliance on a PSL.
method should replace reliance on a public suffix list.
This update to DMARC offers more flexibility to Domain Owners, This update to DMARC offers more flexibility to Domain Owners,
especially those with large, complex organizations that might want to especially those with large, complex organizations that might want to
apply decentralized management to their DNS and their DMARC Policy apply decentralized management to their DNS and their DMARC Policy
Records. Rather than just using a public suffix list to help Records. Rather than just using a Public Suffix List to help
identify an Organizational Domain, this update defines a discovery identify an Organizational Domain, this update defines a discovery
technique known colloquially as the "DNS Tree Walk". The target of technique known colloquially as the "DNS Tree Walk". The target of
any DNS Tree Walk is discovery of a valid DMARC Policy Record, and any DNS Tree Walk is discovery of a valid DMARC Policy Record, and
its use in determining an Organizational Domain allows for publishing its use in determining an Organizational Domain allows for publishing
DMARC Policy Records at multiple points in the namespace. DMARC Policy Records at multiple points in the namespace.
This flexibility comes at a possible cost, however. Since the DNS However, this flexibility comes at a possible cost. Since the DNS
Tree Walk relies on the Mail Receiver making a series of DNS queries, Tree Walk relies on the Mail Receiver making a series of DNS queries,
the potential exists for an ill-intentioned Domain Owner to send mail the potential exists for an ill-intentioned Domain Owner to send mail
with Author Domains with tens or even hundreds of labels for the with Author Domains with tens or even hundreds of labels for the
purpose of executing a Denial of Service Attack on the Mail Receiver. purpose of executing a denial-of-service attack on the Mail Receiver.
To guard against such abuse of the DNS, a shortcut is built into the To guard against such abuse of the DNS, a shortcut is built into the
process so that Author Domains with more than eight labels do not process so that Author Domains with more than eight labels do not
result in more than eight DNS queries. Observed data at the time of result in more than eight DNS queries. Observed data at the time of
publication showed that Author Domains with up to seven labels were publication showed that Author Domains with up to seven labels were
in usage, and so eight was chosen as the query limit to allow for in usage, and so eight was chosen as the query limit to allow for
some future expansion of the name space that did not require updating some future expansion of the namespace that did not require updating
this document. this document.
The generic steps for a DNS Tree Walk are as follows: The generic steps for a DNS Tree Walk are as follows:
1. Query the DNS for a TXT record that matches the format of a DMARC 1. Query the DNS for a TXT record that matches the format of a DMARC
Policy Record at the starting point for the Tree Walk. The Policy Record at the starting point for the Tree Walk. The
starting point for the DNS Tree Walk will depend on the ultimate starting point for the DNS Tree Walk will depend on the ultimate
target of the DNS Tree Walk. Section 4.10.1 and Section 4.10.2 target of the DNS Tree Walk. Sections 4.10.1 and 4.10.2 describe
describe the possible starting points. A possibly empty set of the possible starting points. A possibly empty set of records is
records is returned. returned.
2. Records that do not start with a "v" tag that identifies the 2. Records that do not start with a "v" tag that identifies the
current version of DMARC are discarded. If multiple DMARC Policy current version of DMARC are discarded. If multiple DMARC Policy
Records are returned for a single target, they are all discarded. Records are returned for a single target, they are all discarded.
If a single record remains and it contains a "psd=n" or "psd=y" If a single record remains and it contains a "psd=n" or "psd=y"
tag, stop. tag, stop.
3. Break the subject DNS domain name into a set of ordered labels. 3. Break the subject DNS domain name into a set of ordered labels.
Assign the count of labels to "x", and number the labels from Assign the count of labels to "x", and number the labels from
right to left; e.g., for "a.mail.example.com", "x" would be right to left, e.g., for "a.mail.example.com", "x" would be
assigned the value 4, "com" would be label 1, "example" would be assigned the value 4, "com" would be label 1, "example" would be
label 2, "mail" would be label 3, and so forth. label 2, "mail" would be label 3, and so forth.
4. If x < 8, remove the left-most (highest-numbered) label from the 4. If x < 8, remove the left-most (highest-numbered) label from the
subject domain. If x >= 8, remove the left-most (highest- subject domain. If x >= 8, remove the left-most (highest-
numbered) labels from the subject domain until 7 labels remain. numbered) labels from the subject domain until 7 labels remain.
The resulting DNS domain name is the new target for the next The resulting DNS domain name is the new target for the next
lookup. lookup.
5. Query the DNS for a DMARC Policy Record at the DNS domain name 5. Query the DNS for a DMARC Policy Record at the DNS domain name
skipping to change at page 28, line 11 skipping to change at line 1248
label from the target of the previous query. Repeat steps 5, 6, label from the target of the previous query. Repeat steps 5, 6,
and 7 until the process stops or there are no more labels and 7 until the process stops or there are no more labels
remaining. remaining.
To illustrate, for a message with the arbitrary Author Domain of To illustrate, for a message with the arbitrary Author Domain of
"a.b.c.d.e.f.g.h.i.j.mail.example.com", a full DNS Tree Walk would "a.b.c.d.e.f.g.h.i.j.mail.example.com", a full DNS Tree Walk would
require the following eight queries to potentially locate the DMARC require the following eight queries to potentially locate the DMARC
Policy Record or Organizational Domain: Policy Record or Organizational Domain:
* _dmarc.a.b.c.d.e.f.g.h.i.j.mail.example.com * _dmarc.a.b.c.d.e.f.g.h.i.j.mail.example.com
* _dmarc.g.h.i.j.mail.example.com * _dmarc.g.h.i.j.mail.example.com
* _dmarc.h.i.j.mail.example.com * _dmarc.h.i.j.mail.example.com
* _dmarc.i.j.mail.example.com * _dmarc.i.j.mail.example.com
* _dmarc.j.mail.example.com * _dmarc.j.mail.example.com
* _dmarc.mail.example.com * _dmarc.mail.example.com
* _dmarc.example.com * _dmarc.example.com
* _dmarc.com * _dmarc.com
4.10.1. DMARC Policy Discovery 4.10.1. DMARC Policy Discovery
The DMARC Policy Record to be applied to an email message will be the The DMARC Policy Record to be applied to an email message will be the
record found at any of the following locations, listed from highest record found at any of the following locations, listed from highest
preference to lowest: preference to lowest:
* The Author Domain * The Author Domain
* The Organizational Domain of the Author Domain * The Organizational Domain of the Author Domain
* The Public Suffix Domain of the Author Domain * The Public Suffix Domain of the Author Domain
Policy discovery starts first with a query for a valid DMARC Policy Policy discovery first starts with a query for a valid DMARC Policy
Record at the name created by prepending the label "_dmarc" to the Record at the name created by prepending the label "_dmarc" to the
Author Domain of the message being evaluated. If a valid DMARC Author Domain of the message being evaluated. If a valid DMARC
Policy Record is found there, then this is the DMARC Policy Record to Policy Record is found there, then this is the DMARC Policy Record to
be applied to the message; however, this does not necessarily mean be applied to the message; however, this does not necessarily mean
that the Author Domain is the Organizational Domain to be used in that the Author Domain is the Organizational Domain to be used in
Identifier Alignment checks. Whether this is also the Organizational Identifier Alignment checks. Whether this is also the Organizational
Domain is dependent on the value of the "psd" tag, if present, or Domain is dependent on the value of the "psd" tag, if present, or
some conditions described in Section 4.10.2. some conditions described in Section 4.10.2.
If no valid DMARC Policy Record is found by the first query, then If no valid DMARC Policy Record is found by the first query, then
skipping to change at page 28, line 46 skipping to change at line 1292
Domain is dependent on the value of the "psd" tag, if present, or Domain is dependent on the value of the "psd" tag, if present, or
some conditions described in Section 4.10.2. some conditions described in Section 4.10.2.
If no valid DMARC Policy Record is found by the first query, then If no valid DMARC Policy Record is found by the first query, then
perform a DNS Tree Walk to find the Author Domain's Organizational perform a DNS Tree Walk to find the Author Domain's Organizational
Domain or its Public Suffix Domain. The starting point for this DNS Domain or its Public Suffix Domain. The starting point for this DNS
Tree Walk is determined as follows: Tree Walk is determined as follows:
* If the Author Domain has eight or fewer labels, the starting point * If the Author Domain has eight or fewer labels, the starting point
will be the immediate parent domain of the Author Domain. will be the immediate parent domain of the Author Domain.
* Otherwise, the starting point will be the name produced by * Otherwise, the starting point will be the name produced by
shortening the Author Domain as described starting in step 3 of shortening the Author Domain as described starting in step 3 of
Section 4.10. Section 4.10.
If the DMARC Policy Record to be applied is that of the Author If the DMARC Policy Record to be applied is that of the Author
Domain, then the Domain Owner Assessment Policy is taken from the "p" Domain, then the Domain Owner Assessment Policy is taken from the "p"
tag of the record. tag of the record.
If the DMARC Policy Record to be applied is that of either the If the DMARC Policy Record to be applied is that of either the
Organizational Domain or the Public Suffix Domain and the Author Organizational Domain or the Public Suffix Domain and the Author
Domain is a subdomain of that domain, then the Domain Owner Domain is a subdomain of that domain, then the Domain Owner
Assessment Policy is taken from the "sp" tag (if any) if the Author Assessment Policy is taken from the "sp" tag (if any) if the Author
Domain exists, or the "np" tag (if any) if the Author Domain does not Domain exists or the "np" tag (if any) if the Author Domain does not
exist. In the absence of applicable "sp" or "np" tags, the "p" tag exist. In the absence of applicable "sp" or "np" tags, the "p" tag
policy is used for subdomains. policy is used for subdomains.
If a retrieved DMARC Policy Record does not contain a valid "p" tag, If a retrieved DMARC Policy Record does not contain a valid "p" tag,
or contains an "sp" or "np" tag that is not valid, then: or contains an "sp" or "np" tag that is not valid, then:
* If a "rua" tag is present and contains at least one syntactically * If a "rua" tag is present and contains at least one syntactically
valid reporting URI, the Mail Receiver MUST act as if a record valid reporting URI, the Mail Receiver MUST act as if a record
containing "p=none" was retrieved and continue processing; containing "p=none" was retrieved and continue processing.
* Otherwise, the Mail Receiver applies no DMARC processing to this * Otherwise, the Mail Receiver applies no DMARC processing to this
message. message.
If the set produced by the DNS Tree Walk contains no DMARC Policy If the set produced by the DNS Tree Walk contains no DMARC Policy
Record (i.e., any indication that there is no such record as opposed Record (i.e., any indication that there is no such record as opposed
to a transient DNS error), Mail Receivers MUST NOT apply the DMARC to a transient DNS error), Mail Receivers MUST NOT apply the DMARC
mechanism to the message. mechanism to the message.
Handling of DNS errors when querying for the DMARC Policy Record is Handling of DNS errors when querying for the DMARC Policy Record is
skipping to change at page 30, line 5 skipping to change at line 1349
It may be necessary to perform multiple DNS Tree Walks to determine It may be necessary to perform multiple DNS Tree Walks to determine
if an Authenticated Identifier and an Author Domain are in alignment, if an Authenticated Identifier and an Author Domain are in alignment,
meaning that they have either the same Organizational Domain (relaxed meaning that they have either the same Organizational Domain (relaxed
alignment) or that they're identical (strict alignment). DNS Tree alignment) or that they're identical (strict alignment). DNS Tree
Walks done to discover an Organizational Domain for use in Identifier Walks done to discover an Organizational Domain for use in Identifier
Alignment Evaluation might start at any of the following locations: Alignment Evaluation might start at any of the following locations:
* The Author Domain of the message being evaluated. * The Author Domain of the message being evaluated.
* The SPF-Authenticated Identifier if there is an SPF pass result * The SPF-Authenticated Identifier if there is an SPF "pass" result
for the message being evaluated. for the message being evaluated.
* Any DKIM-Authenticated Identifier if one or more DKIM pass results
exist for the message being evaluated. * Any DKIM-Authenticated Identifier if one or more DKIM "pass"
results exist for the message being evaluated.
Note: There is no need to perform Identifier Alignment Evaluations Note: There is no need to perform Identifier Alignment Evaluations
under any of the following conditions: under any of the following conditions:
* The Author Domain and the Authenticated Identifier(s) are all the * The Author Domain and the Authenticated Identifier(s) are all the
same domain, and there is a DMARC Policy Record published for that same domain, and there is a DMARC Policy Record published for that
domain. In this case, this common domain is treated as the domain. In this case, this common domain is treated as the
Organizational Domain. For example, if the common domain in Organizational Domain. For example, if the common domain in
question is "mail.example.com", and there is a valid DMARC Policy question is "mail.example.com", and there is a valid DMARC Policy
Record published at "_dmarc.mail.example.com", then Record published at "_dmarc.mail.example.com", then
skipping to change at page 30, line 20 skipping to change at line 1365
Note: There is no need to perform Identifier Alignment Evaluations Note: There is no need to perform Identifier Alignment Evaluations
under any of the following conditions: under any of the following conditions:
* The Author Domain and the Authenticated Identifier(s) are all the * The Author Domain and the Authenticated Identifier(s) are all the
same domain, and there is a DMARC Policy Record published for that same domain, and there is a DMARC Policy Record published for that
domain. In this case, this common domain is treated as the domain. In this case, this common domain is treated as the
Organizational Domain. For example, if the common domain in Organizational Domain. For example, if the common domain in
question is "mail.example.com", and there is a valid DMARC Policy question is "mail.example.com", and there is a valid DMARC Policy
Record published at "_dmarc.mail.example.com", then Record published at "_dmarc.mail.example.com", then
"mail.example.com" is the Organizational Domain. "mail.example.com" is the Organizational Domain.
* No applicable DMARC Policy Record is discovered for the Author * No applicable DMARC Policy Record is discovered for the Author
Domain. In this case, the DMARC mechanism does not apply to the Domain. In this case, the DMARC mechanism does not apply to the
message in question. message in question.
* The DMARC Policy Record for the Author Domain indicates strict * The DMARC Policy Record for the Author Domain indicates strict
alignment. In this case, a simple string comparison of the Author alignment. In this case, a simple string comparison of the Author
Domain and the Authenticated Identifier(s) is all that is Domain and the Authenticated Identifier(s) is all that is
required. required.
To discover the Organizational Domain for a domain, perform the DNS To discover the Organizational Domain for a domain, perform the DNS
Tree Walk described in Section 4.10 as needed for any of the domains Tree Walk described in Section 4.10 as needed for any of the domains
in question. in question.
For each Tree Walk that retrieved valid DMARC Policy Records, select For each Tree Walk that retrieved valid DMARC Policy Records, select
the Organizational Domain from the domains for which valid DMARC the Organizational Domain from the domains for which valid DMARC
Policy Records were retrieved from the longest to the shortest: Policy Records were retrieved from the longest to the shortest:
1. If a valid DMARC Policy Record contains the "psd" tag set to "n" 1. If a valid DMARC Policy Record contains the "psd" tag set to "n"
("psd=n"), this is the Organizational Domain, and the selection ("psd=n"), this is the Organizational Domain, and the selection
process is complete. process is complete.
2. If a valid DMARC Policy Record, other than the one for the domain 2. If a valid DMARC Policy Record, other than the one for the domain
where the tree walk started, contains the "psd" tag set to "y" where the Tree Walk started, contains the "psd" tag set to "y"
("psd=y"), the Organizational Domain is the domain one label ("psd=y"), the Organizational Domain is the domain one label
below this one in the DNS hierarchy, and the selection process is below this one in the DNS hierarchy, and the selection process is
complete. For example, if in the course of a tree walk a DMARC complete. For example, if in the course of a Tree Walk a DMARC
Policy Record is queried for at first "_dmarc.mail.example.com" Policy Record is queried for at first "_dmarc.mail.example.com"
and then "_dmarc.example.com", and a valid DMARC Policy Record and then "_dmarc.example.com", and a valid DMARC Policy Record
containing the "psd" tag set to "y" is found at containing the "psd" tag set to "y" is found at
"_dmarc.example.com", then "mail.example.com" is the domain one "_dmarc.example.com", then "mail.example.com" is the domain one
label below "example.com" in the DNS hierarchy and is thus the label below "example.com" in the DNS hierarchy and is thus the
Organizational Domain. Organizational Domain.
3. Otherwise, select the DMARC Policy Record found at the name with 3. Otherwise, select the DMARC Policy Record found at the name with
the fewest number of labels. This is the Organizational Domain the fewest number of labels. This is the Organizational Domain
and the selection process is complete. and the selection process is complete.
skipping to change at page 31, line 34 skipping to change at line 1428
"mail.example.com". "mail.example.com".
As a last example, given the starting domain "a.mail.example.com", if As a last example, given the starting domain "a.mail.example.com", if
a search for the Organizational Domain only yields a DMARC Policy a search for the Organizational Domain only yields a DMARC Policy
Record at "_dmarc.com" and that record contains the tag "psd=y", then Record at "_dmarc.com" and that record contains the tag "psd=y", then
the Organizational Domain for this domain would be "example.com". the Organizational Domain for this domain would be "example.com".
5. DMARC Participation 5. DMARC Participation
This section describes the actions for participating in DMARC for This section describes the actions for participating in DMARC for
each of three unique entities - Domain Owners, PSOs, and Mail each of three unique entities -- Domain Owners, PSOs, and Mail
Receivers. Receivers.
5.1. Domain Owner Actions 5.1. Domain Owner Actions
A Domain Owner (#domain-owner) wishing to fully participate in DMARC A Domain Owner (Section 3.2.7) wishing to fully participate in DMARC
will publish a DMARC Policy Record (#dmarc-policy-record) to cover will publish a DMARC Policy Record (Section 3.2.6) to cover each
each Author Domain (#author-domain) and corresponding Organizational Author Domain (Section 3.2.2) and corresponding Organizational Domain
Domain (#organizational-domain) to which DMARC validation should (Section 3.2.14) to which DMARC validation should apply; will send
apply, send email that produces at least one, and preferably two, email that produces at least one -- preferably two -- Authenticated
Authenticated Identifiers (#authenticated-identifiers) that align Identifiers (Section 3.2.1) that align with the Author Domain; will
with the Author Domain, will receive and monitor the content of DMARC receive and monitor the content of DMARC aggregate reports; and will
aggregate reports, and will correct any authentication shortcomings correct any authentication shortcomings in mail making authorized use
in mail making authorized use of its domains. of its domains.
The following sections describe how to achieve this. The following sections describe how to achieve this.
5.1.1. Publish an SPF Record for an Aligned Domain 5.1.1. Publish an SPF Record for an Aligned Domain
To configure SPF for DMARC, the Domain Owner MUST send mail that has To configure SPF for DMARC, the Domain Owner MUST send mail that has
an RFC5321.MailFrom domain that will produce an SPF-Authenticated an RFC5321.MailFrom domain that will produce an SPF-Authenticated
Identifier (#spf-identifiers) that has Identifier Alignment Identifier (Section 4.4.2) that has Identifier Alignment
(#identifier-alignment-explained) with the Author Domain. (Section 4.4) with the Author Domain.
5.1.2. Configure Sending System for DKIM Signing Using an Aligned 5.1.2. Configure Sending System for DKIM Signing Using an Aligned
Domain Domain
To configure DKIM for DMARC, the Domain Owner MUST send mail that has To configure DKIM for DMARC, the Domain Owner MUST send mail that has
a DKIM Signing Domain (#dkim-signing-domain) that will produce a a DKIM Signing Domain (Section 3.2.3) that will produce a
DKIM-Authenticated Identifier (#dkim-identifiers) that has Identifier DKIM-Authenticated Identifier (Section 4.4.1) that has Identifier
Alignment (#identifier-alignment-explained) with the Author Domain. Alignment (Section 4.4) with the Author Domain.
5.1.3. Set Up a Mailbox to Receive Aggregate Reports 5.1.3. Set Up a Mailbox to Receive Aggregate Reports
Proper consumption and analysis of DMARC aggregate reports are Proper consumption and analysis of DMARC aggregate reports are
essential to any successful DMARC deployment for a Domain Owner. essential to any successful DMARC deployment for a Domain Owner.
DMARC aggregate reports, which are defined in DMARC aggregate reports, which are defined in [RFC9990], contain
[I-D.ietf-dmarc-aggregate-reporting], contain valuable data for the valuable data for the Domain Owner, showing sources of mail using the
Domain Owner, showing sources of mail using the Author Domain. Author Domain.
5.1.4. Publish a DMARC Policy Record for the Author Domain and 5.1.4. Publish a DMARC Policy Record for the Author Domain and
Organizational Domain Organizational Domain
Once SPF, DKIM, and the aggregate reports mailbox are all in place, Once SPF, DKIM, and the aggregate reports mailbox are all in place,
it's time to publish a DMARC Policy Record. For best results, Domain it's time to publish a DMARC Policy Record. For best results, Domain
Owners usually start with "p=none", (see Section 5.1.5) with the Owners usually start with "p=none" (see Section 5.1.5) with the "rua"
"rua" tag containing a URI that references the mailbox created in the tag containing a URI that references the mailbox created in the
previous step. This is commonly referred to as putting the Author previous step. This is commonly referred to as putting the Author
Domain into Monitoring Mode (#monitoring-mode). If the Domain into Monitoring Mode (Section 3.2.12). If the Organizational
Organizational Domain is different from the Author Domain, a record Domain is different from the Author Domain, a record also needs to be
also needs to be published for the Organizational Domain. published for the Organizational Domain.
5.1.5. Collect and Analyze Reports 5.1.5. Collect and Analyze Reports
The reason for starting at "p=none" is to ensure that nothing's been The reason for starting at "p=none" is to ensure that nothing's been
missed in the initial SPF and DKIM deployments. In all but the most missed in the initial SPF and DKIM deployments. In all but the most
trivial setups, a Domain Owner can overlook a server here or be trivial setups, a Domain Owner can overlook a server here or be
unaware of a third party sending agreement there. Starting at unaware of a third-party sending agreement there. Starting at
"p=none", therefore, takes advantage of DMARC's aggregate reporting "p=none", therefore, takes advantage of DMARC's aggregate reporting
function, with the Domain Owner using the reports to audit its own function, with the Domain Owner using the reports to audit its own
mail streams' authentication configurations. mail streams' authentication configurations.
While it is possible for a human to read aggregate reports, they are While it is possible for a human to read aggregate reports, they are
formatted in such a way that it is recommended that they be machine- formatted in such a way that it is recommended that they be machine-
parsed, so setting up a mailbox involves more than just the physical parsed, so setting up a mailbox involves more than just the physical
creation of that mailbox. Many third-party services exist that will creation of that mailbox. Many third-party services exist that will
process DMARC aggregate reports or the Domain Owner can create its process DMARC aggregate reports, or the Domain Owner can create its
own set of tools. No matter which method is chosen, the ability to own set of tools. No matter which method is chosen, the ability to
consume these reports and parse the data contained in them will go a consume these reports and parse the data contained in them will go a
long way to ensuring a successful deployment. long way to ensuring a successful deployment.
5.1.6. Remediate Unaligned or Unauthenticated Mail Streams 5.1.6. Remediate Unaligned or Unauthenticated Mail Streams
DMARC aggregate reports can reveal to the Domain Owner mail streams DMARC aggregate reports can reveal to the Domain Owner mail streams
using the Author Domain but not passing DMARC validation checks. using the Author Domain but not passing DMARC validation checks.
These mail streams may be a combination of illegitimate uses of the These mail streams may be a combination of illegitimate uses of the
domain, such as spoofing or other attempted abuse, and legitimate domain, such as spoofing or other attempted abuse, and legitimate
uses, as in the case of a mail stream created by an agent of the uses, as in the case of a mail stream created by an agent of the
Domain Owner but one which is not passing is due to Authenticated Domain Owner but one that is not passing due to Authenticated
Identifiers being unaligned or missing entirely. For such legitimate Identifiers being unaligned or missing entirely. For such legitimate
uses, these shortcomings MUST be addressed prior to any attempt by uses, these shortcomings MUST be addressed prior to any attempt by
the Domain Owner to publish a Domain Owner Assessment Policy the Domain Owner to publish a Domain Owner Assessment Policy
(#domain-owner-policy) of Enforcement (#enforcement) for the Author (Section 3.2.8) of Enforcement (Section 3.2.9) for the Author Domain.
Domain.
5.1.7. Decide Whether to Update Domain Owner Assessment Policy to 5.1.7. Decide Whether to Update Domain Owner Assessment Policy to
Enforcement Enforcement
Once the Domain Owner is satisfied that it is properly authenticating Once the Domain Owner is satisfied that it is properly authenticating
all of its mail, then it is time to decide if it is appropriate to all of its mail, then it is time to decide if it is appropriate to
change its Domain Owner Assessment Policy to Enforcement change its Domain Owner Assessment Policy to Enforcement
(#enforcement). Depending on its cadence for sending mail, it may (Section 3.2.9). Depending on its cadence for sending mail, it may
take many months of consuming DMARC aggregate reports before a Domain take many months of consuming DMARC aggregate reports before a Domain
Owner reaches the point where it is sure that it is properly Owner reaches the point where it is sure that it is properly
authenticating all of its mail, and the decision on which "p" value authenticating all of its mail, and the decision on which "p" value
to use will depend on its needs. to use will depend on its needs.
In making this decision it is important to understand the In making this decision, it is important to understand the
interoperability issues involved and problems that can result for interoperability issues involved and problems that can result for
mailing lists and for delivery of legitimate mail. Those issues are mailing lists and for delivery of legitimate mail. Those issues are
discussed in detail in Section 7.4 discussed in detail in Section 7.4
5.1.8. A Note on Large, Complex Organizations and Decentralized DNS 5.1.8. A Note on Large, Complex Organizations and Decentralized DNS
Management Management
Large, complex organizations frequently adopt a decentralized model Large, complex organizations frequently adopt a decentralized model
for DNS management, whereby management of a subtree of the name space for DNS management, whereby management of a subtree of the namespace
is delegated to a local department by the central IT organization. is delegated to a local department by the central IT organization.
In such situations, the "psd" tag makes it possible for those local In such situations, the "psd" tag makes it possible for those local
departments to declare any arbitrary node in their subtree as an departments to declare any arbitrary node in their subtree as an
Organizational Domain. This would be accomplished by publishing a Organizational Domain. This would be accomplished by publishing a
DMARC Policy Record at that node with the "psd" tag set to "n". The DMARC Policy Record at that node with the "psd" tag set to "n". The
reasons that departments might declare their own Organizational reasons that departments might declare their own Organizational
Domains include a desire to have different policy settings or Domains include a desire to have different policy settings or
reporting URIs than the DMARC Policy Record published for the apex reporting URIs than the DMARC Policy Record published for the apex
domain. domain.
skipping to change at page 34, line 13 skipping to change at line 1549
reasons that departments might declare their own Organizational reasons that departments might declare their own Organizational
Domains include a desire to have different policy settings or Domains include a desire to have different policy settings or
reporting URIs than the DMARC Policy Record published for the apex reporting URIs than the DMARC Policy Record published for the apex
domain. domain.
Such configurations would work in theory, and they might involve Such configurations would work in theory, and they might involve
domain names with many labels, reflecting the structure of the domain names with many labels, reflecting the structure of the
organization, for example: organization, for example:
* Apex domain (DMARC Policy Record published here): example.com * Apex domain (DMARC Policy Record published here): example.com
* Zone cut domain (DMARC Policy Record with "psd=n" published here): * Zone cut domain (DMARC Policy Record with "psd=n" published here):
b.c.d.e.f.g.example.com b.c.d.e.f.g.example.com
* Author Domain: mail.a.b.c.d.e.f.g.example.com * Author Domain: mail.a.b.c.d.e.f.g.example.com
However, Domain Owners should be aware that due to the anti-abuse However, Domain Owners should be aware that due to the anti-abuse
protections built into the DNS Tree Walk (#dns-tree-walk), the DMARC protections built into the DNS Tree Walk (Section 4.10), the DMARC
Policy Record published at the zone cut domain in this example will Policy Record published at the zone cut domain in this example will
never be discovered. A Mail Receiver performing a Tree Walk would never be discovered. A Mail Receiver performing a Tree Walk would
only perform queries for these names: only perform queries for these names:
* _dmarc.mail.a.b.c.d.e.f.g.example.com * _dmarc.mail.a.b.c.d.e.f.g.example.com
* _dmarc.c.d.e.f.g.example.com * _dmarc.c.d.e.f.g.example.com
* _dmarc.d.e.f.g.example.com * _dmarc.d.e.f.g.example.com
* _dmarc.e.f.g.example.com * _dmarc.e.f.g.example.com
* _dmarc.f.g.example.com * _dmarc.f.g.example.com
* _dmarc.g.example.com * _dmarc.g.example.com
* _dmarc.example.com * _dmarc.example.com
* _dmarc.com * _dmarc.com
To avoid this circumstance, Domain Owners wishing to have a specific To avoid this circumstance, Domain Owners wishing to have a specific
DMARC Policy Record applied to a given Author Domain (#author-domain) DMARC Policy Record applied to a given Author Domain (Section 3.2.2)
longer than eight labels MUST publish a DMARC Policy Record at that longer than eight labels MUST publish a DMARC Policy Record at that
domain's location in the DNS namespace, as such records are always domain's location in the DNS namespace, as such records are always
queried by Mail Receivers that participate in DMARC before the Tree queried by Mail Receivers that participate in DMARC before the Tree
Walk begins. In the above example, this would mean publishing a Walk begins. In the above example, this would mean publishing a
DMARC Policy Record at the name DMARC Policy Record at the name
"_dmarc.mail.a.b.c.d.e.f.g.example.com.". "_dmarc.mail.a.b.c.d.e.f.g.example.com.".
5.2. PSO Actions 5.2. PSO Actions
In addition to the DMARC Domain Owner actions, if a PSO (#public- In addition to the DMARC Domain Owner actions, if a PSO
suffix-operator) publishes a DMARC Policy Record it MUST include the (Section 3.2.16) publishes a DMARC Policy Record, it MUST include the
"psd" tag (see Section 4.7) with a value of "y" ("psd=y"). "psd" tag (see Section 4.7) with a value of "y" ("psd=y").
5.3. Mail Receiver Actions 5.3. Mail Receiver Actions
Mail Receivers (#mail-receiver) wishing to fully participate in DMARC Mail Receivers (Section 3.2.11) wishing to fully participate in DMARC
will apply the DMARC mechanism to inbound email messages when a DMARC will apply the DMARC mechanism to inbound email messages when a DMARC
Policy Record (#dmarc-policy-record) exists that applies to the Policy Record (Section 3.2.6) exists that applies to the Author
Author Domain (#author-domain), and will send aggregate feedback Domain (Section 3.2.2) and will send aggregate feedback reports to
reports to Domain Owners that request them. Mail Receivers might Domain Owners that request them. Mail Receivers might also send
also send failure reports to Domain Owners that request them. The failure reports to Domain Owners that request them. The following
following sections describe how to achieve this. sections describe how to achieve this.
The steps for applying the DMARC mechanism to an email message can The steps for applying the DMARC mechanism to an email message can
take place during the SMTP transaction, and should do so if the Mail take place during the SMTP transaction and should do so if the Mail
Receiver plans to honor Domain Owner Assessment Policies (#domain- Receiver plans to honor Domain Owner Assessment Policies
owner-policy) that are at the Enforcement (#enforcement) state. (Section 3.2.8) that are at the Enforcement (Section 3.2.9) state.
Many Mail Receivers perform one or both of the underlying Many Mail Receivers perform one or both of the underlying
Authentication Mechanisms (#authentication-mechanisms) on inbound Authentication Mechanisms (Section 4.3) on inbound messages even in
messages even in cases where no DMARC Policy Record exists for the cases where no DMARC Policy Record exists for the Author Domain of a
Author Domain of a given message, or where the Mail Receiver is not given message, or where the Mail Receiver is not participating in
participating in DMARC. Nothing in this section is intended to imply DMARC. Nothing in this section is intended to imply that the
that the underlying Authentication Mechanisms should only be underlying authentication mechanisms should only be performed by Mail
performed by Mail Receivers participating in DMARC. Receivers participating in DMARC.
5.3.1. Extract Author Domain 5.3.1. Extract Author Domain
Once the email message has been transmitted to the Mail Receiver, the Once the email message has been transmitted to the Mail Receiver, the
Mail Receiver extracts the domain in the RFC5322.From header field as Mail Receiver extracts the domain in the RFC5322.From header field as
the Author Domain. If the domain is a U-label, the domain MUST be the Author Domain. If the domain is a U-label, the domain MUST be
converted to an A-label, as described in Section 2.3 of [RFC5890], converted to an A-label, as described in Section 2.3 of [RFC5890],
for further processing. for further processing.
If zero or more than one domain is extracted from the RFC5322.From If zero or more than one domain is extracted from the RFC5322.From
header field, then DMARC validation is not possible and the process header field, then DMARC validation is not possible and the process
terminates. In the case where more than one domain is retrieved, the terminates. In the case where more than one domain is retrieved, the
Mail Receiver MAY choose to go forward with DMARC validation anyway. Mail Receiver MAY choose to go forward with DMARC validation anyway.
See Section 11.5 for further discussion. See Section 11.5 for further discussion.
5.3.2. Determine If The DMARC Mechanism Applies 5.3.2. Determine If the DMARC Mechanism Applies
If precisely one Author Domain exists for the message, then perform If precisely one Author Domain exists for the message, then perform
the step described in DMARC Policy Discovery (#dmarc-policy- the step described in "DMARC Policy Discovery" (Section 4.10.1) to
discovery) to determine if the DMARC mechanism applies. If a DMARC determine if the DMARC mechanism applies. If a DMARC Policy Record
Policy Record (#dmarc-policy-record) is not discovered during this (Section 3.2.6) is not discovered during this step, then the DMARC
step, then the DMARC mechanism does not apply and DMARC validation mechanism does not apply and DMARC validation terminates for the
terminates for the message. message.
5.3.3. Determine If Authenticated Identifiers Exist 5.3.3. Determine If Authenticated Identifiers Exist
For each Authentication Mechanism underlying DMARC, perform the For each authentication mechanism underlying DMARC, perform the
required check to determine if an Authenticated Identifier required check to determine if an Authenticated Identifier
(#authenticated-identifier) exists for the message if such check has (Section 3.2.1) exists for the message if such check has not already
not already been performed. Results from each check must be been performed. Results from each check must be preserved for later
preserved for later use as follows: use as follows:
* For SPF, the preserved results MUST include "pass" or "fail". If
the result is "fail", it SHOULD include information about the
reasons for failure, if available. The results MUST further
include the domain name used to complete the SPF check.
* For SPF, the preserved results MUST include "pass" or "fail", and
if "fail", SHOULD include information about the reasons for
failure if available. The results MUST further include the domain
name used to complete the SPF check.
* For DKIM signature validation checks, for each signature checked, * For DKIM signature validation checks, for each signature checked,
the results MUST include "pass" or "fail", and if "fail", SHOULD the results MUST include "pass" or "fail". If the result is
include information about the reasons for failure. The results "fail", it SHOULD include information about the reasons for
MUST further include the value of the "d" and "s" tags from each failure. The results MUST further include the value of the "d"
checked DKIM signature. and "s" tags from each checked DKIM signature.
5.3.4. Conduct Identifier Alignment Checks If Necessary 5.3.4. Conduct Identifier Alignment Checks If Necessary
For each Authenticated Identifier found in the message, the Mail For each Authenticated Identifier found in the message, the Mail
Receiver checks to see if the Authenticated Identifier is aligned Receiver checks to see if the Authenticated Identifier is aligned
(#identifier-alignment-evaluation) with the Author Domain. (Section 4.10.2) with the Author Domain.
5.3.5. Determine DMARC "Pass" or "Fail" 5.3.5. Determine DMARC "Pass" or "Fail"
If one or more of the Authenticated Identifiers align with the Author If one or more of the Authenticated Identifiers align with the Author
Domain, the message is considered to pass the DMARC mechanism check. Domain, the message is considered to pass the DMARC mechanism check.
If no Authenticated Identifiers exist for the domain, or none of the If no Authenticated Identifiers exist for the domain, or none of the
Authenticated Identifiers align with the Author Domain, the message Authenticated Identifiers align with the Author Domain, the message
is considered to fail the DMARC mechanism check. is considered to fail the DMARC mechanism check.
skipping to change at page 37, line 14 skipping to change at line 1695
See Section 7.2 for further discussion of topics regarding rejecting See Section 7.2 for further discussion of topics regarding rejecting
messages. messages.
5.3.7. Store Results of DMARC Processing 5.3.7. Store Results of DMARC Processing
If the Mail Receiver intends to send aggregate feedback reports and/ If the Mail Receiver intends to send aggregate feedback reports and/
or failure reports, then results obtained from the application of the or failure reports, then results obtained from the application of the
DMARC mechanism by the Mail Receiver MUST be preserved for eventual DMARC mechanism by the Mail Receiver MUST be preserved for eventual
presentation back to the Domain Owner in the form of such reports. presentation back to the Domain Owner in the form of such reports.
Section 4.7 and [I-D.ietf-dmarc-aggregate-reporting] discuss Section 4.7 and [RFC9990] discuss aggregate feedback reports.
aggregate feedback reports.
5.3.8. Send Aggregate Reports 5.3.8. Send Aggregate Reports
To ensure maximum usefulness for DMARC across the email ecosystem, To ensure maximum usefulness for DMARC across the email ecosystem,
Mail Receivers SHOULD generate and send aggregate reports with a Mail Receivers SHOULD generate and send aggregate reports with a
frequency of at least once every 24 hours. Such reports provide frequency of at least once every 24 hours. Such reports provide
Domain Owners with insight into all mail streams using Author Domains Domain Owners with insight into all mail streams using Author Domains
under the Domain Owner's control, and aid the Domain Owner in under the Domain Owner's control and aid the Domain Owner in
determining whether and when to transition from Monitoring Mode determining whether and when to transition from Monitoring Mode
(#monitoring-mode) to Enforcement (#enforcement). (Section 3.2.12) to Enforcement (Section 3.2.9).
The most common reasons for a Mail Receiver to opt out of sending The most common reasons for a Mail Receiver to opt out of sending
aggregate reports include resource constraints, local policy against aggregate reports include resource constraints, local policy against
sharing data, and concerns about user privacy. sharing data, and concerns about user privacy.
5.3.9. Optionally Send Failure Reports 5.3.9. Optionally Send Failure Reports
Per-message failure reports can be a useful source of information for Per-message failure reports can be useful sources of information for
a Domain Owner, either for debugging deployments or in analyzing a Domain Owner, either for debugging deployments or in analyzing
attacks, and so Mail Receivers MAY choose to send them. Experience attacks, and so Mail Receivers MAY choose to send them. Experience
has shown, however, that Mail Receivers rightly concerned about has shown, however, that Mail Receivers rightly concerned about
protecting user privacy have either chosen to heavily redact the protecting user privacy have either chosen to heavily redact the
information in such reports (which can hinder their usefulness) or information in such reports (which can hinder their usefulness) or
not send them at all. See [I-D.ietf-dmarc-failure-reporting] for not send them at all. See [RFC9991] for further information.
further information.
5.4. Policy Enforcement Considerations 5.4. Policy Enforcement Considerations
The final handling of any message is always a matter of local policy The final handling of any message is always a matter of local policy
and is left to the discretion of the Mail Receiver. and is left to the discretion of the Mail Receiver.
A DMARC pass for a message indicates only that the use of the Author A DMARC pass for a message indicates only that the use of the Author
Domain (#author-domain) has been validated for that message as Domain (Section 3.2.2) has been validated for that message as
authorized by the Domain Owner (#domain-owner). Such authorization authorized by the Domain Owner (Section 3.2.7). Such authorization
does not carry an explicit or implicit value assertion about that does not carry an explicit or implicit value assertion about that
message or the Domain Owner, and Mail Receivers MAY choose to reject message or the Domain Owner, and Mail Receivers MAY choose to reject
or quarantine a message even if it passes the DMARC validation check. or quarantine a message even if it passes the DMARC validation check.
Mail Receivers are encouraged to maintain anti-abuse technologies to Mail Receivers are encouraged to maintain anti-abuse technologies to
combat the possibility of DMARC-enabled abuse. combat the possibility of DMARC-enabled abuse.
Mail Receivers MAY choose to accept email that fails the DMARC Mail Receivers MAY choose to accept email that fails the DMARC
validation check even if the published Domain Owner Assessment Policy validation check even if the published Domain Owner Assessment Policy
is "reject". In particular, because of the considerations discussed is "reject". In particular, because of the considerations discussed
in [RFC7960] and in Section 7.4 of this document, it is important in [RFC7960] and in Section 7.4 of this document, it is important
that Mail Receivers SHOULD NOT reject messages solely because of a that Mail Receivers SHOULD NOT reject messages solely because of a
published policy of "reject", but that they apply other knowledge and published policy of "reject" but that they apply other knowledge and
analysis to avoid situations such as rejection of legitimate messages analysis to avoid situations such as rejection of legitimate messages
sent in ways that DMARC cannot describe, harm to the operation of sent in ways that DMARC cannot describe, harm to the operation of
mailing lists, and similar. mailing lists, and similar.
If a Mail Receiver chooses not to honor the published Domain Owner If a Mail Receiver chooses not to honor the published Domain Owner
Assessment Policy to improve interoperability among mail systems, it Assessment Policy to improve interoperability among mail systems, it
may increase the likelihood of accepting abusive mail. At a minimum, may increase the likelihood of accepting abusive mail. At a minimum,
Mail Receivers SHOULD add the Authentication-Results header field Mail Receivers SHOULD add the Authentication-Results header field
(see [RFC8601]), and it is RECOMMENDED when delivering messages that (see [RFC8601]), and it is RECOMMENDED when delivering messages that
fail the DMARC validation check. fail the DMARC validation check.
When Mail Receivers deviate from a published Domain Owner Assessment When Mail Receivers deviate from a published Domain Owner Assessment
Policy during message processing they SHOULD make available the fact Policy during message processing, they SHOULD make available the fact
of and reason for the deviation to the Domain Owner via feedback of and reason for the deviation to the Domain Owner via feedback
reporting, specifically using the "PolicyOverride" feature of the reporting, specifically using the "PolicyOverride" feature of the
aggregate report defined in [I-D.ietf-dmarc-aggregate-reporting]. aggregate report defined in [RFC9990].
To enable Domain Owners to receive DMARC feedback without impacting To enable Domain Owners to receive DMARC feedback without impacting
existing mail processing, discovered policies of "p=none" MUST NOT existing mail processing, discovered policies of "p=none" MUST NOT
modify existing mail handling processes. modify existing mail handling processes.
6. DMARC Feedback 6. DMARC Feedback
DMARC Feedback is described in [I-D.ietf-dmarc-aggregate-reporting] DMARC feedback is described in [RFC9990].
As an operational note for Public Suffix Operators, feedback for non- As an operational note for Public Suffix Operators, feedback for non-
existent domains can be desirable and useful, just as it can be for existent domains can be desirable and useful, just as it can be for
Organizational Domains. Therefore, both such entities should Organizational Domains. Therefore, both such entities should
consider including "rua=" tags in any DMARC Policy Records they consider including "rua=" tags in any DMARC Policy Records they
publish for themselves. See Section 10 for discussion of Privacy publish for themselves. See Section 10 for discussion of privacy
Considerations. considerations.
7. Other Topics 7. Other Topics
This section discusses some topics regarding choices made in the This section discusses some topics regarding choices made in the
development of DMARC, largely to commit the history to record. development of DMARC, largely to commit the history to record.
7.1. Issues Specific to SPF 7.1. Issues Specific to SPF
Though DMARC does not inherently change the semantics of an SPF Though DMARC does not inherently change the semantics of an SPF
policy record, historically lax enforcement of such policies has led policy record, historically lax enforcement of such policies has led
many to publish extremely broad records containing many extensive many to publish extremely broad records containing many extensive
network ranges. Domain Owners (#domain-owner) are strongly network ranges. Domain Owners (Section 3.2.7) are strongly
encouraged to carefully review their SPF records to understand which encouraged to carefully review their SPF records to understand which
networks are authorized to send on behalf of the Domain Owner before networks are authorized to send on behalf of the Domain Owner before
publishing a DMARC Policy Record. Furthermore, Domain Owners should publishing a DMARC Policy Record. Furthermore, Domain Owners should
periodically review their SPF records to ensure that the periodically review their SPF records to ensure that the
authorization conveyed by the records matches the domain's current authorization conveyed by the records matches the domain's current
needs. needs.
SPF was intended to be implemented early in the SMTP transaction, SPF was intended to be implemented early in the SMTP transaction,
meaning it's possible for a message to fail SPF validation prior to meaning it's possible for a message to fail SPF validation prior to
any message content being transmitted, and so some Mail Receiver any message content being transmitted, and so some Mail Receiver
architectures might implement SPF in advance of any DMARC operations. architectures might implement SPF in advance of any DMARC operations.
This means that an SPF hard fail ("-") prefix on a sender's SPF This means that an SPF hard fail ("-") prefix on a sender's SPF
mechanism, such as "-all", could cause a message to be rejected early mechanism, such as "-all", could cause a message to be rejected early
in the SMTP transaction, before any DMARC processing takes place, if in the SMTP transaction, before any DMARC processing takes place, if
the message fails SPF authentication checks. Domain Owners choosing the message fails SPF authentication checks. Domain Owners choosing
to use "-all" to terminate SPF records should be aware of this, and to use "-all" to terminate SPF records should be aware of this and
should understand that messages that might otherwise pass DMARC due should understand that messages that might otherwise pass DMARC due
to an aligned DKIM-Authenticated Identifier (#dkim-identifiers) could to an aligned DKIM-Authenticated Identifier (Section 4.4.1) could be
be rejected solely due to an SPF fail. Moreover, messages rejected rejected solely due to an SPF fail. Moreover, messages rejected
early in the SMTP transaction will never appear in aggregate DMARC early in the SMTP transaction will never appear in aggregate DMARC
reports, as the transaction will never proceed to the DATA phase and reports, as the transaction will never proceed to the DATA phase, and
so the RFC5322.From domain will never be revealed and its DMARC so the RFC5322.From domain will never be revealed and its DMARC
policy will never be discovered. Domain Owners and Mail Receivers policy will never be discovered. Domain Owners and Mail Receivers
(#mail-receiver) can consult [M3SPF] and [M3AUTH] for more discussion (Section 3.2.11) can consult [M3SPF] and [M3AUTH] for more discussion
of the topic and best practices regarding publishing SPF records and of the topic and best practices regarding publishing SPF records and
when to reject based solely on SPF failure: when to reject based solely on SPF failure.
7.2. Rejecting Messages 7.2. Rejecting Messages
The DMARC mechanism calls for rejection of a message during the SMTP The DMARC mechanism calls for rejection of a message during the SMTP
session under certain circumstances. This is preferable to session under certain circumstances. This is preferable to
generation of a Delivery Status Notification [RFC3464], since generation of a Delivery Status Notification [RFC3464], since
fraudulent messages caught and rejected using the DMARC mechanism fraudulent messages caught and rejected using the DMARC mechanism
would then result in the annoying generation of such failure reports would then result in the annoying generation of such failure reports
that go back to the RFC5321.MailFrom address. that go back to the RFC5321.MailFrom address.
This synchronous rejection is typically done in one of two ways: This synchronous rejection is typically done in one of two ways:
* Full rejection, wherein the SMTP server issues a 5xy reply code to * A "full rejection", wherein the SMTP server issues a 5xy reply
the DATA command as an indication to the SMTP client that the code to the DATA command as an indication to the SMTP client that
transaction failed; the SMTP client is then responsible for the transaction failed; the SMTP client is then responsible for
generating a notification that delivery failed (see Section 4.2.5 generating a notification that delivery failed (see Section 4.2.5
of [RFC5321]). of [RFC5321]).
* A "silent discard", wherein the SMTP server returns a 2xy reply * A "silent discard", wherein the SMTP server returns a 2xy reply
code implying to the client that delivery (or, at least, relay) code implying to the client that delivery (or at least relay) was
was successfully completed, but then simply discards the message successfully completed but then simply discards the message with
with no further action. no further action.
Each of these has a cost. For instance, a silent discard can help to Each of these has a cost. For instance, a silent discard can help to
prevent backscatter, but it also effectively means that the SMTP prevent backscatter, but it also effectively means that the SMTP
server has to be programmed to give a false result, which can server has to be programmed to give a false result, which can
confound external debugging efforts. confound external debugging efforts.
Similarly, the text portion of the SMTP reply may be important to Similarly, the text portion of the SMTP reply may be important to
consider. For example, when rejecting a message, revealing the consider. For example, when rejecting a message, revealing the
reason for the rejection might give an attacker enough information to reason for the rejection might give an attacker enough information to
bypass those efforts on a later attempt, though it might also assist bypass those efforts on a later attempt, though it might also assist
a legitimate client to determine the source of some local issue that a legitimate client to determine the source of some local issue that
caused the rejection. caused the rejection.
In the latter case, when doing an SMTP rejection, providing a clear In the latter case, when doing an SMTP rejection, providing a clear
hint can be useful in resolving issues. A Mail Receiver (#mail- hint can be useful in resolving issues. A Mail Receiver
receiver) might indicate in plain text the reason for the rejection (Section 3.2.11) might indicate in plain text the reason for the
by using the word "DMARC" somewhere in the reply text. For example: rejection by using the word "DMARC" somewhere in the reply text. For
example:
550 5.7.1 Email rejected per DMARC policy for example.com 550 5.7.1 Email rejected per DMARC policy for example.com
Many systems are able to scan the SMTP reply text to determine the Many systems are able to scan the SMTP reply text to determine the
nature of the rejection. Thus, providing a machine-detectable reason nature of the rejection. Thus, providing a machine-detectable reason
for rejection allows the problems causing rejections to be properly for rejection allows the problems causing rejections to be properly
addressed by automated systems. addressed by automated systems.
If a Mail Receiver elects to defer delivery due to the inability to If a Mail Receiver elects to defer delivery due to the inability to
retrieve or apply DMARC policy, this is best done with a 4xy SMTP retrieve or apply DMARC policy, this is best done with a 4xy SMTP
skipping to change at page 41, line 12 skipping to change at line 1879
Issues specific to the use of policy mechanisms alongside DKIM are Issues specific to the use of policy mechanisms alongside DKIM are
further discussed in [RFC6377], particularly Section 5.2. further discussed in [RFC6377], particularly Section 5.2.
Mail that is sent by authorized, independent third parties might not Mail that is sent by authorized, independent third parties might not
be sent with Identifier Alignment, also preventing a "pass" result. be sent with Identifier Alignment, also preventing a "pass" result.
A Domain Owner can use DMARC aggregate reports to identify this mail A Domain Owner can use DMARC aggregate reports to identify this mail
and take steps to address authentication shortcomings. and take steps to address authentication shortcomings.
7.4. Interoperability Considerations 7.4. Interoperability Considerations
As discussed in "Interoperability Issues between DMARC and Indirect As discussed in "Interoperability Issues between Domain-based Message
Email Flows" [RFC7960], use of "p=reject" can be incompatible with Authentication, Reporting, and Conformance (DMARC) and Indirect Email
and cause interoperability problems to indirect message flows such as Flows" [RFC7960], the use of "p=reject" can be incompatible with and
cause interoperability problems to indirect message flows such as
"alumni forwarders", role-based email aliases, and mailing lists "alumni forwarders", role-based email aliases, and mailing lists
across the Internet. across the Internet.
As an example of this, a bank might send only targeted messages to As an example of this, a bank might send only targeted messages to
account holders. Those account holders might have given their bank account holders. Those account holders might have given their bank
addresses such as "jones@alumni.example.edu" (an address that relays addresses such as "jones@alumni.example.edu" (an address that relays
the messages to another address with a real mailbox) or the messages to another address with a real mailbox) or
"finance@association.example" (a role-based address that does similar "finance@association.example" (a role-based address that does similar
relaying for the current head of finance at the association). When relaying for the current head of finance at the association). When
such mail is delivered to the actual recipient mailbox, it will most such mail is delivered to the actual recipient mailbox, it will most
likely fail SPF checks unless the RFC5321.MailFrom address is likely fail SPF checks unless the RFC5321.MailFrom address is
rewritten by the relaying MTA, as the incoming IP address will be rewritten by the relaying MTA, as the incoming IP address will be
that of "example.edu" or "association.example", and not an IP address that of "example.edu" or "association.example" and not an IP address
authorized by the originating RFC5321.MailFrom domain. DKIM authorized by the originating RFC5321.MailFrom domain. DKIM
signatures will generally remain valid in these relay situations. signatures will generally remain valid in these relay situations.
| It is therefore critical that domains that publish "p=reject" MUST It is therefore critical that domains that publish "p=reject" MUST
| NOT rely solely on SPF to secure a DMARC pass, and MUST apply NOT rely solely on SPF to secure a DMARC pass and MUST apply valid
| valid DKIM signatures to their messages. DKIM signatures to their messages.
In the case of domains that have general users who send routine In the case of domains that have general users who send routine
email, those that publish a Domain Owner Assessment Policy (#domain- email, those that publish a Domain Owner Assessment Policy
owner-policy) of "p=reject" are likely to create significant (Section 3.2.8) of "p=reject" are likely to create significant
interoperability issues. In particular, if users in such domains interoperability issues. In particular, if users in such domains
post messages to mailing lists on the Internet, those messages can post messages to mailing lists on the Internet, those messages can
cause significant operational problems for the mailing lists and for cause significant operational problems for the mailing lists and for
the subscribers to those lists, as explained below and in [RFC7960]. the subscribers to those lists, as explained below and in [RFC7960].
| It is therefore critical that domains that host users who might It is therefore critical that domains that host users who might
| post messages to mailing lists SHOULD NOT publish Domain Owner post messages to mailing lists SHOULD NOT publish Domain Owner
| Assessment Policies of "p=reject". Any such domains wishing to Assessment Policies of "p=reject". Any such domains wishing to
| publish "p=reject" SHOULD first take advantage of DMARC aggregate publish "p=reject" SHOULD first take advantage of DMARC aggregate
| report data for their domain to determine the possible impact to report data for their domain to determine the possible impact to
| their users, first by publishing "p=none" for at least a month, their users, first by publishing "p=none" for at least a month,
| followed by publishing "p=quarantine" for an equally long period followed by publishing "p=quarantine" for an equally long period
| of time, and comparing the message disposition results. Domains of time, and comparing the message disposition results. Domains
| that choose to publish "p=reject" SHOULD either implement policies that choose to publish "p=reject" SHOULD implement policies that
| that their users not post to Internet mailing lists and/or inform their users not post to Internet mailing lists and/or inform their
| their users that their participation in mailing lists may be users that their participation in mailing lists may be hindered.
| hindered.
As noted in Section 5.4, Mail Receivers (#mail-receivers) need to As noted in Section 5.4, Mail Receivers (Section 3.2.11) need to
apply more analysis than just DMARC validation in their disposition apply more analysis than just DMARC validation in their disposition
of incoming messages. An example of the consequences of honoring a of incoming messages. An example of the consequences of honoring a
Domain Owner Assessment Policy of "p=reject" without further analysis Domain Owner Assessment Policy of "p=reject" without further analysis
is that rejecting messages that have been relayed by a mailing list is that rejecting messages that have been relayed by a mailing list
can cause the Mail Receiver's users to have their subscriptions to can cause the Mail Receiver's users to have their subscriptions to
that mailing list canceled by the list software's automated handling that mailing list canceled by the list software's automated handling
of such rejections - it looks to the list manager as though the of such rejections -- it looks to the list manager as though the
recipient's email address is no longer working, so the address is recipient's email address is no longer working, so the address is
automatically unsubscribed. An example of this scenario, albeit with automatically unsubscribed. An example of this scenario, albeit with
DKIM Author Domain Signing Practices (ADSP) rather than DMARC, can be DKIM Author Domain Signing Practices (ADSP) rather than DMARC, can be
found in Section 5.2 of [RFC6377]. found in Section 5.2 of [RFC6377].
| It is therefore critical that Mail Receivers MUST NOT reject It is therefore critical that Mail Receivers MUST NOT reject
| incoming messages solely on the basis of a "p=reject" policy by incoming messages solely on the basis of a "p=reject" policy by
| the sending domain. Mail Receivers must use the DMARC policy as the sending domain. Mail Receivers must use the DMARC policy as
| part of their disposition decision, along with other knowledge and part of their disposition decision, along with other knowledge and
| analysis. "Other knowledge and analysis" here might refer to analysis. "Other knowledge and analysis" here might refer to
| observed sending patterns for properly-authenticated mail using observed sending patterns for properly authenticated mail using
| the sending domain, content filtering, etc. In the absence of the sending domain, content filtering, etc. In the absence of
| other knowledge and analysis, Mail Receivers MUST treat such other knowledge and analysis, Mail Receivers MUST treat such
| failing mail as if the policy were "p=quarantine" rather than failing mail as if the policy were "p=quarantine" rather than
| "p=reject". "p=reject".
Failure to understand and abide by these considerations can cause Failure to understand and abide by these considerations can cause
legitimate, sometimes important email to be rejected, can cause legitimate, sometimes important, email to be rejected; can cause
operational damage to mailing lists throughout the Internet, and can operational damage to mailing lists throughout the Internet; and can
result in trouble-desk calls and complaints from the Mail Receiver's result in trouble-desk calls and complaints from the Mail Receiver's
employees, customers, and clients. employees, customers, and clients.
In practice, despite this advice, few Mail Receivers apply any In practice, despite this advice, few Mail Receivers apply any
mitigation techniques when receiving indirect mail flows, few mitigation techniques when receiving indirect mail flows, few
organizations consider the effect of DMARC policies on their users' organizations consider the effect of DMARC policies on their users'
indirect mail, and it is unlikely that any advice in this document indirect mail, and it is unlikely that any advice in this document
will change that. As a result, mail forwarded through mailing lists will change that. As a result, mail forwarded through mailing lists
with unmodified From: header lines is frequently rejected due to a with unmodified From: header lines is frequently rejected due to a
p=reject policy. "p=reject" policy.
In the ten years since large consumer mail systems started publishing In the ten years since large consumer mail systems started publishing
p=reject policies, mailing list software has all adopted workarounds p=reject policies, mailing list software has all adopted workarounds
to make the From: header line DMARC aligned. Some simply use the to make the From: header line DMARC aligned. Some simply use the
list's address, while others do per-address modifications intended to list's address, while others do per-address modifications intended to
be reversible or to allow mail to be forwarded back to the original be reversible or to allow mail to be forwarded back to the original
author, e.g., bob@example.com turned into author, e.g., bob@example.com turned into
bob=example.com@user.somelist.example. While these workarounds are bob=example.com@user.somelist.example. While these workarounds are
far from ideal, they are firmly established and list operators treat far from ideal, they are firmly established and list operators treat
them as a fact of life. them as a fact of life.
skipping to change at page 43, line 34 skipping to change at line 1982
methods to allow mailing lists to continue to work without modifying methods to allow mailing lists to continue to work without modifying
the From: header line, with a prominent example being the the From: header line, with a prominent example being the
Authenticated Received Chain (ARC) protocol described in [RFC8617]. Authenticated Received Chain (ARC) protocol described in [RFC8617].
While work continues, as of this document's publication, none of the While work continues, as of this document's publication, none of the
methods have become widely used. Should such a technical method methods have become widely used. Should such a technical method
achieve widespread adoption in the future, this document can be achieve widespread adoption in the future, this document can be
updated to reflect that. updated to reflect that.
8. Conformance Requirements for Full DMARC Participation 8. Conformance Requirements for Full DMARC Participation
This document describes the DMARC mechanism, and allows Domain Owners This document describes the DMARC mechanism and allows Domain Owners
and Mail Receivers some leeway in deciding which parts of the and Mail Receivers some leeway in deciding which parts of the
mechanism to implement. This section summarizes the requirements for mechanism to implement. This section summarizes the requirements for
full participation in DMARC, either by Domain Owners or by Mail full participation in DMARC, either by Domain Owners or by Mail
Receivers. Receivers.
In order to fully participate in DMARC, Domain Owners: In order to fully participate in DMARC, Domain Owners:
* MUST send mail so it produces an SPF-Authenticated identifier that * MUST send mail so it produces an SPF-Authenticated Identifier that
has Identifier Alignment with the Author Domain has Identifier Alignment with the Author Domain.
* MUST send mail that has a DKIM Signing Domain that will produce a * MUST send mail that has a DKIM Signing Domain that will produce a
DKIM-Authenticated Identifier that has Identifier Alignment with DKIM-Authenticated Identifier that has Identifier Alignment with
the Author Domain the Author Domain.
* MUST set up a mailbox to receive aggregate reports and collect and * MUST set up a mailbox to receive aggregate reports and collect and
analyze those reports analyze those reports.
* MUST publish a DMARC Policy Record for the Author Domain and the * MUST publish a DMARC Policy Record for the Author Domain and the
Organizational Domain, if it differs from the Author Domain Organizational Domain, if it differs from the Author Domain.
* MUST NOT rely solely on SPF for a DMARC pass if the DMARC policy * MUST NOT rely solely on SPF for a DMARC pass if the DMARC policy
for the Author Domain is "p=reject" for the Author Domain is "p=reject".
In order to fully participate in DMARC, Mail Receivers In order to fully participate in DMARC, Mail Receivers:
* MUST check for the existence of a DMARC Policy Record for the * MUST check for the existence of a DMARC Policy Record for the
Author Domain of an inbound mail message to determine if the DMARC Author Domain of an inbound mail message to determine if the DMARC
mechanism applies to that message. mechanism applies to that message.
* MUST determine if Authenticated Identifiers exist for the message * MUST determine if Authenticated Identifiers exist for the message
and preserve the results of those checks for future use in and preserve the results of those checks for future use in
reportging if the DMARC mechanism applies to the message reporting if the DMARC mechanism applies to the message.
* MUST conduct necessary Identifier Alignmeent checks if the DMARC
* MUST conduct necessary Identifier Alignment checks if the DMARC
mechanism applies for the message and Authenticated Identifiers mechanism applies for the message and Authenticated Identifiers
exist exist.
* MUST use the information from the checks for Authenticated * MUST use the information from the checks for Authenticated
Identifiers to determine if the DMARC validation result is "pass" Identifiers to determine if the DMARC validation result is "pass"
or "fail" for the message. or "fail" for the message.
* MUST support the "mailto:" URI for sending requested reports
* SHOULD send aggregate reports on at least a daily basis * MUST support the "mailto:" URI for sending requested reports.
* SHOULD send aggregate reports on at least a daily basis.
* MUST NOT reject messages solely on the basis of a "p=reject" * MUST NOT reject messages solely on the basis of a "p=reject"
policy for the Author Domain policy for the Author Domain.
9. IANA Considerations 9. IANA Considerations
This section describes actions to be completed by IANA. This section describes actions completed by IANA.
9.1. Email Authentication Methods Registry Update 9.1. Email Authentication Methods Registry Update
A registry group called "Email Authentication Parameters" exists, and
within it a registry group called "Email Authentication Methods"
exists and needs to be updated in the manner specified in this
section.
The properties of an email message to be evaluated by an email The properties of an email message to be evaluated by an email
authentication method are registered with IANA in this registry. authentication method have been registered by IANA in the "Email
Entries are assigned only for values that have been documented in a Authentication Methods" registry within the "Email Authentication
manner that satisfies the terms of Specification Required, per Parameters" registry group.
[RFC8126]. Each registration includes the authentication method; the
Each registration includes the authentication method; the
specification that defines the authentication method; the property specification that defines the authentication method; the property
type (ptype), which is one of the ptype values from the entries in type (ptype), which is one of the ptype values from the entries in
the "Email Authentication Property Types" registry in this same the "Email Authentication Property Types" registry in this same
registry group; the property; the value for that property; the status registry group; the property; the value for that property; the status
of the property, which is one of "active" or "deprecated"; and its of the property, which is one of "active" or "deprecated"; and its
version. The Designated Expert needs to confirm that the provided version. The designated expert needs to confirm that the provided
specification adequately describes the property and the method for specification adequately describes the property and the method for
its evaluation and clearly presents how they would be used within the its evaluation and clearly presents how they would be used within the
DMARC context by Domain Owners and Mail Receivers. DMARC context by Domain Owners and Mail Receivers.
The set of entries to be updated in this registry is as follows: IANA has changed the registration procedure from Expert Review to
Specification Required [RFC8126] and has listed this document as an
additional reference for the registry. IANA has updated the registry
as follows:
+======+===========+======+========+=================+======+=======+ +======+============+======+========+===============+======+=======+
|Method| Defined |ptype |Property| Value |Status|Version| |Method| Definition |ptype |Property| Value |Status|Version|
+======+===========+======+========+=================+======+=======+ +======+============+======+========+===============+======+=======+
|dmarc | [this |header|from | The domain |active|1 | |dmarc | RFC 9989 |header|from | The domain |active|1 |
| | document] | | | portion of the | | | | | | | | portion of | | |
| | | | | RFC5322.From | | | | | | | | the | | |
| | | | | header field | | | | | | | | RFC5322.From | | |
+------+-----------+------+--------+-----------------+------+-------+ | | | | | header field | | |
|dmarc | [this |policy|dmarc | The evaluated |active|1 | +------+------------+------+--------+---------------+------+-------+
| | document] | | | DMARC policy | | | |dmarc | RFC 9989 |policy|dmarc | The evaluated |active|1 |
| | | | | applied/to be | | | | | | | | DMARC policy | | |
| | | | | applied after | | | | | | | | applied / to | | |
| | | | | policy options | | | | | | | | be applied | | |
| | | | | have been | | | | | | | | after policy | | |
| | | | | processed. | | | | | | | | options have | | |
| | | | | Must be | | | | | | | | been | | |
| | | | | "none", | | | | | | | | processed. | | |
| | | | | "quarantine", | | | | | | | | Must be | | |
| | | | | or "reject". | | | | | | | | "none", | | |
+------+-----------+------+--------+-----------------+------+-------+ | | | | | "quarantine", | | |
| | | | | or "reject". | | |
+------+------------+------+--------+---------------+------+-------+
Table 3: "Email Authentication Methods Registry Update" Table 3: Email Authentication Methods Registry Update
9.2. Email Authentication Result Names Registry Update 9.2. Email Authentication Result Names Registry Update
Also within the registry group "Email Authentication Parameters" a Result codes for DMARC are registered with IANA in the "Email
registry called "Email Authentication Result Names" exists and should Authentication Result Names" registry within "Email Authentication
be updated to reference this section of this document. Parameters" registry group.
Result codes for DMARC are registered with IANA in this registry. Each registration includes the auth method; the code; the
Entries are assigned only for values that have been documented in a
manner that satisfies the terms of Specification Required, per
[RFC8126]. Each registration includes the auth method; the code; the
specification that defines the code; and the code's status, which is specification that defines the code; and the code's status, which is
one of "active" or "deprecated". The "Description" field is included one of "active" or "deprecated". Note that the "Description" field
here solely for the reader's reference, and does not appear in the is included here solely for the reader's reference and does not
IANA registry. The Designated Expert needs to confirm that the appear in the IANA registry. The designated expert needs to confirm
provided specification adequately describes the result code and that the provided specification adequately describes the result code
clearly presents how it would be used within the DMARC context by and clearly presents how it would be used within the DMARC context by
Domain Owners and Mail Receivers. Domain Owners and Mail Receivers.
The set of entries to be updated in this registry is as follows: IANA has changed the registration procedure from Expert Review to
Specification Required [RFC8126] and has listed this document as an
additional reference for the registry. IANA has updated the registry
as follows, replacing references to [RFC7489] with references to this
document:
+========+===========+===============+========+=====================+ +===========+===========+===============+========+==================+
| Auth | Code | Specification | Status | Description | | Auth | Code | Specification | Status | Description |
| Method | | | | | | Method(s) | | | | |
+========+===========+===============+========+=====================+ +===========+===========+===============+========+==================+
| dmarc | fail | [this | active | A DMARC Policy | | dmarc | fail | RFC 9989 | active | A DMARC Policy |
| | | document] | | Record exists for | | | | | | Record exists |
| | | | | the Author | | | | | | for the Author |
| | | | | Domain, but no | | | | | | Domain, but no |
| | | | | Authenticated | | | | | | Authenticated |
| | | | | Identifier with | | | | | | Identifier with |
| | | | | Identifier | | | | | | Identifier |
| | | | | Alignment exists | | | | | | Alignment |
+--------+-----------+---------------+--------+---------------------+ | | | | | exists |
| dmarc | none | [this | active | No DMARC Policy | +-----------+-----------+---------------+--------+------------------+
| | | document] | | Record exists for | | dmarc | none | RFC 9989 | active | No DMARC Policy |
| | | | | the Author Domain | | | | | | Record exists |
+--------+-----------+---------------+--------+---------------------+ | | | | | for the Author |
| dmarc | pass | [this | active | A DMARC Policy | | | | | | Domain |
| | | document] | | Record exists for | +-----------+-----------+---------------+--------+------------------+
| | | | | the Author | | dmarc | pass | RFC 9989 | active | A DMARC Policy |
| | | | | Domain, and an | | | | | | Record exists |
| | | | | Authenticated | | | | | | for the Author |
| | | | | Identifier with | | | | | | Domain, and an |
| | | | | Identifier | | | | | | Authenticated |
| | | | | Alignment exists | | | | | | Identifier with |
+--------+-----------+---------------+--------+---------------------+ | | | | | Identifier |
| dmarc | permerror | [this | active | An error occurred | | | | | | Alignment |
| | | document] | | during DMARC | | | | | | exists |
| | | | | evaluation that | +-----------+-----------+---------------+--------+------------------+
| | | | | is unrecoverable, | | dmarc | permerror | RFC 9989 | active | An error |
| | | | | such as the | | | | | | occurred during |
| | | | | retrieval of an | | | | | | DMARC |
| | | | | improperly | | | | | | evaluation that |
| | | | | formatted DMARC | | | | | | is |
| | | | | Policy Record. A | | | | | | unrecoverable, |
| | | | | later attempt is | | | | | | such as the |
| | | | | unlikely to | | | | | | retrieval of an |
| | | | | produce a final | | | | | | improperly |
| | | | | result | | | | | | formatted DMARC |
+--------+-----------+---------------+--------+---------------------+ | | | | | Policy Record. |
| dmarc | temperror | [this | active | An error occurred | | | | | | A later attempt |
| | | document] | | during DMARC | | | | | | is unlikely to |
| | | | | evaluation that | | | | | | produce a final |
| | | | | is likely | | | | | | result |
| | | | | transient in | +-----------+-----------+---------------+--------+------------------+
| | | | | nature, such as a | | dmarc | temperror | RFC 9989 | active | An error |
| | | | | DNS server being | | | | | | occurred during |
| | | | | temporarily | | | | | | DMARC |
| | | | | unreachable. A | | | | | | evaluation that |
| | | | | later attempt | | | | | | is likely |
| | | | | might produce a | | | | | | transient in |
| | | | | final result | | | | | | nature, such as |
+--------+-----------+---------------+--------+---------------------+ | | | | | a DNS server |
| | | | | being |
| | | | | temporarily |
| | | | | unreachable. A |
| | | | | later attempt |
| | | | | might produce a |
| | | | | final result |
+-----------+-----------+---------------+--------+------------------+
Table 4: "Email Authentication Result Names Registry Update" Table 4: Email Authentication Result Names Registry Update
9.3. DMARC Tags Registry Update 9.3. DMARC Tags Registry Update
A registry group called "Domain-based Message Authentication,
Reporting, and Conformance (DMARC)" exists, and within it, a registry
called "DMARC Tags" exists. That registry should be updated as
described in this section.
Names of tags used in DMARC Policy Records as part of "tag-value" Names of tags used in DMARC Policy Records as part of "tag-value"
pairs are registered with IANA in this registry. Entries are pairs are registered with IANA in the "DMARC Tags" registry within
assigned only for values that have been documented in a manner that the "Domain-based Message Authentication, Reporting, and Conformance
satisfies the terms of Specification Required, per [RFC8126]. Each (DMARC)" registry group.
registration includes the tag name, the specification that defines
the tag, the status of the tag, and a brief description of the tag. Entries are assigned only for values that have been documented in a
The Designated Expert needs to confirm that the provided manner that satisfies the terms of Specification Required, per
specification adequately describes the tag and clearly presents how [RFC8126]. Each registration includes the tag name, the
it would be used within the DMARC context by Domain Owners and Mail specification that defines the tag, the status of the tag, and a
Receivers. The "status" column is one of the following: brief description of the tag. The designated expert needs to confirm
that the provided specification adequately describes the tag and
clearly presents how it would be used within the DMARC context by
Domain Owners and Mail Receivers. The "status" column is one of the
following:
* "active", meaning the tag is in use in current implementations, * "active", meaning the tag is in use in current implementations,
and its specifications is expected to be stable and its specifications is expected to be stable
* "experimental", meaning the tag is relatively new and may be in * "experimental", meaning the tag is relatively new and may be in
use in some current implementations but not in others, and its use in some current implementations but not in others, and its
specification is not expected to be stable specification is not expected to be stable
* "historic", meaning the tag is considered deprecated and is not * "historic", meaning the tag is considered deprecated and is not
expected to be in use in any current implementation expected to be in use in any current implementation
To avoid version compatibility issues, tags added to the DMARC To avoid version compatibility issues, tags added to the DMARC
specification are to avoid changing the semantics of existing records specification are to avoid changing the semantics of existing records
when processed by implementations conforming to prior specifications. when processed by implementations conforming to prior specifications.
The set of entries to be updated in this registry is as follows: IANA has listed this document (rather than [RFC7489]) as the
reference for the registry. IANA has updated the registry as
follows, including the addition of the new "t" registration:
+=======+===========+==========+====================================+ +=======+===========+==========+====================================+
| Tag | Reference | Status | Description | | Tag | Reference | Status | Description |
| Name | | | | | Name | | | |
+=======+===========+==========+====================================+ +=======+===========+==========+====================================+
| adkim | [this | active | DKIM Identifier Alignment | | adkim | RFC 9989 | active | DKIM Identifier Alignment |
| | document] | | mode | | | | | mode |
+-------+-----------+----------+------------------------------------+ +-------+-----------+----------+------------------------------------+
| aspf | [this | active | SPF Identifier Alignment | | aspf | RFC 9989 | active | SPF Identifier Alignment |
| | document] | | mode | | | | | mode |
+-------+-----------+----------+------------------------------------+ +-------+-----------+----------+------------------------------------+
| fo | [this | active | Failure reporting options | | fo | RFC 9989 | active | Failure reporting options |
| | document] | | |
+-------+-----------+----------+------------------------------------+ +-------+-----------+----------+------------------------------------+
| np | [this | active | Requested Domain Owner | | np | RFC 9989 | active | Requested Domain Owner |
| | document] | | Assessment Policy for non- | | | | | Assessment Policy for non- |
| | | | existent subdomains | | | | | existent subdomains |
+-------+-----------+----------+------------------------------------+ +-------+-----------+----------+------------------------------------+
| p | [this | active | Requested Domain Owner | | p | RFC 9989 | active | Requested Domain Owner |
| | document] | | Assessment Policy | | | | | Assessment Policy |
+-------+-----------+----------+------------------------------------+ +-------+-----------+----------+------------------------------------+
| pct | [RFC7489] | historic | Sampling rate | | pct | [RFC7489] | historic | Sampling rate |
+-------+-----------+----------+------------------------------------+ +-------+-----------+----------+------------------------------------+
| psd | [this | active | Indicates whether the DMARC | | psd | RFC 9989 | active | Indicates whether the DMARC |
| | document] | | Policy Record is published | | | | | Policy Record is published |
| | | | by a Public Suffix Domain | | | | | by a Public Suffix Domain |
+-------+-----------+----------+------------------------------------+ +-------+-----------+----------+------------------------------------+
| rf | [RFC7489] | historic | Failure reporting format(s) | | rf | [RFC7489] | historic | Failure reporting format(s) |
+-------+-----------+----------+------------------------------------+ +-------+-----------+----------+------------------------------------+
| ri | [RFC7489] | historic | Aggregate Reporting | | ri | [RFC7489] | historic | Aggregate Reporting |
| | | | interval | | | | | interval |
+-------+-----------+----------+------------------------------------+ +-------+-----------+----------+------------------------------------+
| rua | [this | active | Reporting URI(s) for DMARC | | rua | RFC 9989 | active | Reporting URI(s) for DMARC |
| | document] | | aggregate feedback reports | | | | | aggregate feedback reports |
+-------+-----------+----------+------------------------------------+ +-------+-----------+----------+------------------------------------+
| ruf | [this | active | Reporting URI(s) for | | ruf | RFC 9989 | active | Reporting URI(s) for |
| | document] | | message-specific DMARC | | | | | message-specific DMARC |
| | | | failure reports | | | | | failure reports |
+-------+-----------+----------+------------------------------------+ +-------+-----------+----------+------------------------------------+
| sp | [this | active | Requested Domain Owner | | sp | RFC 9989 | active | Requested Domain Owner |
| | document] | | Assessment Policy for | | | | | Assessment Policy for |
| | | | subdomains | | | | | subdomains |
+-------+-----------+----------+------------------------------------+ +-------+-----------+----------+------------------------------------+
| t | [this | active | DMARC policy test mode | | t | RFC 9989 | active | DMARC policy test mode |
| | document] | | |
+-------+-----------+----------+------------------------------------+ +-------+-----------+----------+------------------------------------+
| v | [this | active | DMARC specification version | | v | RFC 9989 | active | DMARC specification version |
| | document] | | |
+-------+-----------+----------+------------------------------------+ +-------+-----------+----------+------------------------------------+
Table 5: "DMARC Tags Registry Updatee" Table 5: DMARC Tags Registry Update
9.4. DMARC Report Formats Registry Update 9.4. DMARC Report Formats Registry Update
Also within the registry group "Domain-based Message Authentication,
Reporting, and Conformance (DMARC)" a registry called "DMARC Report
Formats" exists and should be updated to reference this document.
Names of DMARC failure reporting formats are registered with IANA in Names of DMARC failure reporting formats are registered with IANA in
this registry. Entries are assigned only for values that have been the "DMARC Report Formats" registry within the "Domain-based Message
documented in a manner that satisfies the terms of Specification Authentication, Reporting, and Conformance (DMARC)" registry group.
Required, per [RFC8126]. In addition to a reference to a permanent
specification, each registration includes the format name, the Entries are assigned only for values that have been documented in a
format's status, and a brief description of the format. The manner that satisfies the terms of Specification Required, per
Designated Expert needs to confirm that the provided specification [RFC8126]. In addition to a reference to a permanent specification,
adequately describes the report format and clearly presents how it each registration includes the format name, the format's status, and
would be used within the DMARC context by Domain Owners and Mail a brief description of the format. The designated expert needs to
Receivers. The "status" column is one of the following: confirm that the provided specification adequately describes the
report format and clearly presents how it would be used within the
DMARC context by Domain Owners and Mail Receivers. The "status"
column is one of the following:
* "active", meaning the format is in use in current implementations, * "active", meaning the format is in use in current implementations,
and its specifications is expected to be stable and its specifications is expected to be stable
* "experimental", meaning the format is relatively new and may be in * "experimental", meaning the format is relatively new and may be in
use in some current implementations but not in others, and its use in some current implementations but not in others, and its
specification is not expected to be stable specification is not expected to be stable
* "historic", meaning the format is considered deprecated and is not * "historic", meaning the format is considered deprecated and is not
expected to be in use in any current implementation expected to be in use in any current implementation
The entry to be updated in this registry is as follows: IANA has listed this document (rather than [RFC7489]) as the
reference for the registry. IANA has updated the registry as
follows:
+========+===========+========+==================================+ +========+===========+========+==================================+
| Format | Reference | Status | Description | | Format | Reference | Status | Description |
| Name | | | | | Name | | | |
+========+===========+========+==================================+ +========+===========+========+==================================+
| afrf | [this | active | Authentication Failure Reporting | | afrf | RFC 9989 | active | Authentication Failure Reporting |
| | document] | | Format (see [RFC6591]) | | | | | Format (see [RFC6591]) |
+--------+-----------+--------+----------------------------------+ +--------+-----------+--------+----------------------------------+
Table 6: "DMARC Report Formats Registry Update" Table 6: DMARC Report Formats Registry Update
9.5. Underscored and Globally Scoped DNS Node Names Registry Update 9.5. Underscored and Globally Scoped DNS Node Names Registry Update
A registry group called "Domain Name System (DNS) Parameters" exists, The names of DNS Resource Records (RRs) beginning with an underscore
and within it, a registry called "Underscored and Globally Scoped DNS
Node Names" exists, and that registry should be updated to reference
this document.
The names of DNS Resource Records beginning with an underscore
character that are globally scoped (as per [RFC8552]) are registered character that are globally scoped (as per [RFC8552]) are registered
with IANA in this registry. In addition to a reference to a with IANA in the "Underscored and Globally Scoped DNS Node Names"
permanent specification, each registration contains the DNS Resource registry within the "Domain Name System (DNS) Parameters" registry
Record (RR) type and Node Name. The Designated Expert needs to group.
confirm that the provided specification adequately describes the Node
Name and clearly presents how it would be used within the DMARC
context by Domain Owners and Mail Receivers.
The entry to be updated in this registry is as follows: In addition to a reference to a permanent specification, each
registration contains the DNS Resource Record (RR) type and Node
Name. The designated expert needs to confirm that the provided
specification adequately describes the Node Name and clearly presents
how it would be used within the DMARC context by Domain Owners and
Mail Receivers.
+=========+============+=================+ IANA has updated the reference for following entry to point to this
| RR Type | _NODE NAME | Reference | document (instead of [RFC7489]):
+=========+============+=================+
| TXT | _dmarc | [this document] |
+---------+------------+-----------------+
Table 7: "Underscored and Globally +=========+============+===========+
Scoped DNS Node Names Registry Update" | RR Type | _NODE NAME | Reference |
+=========+============+===========+
| TXT | _dmarc | RFC 9989 |
+---------+------------+-----------+
Table 7: Underscored and
Globally Scoped DNS Node Names
Registry Update
10. Privacy Considerations 10. Privacy Considerations
This section discusses issues specific to private data that may be This section discusses issues specific to private data that may be
included if DMARC reports are requested. Issues associated with included if DMARC reports are requested. Issues associated with
sending aggregate reports and failure reports are addressed in sending aggregate reports and failure reports are addressed in
[I-D.ietf-dmarc-aggregate-reporting] and [RFC9990] and [RFC9991], respectively.
[I-D.ietf-dmarc-failure-reporting] respectively.
10.1. Aggregate Report Considerations 10.1. Aggregate Report Considerations
Aggregate reports may, particularly for small organizations, provide Aggregate reports may, particularly for small organizations, provide
some limited insight into email sending patterns. As an example, in some limited insight into email sending patterns. As an example, in
a small organization, an aggregate report from a particular domain a small organization, an aggregate report from a particular domain
may be sufficient to make the Report Consumer aware of sensitive may be sufficient to make the Report Consumer aware of sensitive
personal or business information. If setting an "rua" tag in a DMARC personal or business information. If setting a "rua" tag in a DMARC
Policy Record, the reporting address needs controls appropriate to Policy Record, the reporting address needs controls appropriate to
the organizational requirements to mitigate any risk associated with the organizational requirements to mitigate any risk associated with
receiving and handling reports. receiving and handling reports.
In the case of "rua" requests for multi-organizational PSDs, In the case of "rua" requests for multi-organizational PSDs,
additional information leakage considerations exist. Multi- additional information leakage considerations exist. Multi-
organizational PSDs that do not mandate DMARC use by registrants risk organizational PSDs that do not mandate DMARC use by registrants risk
exposure of private data of registrant domains if they include the exposure of private data of registrant domains if they include the
"rua" tag in their DMARC Policy Record. "rua" tag in their DMARC Policy Record.
10.2. Failure Report Considerations 10.2. Failure Report Considerations
Failure reports do provide insight into email sending patterns, Failure reports do provide insight into email sending patterns,
including specific users. If requesting failure reports, data including specific users. If requesting failure reports, data
management controls are needed to support appropriate management of management controls are needed to support appropriate management of
this information. The additional detail available through failure this information. The additional details available through failure
reports (relative to aggregate reports) can drive a need for reports (relative to aggregate reports) can drive a need for
additional controls. As an example, a company may be legally additional controls. As an example, a company may be legally
restricted from receiving data related to a specific subsidiary. restricted from receiving data related to a specific subsidiary.
Before requesting failure reports, any such data spillage risks have Before requesting failure reports, any such data spillage risks have
to be addressed through data management controls or publishing DMARC to be addressed through data management controls or publishing DMARC
Policy Records for relevant subdomains to prevent reporting on data Policy Records for relevant subdomains to prevent reporting on data
related to their emails. related to their emails.
Due to the nature of the email contents which may be shared through Due to the nature of the email contents that may be shared through
Failure Reports, most Mail Receivers refuse to send them out of failure reports, most Mail Receivers refuse to send them out of
privacy concerns. Out of band agreements between Report Consumers privacy concerns. Out-of-band agreements between Report Consumers
and Mail Receivers may be required to address these concerns. and Mail Receivers may be required to address these concerns.
DMARC Policy Records for multi-organizational PSDs MUST NOT include DMARC Policy Records for multi-organizational PSDs MUST NOT include
the "ruf" tag. the "ruf" tag.
11. Security Considerations 11. Security Considerations
This section discusses security issues and possible remediations This section discusses security issues and possible remediations
(where available) for DMARC. (where available) for DMARC.
11.1. Authentication Methods 11.1. Authentication Methods
Security considerations from the authentication methods used by DMARC Security considerations from the authentication methods used by DMARC
are incorporated here by reference. are incorporated here by reference.
Both of the email authentication methods that underlie DMARC provide Both of the email authentication methods that underlie DMARC provide
some assurance that an email was transmitted by an MTA which is some assurance that an email was transmitted by an MTA that is
authorized to do so. SPF policies map domain names to sets of authorized to do so. SPF policies map domain names to sets of
authorized MTAs (see Section 11.4 of [RFC7208]). Validated DKIM authorized MTAs (see Section 11.4 of [RFC7208]). Validated DKIM
signatures indicate that an email was transmitted by an MTA with signatures indicate that an email was transmitted by an MTA with
access to a private key that matches the published DKIM key record. access to a private key that matches the published DKIM key record.
Whenever mail is sent, there is a risk that an overly permissive Whenever mail is sent, there is a risk that an overly permissive
source may send mail that will receive a DMARC pass result that was source may send mail that will receive a DMARC "pass" result that was
not, in fact, intended by the Domain Owner. These results may lead not, in fact, intended by the Domain Owner. These results may lead
to issues when systems interpret DMARC pass results to indicate a to issues when systems interpret DMARC "pass" results to indicate a
message is in some way authentic. They also allow such unauthorized message is in some way authentic. They also allow such unauthorized
senders to evade the Domain Owner's intended message handling for senders to evade the Domain Owner's intended message handling for
DMARC validation failures. DMARC validation failures.
To avoid this risk one must ensure that no unauthorized source can To avoid this risk, one must ensure that no unauthorized source can
add DKIM signatures to the domain's mail or transmit mail which will add DKIM signatures to the domain's mail or transmit mail that will
evaluate as SPF pass. If, nonetheless, a Domain Owner wishes to evaluate as an SPF "pass" result. Nonetheless, if a Domain Owner
include a permissive source in a domain's SPF record, the source can wishes to include a permissive source in a domain's SPF record, the
be excluded from DMARC consideration by using the "?" qualifier on source can be excluded from DMARC consideration by using the "?"
the SPF record mechanism associated with that source. The DMARC qualifier on the SPF record mechanism associated with that source.
working group had a lively discussion about possibly eliminating SPF The DMARC Working Group had a lively discussion about possibly
entirely as an underlying Authentication Mechanism for DMARC, but eliminating SPF entirely as an underlying authentication mechanism
consensus was not reached, and the suggestion to use the "?" for DMARC, but consensus was not reached, and the suggestion to use
qualifier for permissive sources is presented here instead. the "?" qualifier for permissive sources is presented here instead.
11.2. Attacks on Reporting URIs 11.2. Attacks on Reporting URIs
URIs published in DNS TXT records are well-understood possible URIs published in DNS TXT records are well-understood possible
targets for attack. Specifications such as [RFC1035] and [RFC2142] targets for an attack. Specifications such as [RFC1035] and
either expose or cause the exposure of email addresses that could be [RFC2142] either expose or cause the exposure of email addresses that
flooded by an attacker, for example. Records found in the DNS such could be flooded by an attacker, for example. Records found in the
as MX, NS, and others advertise potential attack destinations. DNS such as MX, NS, and others advertise potential attack
Common DNS names such as "www" plainly identify the locations at destinations. Common DNS names, such as "www", plainly identify the
which particular services can be found, providing destinations for locations at which particular services can be found, providing
targeted denial-of-service or penetration attacks. This all means destinations for targeted denial-of-service or penetration attacks.
that Domain Owners will need to harden these addresses against This all means that Domain Owners will need to harden these addresses
various attacks, including but not limited to: against various attacks, including but not limited to:
* high-volume denial-of-service attacks; * high-volume denial-of-service attacks;
* deliberate construction of malformed reports intended to identify * deliberate construction of malformed reports intended to identify
or exploit parsing or processing vulnerabilities; or exploit parsing or processing vulnerabilities; and
* deliberate construction of reports containing false claims for the * deliberate construction of reports containing false claims for the
Submitter or Reported-Domain fields, including the possibility of Submitter or Reported-Domain fields, including the possibility of
false data from compromised but known Mail Receivers. false data from compromised but known Mail Receivers.
11.3. DNS Security 11.3. DNS Security
The DMARC mechanism and its underlying Authentication Mechanisms (SPF The DMARC mechanism and its underlying authentication mechanisms (SPF
and DKIM) depend on the security of the DNS. Examples of how hostile and DKIM) depend on the security of the DNS. Examples of how hostile
parties can have an adverse impact on DNS traffic include: parties can have an adverse impact on DNS traffic include:
* If they can snoop on DNS traffic, they can get an idea of who is * If they can snoop on DNS traffic, they can get an idea of who is
receiving mail using the domain(s) in question. receiving mail using the domain(s) in question.
* If they can block outgoing or reply DNS messages, they can prevent * If they can block outgoing or reply DNS messages, they can prevent
systems from discovering senders' DMARC policies. systems from discovering senders' DMARC policies.
* If they can send forged response packets, they can make aligned * If they can send forged response packets, they can make aligned
mail appear unaligned or vice-versa. mail appear unaligned or vice versa.
None of these threats are unique to DMARC, and they can be addressed None of these threats are unique to DMARC, and they can be addressed
using a variety of techniques, including, but not limited to: using a variety of techniques including, but not limited to, the
following:
* Signing DNS records with Domain Name System Security Extensions * Signing DNS records with Domain Name System Security Extensions
(DNSSEC) [RFC9364], which enables recipients to validate the (DNSSEC) [RFC9364], which enables recipients to validate the
integrity of DNS data and detect and discard forged responses. integrity of DNS data and detect and discard forged responses.
* DNS over TLS [RFC7858] or DNS over HTTPS [RFC8484] can mitigate * DNS over TLS [RFC7858] or DNS over HTTPS [RFC8484] can mitigate
snooping and forged responses. snooping and forged responses.
11.4. Display Name Attacks 11.4. Display Name Attacks
An increasingly common attack in messaging abuse is the presentation An increasingly common attack in messaging abuse is the presentation
of false information in the display-name portion of the RFC5322.From of false information in the display name portion of the RFC5322.From
header field. For example, it is possible for the email address in header field. For example, it is possible for the email address in
that field to be an arbitrary address or domain name while containing that field to be an arbitrary address or domain name while containing
a well-known name (a person, brand, role, etc.) in the display name, a well-known name (a person, brand, role, etc.) in the display name,
intending to fool the end user into believing that the name is used intending to fool the end user into believing that the name is used
legitimately. legitimately.
Such attacks, known as display name attacks, are out of scope for Such attacks, known as display name attacks, are out of scope for
DMARC. DMARC.
11.5. Denial of DMARC Processing Attacks 11.5. Denial of DMARC Processing Attacks
The declaration in Section 5.3.1 and elsewhere in this document that The declaration in Section 5.3.1 and elsewhere in this document that
messages that do not contain precisely one RFC5322.From domain are messages that do not contain precisely one RFC5322.From domain are
outside the scope of this document exposes an attack vector that must outside the scope of this document exposes an attack vector that must
be taken into consideration. be taken into consideration.
Because such messages are outside the scope of this document, an Because such messages are outside the scope of this document, an
attacker can craft messages with multiple RFC5322.From domains, attacker can craft messages with multiple RFC5322.From domains,
including the spoofed domain, in an effort to bypass DMARC validation including the spoofed domain, in an effort to bypass DMARC validation
and get the fraudulent message to be displayed by the victim's MUA and get the fraudulent message to be displayed by the victim's Mail
with the spoofed domain successfully shown to the victim. In those User Agent (MUA) with the spoofed domain successfully shown to the
cases where such messages are not rejected due to other reasons (for victim. In those cases where such messages are not rejected due to
example, many such messages would violate RFC5322's requirement that other reasons (for example, many such messages would violate the
there be precisely one From: header field), care must be taken by the requirement described in [RFC5322] that there be precisely one From:
Mail Receiver to recognize such messages as the threats they might be header field), care must be taken by the Mail Receiver to recognize
and handle them appropriately. such messages as the threats they might be and handle them
appropriately.
The case of a syntactically valid multi-valued RFC5322.From field The case of a syntactically valid multi-valued RFC5322.From field
presents a particular challenge. Experience has shown that most such presents a particular challenge. Experience has shown that most such
messages are abusive and/or unwanted by their recipients, and given messages are abusive and/or unwanted by their recipients, and given
this fact, a Mail Receiver may make a negative disposition decision this fact, a Mail Receiver may make a negative disposition decision
for the message prior to and instead of its being subjected to DMARC for the message prior to and instead of its being subjected to DMARC
processing. However, in a case where a Mail Receiver requires that processing. However, in a case where a Mail Receiver requires that
the message be subject to DMARC validation, a recommended approach as the message be subject to DMARC validation, a recommended approach as
per [RFC7489] is to apply the DMARC mechanism to each domain found in per [RFC7489] is to apply the DMARC mechanism to each domain found in
the RFC5322.From field as the Author Domain and apply the most strict the RFC5322.From field as the Author Domain and apply the most strict
policy selected among the checks that fail. Such an approach might policy selected among the checks that fail. Such an approach might
prove useful for a small number of Author Domains, but it is possible prove useful for a small number of Author Domains, but it is possible
that applying such logic to messages with a large number of domains that applying such logic to messages with a large number of domains
(where "large" is defined by each Mail Receiver) will expose the Mail (where "large" is defined by each Mail Receiver) will expose the Mail
Receiver to a form of denial of service attack. Limiting the number Receiver to a form of denial-of-service attack. Limiting the number
of Author Domains processed will avoid this risk. If not all Author of Author Domains processed will avoid this risk. If not all Author
Domains are processed, then the DMARC evaluation is incomplete. Domains are processed, then the DMARC evaluation is incomplete.
11.6. External Reporting Addresses 11.6. External Reporting Addresses
To avoid abuse by bad actors, reporting addresses generally have to To avoid abuse by bad actors, reporting addresses generally have to
be inside the domains about which reports are requested. To be inside the domains about which reports are requested. To
accommodate special cases such as a need to get reports about domains accommodate special cases, such as a need to get reports about
that cannot actually receive mail, Section 3 of domains that cannot actually receive mail, Section 3 of [RFC9990]
[I-D.ietf-dmarc-aggregate-reporting] describes a DNS-based mechanism describes a DNS-based mechanism for validating approved external
for validating approved external reporting. reporting.
The obvious consideration here is an increased DNS load against The obvious consideration here is an increased DNS load against
domains that are claimed as external recipients. Negative caching domains that are claimed as external recipients. Negative caching
will mitigate this problem, but only to a limited extent, mostly will mitigate this problem, but only to a limited extent, mostly
dependent on the default TTL in the domain's SOA record. dependent on the default TTL in the domain's SOA record.
Where possible, external reporting is best achieved by having the Where possible, external reporting is best achieved by having the
report be directed to domains that can receive mail and simply having report be directed to domains that can receive mail and simply having
it automatically forwarded to the desired external destination. it automatically forwarded to the desired external destination.
skipping to change at page 54, line 47 skipping to change at line 2539
monitor such transmissions. Unencrypted mechanisms SHOULD be monitor such transmissions. Unencrypted mechanisms SHOULD be
avoided. avoided.
In particular, a message that was originally encrypted or otherwise In particular, a message that was originally encrypted or otherwise
secured might appear in a report that is not sent securely, which secured might appear in a report that is not sent securely, which
could reveal private information. could reveal private information.
11.8. Relaxed Alignment Considerations 11.8. Relaxed Alignment Considerations
The DMARC mechanism allows both DKIM- and SPF-Authenticated The DMARC mechanism allows both DKIM- and SPF-Authenticated
Identifiers (#identifier-alignment-explained) to validate authorized Identifiers (Section 4.4) to validate authorized use of an Author
use of an Author Domain (#author-domain) on behalf of a Domain Owner Domain (Section 3.2.2) on behalf of a Domain Owner (Section 3.2.7).
(#domain-owner). If malicious or unaware users can gain control of If malicious or unaware users can gain control of the SPF record or
the SPF record or DKIM selector records for a subdomain of the DKIM selector records for a subdomain of the Organizational Domain,
Organizational Domain, the subdomain can be used to generate email the subdomain can be used to generate email that achieves a DMARC
that achieves a DMARC pass on behalf of the Organizational Domain. pass on behalf of the Organizational Domain.
A scenario such as this could occur under the following conditions: A scenario such as this could occur under the following conditions:
* A DMARC Policy Record exists for the domain "example.com", such * A DMARC Policy Record exists for the domain "example.com", such
that "example.com" is an Organizational Domain that "example.com" is an Organizational Domain.
* An attacker controls DNS for the domain "evil.example.com" and * An attacker controls DNS for the domain "evil.example.com" and
publishes an SPF record for that domain publishes an SPF record for that domain.
* The attacker sends email with RFC5322.From header field containing
"foo@example.com" and an SPF-Authenticated Identifier of * The attacker sends email with the RFC5322.From header field
"evil.example.com" containing "foo@example.com" and an SPF-Authenticated Identifier
of "evil.example.com".
Although this email was not authorized by the Domain Owner, it can Although this email was not authorized by the Domain Owner, it can
produce a DMARC pass because the SPF-Authenticated Identifier produce a DMARC pass because the SPF-Authenticated Identifier
("evil.example.com") has Identifier Alignment with the Author Domain ("evil.example.com") has Identifier Alignment with the Author Domain
("example.com"). ("example.com").
The Organizational Domain Owner should be careful not to delegate The Organizational Domain Owner should be careful not to delegate
control of subdomains if this is an issue, and consider using the control of subdomains if this is an issue and consider using the
Strict Alignment (#strict-alignment) option if appropriate. strict alignment (Section 3.2.10.2) option if appropriate.
DMARC evaluation for relaxed alignment is also highly sensitive to DMARC evaluation for relaxed alignment is also highly sensitive to
errors in determining the Organizational Domain if the Author Domain errors in determining the Organizational Domain if the Author Domain
does not have a published DMARC Policy Record (#dmarc-policy-record). does not have a published DMARC Policy Record (Section 3.2.6). If an
If an incorrectly selected Organizational Domain is a parent of the incorrectly selected Organizational Domain is a parent of the correct
correct Organizational Domain, then relaxed alignment could Organizational Domain, then relaxed alignment could potentially allow
potentially allow a malicious sender to send mail that achieves a a malicious sender to send mail that achieves a DMARC pass verdict.
DMARC pass verdict. This potential exists for both the legacy This potential exists for both the legacy [RFC7489] and current
[RFC7489] and current methods for determining the organizational methods for determining the Organizational Domain; the latter is
domain, the latter described in Section 4.10.2. described in Section 4.10.2.
The following example illustrates this possibility: The following example illustrates this possibility:
* Mail is sent with an Author Domain of "a.mail.example.com" and * Mail is sent with an Author Domain of "a.mail.example.com" and
Authenticated Identifiers of "mail.example.com" Authenticated Identifiers of "mail.example.com".
* There is no DMARC Policy Record published at * There is no DMARC Policy Record published at
"_dmarc.a.mail.example.com" "_dmarc.a.mail.example.com".
* There is one published at "_dmarc.mail.example.com" and this is * There is one published at "_dmarc.mail.example.com" and this is
intended to be the Organizational Domain for this message intended to be the Organizational Domain for this message.
* There is also a DMARC Policy Record published at * There is also a DMARC Policy Record published at
"_dmarc.example.com", with default alignment (relaxed) "_dmarc.example.com", with default alignment (relaxed).
* An attacker is able to send mail with the Author Domain of * An attacker is able to send mail with the Author Domain of
"evil.example.com" and an Authenticated Identifier of "evil.example.com" and an Authenticated Identifier of
"mail.example.com" "mail.example.com".
In this scenario, if a Mail Receiver incorrectly determines the In this scenario, if a Mail Receiver incorrectly determines the
Organizational Domain to be "example.com", then the attacker's mail Organizational Domain to be "example.com", then the attacker's mail
will pass DMARC validation checks. will pass DMARC validation checks.
This issue is entirely avoided by the use of Strict Alignment and This issue is entirely avoided by the use of strict alignment and
publishing explicit DMARC Policy Records for all Author Domains used publishing explicit DMARC Policy Records for all Author Domains used
in an organization's email. in an organization's email.
For cases where Strict Alignment is not appropriate, this issue can For cases where strict alignment is not appropriate, this issue can
be mitigated by the Domain Owner periodically (perhaps weekly, or be mitigated by the Domain Owner periodically checking (perhaps
whatever frequency might be appropriate for a given organization's weekly or whatever frequency might be appropriate for a given
operational needs) checking the DMARC Policy Records, if any, of PSDs organization's operational needs) the DMARC Policy Records, if any,
(#public-suffix-domain) above the Organizational Domain in the DNS of PSDs (Section 3.2.15) above the Organizational Domain in the DNS
tree and (for legacy [RFC7489] checking that appropriate PSL entries tree (and for legacy [RFC7489], checking that appropriate PSL entries
remain present). If a PSD publishes a DMARC Policy Record without remain present). If a PSD publishes a DMARC Policy Record without
the appropriate "psd=y" tag, Organizational Domain owners can add the appropriate "psd=y" tag, Organizational Domain owners can add
"psd=n" to their Organizational Domain's DMARC Policy Record so that "psd=n" to their Organizational Domain's DMARC Policy Record so that
the PSD's DMARC Policy Record will not be incorrectly interpreted to the PSD's DMARC Policy Record will not be incorrectly interpreted to
indicate that the PSD is the Organizational Domain. indicate that the PSD is the Organizational Domain.
12. References 12. References
12.1. Normative References 12.1. Normative References
[I-D.ietf-dmarc-aggregate-reporting]
Brotman, A., "Domain-based Message Authentication,
Reporting, and Conformance (DMARC) Aggregate Reporting",
Work in Progress, Internet-Draft, draft-ietf-dmarc-
aggregate-reporting-32, 17 March 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-dmarc-
aggregate-reporting-32>.
[I-D.ietf-dmarc-failure-reporting]
Jones, S. M. and A. Vesely, "Domain-based Message
Authentication, Reporting, and Conformance (DMARC) Failure
Reporting", Work in Progress, Internet-Draft, draft-ietf-
dmarc-failure-reporting-12, 9 January 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-dmarc-
failure-reporting-12>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <https://www.rfc-editor.org/info/rfc1035>. November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
skipping to change at page 58, line 19 skipping to change at line 2688
[RFC7208] Kitterman, S., "Sender Policy Framework (SPF) for [RFC7208] Kitterman, S., "Sender Policy Framework (SPF) for
Authorizing Use of Domains in Email, Version 1", RFC 7208, Authorizing Use of Domains in Email, Version 1", RFC 7208,
DOI 10.17487/RFC7208, April 2014, DOI 10.17487/RFC7208, April 2014,
<https://www.rfc-editor.org/info/rfc7208>. <https://www.rfc-editor.org/info/rfc7208>.
[RFC7405] Kyzivat, P., "Case-Sensitive String Support in ABNF", [RFC7405] Kyzivat, P., "Case-Sensitive String Support in ABNF",
RFC 7405, DOI 10.17487/RFC7405, December 2014, RFC 7405, DOI 10.17487/RFC7405, December 2014,
<https://www.rfc-editor.org/info/rfc7405>. <https://www.rfc-editor.org/info/rfc7405>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8601] Kucherawy, M., "Message Header Field for Indicating [RFC8601] Kucherawy, M., "Message Header Field for Indicating
Message Authentication Status", RFC 8601, Message Authentication Status", RFC 8601,
DOI 10.17487/RFC8601, May 2019, DOI 10.17487/RFC8601, May 2019,
<https://www.rfc-editor.org/info/rfc8601>. <https://www.rfc-editor.org/info/rfc8601>.
[RFC9990] Brotman, A., Ed., "Domain-Based Message Authentication,
Reporting, and Conformance (DMARC) Aggregate Reporting",
RFC 9990, DOI 10.17487/RFC9990, May 2026,
<https://www.rfc-editor.org/info/rfc9990>.
[RFC9991] Jones, S. M., Ed. and A. Vesely, Ed., "Domain-Based
Message Authentication, Reporting, and Conformance (DMARC)
Failure Reporting", RFC 9991, DOI 10.17487/RFC9991, May
2026, <https://www.rfc-editor.org/info/rfc9991>.
12.2. Informative References 12.2. Informative References
[M3AUTH] "M3AAWG Email Authentication Recommended Best Practices", [M3AUTH] Messaging Malware Mobile Anti-Abuse Working Group
<https://www.m3aawg.org/sites/default/files/m3aawg-email- (M3AAWG), "M3AAWG Email Authentication Recommended Best
authentication-recommended-best-practices-09-2020.pdf>. Practices", <https://www.m3aawg.org/sites/default/files/
m3aawg-email-authentication-recommended-best-practices-
09-2020.pdf>.
[M3SPF] "M3AAWG Best Practices for Managing SPF Records", [M3SPF] Messaging Malware Mobile Anti-Abuse Working Group
<https://www.m3aawg.org/Managing-SPF-Records>. (M3AAWG), "M3AAWG Best Practices for Managing SPF
Records", <https://www.m3aawg.org/Managing-SPF-Records>.
[RFC2142] Crocker, D., "Mailbox Names for Common Services, Roles and [RFC2142] Crocker, D., "Mailbox Names for Common Services, Roles and
Functions", RFC 2142, DOI 10.17487/RFC2142, May 1997, Functions", RFC 2142, DOI 10.17487/RFC2142, May 1997,
<https://www.rfc-editor.org/info/rfc2142>. <https://www.rfc-editor.org/info/rfc2142>.
[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998, NCACHE)", RFC 2308, DOI 10.17487/RFC2308, March 1998,
<https://www.rfc-editor.org/info/rfc2308>. <https://www.rfc-editor.org/info/rfc2308>.
[RFC3464] Moore, K. and G. Vaudreuil, "An Extensible Message Format [RFC3464] Moore, K. and G. Vaudreuil, "An Extensible Message Format
skipping to change at page 59, line 35 skipping to change at line 2767
[RFC8020] Bortzmeyer, S. and S. Huque, "NXDOMAIN: There Really Is [RFC8020] Bortzmeyer, S. and S. Huque, "NXDOMAIN: There Really Is
Nothing Underneath", RFC 8020, DOI 10.17487/RFC8020, Nothing Underneath", RFC 8020, DOI 10.17487/RFC8020,
November 2016, <https://www.rfc-editor.org/info/rfc8020>. November 2016, <https://www.rfc-editor.org/info/rfc8020>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>. <https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS [RFC8484] Hoffman, P. and P. McManus, "DNS Queries over HTTPS
(DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018, (DoH)", RFC 8484, DOI 10.17487/RFC8484, October 2018,
<https://www.rfc-editor.org/info/rfc8484>. <https://www.rfc-editor.org/info/rfc8484>.
[RFC8551] Schaad, J., Ramsdell, B., and S. Turner, "Secure/ [RFC8551] Schaad, J., Ramsdell, B., and S. Turner, "Secure/
Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Multipurpose Internet Mail Extensions (S/MIME) Version 4.0
Message Specification", RFC 8551, DOI 10.17487/RFC8551, Message Specification", RFC 8551, DOI 10.17487/RFC8551,
April 2019, <https://www.rfc-editor.org/info/rfc8551>. April 2019, <https://www.rfc-editor.org/info/rfc8551>.
[RFC8552] Crocker, D., "Scoped Interpretation of DNS Resource [RFC8552] Crocker, D., "Scoped Interpretation of DNS Resource
skipping to change at page 60, line 40 skipping to change at line 2816
a standard for encrypting and signing MIME data in a message. This a standard for encrypting and signing MIME data in a message. This
was suggested and considered as a third security protocol for was suggested and considered as a third security protocol for
authenticating the source of a message. authenticating the source of a message.
DMARC is focused on authentication at the domain level (i.e., the DMARC is focused on authentication at the domain level (i.e., the
Domain Owner taking responsibility for the message), while S/MIME is Domain Owner taking responsibility for the message), while S/MIME is
really intended for user-to-user authentication and encryption. This really intended for user-to-user authentication and encryption. This
alone appears to make it a bad fit for DMARC's goals. alone appears to make it a bad fit for DMARC's goals.
S/MIME also suffers from the heavyweight problem of Public Key S/MIME also suffers from the heavyweight problem of Public Key
Infrastructure, which means that distribution of keys used to Infrastructure (PKI), which means that distribution of keys used to
validate signatures needs to be incorporated. In many instances, validate signatures needs to be incorporated. In many instances,
this alone is a showstopper. There have been consistent promises this alone is a showstopper. There have been consistent promises
that PKI usability and deployment will improve, but these have yet to that PKI usability and deployment will improve, but these have yet to
materialize. DMARC can revisit this choice after those barriers are materialize. DMARC can revisit this choice after those barriers are
addressed. addressed.
S/MIME has extensive deployment in specific market segments S/MIME has extensive deployment in specific market segments
(government, for example) but does not enjoy similar widespread (government, for example) but does not enjoy similar widespread
deployment over the general Internet, and this shows no signs of deployment over the general Internet, and this shows no signs of
changing. DKIM and SPF are both deployed widely over the general changing. DKIM and SPF are both deployed widely over the general
skipping to change at page 61, line 32 skipping to change at line 2856
mechanisms on several occasions and invariably concluded that there mechanisms on several occasions and invariably concluded that there
was not a strong enough use case to include them. The target was not a strong enough use case to include them. The target
audience for DMARC does not appear to have concerns about the failure audience for DMARC does not appear to have concerns about the failure
modes of one or the other being a barrier to DMARC's adoption. modes of one or the other being a barrier to DMARC's adoption.
In the scenario described above, the Domain Owner has a few options: In the scenario described above, the Domain Owner has a few options:
1. Tighten up its infrastructure to minimize the failure modes of 1. Tighten up its infrastructure to minimize the failure modes of
the single deployed technology. the single deployed technology.
2. Deploy the other supported authentication mechanism, to offset 2. Deploy the other supported authentication mechanism to offset the
the failure modes of the first. failure modes of the first.
3. Deploy DMARC in a reporting-only mode. 3. Deploy DMARC in a reporting-only mode.
A.3. Sender Header Field A.3. Sender Header Field
It has been suggested in several message authentication efforts that It has been suggested in several message authentication efforts that
the Sender header field be checked for an identifier of interest, as the Sender header field be checked for an identifier of interest, as
the standards indicate this as the proper way to indicate a re- the standards indicate this as the proper way to indicate a re-
mailing of content such as through a mailing list. Most recently, it mailing of content such as through a mailing list. Most recently, it
was a protocol-level option for DomainKeys [RFC4870], but on was a protocol-level option for DomainKeys [RFC4870], but on
skipping to change at page 62, line 36 skipping to change at line 2909
RRs, or AAAA RRs are deemed to be resolvable and to exist in the DNS. RRs, or AAAA RRs are deemed to be resolvable and to exist in the DNS.
This is a common practice among Mail Receivers to determine whether This is a common practice among Mail Receivers to determine whether
or not to accept a mail message before performing other more or not to accept a mail message before performing other more
expensive processing. expensive processing.
The DMARC mechanism makes no such requirement for the existence of The DMARC mechanism makes no such requirement for the existence of
specific DNS RRs in order for a domain to exist; instead, if any RR specific DNS RRs in order for a domain to exist; instead, if any RR
exists for a domain, then the domain exists. To use the terminology exists for a domain, then the domain exists. To use the terminology
from [RFC2308], an "NXDOMAIN" response (rcode "Name Error") to a DNS from [RFC2308], an "NXDOMAIN" response (rcode "Name Error") to a DNS
query means that the domain name does not exist, while a "NODATA" query means that the domain name does not exist, while a "NODATA"
response (rcode "NOERROR") means that the given resource record type response (rcode "NOERROR") means that the given Resource Record type
queried for does not exist, but the domain name does. queried for does not exist, but the domain name does.
Furthermore, in keeping with [RFC8020], if a query for a name returns Furthermore, in keeping with [RFC8020], if a query for a name returns
NXDOMAIN, then not only does the name not exist, every name below it NXDOMAIN, then not only does the name not exist, every name below it
in the DNS hierarchy also does not exist. in the DNS hierarchy also does not exist.
A.5. Organizational Domain Discovery Issues A.5. Organizational Domain Discovery Issues
An earlier informational version of the DMARC mechanism [RFC7489] An earlier Informational version of the DMARC mechanism [RFC7489]
noted that the DNS does not provide a method by which the "domain of noted that the DNS does not provide a method by which the "domain of
record", or the domain that was actually registered with a domain record", or the domain that was actually registered with a domain
registrar, can be determined given an arbitrary domain name. That registrar, can be determined given an arbitrary domain name. That
version further mentioned suggestions that have been made that version further mentioned suggestions that have been made that
attempt to glean such information from SOA or NS resource records, attempt to glean such information from SOA or NS Resource Records,
but these too are not fully reliable, as the partitioning of the DNS but these too are not fully reliable, as the partitioning of the DNS
is not always done at administrative boundaries. is not always done at administrative boundaries.
That previous version posited that one could "climb the tree" to find That previous version posited that one could "climb the tree" to find
the Organizational Domain, but expressed concern that an attacker the Organizational Domain but expressed concern that an attacker
could exploit this for a denial-of-service attack through sending a could exploit this for a denial-of-service attack through sending a
high number of messages each with a relatively large number of high number of messages, each with a relatively large number of
nonsense labels, causing a Mail Receiver to perform a large number of nonsense labels, causing a Mail Receiver to perform a large number of
DNS queries in search of a DMARC Policy Record. This version defines DNS queries in search of a DMARC Policy Record. This version defines
a method for performing a DNS Tree Walk (#dns-tree-walk), and further a method for performing a DNS Tree Walk (Section 4.10) and further
mitigates the risk of the denial-of-service attack by expressly mitigates the risk of the denial-of-service attack by expressly
limiting the number of DNS queries to execute regardless of the limiting the number of DNS queries to execute regardless of the
number of labels in the domain name. number of labels in the domain name.
Readers curious about the previous method for Organizational Domain Readers curious about the previous method for Organizational Domain
Discovery are directed to Section 3.2 of [RFC7489]. Discovery are directed to Section 3.2 of [RFC7489].
A.6. Removal of the "pct" Tag A.6. Removal of the "pct" Tag
An earlier informational version of the DMARC mechanism [RFC7489] An earlier informational version of the DMARC mechanism [RFC7489]
included a "pct" tag and specified all integers from 0 to 100 included a "pct" tag and specified all integers from 0 to 100
inclusive as valid values for the tag. The intent of the tag was to inclusive as valid values for the tag. The intent of the tag was to
provide domain owners with a method to gradually change their provide Domain Owners with a method to gradually change their
preferred Domain Owner Assessment Policy (the "p" tag) from "none" to preferred Domain Owner Assessment Policy (the "p" tag) from "none" to
"quarantine" or from "quarantine" to "reject" by requesting the "quarantine" or from "quarantine" to "reject" by requesting the
stricter treatment for just a percentage of messages that produced stricter treatment for just a percentage of messages that produced
DMARC results of "fail". DMARC results of "fail".
Operational experience showed that the pct tag was usually not Operational experience showed that the "pct" tag was usually not
accurately applied, unless the value specified was either 0 or 100 accurately applied, unless the value specified was either 0 or 100
(the default), and the inaccuracies with other values varied widely (the default), and the inaccuracies with other values varied widely
from one implementation to another. The default value was easily from one implementation to another. The default value was easily
implemented, as it required no special processing on the part of the implemented, as it required no special processing on the part of the
Mail Receiver, while the value of 0 took on unintended significance Mail Receiver, while the value of 0 took on unintended significance
as a value used by some intermediaries and mailbox providers as an as a value used by some intermediaries and mailbox providers as an
indicator to deviate from standard handling of the message, usually indicator to deviate from standard handling of the message, usually
by rewriting the RFC5322.From header field in an effort to avoid by rewriting the RFC5322.From header field in an effort to avoid
DMARC failures downstream. DMARC failures downstream.
These custom actions when the "pct" tag was set to 0 proved valuable These custom actions when the "pct" tag was set to 0 proved value to
to the email community. In particular, header field rewriting by an the email community. In particular, header field rewriting by an
intermediary meant that a Domain Owner's aggregate reports could intermediary meant that a Domain Owner's aggregate reports could
reveal to the Domain Owner how much of its traffic was routing reveal to the Domain Owner how much of its traffic was routing
through intermediaries that don't rewrite the RFC5322.From header through intermediaries that don't rewrite the RFC5322.From header
field. Such information wasn't explicit in the aggregate reports field. Such information wasn't explicit in the aggregate reports
received; rather, sussing it out required work on the part of the received; rather, sussing it out required work on the part of the
Domain Owner to compare aggregate reports from before and after the Domain Owner to compare aggregate reports from before and after the
"p" value was changed and "pct=0" was included in the DMARC Policy "p" value was changed and "pct=0" was included in the DMARC Policy
Record, but the data was there. Consequently, knowing how much mail Record, but the data was there. Consequently, knowing how much mail
was subject to possible DMARC failure due to a lack of RFC5322.From was subject to possible DMARC failure due to a lack of RFC5322.From
header field rewriting by intermediaries could assist the Domain header field rewriting by intermediaries could assist the Domain
Owner in choosing whether to move from Monitoring Mode (#monitoring- Owner in choosing whether to move from Monitoring Mode
mode) to Enforcement (#enforcement). Armed with this knowledge, the (Section 3.2.12) to Enforcement (Section 3.2.9). Armed with this
Domain Owner could make an informed decision regarding subjecting its knowledge, the Domain Owner could make an informed decision regarding
mail traffic to possible DMARC failures based on the Domain Owner's subjecting its mail traffic to possible DMARC failures based on the
tolerance for such things. Domain Owner's tolerance for such things.
Because of the value provided by "pct=0" to Domain Owners, it was Because of the value provided by "pct=0" to Domain Owners, it was
logical to keep this functionality in the protocol; at the same time, logical to keep this functionality in the protocol; at the same time,
it didn't make sense to support a tag named "pct" that had only two it didn't make sense to support a tag named "pct" that had only two
valid values. This version of the DMARC mechanism, therefore, valid values. This version of the DMARC mechanism, therefore,
introduces the "t" tag as shorthand for "testing", with the valid introduces the "t" tag as shorthand for "testing", with the valid
values of "y" and "n", which are meant to be analogous in their values of "y" and "n", which are meant to be analogous in their
application by mailbox providers and intermediaries to the "pct" tag application by mailbox providers and intermediaries to the "pct" tag
values "0" and "100", respectively. values "0" and "100", respectively.
skipping to change at page 64, line 48 skipping to change at line 3017
Example 1: SPF in Strict Alignment: Example 1: SPF in Strict Alignment:
MAIL FROM: <sender@example.com> MAIL FROM: <sender@example.com>
From: sender@example.com From: sender@example.com
Date: Fri, Feb 15 2002 16:54:30 -0800 Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org To: receiver@example.org
Subject: here's a sample Subject: here's a sample
In this case, the RFC5321.MailFrom domain and the Author Domain are In this case, the RFC5321.MailFrom domain and the Author Domain are
identical. Thus, the identifiers are in Strict Alignment. identical. Thus, the identifiers are in strict alignment.
Example 2: SPF in Relaxed Alignment: Example 2: SPF in Relaxed Alignment:
MAIL FROM: <sender@child.example.com> MAIL FROM: <sender@child.example.com>
From: sender@example.com From: sender@example.com
Date: Fri, Feb 15 2002 16:54:30 -0800 Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org To: receiver@example.org
Subject: here's a sample Subject: here's a sample
skipping to change at page 65, line 26 skipping to change at line 3042
Example 3: No SPF Identifier Alignment: Example 3: No SPF Identifier Alignment:
MAIL FROM: <sender@example.net> MAIL FROM: <sender@example.net>
From: sender@child.example.com From: sender@child.example.com
Date: Fri, Feb 15 2002 16:54:30 -0800 Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org To: receiver@example.org
Subject: here's a sample Subject: here's a sample
In this case, the RFC5321.MailFrom domain that is neither the same In this case, the RFC5321.MailFrom domain is neither the same as, a
as, a parent of, nor a child of the Author Domain. Thus, the parent of, nor a child of the Author Domain. Thus, the identifiers
identifiers are not in alignment. are not in alignment.
B.1.2. DKIM B.1.2. DKIM
The examples below assume that the DKIM signatures pass validation. The examples below assume that the DKIM signatures pass validation.
Alignment cannot exist with a DKIM signature that does not validate. Alignment cannot exist with a DKIM signature that does not validate.
Example 1: DKIM in Strict Alignment: Example 1: DKIM in Strict Alignment:
DKIM-Signature: v=1; ...; d=example.com; ... DKIM-Signature: v=1; ...; d=example.com; ...
From: sender@example.com From: sender@example.com
Date: Fri, Feb 15 2002 16:54:30 -0800 Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org To: receiver@example.org
Subject: here's a sample Subject: here's a sample
In this case, the DKIM "d" tag and the Author Domain have identical In this case, the DKIM "d" tag and the Author Domain have identical
DNS domains. Thus, the identifiers are in Strict Alignment. DNS domains. Thus, the identifiers are in strict alignment.
Example 2: DKIM in Relaxed Alignment: Example 2: DKIM in Relaxed Alignment:
DKIM-Signature: v=1; ...; d=example.com; ... DKIM-Signature: v=1; ...; d=example.com; ...
From: sender@child.example.com From: sender@child.example.com
Date: Fri, Feb 15 2002 16:54:30 -0800 Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org To: receiver@example.org
Subject: here's a sample Subject: here's a sample
In this case, the DKIM signature's "d" tag includes a DNS domain that In this case, the DKIM signature's "d" tag includes a DNS domain that
skipping to change at page 67, line 10 skipping to change at line 3122
* The version of DMARC being used is "DMARC1" ("v=DMARC1;") * The version of DMARC being used is "DMARC1" ("v=DMARC1;")
* Mail Receivers should not alter how they treat these messages * Mail Receivers should not alter how they treat these messages
because of this DMARC Policy Record ("p=none") because of this DMARC Policy Record ("p=none")
* Aggregate feedback reports are sent via email to the address * Aggregate feedback reports are sent via email to the address
"dmarc-feedback@example.com" ("rua=mailto:dmarc- "dmarc-feedback@example.com" ("rua=mailto:dmarc-
feedback@example.com") feedback@example.com")
* All messages from this Organizational Domain are subject to this * All messages from this Organizational Domain are subject to this
policy (no "t" tag present, so the default of "n" applies). policy (no "t" tag present, so the default of "n" applies)
To publish such a record, the DNS administrator for the Domain Owner To publish such a record, the DNS administrator for the Domain Owner
creates an entry like the following in the appropriate zone file creates an entry like the following in the appropriate zone file
(following the conventional zone file format): (following the conventional zone file format):
; DMARC Policy Record for the domain example.com ; DMARC Policy Record for the domain example.com
_dmarc IN TXT ( "v=DMARC1; p=none; " _dmarc IN TXT ( "v=DMARC1; p=none; "
"rua=mailto:dmarc-feedback@example.com" ) "rua=mailto:dmarc-feedback@example.com" )
B.2.2. Entire Domain, Monitoring Mode, Per-Message Failure Reports B.2.2. Entire Domain, Monitoring Mode, Per-Message Failure Reports
skipping to change at page 67, line 32 skipping to change at line 3144
The Domain Owner from the previous example has used the aggregate The Domain Owner from the previous example has used the aggregate
reporting to discover some messaging systems that had not yet reporting to discover some messaging systems that had not yet
implemented DKIM correctly, but they are still seeing periodic implemented DKIM correctly, but they are still seeing periodic
authentication failures. To diagnose these intermittent problems, authentication failures. To diagnose these intermittent problems,
they wish to request per-message failure reports when authentication they wish to request per-message failure reports when authentication
failures occur. failures occur.
Not all Mail Receivers will honor such a request, but the Domain Not all Mail Receivers will honor such a request, but the Domain
Owner feels that any reports it does receive will be helpful enough Owner feels that any reports it does receive will be helpful enough
to justify publishing this record. The default per-message failure to justify publishing this record. The default per-message failure
report format ([RFC6591]) meets the Domain Owner's needs in this report format [RFC6591] meets the Domain Owner's needs in this
scenario. scenario.
The Domain Owner accomplishes this by adding the following to its The Domain Owner accomplishes this by adding the following to its
DMARC Policy Record from Appendix B.2.1: DMARC Policy Record from Appendix B.2.1:
* Per-message failure reports are sent via email to the address * Per-message failure reports are sent via email to the address
"auth-reports@example.com" ("ruf=mailto:auth-reports@example.com") "auth-reports@example.com" ("ruf=mailto:auth-reports@example.com")
To publish such a record, the DNS administrator for the Domain Owner To publish such a record, the DNS administrator for the Domain Owner
might create an entry like the following in the appropriate zone file might create an entry like the following in the appropriate zone file
skipping to change at page 68, line 33 skipping to change at line 3190
(following the conventional zone file format): (following the conventional zone file format):
; DMARC Policy Record for the domain example.com ; DMARC Policy Record for the domain example.com
_dmarc IN TXT ( "v=DMARC1; p=none; " _dmarc IN TXT ( "v=DMARC1; p=none; "
"rua=mailto:dmarc-feedback@example.com; " "rua=mailto:dmarc-feedback@example.com; "
"ruf=mailto:auth-reports@thirdparty.example.net" ) "ruf=mailto:auth-reports@thirdparty.example.net" )
Because the address used in the "ruf" tag is outside the Because the address used in the "ruf" tag is outside the
Organizational Domain in which this record is published, conforming Organizational Domain in which this record is published, conforming
Mail Receivers MUST implement additional checks as described in Mail Receivers MUST implement additional checks as described in
Section 3 of [I-D.ietf-dmarc-aggregate-reporting]. To pass these Section 3 of [RFC9990]. To pass these additional checks, the Report
additional checks, the Report Consumer's Domain Owner will need to Consumer's Domain Owner will need to publish an additional DMARC
publish an additional DMARC Policy Record as follows: Policy Record as follows:
* Given the DMARC Policy Record published by the Domain Owner at * Given the DMARC Policy Record published by the Domain Owner at
"_dmarc.example.com", the DNS administrator for the Report "_dmarc.example.com", the DNS administrator for the Report
Consumer will need to publish a TXT resource record at Consumer will need to publish a TXT Resource Record at
"example.com._report._dmarc.thirdparty.example.net" with the value "example.com._report._dmarc.thirdparty.example.net" with the value
"v=DMARC1;" to authorize receipt of the reports. "v=DMARC1;" to authorize receipt of the reports.
To publish such a record, the DNS administrator for example.net might To publish such a record, the DNS administrator for example.net might
create an entry like the following in the appropriate zone file create an entry like the following in the appropriate zone file
(following the conventional zone file format): (following the conventional zone file format):
; zone file for thirdparty.example.net ; zone file for thirdparty.example.net
; Accept DMARC reports on behalf of example.com ; Accept DMARC reports on behalf of example.com
example.com._report._dmarc IN TXT "v=DMARC1;" example.com._report._dmarc IN TXT "v=DMARC1;"
B.2.4. Overriding destination addresses B.2.4. Overriding Destination Addresses
The third party Report Consumer can also publish "rua" and "ruf" tags The third-party Report Consumer can also publish "rua" and "ruf" tags
in order to override the specific address published by example.com in order to override the specific address published by example.com
with a different address in the same third party domain. This may be with a different address in the same third-party domain. This may be
necessary if the third party Report Consumer has changed its email necessary if the third-party Report Consumer has changed its email
address, or want to guard against typos in the DMARC Policy Record of address or wants to guard against typos in the DMARC Policy Record of
the Author Domain. Intermediaries and other third parties should the Author Domain. Intermediaries and other third parties should
refer to Section 3 of [I-D.ietf-dmarc-aggregate-reporting] for the refer to Section 3 of [RFC9990] for the full details of this
full details of this mechanism. mechanism.
The third party Report Consumer accomplishes this by adding the The third-party Report Consumer accomplishes this by adding the
following to its DMARC Policy Record from Appendix B.2.3: following to its DMARC Policy Record from Appendix B.2.3:
* The override address for aggregate reports is "aggregate- * The override address for aggregate reports is "aggregate-
reports@thirdparty.example.net" ("rua=mailto:aggregate- reports@thirdparty.example.net" ("rua=mailto:aggregate-
reports@thirdparty.example.net") reports@thirdparty.example.net")
* The override address for failure reports is "failure- * The override address for failure reports is "failure-
reports@thirdparty.example.net" ("ruf=mailto:failure- reports@thirdparty.example.net" ("ruf=mailto:failure-
reports@thirdparty.example.net") reports@thirdparty.example.net")
To publish such a record, the DNS administrator for example.net might To publish such a record, the DNS administrator for example.net might
create an entry like the following in the appropriate zone file create an entry like the following in the appropriate zone file
(following the conventional zone file format): (following the conventional zone file format):
; zone file for thirdparty.example.net ; zone file for thirdparty.example.net
; Accept DMARC reports on behalf of example.com ; Accept DMARC reports on behalf of example.com
; Override destination mailboxes ; Override destination mailboxes
example.com._report._dmarc IN TXT ( example.com._report._dmarc IN TXT (
"v=DMARC1; " "v=DMARC1; "
"rua=mailto:aggregate-reports@thirdparty.example.net; " "rua=mailto:aggregate-reports@thirdparty.example.net; "
"ruf=mailto:failure-reports@thirdparty.example.net" ) "ruf=mailto:failure-reports@thirdparty.example.net" )
In this case only the "ruf" tag is actually overridden, because, in In this case, only the "ruf" tag is actually overridden, because in
the previous example, failure reporting is the only reporting type the previous example, failure reporting is the only reporting type
that was directed to the third party Report Consumer. that was directed to the third-party Report Consumer.
B.2.5. Subdomain, Testing, and Multiple Aggregate Report URIs B.2.5. Subdomain, Testing, and Multiple Aggregate Report URIs
The Domain Owner has implemented SPF and DKIM in a subdomain used for The Domain Owner has implemented SPF and DKIM in a subdomain used for
pre-production testing of messaging services. It now wishes to pre-production testing of messaging services. It now wishes to
express a handling preference for messages from this subdomain that express a handling preference for messages from this subdomain that
fail DMARC validation to indicate to participating Mail Receivers fail DMARC validation to indicate to participating Mail Receivers
that use of this domain is not valid. that use of this domain is not valid.
As a first step, it will express that it considers messages using As a first step, it will express that it considers messages using
this subdomain that fail DMARC validation to be suspicious. The goal this subdomain that fail DMARC validation to be suspicious. The goal
here will be to enable examination of messages sent to mailboxes here will be to enable examination of messages sent to mailboxes
hosted by participating Mail Receivers as a method for hosted by participating Mail Receivers as a method for
troubleshooting any existing authentication issues. Aggregate troubleshooting any existing authentication issues. Aggregate
feedback reports will be sent to a mailbox within the Organizational feedback reports will be sent to a mailbox within the Organizational
Domain, and to a mailbox at a Report Consumer selected and authorized Domain and to a mailbox at a Report Consumer selected and authorized
to receive them by the Domain Owner. to receive them by the Domain Owner.
The Domain Owner will accomplish this by constructing a DMARC Policy The Domain Owner will accomplish this by constructing a DMARC Policy
Record indicating that: Record indicating that:
* The version of DMARC being used is "DMARC1" ("v=DMARC1;") * The version of DMARC being used is "DMARC1" ("v=DMARC1;")
* It is applied only to this subdomain (the DMARC Policy Record is * It is applied only to this subdomain (the DMARC Policy Record is
published at "_dmarc.test.example.com" and not published at "_dmarc.test.example.com" and not
"_dmarc.example.com") "_dmarc.example.com")
skipping to change at page 70, line 33 skipping to change at line 3286
* Aggregate feedback reports are sent via email to the addresses * Aggregate feedback reports are sent via email to the addresses
"dmarc-feedback@example.com" and "example-tld- "dmarc-feedback@example.com" and "example-tld-
test@thirdparty.example.net" ("rua=mailto:dmarc- test@thirdparty.example.net" ("rua=mailto:dmarc-
feedback@example.com, mailto:example-tld- feedback@example.com, mailto:example-tld-
test@thirdparty.example.net") test@thirdparty.example.net")
* The Domain Owner desires only that an actor performing a DMARC * The Domain Owner desires only that an actor performing a DMARC
validation check apply any special handling rules it might have in validation check apply any special handling rules it might have in
place, such as rewriting the RFC53322.From header field; the place, such as rewriting the RFC53322.From header field; the
Domain Owner is testing its setup at this point and so does not Domain Owner is testing its setup at this point and so does not
want the Domain Owner Assessment Policy to be applied. ("t=y") want the Domain Owner Assessment Policy to be applied ("t=y").
To publish such a record, the DNS administrator for the Domain Owner To publish such a record, the DNS administrator for the Domain Owner
might create an entry like the following in the appropriate zone file might create an entry like the following in the appropriate zone file
(following the conventional zone file format): (following the conventional zone file format):
; DMARC Policy Record for the domain test.example.com ; DMARC Policy Record for the domain test.example.com
_dmarc IN TXT ( "v=DMARC1; p=quarantine; " _dmarc IN TXT ( "v=DMARC1; p=quarantine; "
"rua=mailto:dmarc-feedback@example.com," "rua=mailto:dmarc-feedback@example.com,"
"mailto:tld-test@thirdparty.example.net; " "mailto:tld-test@thirdparty.example.net; "
"t=y" ) "t=y" )
skipping to change at page 71, line 26 skipping to change at line 3319
(following the conventional zone file format): (following the conventional zone file format):
; DMARC Policy Record for the domain test.example.com ; DMARC Policy Record for the domain test.example.com
_dmarc IN TXT ( "v=DMARC1; p=reject; " _dmarc IN TXT ( "v=DMARC1; p=reject; "
"rua=mailto:dmarc-feedback@example.com," "rua=mailto:dmarc-feedback@example.com,"
"mailto:tld-test@thirdparty.example.net" ) "mailto:tld-test@thirdparty.example.net" )
B.3. Mail Receiver Example B.3. Mail Receiver Example
A Mail Receiver that wants to participate in DMARC should already be A Mail Receiver that wants to participate in DMARC should already be
checking SPF and DKIM, and possess the ability to collect relevant checking SPF and DKIM and possess the ability to collect relevant
information from various email-processing stages to provide feedback information from various email-processing stages to provide feedback
to Domain Owners (possibly via Report Consumers). to Domain Owners (possibly via Report Consumers).
B.3.1. SMTP Session Example B.3.1. SMTP Session Example
An optimal DMARC-enabled Mail Receiver performs validation and An optimal DMARC-enabled Mail Receiver performs validation and
Identifier Alignment checking during the SMTP [RFC5321] conversation. Identifier Alignment checking during the SMTP [RFC5321] conversation.
Before returning a final reply to the DATA command, the Mail Before returning a final reply to the DATA command, the Mail
Receiver's MTA has performed: Receiver's MTA has performed:
skipping to change at page 72, line 41 skipping to change at line 3383
DMARC check yields that the message is to be rejected, then the Mail DMARC check yields that the message is to be rejected, then the Mail
Receiver replies with a 5xy code to inform the sender of failure. If Receiver replies with a 5xy code to inform the sender of failure. If
the DMARC check cannot be resolved due to transient network errors, the DMARC check cannot be resolved due to transient network errors,
then the Mail Receiver replies with a 4xy code to inform the sender then the Mail Receiver replies with a 4xy code to inform the sender
as to the need to reattempt delivery later. If the DMARC check as to the need to reattempt delivery later. If the DMARC check
yields a passing message, then the Mail Receiver continues with email yields a passing message, then the Mail Receiver continues with email
processing, perhaps using the result of the DMARC check as an input processing, perhaps using the result of the DMARC check as an input
to additional processing modules such as a domain reputation query. to additional processing modules such as a domain reputation query.
Before exiting DMARC-specific processing, the Mail Receiver checks to Before exiting DMARC-specific processing, the Mail Receiver checks to
see if the Author Domain DMARC Policy Record requests AFRF-based see if the Author Domain DMARC Policy Record requests reporting based
reporting. If so, then the Mail Receiver can emit an AFRF to the on an Authentication Failure Reporting Format (AFRF). If so, then
reporting address supplied in the DMARC Policy Record. the Mail Receiver can emit an AFRF to the reporting address supplied
in the DMARC Policy Record.
At the exit of DMARC-specific processing, the Mail Receiver captures At the exit of DMARC-specific processing, the Mail Receiver captures
(through logging or direct insertion into a data store) the result of (through logging or direct insertion into a data store) the result of
DMARC processing. Captured information is used to build feedback for DMARC processing. Captured information is used to build feedback for
Domain Owner consumption. This is unnecessary if the Domain Owner Domain Owner consumption. This is unnecessary if the Domain Owner
has not requested aggregate reports, i.e., no "rua" tag was found in has not requested aggregate reports, i.e., no "rua" tag was found in
the policy record. the policy record.
B.4. Organizational and Policy Domain Tree Walk Examples B.4. Organizational and Policy Domain Tree Walk Examples
If an Author Domain has no DMARC Policy Record, a Mail Receiver uses If an Author Domain has no DMARC Policy Record, a Mail Receiver uses
a tree walk to find the DMARC Policy. a Tree Walk to find the DMARC Policy.
If the DMARC Policy Record allows relaxed alignment and the SPF- or If the DMARC Policy Record allows relaxed alignment and the SPF- or
DKIM-Authenticated Identifiers are different from the Author Domain, DKIM-Authenticated Identifiers are different from the Author Domain,
a Mail Receiver uses a tree walk to discover the respective a Mail Receiver uses a Tree Walk to discover the respective
Organizational Domains to determine Identifier Alignment. Organizational Domains to determine Identifier Alignment.
B.4.1. Simple Organizational and Policy Example B.4.1. Simple Organizational and Policy Example
A Mail Receiver receives an email with: A Mail Receiver receives an email with:
* Author Domain: example.com * Author Domain: example.com
* RFC5321.MailFrom Domain: example.com * RFC5321.MailFrom Domain: example.com
* DKIM-Authenticated Identifier: signing.example.com * DKIM-Authenticated Identifier: signing.example.com
In this example, "_dmarc.example.com" and In this example, "_dmarc.example.com" and
"_dmarc.signing.example.com" both have DMARC Policy Records while "_dmarc.signing.example.com" both have DMARC Policy Records, while
"_dmarc.com" does not. If SPF or DKIM yield pass results, they still "_dmarc.com" does not. If SPF or DKIM yield "pass" results, they
have to be aligned to support a DMARC pass. Since not all domains still have to be aligned to support a DMARC pass. Since not all
are the same, if the alignment is relaxed then the tree walk is domains are the same, if the alignment is relaxed, then the Tree Walk
performed to determine the Organizational Domain for each. is performed to determine the Organizational Domain for each.
To determine the Organizational Domain for the Author Domain, query To determine the Organizational Domain for the Author Domain, query
"_dmarc.example.com" and "_dmarc.com"; "example.com" is the last "_dmarc.example.com" and "_dmarc.com"; "example.com" is the last
element of the DNS tree with a DMARC Policy Record, so it is the element of the DNS tree with a DMARC Policy Record, so it is the
Organizational Domain for "example.com". Organizational Domain for "example.com".
For the RFC5321.MailFrom domain, the Organizational Domain already For the RFC5321.MailFrom domain, the Organizational Domain already
found for "example.com" is "example.com", so SPF is aligned. found for "example.com" is "example.com", so SPF is aligned.
To determine the Organizational Domain for the DKIM-Authenticated To determine the Organizational Domain for the DKIM-Authenticated
Identifier, query "_dmarc.signing.example.com", "_dmarc.example.com", Identifier, query "_dmarc.signing.example.com", "_dmarc.example.com",
and "_dmarc.com". Both "signing.example.com" and "example.com" have and "_dmarc.com". Both "signing.example.com" and "example.com" have
DMARC Policy Records, but "example.com" is the highest element in the DMARC Policy Records, but "example.com" is the highest element in the
tree with a DMARC Policy Record (it has the fewest labels), so tree with a DMARC Policy Record (it has the fewest labels), so
"example.com" is the Organizational Domain. Since this is also the "example.com" is the Organizational Domain. Since this is also the
Organizational Domain for the Author Domain, DKIM is aligned for Organizational Domain for the Author Domain, DKIM is aligned for
relaxed alignment. relaxed alignment.
Since both SPF and DKIM are aligned, they can be used to determine if Since both SPF and DKIM are aligned, they can be used to determine if
the message has a DMARC pass result. If the result is not pass, then the message has a DMARC "pass" result. If the result is not "pass",
the policy domain's DMARC Policy Record is used to determine the then the policy domain's DMARC Policy Record is used to determine the
appropriate policy. In this case, since the RFC5322.From domain has appropriate policy. In this case, since the RFC5322.From domain has
a DMARC Policy Record, that is the policy domain. a DMARC Policy Record, that is the policy domain.
B.4.2. Deep Tree Walk Example B.4.2. Deep Tree Walk Example
A Mail Receiver receives an email with: A Mail Receiver receives an email with:
* Author Domain: a.b.c.d.e.f.g.h.i.j.k.example.com * Author Domain: a.b.c.d.e.f.g.h.i.j.k.example.com
* RFC5321.MailFrom Domain: example.com * RFC5321.MailFrom Domain: example.com
* DKIM-Authenticated Identifier: signing.example.com * DKIM-Authenticated Identifier: signing.example.com
Both "_dmarc.example.com" and "_dmarc.signing.example.com" have DMARC Both "_dmarc.example.com" and "_dmarc.signing.example.com" have DMARC
Policy Records, while "_dmarc.com" does not. If SPF or DKIM yield Policy Records, while "_dmarc.com" does not. If SPF or DKIM yield
pass results, they still have to be aligned to support a DMARC pass. "pass" results, they still have to be aligned to support a DMARC
Since not all domains are the same, if the alignment is relaxed then pass. Since not all domains are the same, if the alignment is
the tree walk is performed to determine the Organizational Domain for relaxed, then the Tree Walk is performed to determine the
each. Organizational Domain for each.
To determine the Organizational Domain For the Author Domain, query To determine the Organizational Domain for the Author Domain, query
"_dmarc.a.b.c.d.e.f.g.h.i.j.k.example.com", then query "_dmarc.a.b.c.d.e.f.g.h.i.j.k.example.com"; then query
"_dmarc.g.h.i.j.k.example.com" (skipping the intermediate names), "_dmarc.g.h.i.j.k.example.com" (skipping the intermediate names);
then query "_dmarc.h.i.j.k.example.com", "_dmarc.i.j.k.example.com", then query "_dmarc.h.i.j.k.example.com", "_dmarc.i.j.k.example.com",
"_dmarc.j.k.example.com", "_dmarc.k.example.com", "_dmarc.j.k.example.com", "_dmarc.k.example.com",
"_dmarc.example.com", and "_dmarc.com". None of "_dmarc.example.com", and "_dmarc.com". None of
"a.b.c.d.e.f.g.h.i.j.k.example.com", "g.h.i.j.k.example.com", "a.b.c.d.e.f.g.h.i.j.k.example.com", "g.h.i.j.k.example.com",
"h.i.j.k.example.com", "i.j.k.example.com", "j.k.example.com", or "h.i.j.k.example.com", "i.j.k.example.com", "j.k.example.com", or
"k.example.com" have a DMARC Policy Record. "k.example.com" have a DMARC Policy Record.
Since "example.com" is the last element of the DNS tree with a DMARC Since "example.com" is the last element of the DNS tree with a DMARC
Policy Record, it is the Organizational Domain for Policy Record, it is the Organizational Domain for
"a.b.c.d.e.f.g.h.i.j.k.example.com". "a.b.c.d.e.f.g.h.i.j.k.example.com".
For the RFC5321.MailFrom domain, the Organizational domain already For the RFC5321.MailFrom domain, the Organizational Domain already
found for "example.com" is "example.com". SPF is aligned. found for "example.com" is "example.com". SPF is aligned.
For the DKIM-Authenticated Identifier, query For the DKIM-Authenticated Identifier, query
"_dmarc.signing.example.com", "_dmarc.example.com", and "_dmarc.com". "_dmarc.signing.example.com", "_dmarc.example.com", and "_dmarc.com".
Both "signing.example.com" and "example.com" have DMARC Policy Both "signing.example.com" and "example.com" have DMARC Policy
Records, but "example.com" is the highest element in the tree with a Records, but "example.com" is the highest element in the tree with a
DMARC Policy Record, so "example.com" is the Organizational Domain. DMARC Policy Record, so "example.com" is the Organizational Domain.
Since this is also the Organizational Domain for the Author Domain, Since this is also the Organizational Domain for the Author Domain,
DKIM is aligned for relaxed alignment. DKIM is aligned for relaxed alignment.
Since both SPF and DKIM are aligned, they can be used to determine if Since both SPF and DKIM are aligned, they can be used to determine if
the message has a DMARC pass result. If the results for both are not the message has a DMARC "pass" result. If the results for both are
pass, then the policy domain's DMARC Policy Record is used to not "pass", then the policy domain's DMARC Policy Record is used to
determine the appropriate policy. In this case, the Author Domain determine the appropriate policy. In this case, the Author Domain
does not have a DMARC Policy Record, so the policy domain is the does not have a DMARC Policy Record, so the policy domain is the
highest element in the DNS tree with a DMARC Policy Record, highest element in the DNS tree with a DMARC Policy Record,
example.com. example.com.
B.4.3. Example with a PSD DMARC Policy Record B.4.3. Example with a PSD DMARC Policy Record
In rare cases, a PSD publishes a DMARC Policy Record with a psd tag, In rare cases, a PSD publishes a DMARC Policy Record with a "psd"
which the tree walk must take into account. tag, which the Tree Walk must take into account.
A Mail Receiver receives an email with: A Mail Receiver receives an email with:
* Author Domain: giant.bank.example * Author Domain: giant.bank.example
* RFC5321.MailFrom Domain: mail.giant.bank.example * RFC5321.MailFrom Domain: mail.giant.bank.example
* DKIM-Authenticated Identifier: mail.mega.bank.example * DKIM-Authenticated Identifier: mail.mega.bank.example
In this case, "_dmarc.bank.example" has a DMARC Policy Record which In this case, "_dmarc.bank.example" has a DMARC Policy Record that
includes the "psd=y" tag, and "_dmarc.example" does not have a DMARC includes the "psd=y" tag, and "_dmarc.example" does not have a DMARC
Policy Record. While "_dmarc.giant.bank.example" has a DMARC Policy Policy Record. While "_dmarc.giant.bank.example" has a DMARC Policy
Record without a "psd" tag, "_dmarc.mega.bank.example" and Record without a "psd" tag, "_dmarc.mega.bank.example" and
"_dmarc.mail.mega.bank.example" have no DMARC Policy Records. "_dmarc.mail.mega.bank.example" have no DMARC Policy Records.
Since the three domains are all different, tree walks find their Since the three domains are all different, Tree Walks find their
Organizational Domains to see which are aligned. Organizational Domains to see which are aligned.
For the Author Domain "giant.bank.example", the tree walk finds the For the Author Domain "giant.bank.example", the Tree Walk finds both
DMARC Policy Record at "_dmarc.giant.bank.example", then the DMARC the DMARC Policy Record at "_dmarc.giant.bank.example" and then the
Policy Record at "_dmarc.bank.example", and stops because of the DMARC Policy Record at "_dmarc.bank.example" and stops because of the
"psd=y" flag. The Organizational Domain is "giant.bank.example" "psd=y" flag. The Organizational Domain is "giant.bank.example"
because it is the domain directly below the one with "psd=y". Since because it is the domain directly below the one with "psd=y". Since
the Organizational Domain has a DMARC Policy Record, it is also the the Organizational Domain has a DMARC Policy Record, it is also the
policy domain. policy domain.
For the RFC5321.MailFrom domain "mail.giant.bank.example", the tree For the RFC5321.MailFrom domain "mail.giant.bank.example", the Tree
walk finds no DMARC Policy Record at Walk finds no DMARC Policy Record at "_dmarc.mail.giant.bank.example"
"_dmarc.mail.giant.bank.example", but does find both the DMARC Policy but does find both the DMARC Policy Record at
Record at "_dmarc.giant.bank.example" and then the DMARC Policy "_dmarc.giant.bank.example" and then the DMARC Policy Record at
Record at "_dmarc.bank.example", and stops because of the "psd=y" "_dmarc.bank.example" and stops because of the "psd=y" flag. Again,
flag. Again the Organizational Domain is "giant.bank.example" the Organizational Domain is "giant.bank.example" because it is the
because it is the domain directly below the one with "psd=y". Since domain directly below the one with "psd=y". Since this is the same
this is the same Organizational Domain as the Author Domain, SPF is Organizational Domain as the Author Domain, SPF is aligned.
aligned.
For the DKIM-Authenticated Identifier "mail.mega.bank.example", the For the DKIM-Authenticated Identifier "mail.mega.bank.example", the
tree walk finds no DMARC Policy Records at Tree Walk finds no DMARC Policy Records at
"_dmarc.mail.mega.bank.example" or "_dmarc.mega.bank.example", then "_dmarc.mail.mega.bank.example" or "_dmarc.mega.bank.example", then
finds the DMARC Policy Record at "_dmarc.bank.example" and stops finds the DMARC Policy Record at "_dmarc.bank.example", and stops
because of the "psd=y" flag. The Organizational Domain is because of the "psd=y" flag. The Organizational Domain is
"mega.bank.example", so DKIM is not aligned. "mega.bank.example", so DKIM is not aligned.
Since SPF is aligned, it can be used to determine if the message has Since SPF is aligned, it can be used to determine if the message has
a DMARC pass result. If the result is not pass, then the policy a DMARC "pass" result. If the result is not "pass", then the policy
domain's DMARC Policy Record is used to determine the appropriate domain's DMARC Policy Record is used to determine the appropriate
policy. policy.
B.5. Utilization of Aggregate Feedback: Example B.5. Utilization of Aggregate Feedback: Example
Aggregate feedback is consumed by Domain Owners to enable their Aggregate feedback is consumed by Domain Owners to enable their
understanding of how a given domain is being processed by the Mail understanding of how a given domain is being processed by the Mail
Receiver. Aggregate reporting data on emails that pass all Receiver. Aggregate reporting data on emails that pass all
underlying authentication checks is used by Domain Owners to validate underlying authentication checks is used by Domain Owners to validate
that their authentication practices remain accurate. For example, if that their authentication practices remain accurate. For example, if
skipping to change at page 76, line 28 skipping to change at line 3564
Owner can use aggregate report data to validate ongoing Owner can use aggregate report data to validate ongoing
authentication practices of the third party. authentication practices of the third party.
Data on email that only partially passes underlying authentication Data on email that only partially passes underlying authentication
checks provides visibility into problems that need to be addressed by checks provides visibility into problems that need to be addressed by
the Domain Owner. For example, if either SPF or DKIM fails to the Domain Owner. For example, if either SPF or DKIM fails to
produce an Authenticated Identifier, the Domain Owner is provided produce an Authenticated Identifier, the Domain Owner is provided
with enough information to either directly correct the problem or with enough information to either directly correct the problem or
understand where authentication-breaking changes are being introduced understand where authentication-breaking changes are being introduced
in the email transmission path. If authentication-breaking changes in the email transmission path. If authentication-breaking changes
due to email transmission path cannot be directly corrected, then the due to the email transmission path cannot be directly corrected, then
Domain Owner at least maintains an understanding of the effect of the Domain Owner at least maintains an understanding of the effect of
DMARC-based policies upon the Domain Owner's email. DMARC-based policies upon the Domain Owner's email.
Data on email that fails all underlying authentication checks Data on email that fails all underlying authentication checks
provides baseline visibility on how the Domain Owner's domain is provides baseline visibility on how the Domain Owner's domain is
being received at the Mail Receiver. Based on this visibility, the being received at the Mail Receiver. Based on this visibility, the
Domain Owner can begin deployment of authentication technologies Domain Owner can begin deployment of authentication technologies
across uncovered email sources, if the mail that is failing the across uncovered email sources if the mail that is failing the checks
checks was generated by or on behalf of the Domain Owner. Data was generated by or on behalf of the Domain Owner. Data regarding
regarding failing authentication checks can also allow the Domain failing authentication checks can also allow the Domain Owner to come
Owner to come to an understanding of how its domain is being misused. to an understanding of how its domain is being misused.
Appendix C. Changes from RFC 7489 Appendix C. Changes from RFC 7489
This document is intended to render [RFC7489] obsolete. As one might This document is intended to render [RFC7489] obsolete. As one might
guess, that means there are significant differences between RFC 7489 guess, that means there are significant differences between [RFC7489]
and this document. This section will summarize those changes. and this document. This section will summarize those changes.
C.1. Informational vs. Standards Track C.1. Informational vs. Standards Track
RFC 7489 was not the product of any IETF work stream, but was instead [RFC7489] was not the product of any IETF work stream but was instead
published into the RFC series by the Independent Submissions Editor published into the RFC Series by the Independent Submissions Editor
and is classified as an Informational RFC. and classified as an Informational RFC.
This document, by contrast, is intended to be Internet Standards This document, by contrast, is an Internet Standards Track document.
Track.
C.2. Changes to Terminology and Definitions C.2. Changes to Terminology and Definitions
The following changes were made to the Terminology and Definitions The following changes were made to the "Terminology and Definitions"
section. section.
C.2.1. Terms Added C.2.1. Terms Added
These terms were added: These terms were added:
* Domain Owner Assessment Policy * Domain Owner Assessment Policy
* Enforcement * Enforcement
* Monitoring Mode * Monitoring Mode
* Non-existent Domains * Non-existent Domains
* Public Suffix Domain (PSD) * Public Suffix Domain (PSD)
* Public Suffix Operator (PSO) * Public Suffix Operator (PSO)
* PSO Controlled Domain Names
* PSO-Controlled Domain Names
C.2.2. Definitions Updated C.2.2. Definitions Updated
These definitions were updated: These definitions were updated:
* Organizational Domain * Organizational Domain
* Report Receiver (renamed to Report Consumer) * Report Receiver (renamed to Report Consumer)
C.3. Policy Discovery and Organizational Domain Determination C.3. Policy Discovery and Organizational Domain Determination
The algorithms for DMARC policy discovery and for determining the The algorithms for DMARC policy discovery and for determining the
Organizational Domain have been changed. Specifically, reliance on a Organizational Domain have been changed. Specifically, reliance on a
Public Suffix List (PSL) has been replaced by a technique called a Public Suffix List (PSL) has been replaced by a technique called a
"DNS Tree Walk", and the methodology for the DNS Tree Walk is "DNS Tree Walk", and the methodology for the DNS Tree Walk is
explained in detail in this document. explained in detail in this document.
The DNS Tree Walk also incorporates PSD policy discovery, which was The DNS Tree Walk also incorporates PSD policy discovery, which was
introduced in [RFC9091]. That RFC was an Experimental RFC, and the introduced in [RFC9091]. That RFC was an Experimental RFC, and the
results of that experiment were that the RFC was not implemented as results of that experiment were that the RFC was not implemented as
written. Instead, this document redefines the algorithm for PSD written. Instead, this document redefines the algorithm for PSD
policy discovery, and thus obsoletes [RFC9091]. Specifically, the policy discovery and thus obsoletes [RFC9091]. Specifically, the DNS
DNS Tree Walk defined in this document obviates the need for a PSD Tree Walk defined in this document obviates the need for a PSD DMARC
DMARC registry, and that PSD DMARC registry is what made RFC 9091 an registry, and that PSD DMARC registry is what made [RFC9091] an
Experimental RFC. Experimental RFC.
These algorithm changes introduce the possibility of interoperability These algorithm changes introduce the possibility of interoperability
issues where a Domain Owner expects a DMARC Policy Record or an issues where a Domain Owner expects a DMARC Policy Record or an
Organizational Domain to be identified by the Tree Walk process, but Organizational Domain to be identified by the Tree Walk process, but
a Mail Receiver using an RFC 7489-based implementation of DMARC and a Mail Receiver using an implementation of DMARC based on [RFC7489]
relying on a PSL might arrive at a different answer. and relying on a PSL might arrive at a different answer.
This issue is entirely avoided by the use of Strict Alignment and This issue is entirely avoided by the use of strict alignment and
publishing explicit DMARC Policy Records for all Author Domains used publishing explicit DMARC Policy Records for all Author Domains used
in an organization's email. in an organization's email.
C.4. Reporting C.4. Reporting
Discussion of both aggregate and failure reporting have been moved to Discussion of both aggregate and failure reporting has been moved to
separate documents dedicated to the topics. separate documents dedicated to the topics.
In addition, the ability to specify a maximum report size in the In addition, the ability to specify a maximum report size in the
DMARC URI has been removed. DMARC URI has been removed.
C.5. Tags C.5. Tags
Several tags have been added to the "DMARC Policy Record Format" Several tags have been added to the "DMARC Policy Record Format"
section of this document since RFC 7489 was published, and at the section of this document since [RFC7489] was published, and at the
same time, several others were removed. same time, several others were removed.
C.5.1. Tags Added C.5.1. Tags Added
* np - Policy for non-existent domains (Imported from [RFC9091]) np: Policy for non-existent domains (imported from [RFC9091]).
* psd - Flag indicating whether a domain is a Public Suffix Domain
* t - Replacement for some pct tag functionality. See Appendix A.6 psd: Flag indicating whether a domain is a Public Suffix Domain.
for further discussion
t: Replacement for some "pct" tag functionality. See Appendix A.6
for further discussion.
C.5.2. Tags Removed C.5.2. Tags Removed
* pct - Tag requesting application of DMARC policy to only a pct: Tag requesting application of the DMARC policy to only a
percentage of messages. See Appendix A.6 for discussion percentage of messages. See Appendix A.6 for discussion.
* rf - Tag specifying requested format of failure reports
* ri - Tag specifying requested interval between aggregate reports rf: Tag specifying requested format of failure reports.
ri Tag specifying requested interval between aggregate reports.
C.6. Expansion of Domain Owner Actions Section C.6. Expansion of Domain Owner Actions Section
RFC 7489 had just two paragraphs in its Domain Owner Actions section, [RFC7489] only had two paragraphs in its "Domain Owner Actions"
and while the content of those paragraphs was correct, it was section, and while the content of those paragraphs was correct, it
minimalist in its approach to providing guidance to domain owners on was minimalist in its approach to providing guidance to Domain Owners
just how to implement DMARC. on just how to implement DMARC.
This document provides much more detail and explanatory text to a This document provides much more detail and explanatory text to a
Domain Owner, focusing not just on what to do to implement DMARC, but Domain Owner, focusing not just on what to do to implement DMARC but
also on the reasons for each step and the repercussions of each also on the reasons for each step and the repercussions of each
decision. decision.
In particular, this document makes explicit that domains for general- In particular, this document makes explicit that domains for general-
purpose email SHOULD NOT deploy a DMARC policy of p=reject. See purpose email SHOULD NOT deploy a DMARC policy of "p=reject". See
Section 7.4 for further discussion of this topic. Section 7.4 for further discussion of this topic.
C.7. Report Generator Recommendations C.7. Report Generator Recommendations
In the cases where a DMARC Policy Record specifies multiple In the cases where a DMARC Policy Record specifies multiple
destinations for either aggregate reports or failure reports, RFC destinations for either aggregate reports or failure reports,
7489 stated: [RFC7489] stated:
Receivers **MAY** impose a limit on the number of URIs to which they | Receivers MAY impose a limit on the number of URIs to which they
will send reports but **MUST** support the ability to send to at least | will send reports but MUST support the ability to send to at least
two. | two.
This document in Section 4.6 says: Section 4.6 of this document says:
A report **SHOULD** be sent to each listed URI provided in the DMARC | A report SHOULD be sent to each listed URI provided in the DMARC
Policy Record. | Policy Record.
C.8. Removal of RFC 7489 Appendix A.5 C.8. Removal of RFC 7489, Appendix A.5
One of the appendices in RFC 7489, specifically Appendix A.5, has One of the appendices in [RFC7489], specifically Appendix A.5, has
been removed from the text with this update. The appendix was titled been removed from the text with this update. The appendix was titled
"Issues with ADSP in Operation" and it contained a list of issues "Issues with ADSP in Operation", and it contained a list of issues
associated with ADSP that influenced the direction of DMARC. The associated with ADSP that influenced the direction of DMARC. The
ADSP protocol was moved to "Historic" status in 2013 and working ADSP protocol was moved to "Historic" status in 2013 and working
group consensus was that such a discussion of ADSP's influence on group consensus was that such a discussion of ADSP's influence on
DMARC was no longer relevant. DMARC was no longer relevant.
C.9. RFC 7489 Errata Summary C.9. RFC 7489 Errata Summary
This document and its companion documents This document and its companion documents ([RFC9990] and [RFC9991])
([I-D.ietf-dmarc-aggregate-reporting] and address the following errata filed against [RFC7489] since that
[I-D.ietf-dmarc-failure-reporting]) address the following errata document's publication in March, 2015. More details on each of these
filed against [RFC7489] since that document's publication in March, can be found at <https://www.rfc-editor.org/
2015. More details on each of these can be found at https://www.rfc- errata_search.php?rfc=7489>.
editor.org/errata_search.php?rfc=7489 (https://www.rfc-editor.org/
errata_search.php?rfc=7489)
C.9.1. RFC Errata, Erratum ID 5365, RFC 7489, Section 7.2.1.1 C.9.1. RFC Errata, Erratum ID 5365, RFC 7489, Section 7.2.1.1
(https://www.rfc-editor.org/errata/eid5365)
Addressed in [I-D.ietf-dmarc-aggregate-reporting]. See <https://www.rfc-editor.org/errata/eid5365>. This erratum is
addressed in [RFC9990].
C.9.2. RFC Errata, Erratum ID 5371, RFC 7489, Section 7.2.1.1 C.9.2. RFC Errata, Erratum ID 5371, RFC 7489, Section 7.2.1.1
(https://www.rfc-editor.org/errata/eid5371)
Addressed in [I-D.ietf-dmarc-aggregate-reporting]. See <https://www.rfc-editor.org/errata/eid5371>. This erratum is
addressed in [RFC9990].
C.9.3. RFC Errata, Erratum ID 5440, RFC 7489, Sections 7.1, B.2.1, C.9.3. RFC Errata, Erratum ID 5440, RFC 7489, Section 7.1 and
B.2.3, and B.2.4 (https://www.rfc-editor.org/errata/eid5440) Appendices B.2.1, B.2.3, and B.2.4
This erratum references several mentions in RFC 7489 of the "v=" tag See <https://www.rfc-editor.org/errata/eid5440>. This erratum
from the Domain Owner Assessment Policy and/or its value, references several mentions in [RFC7489] of the "v=" tag from the
specifically mentions that were not, but should have been, Domain Owner Assessment Policy and/or its value, specifically
"v=DMARC1;". Some of those mentions are preserved in this document mentions that were not, but should have been, "v=DMARC1;". Some of
and those mentions have been addressed as per the erratum. The rest those mentions are preserved in this document, and those mentions
have moved to [I-D.ietf-dmarc-aggregate-reporting] and are addressed have been addressed as per the erratum. The rest have moved to
there. [RFC9990] and are addressed there.
C.9.4. RFC Errata, Erratum ID 6439, RFC 7489, Section 7.1 C.9.4. RFC Errata, Erratum ID 6439, RFC 7489, Section 7.1
(https://www.rfc-editor.org/errata/eid6439)
Addressed in [I-D.ietf-dmarc-aggregate-reporting]. See <https://www.rfc-editor.org/errata/eid6439>. This erratum is
addressed in [RFC9990].
C.9.5. RFC Errata, Erratum ID 5221, RFC 7489, Appendix C C.9.5. RFC Errata, Erratum ID 5221, RFC 7489, Appendix C
(https://www.rfc-editor.org/errata/eid5221)
The regular expression pattern for IP addresses has been removed from See <https://www.rfc-editor.org/errata/eid5221>. The regular
this document and from [I-D.ietf-dmarc-aggregate-reporting]. expression pattern for IP addresses has been removed from this
document and from [RFC9990].
C.9.6. RFC Errata, Erratum ID 5229, RFC 7489, Appendix C C.9.6. RFC Errata, Erratum ID 5229, RFC 7489, Appendix C
(https://www.rfc-editor.org/errata/eid5229)
Addressed in [I-D.ietf-dmarc-aggregate-reporting]. See <https://www.rfc-editor.org/errata/eid5229>. This erratum is
addressed in [RFC9990].
C.9.7. RFC Errata, Erratum 5495, RFC 7489, Section 6.6.3 C.9.7. RFC Errata, Erratum 5495, RFC 7489, Section 6.6.3
(https://www.rfc-editor.org/errata/eid5495)
This erratum is in reference to the description of the process See <https://www.rfc-editor.org/errata/eid5495>. This erratum is in
documented in RFC 7489 for the applicable DMARC policy for an email reference to the description of the process documented in [RFC7489]
message. The process for doing this has drastically changed in for the applicable DMARC policy for an email message. The process
DMARCbis, and so the text identified in this erratum no longer for doing this has drastically changed in this document, and so the
exists. text identified in this erratum no longer exists.
C.9.8. RFC Errata, Erratum ID 6485, RFC 7489, Section 7.2.1.1 C.9.8. RFC Errata, Erratum ID 6485, RFC 7489, Section 7.2.1.1
(https://www.rfc-editor.org/errata/eid6485)
Addressed in [I-D.ietf-dmarc-aggregate-reporting]. See <https://www.rfc-editor.org/errata/eid6485>. This erratum is
addressed in [RFC9990].
C.9.9. RFC Errata, Erratum ID 6729, RFC 7489, Section 3.2 C.9.9. RFC Errata, Erratum ID 6729, RFC 7489, Section 3.2
(https://www.rfc-editor.org/errata/eid6729)
This erratum is in reference to a search of the Public Suffix List See <https://www.rfc-editor.org/errata/eid6729>. This erratum is in
(PSL) as part of finding a DMARC Policy Record (a.k.a., Domain Owner reference to a search of the Public Suffix List (PSL) as part of
Assessment Policy). The PSL is no longer relied upon for this finding a DMARC Policy Record (a.k.a., Domain Owner Assessment
practice, and the text at issue has been removed from this document. Policy). The PSL is no longer relied upon for this practice, and the
text at issue has been removed from this document.
C.9.10. RFC Errata, Erratum ID 7099, RFC 7489, Section 7.2.1.1 C.9.10. RFC Errata, Erratum ID 7099, RFC 7489, Section 7.2.1.1
(https://www.rfc-editor.org/errata/eid7099)
Addressed in [I-D.ietf-dmarc-aggregate-reporting]. See <https://www.rfc-editor.org/errata/eid7099>. This erratum is
addressed in [RFC9990].
C.9.11. RFC Errata, Erratum ID 7100, RFC 7489, Section 7.2.1.1 C.9.11. RFC Errata, Erratum ID 7100, RFC 7489, Section 7.2.1.1
(https://www.rfc-editor.org/errata/eid7100)
Addressed in [I-D.ietf-dmarc-aggregate-reporting]. See <https://www.rfc-editor.org/errata/eid7100>. This erratum is
addressed in [RFC9990].
C.9.12. RFC Errata, Erratum ID 7835, RFC 7489, Section 6.6.3 C.9.12. RFC Errata, Erratum ID 7835, RFC 7489, Section 6.6.3
(https://www.rfc-editor.org/errata/eid7835)
This erratum is in reference to the description of the process See <https://www.rfc-editor.org/errata/eid7835>. This erratum is in
documented in RFC 7489 for the applicable DMARC policy for an email reference to the description of the process documented in [RFC7489]
message. The process for doing this has drastically changed in for the applicable DMARC policy for an email message. The process
DMARCbis, and so the text identified in this erratum no longer for doing this has drastically changed in this document, and so the
exists. text identified in this erratum no longer exists.
C.9.13. RFC Errata, Erratum ID 7865, RFC 7489, Appendix C C.9.13. RFC Errata, Erratum ID 7865, RFC 7489, Appendix C
(https://www.rfc-editor.org/errata/eid7865)
The regular expression pattern for IP addresses has been removed from See <https://www.rfc-editor.org/errata/eid7865>. The regular
this document and from [I-D.ietf-dmarc-aggregate-reporting]. expression pattern for IP addresses has been removed from this
document and from [RFC9990].
C.9.14. RFC Errata, Erratum ID 5151, RFC 7489, Section 1 C.9.14. RFC Errata, Erratum ID 5151, RFC 7489, Section 1
(https://www.rfc-editor.org/errata/eid5151)
This erratum is in reference to the Introduction section of RFC 7489. See <https://www.rfc-editor.org/errata/eid5151>. This erratum is in
That section has been substantially rewritten in DMARCbis, and the reference to the Introduction section of [RFC7489]. That section has
text at issue for this erratum no longer exists. been substantially rewritten in this document, and the text at issue
for this erratum no longer exists.
C.9.15. RFC Errata, Erratum ID 5774, RFC 7489, Appendix C C.9.15. RFC Errata, Erratum ID 5774, RFC 7489, Appendix C
(https://www.rfc-editor.org/errata/eid5774)
Addressed in [I-D.ietf-dmarc-aggregate-reporting]. See <https://www.rfc-editor.org/errata/eid5774>. This erratum is
addressed in [RFC9990].
C.10. General Editing and Formatting C.10. General Editing and Formatting
A great deal of the content from RFC 7489 was preserved in this A great deal of the content from [RFC7489] was preserved in this
document, but much of it was subject to either minor editing, re- document, but much of it was subject to minor editing and the
ordering of sections, and/or both. reordering of sections, or both.
Acknowledgements Acknowledgements
This reworking of the DMARC mechanism specified in [RFC7489] is the The reworking of the DMARC mechanism specified in [RFC7489] is the
result of contributions from many participants in the IETF Working result of contributions from many participants in the DMARC Working
Group dedicated to this effort. Although the contributors are too Group. Although the contributors are too numerous to mention,
numerous to mention, significant contributions were made by Kurt significant contributions were made by Kurt Andersen, Laura Atkins,
Andersen, Laura Atkins, Seth Blank, Alex Brotman, Dave Crocker, Seth Blank, Alex Brotman, Dave Crocker, Douglas E. Foster, Ned Freed,
Douglas E. Foster, Ned Freed, Mike Hammer, Steven M. Jones, Scott Mike Hammer, Steven M. Jones, Scott Kitterman, Murray S. Kucherawy,
Kitterman, Murray S. Kucherawy, Barry Leiba, Alessandro Vesely, and Barry Leiba, Alessandro Vesely, and Tim Wicinski.
Tim Wicinski.
The authors and contributors also recognize that this document would The authors and contributors also recognize that this document would
not have been possible without the work done by those who had a hand not have been possible without the work done by those who had a hand
in producing [RFC7489]. The Acknowledgements section from that in producing [RFC7489]. The Acknowledgements section from that
document is preserved in full below. document is preserved in full below.
Acknowledgements - RFC 7489 Acknowledgements - RFC 7489
DMARC and the draft version of this document submitted to the DMARC and the earlier draft version of this document that was
Independent Submission Editor were the result of lengthy efforts by submitted to the Independent Submission Editor were the result of
an informal industry consortium: DMARC.org (see https://dmarc.org lengthy efforts by an informal industry consortium: DMARC.org (see
(https://dmarc.org)). Participating companies included Agari, <https://dmarc.org>). Participating companies included Agari,
American Greetings, AOL, Bank of America, Cloudmark, Comcast, American Greetings, AOL, Bank of America, Cloudmark, Comcast,
Facebook, Fidelity Investments, Google, JPMorgan Chase & Company, Facebook, Fidelity Investments, Google, JPMorgan Chase & Company,
LinkedIn, Microsoft, Netease, PayPal, ReturnPath, The Trusted Domain LinkedIn, Microsoft, Netease, PayPal, ReturnPath, The Trusted Domain
Project, and Yahoo!. Although the contributors and supporters are Project, and Yahoo!. Although the contributors and supporters are
too numerous to mention, notable individual contributions were made too numerous to mention, notable individual contributions were made
by J. Trent Adams, Michael Adkins, Monica Chew, Dave Crocker, Tim by J. Trent Adams, Michael Adkins, Monica Chew, Dave Crocker, Tim
Draegen, Steve Jones, Franck Martin, Brett McDowell, and Paul Midgen. Draegen, Steve Jones, Franck Martin, Brett McDowell, and Paul Midgen.
The contributors would also like to recognize the invaluable input The contributors would also like to recognize the invaluable input
and guidance that was provided early on by J.D. Falk. and guidance that was provided early on by J.D. Falk.
Additional contributions within the IETF context were made by Kurt Additional contributions within the IETF context were made by Kurt
Andersen, Michael Jack Assels, Les Barstow, Anne Bennett, Jim Fenton, Andersen, Michael Jack Assels, Les Barstow, Anne Bennett, Jim Fenton,
J. Gomez, Mike Jones, Scott Kitterman, Eliot Lear, John Levine, S. J. Gomez, Mike Jones, Scott Kitterman, Eliot Lear, John Levine,
Moonesamy, Rolf Sonneveld, Henry Timmes, and Stephen J. Turnbull. S. Moonesamy, Rolf Sonneveld, Henry Timmes, and Stephen J. Turnbull.
Authors' Addresses Authors' Addresses
Todd M. Herr Todd M. Herr (editor)
Valimail Valimail
Email: todd@someguyinva.com Email: todd@someguyinva.com
John Levine John Levine (editor)
Standcore LLC Standcore LLC
Email: standards@standcore.com Email: standards@standcore.com
 End of changes. 429 change blocks. 
1205 lines changed or deleted 1244 lines changed or added

This html diff was produced by rfcdiff 1.48.