-
Notifications
You must be signed in to change notification settings - Fork 6
/
draft-ietf-dmarc-dmarcbis-11.xml
2770 lines (2533 loc) · 134 KB
/
draft-ietf-dmarc-dmarcbis-11.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="utf-8"?>
<!-- name="GENERATOR" content="github.com/mmarkdown/mmark Mmark Markdown Processor - mmark.miek.nl" -->
<rfc version="3" ipr="trust200902" docName="draft-ietf-dmarc-dmarcbis-11" submissionType="IETF" category="std" xml:lang="en" xmlns:xi="http://www.w3.org/2001/XInclude" obsoletes="7489" consensus="true">
<front>
<title abbrev="DMARCbis">Domain-based Message Authentication, Reporting, and Conformance (DMARC)</title><seriesInfo value="draft-ietf-dmarc-dmarcbis-11" stream="IETF" status="standard" name="Internet-Draft"></seriesInfo>
<author initials="T." surname="Herr (ed)" fullname="Todd M. Herr"><organization>Valimail</organization><address><postal><street></street>
</postal><email>[email protected]</email>
</address></author>
<author initials="J." surname="Levine (ed)" fullname="John Levine"><organization>Standcore LLC</organization><address><postal><street></street>
</postal><email>[email protected]</email>
</address></author>
<date/>
<area>Application</area>
<workgroup>DMARC</workgroup>
<abstract>
<t>This document describes the Domain-based Message Authentication,
Reporting, and Conformance (DMARC) protocol.</t>
<t>DMARC permits the owner of an email author's domain name to enable
verification of the domain's use, to indicate the Domain Owner's or
Public Suffix Operator's message handling preference regarding failed
verification, and to request reports about use of the domain name.
Mail receiving organizations can use this information when evaluating
handling choices for incoming mail.</t>
<t>This document obsoletes RFC 7489.</t>
</abstract>
</front>
<middle>
<section anchor="introduction"><name>Introduction</name>
<t>RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH BEFORE PUBLISHING:
The source for this draft is maintained in GitHub at:
<eref target="https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis">https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis</eref></t>
<t>Abusive email often includes unauthorized and deceptive use of a
domain name in the RFC5322.From header field. The domain typically
belongs to an organization expected to be known to - and presumably
trusted by - the recipient. The Sender Policy Framework (SPF) <xref target="RFC7208"></xref>
and DomainKeys Identified Mail (DKIM) <xref target="RFC6376"></xref> protocols provide
domain-level authentication but are not directly associated with the
RFC5322.From domain. DMARC leverages these two protocols, providing a method
for Domain Owners to publish a DNS record describing the email authentication
policies for the RFC5322.From domain and to request specific handling
for messages using that domain that fail authentication checks.</t>
<t>As with SPF and DKIM, DMARC classes results as "pass" or "fail". In order
to get a DMARC result of "pass", a pass from either SPF or DKIM is required.
In addition, the passed domain must be "aligned" with the RFC5322.From domain
in one of two modes - "relaxed" or "strict". The mode is expressed in the
domain's DMARC policy record. Domains are said to be "in relaxed alignment"
if they have the same "Organizational Domain", which is the domain at the
top of the domain hierarchy for the RFC5322.From domain while having the
same administrative authority as the RFC5322.From domain. Domains are "in
strict alignment" if and only if they are identical.</t>
<t>A DMARC pass indicates only that the RFC5322.From domain has been
authenticated for that message. Authentication does not carry an
explicit or implicit value assertion about that message or about
the Domain Owner. Furthermore, a mail-receiving organization that performs
DMARC verification can choose to honor the Domain Owner's requested
message handling for authentication failures, but it is under no
obligation to do so; it might choose different actions entirely.</t>
<t>For a mail-receiving organization supporting DMARC, a message that
passes verification is part of a message stream that is reliably
associated with the RFC5322.From field Domain Owner. Therefore,
reputation assessment of that stream by the mail-receiving organization
is not encumbered by accounting for unauthorized use of that domain
in the RFC5322.From field. A message that fails this verification
is not necessarily associated with the Domain Owner's domain and its
reputation.</t>
<t>DMARC policy records can also cover non-existent sub-domains, below the
"Organizational Domain", as well as domains at the top of the name hierarchy,
controlled by Public Suffix Operators (PSOs).</t>
<t>DMARC, in the associated <xref target="DMARC-Aggregate-Reporting"></xref> and <xref target="DMARC-Failure-Reporting"></xref>
documents, also specifies a reporting framework. Using it, a mail-receiving
domain can generate regular reports about messages that claim to be from
a domain publishing DMARC policies, sending those reports to the address(es)
specified by the Domain Owner in the latter's DMARC policy record. Domain
Owners can use these reports, especially the aggregate reports, to identify
not only sources of mail attempting to fraudulently use their domain, but also
(and perhaps more importantly) gaps in their own authentication practices. However,
as with honoring the Domain Owner's stated mail handling preference, a mail-receiving
organization supporting DMARC is under no obligation to send requested reports,
although it is recommended that they do send aggregate reports.</t>
<t>Use of DMARC creates some interoperability challenges that require due
consideration before deployment, particularly with configurations that
can cause mail to be rejected. These are discussed in <xref target="other-topics"></xref>.</t>
</section>
<section anchor="requirements"><name>Requirements</name>
<t>Specification of DMARC is guided by the following high-level goals,
security dependencies, detailed requirements, and items that are
documented as out of scope.</t>
<section anchor="high-level-goals"><name>High-Level Goals</name>
<t>DMARC has the following high-level goals:</t>
<ul>
<li><t>Allow Domain Owners and PSOs to assert their desired message handling
for authentication failures for messages purporting to have authorship
within the domain.</t>
</li>
<li><t>Allow Domain Owners and PSOs to verify their authentication deployment.</t>
</li>
<li><t>Minimize implementation complexity for both senders and receivers,
as well as the impact on handling and delivery of legitimate
messages.</t>
</li>
<li><t>Reduce the amount of successfully delivered spoofed email.</t>
</li>
<li><t>Work at Internet scale.</t>
</li>
</ul>
</section>
<section anchor="anti-phishing"><name>Anti-Phishing</name>
<t>DMARC is designed to prevent bad actors from sending mail that claims
to come from legitimate senders, particularly senders of transactional
email (official mail that is about business transactions). One of the
primary uses of this kind of spoofed mail is phishing (enticing users
to provide information by pretending to be the legitimate service
requesting the information). Thus, DMARC is significantly informed
by ongoing efforts to enact large-scale, Internet-wide anti-phishing
measures.</t>
<t>Although DMARC can only be used to combat specific forms of
exact-domain spoofing directly, the DMARC mechanism has been found
to be useful in the creation of reliable and defensible message streams.</t>
<t>DMARC does not attempt to solve all problems with spoofed or
otherwise fraudulent email. In particular, it does not address the
use of visually similar domain names ("cousin domains") or abuse of
the RFC5322.From human-readable <display-name>.</t>
</section>
<section anchor="scalability"><name>Scalability</name>
<t>Scalability is a major issue for systems that need to operate in a
system as widely deployed as current SMTP email. For this reason,
DMARC seeks to avoid the need for third parties or pre-sending
agreements between senders and receivers. This preserves the
positive aspects of the current email infrastructure.</t>
<t>Although DMARC does not introduce third-party senders (namely
external agents authorized to send on behalf of an operator) to the
email-handling flow, it also does not preclude them. Such third
parties are free to provide services in conjunction with DMARC.</t>
</section>
<section anchor="out-of-scope"><name>Out of Scope</name>
<t>Several topics and issues are specifically out of scope for this
work. These include the following:</t>
<ul>
<li><t>Different treatment of messages that are not authenticated versus
those that fail authentication;</t>
</li>
<li><t>Evaluation of anything other than RFC5322.From header field;</t>
</li>
<li><t>Multiple reporting formats;</t>
</li>
<li><t>Publishing policy other than via the DNS;</t>
</li>
<li><t>Reporting or otherwise evaluating other than the last-hop IP
address;</t>
</li>
<li><t>Attacks in the RFC5322.From header field, also known as "display name"
attacks;</t>
</li>
<li><t>Authentication of entities other than domains, since DMARC is
built upon SPF and DKIM, which authenticate domains; and</t>
</li>
<li><t>Content analysis.</t>
</li>
</ul>
</section>
</section>
<section anchor="terminology"><name>Terminology and Definitions</name>
<t>This section defines terms used in the rest of the document.</t>
<section anchor="conventions-used-in-this-document"><name>Conventions Used in This Document</name>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 <xref target="RFC2119"></xref> and <xref target="RFC8174"></xref>
when, and only when, they appear in all capitals, as shown here.</t>
<t>Readers are encouraged to be familiar with the contents of
<xref target="RFC5598"></xref>. In particular, that document defines various roles in
the messaging infrastructure that can appear the same or separate in
various contexts. For example, a Domain Owner could, via the
messaging security mechanisms on which DMARC is based, delegate the
ability to send mail as the Domain Owner to a third party with
another role. This document does not address the distinctions among
such roles; the reader is encouraged to become familiar with that
material before continuing.</t>
</section>
<section anchor="definitions"><name>Definitions</name>
<t>The following sections define terms used in this document.</t>
<section anchor="authenticated-identifiers"><name>Authenticated Identifiers</name>
<t>Domain-level identifiers that are verified using authentication technologies
are referred to as "Authenticated Identifiers". See <xref target="authentication-mechanisms"></xref>
for details about the supported mechanisms.</t>
</section>
<section anchor="author-domain"><name>Author Domain</name>
<t>The domain name of the apparent author, as extracted from the RFC5322.From header field.</t>
</section>
<section anchor="domain-owner"><name>Domain Owner</name>
<t>An entity or organization that owns a DNS domain. The
term "owns" here indicates that the entity or organization being
referenced holds the registration of that DNS domain. Domain
Owners range from complex, globally distributed organizations, to
service providers working on behalf of non-technical clients, to
individuals responsible for maintaining personal domains. This
specification uses this term as analogous to an Administrative
Management Domain as defined in <xref target="RFC5598"></xref>. It can also refer
to delegates, such as Report Consumers, when those are outside of
their immediate management domain.</t>
</section>
<section anchor="identifier-alignment"><name>Identifier Alignment</name>
<t>When the domain in the address in the RFC5322.From header field has the
same Organizational Domain as a domain verified by an authenticated
identifier, it has Identifier Alignment. (see <xref target="organizational-domain"></xref>)</t>
</section>
<section anchor="mail-receiver"><name>Mail Receiver</name>
<t>The entity or organization that receives and processes email. Mail
Receivers operate one or more Internet-facing Mail Transport Agents (MTAs).</t>
</section>
<section anchor="non-existent-domains"><name>Non-existent Domains</name>
<t>For DMARC purposes, a non-existent domain is consistent with the meaning
of the term as described in <xref target="RFC8020"></xref>. That is, if the response code received
for a query for a domain name is NXDOMAIN, then the domain name and all the
names under it do not exist.</t>
</section>
<section anchor="organizational-domain"><name>Organizational Domain</name>
<t>The Organizational Domain is typically a domain that was registered with
a domain name registrar. More formally, it is any Public Suffix Domain
plus one label. The Organizational Domain for the domain in the
RFC5322.From domain is determined by applying the algorithm found in
<xref target="organizational-domain-discovery"></xref>.</t>
</section>
<section anchor="public-suffix-domain"><name>Public Suffix Domain (PSD)</name>
<t>The global Internet Domain Name System (DNS) is documented in
numerous RFCs. It defines a tree of names starting with root, ".",
immediately below which are Top-Level Domain names such as ".com" and
".us". The domain name structure consists of a tree of names, each
of which is made of a sequence of words ("labels") separated by
period characters. The root of the tree is simply called ".". The
Internet community at large, through processes and policies external
to this work, selects points in this tree at which to register domain
names "owned" by independent organizations. Real-world examples of
these points are ".com", ".org", ".us", and ".gov.uk". Names at which
such registrations occur are called "Public Suffix Domains (PSDs)", and
a registration consists of a label selected by the registrant to which
a desirable PSD is appended. For example, "ietf.org" is a registered
domain name, and ".org" is its PSD.</t>
</section>
<section anchor="public-suffix-operator"><name>Public Suffix Operator (PSO)</name>
<t>A Public Suffix Operator is an organization that manages operations
within a PSD, particularly the DNS records published for names at and
under that domain name.</t>
</section>
<section anchor="pso-controlled-domain-names"><name>PSO Controlled Domain Names</name>
<t>PSO-Controlled Domain Names are names in the DNS that are managed by
a PSO and are not available for use as Organizational Domains. PSO-
Controlled Domain Names may have one (e.g., ".com") or more (e.g.,
".co.uk") name components, depending on PSD policy.</t>
</section>
<section anchor="report-consumer"><name>Report Consumer</name>
<t>An operator that receives reports from another operator implementing the
reporting mechanisms described in this document and/or the documents
<xref target="DMARC-Aggregate-Reporting"></xref> and <xref target="DMARC-Failure-Reporting"></xref>. Such an
operator might be receiving reports about messages related to a domain
for which it is the Domain Owner or PSO, or reports about messages related
to another operator's domain. This term applies collectively to the
system components that receive and process these reports and the organizations
that operate them.</t>
</section>
</section>
</section>
<section anchor="overview-and-key-concepts"><name>Overview and Key Concepts</name>
<t>This section provides a general overview of the design and operation
of the DMARC environment.</t>
<section anchor="dmarc-basics"><name>DMARC Basics</name>
<t>DMARC permits a Domain Owner or PSO to enable verification of a domain's
use in an email message, to indicate the Domain Owner's or PSO's message
handling preference regarding failed verification, and to request reports
about use of the domain name. All information about a Domain Owner's or
PSO's DMARC policy is published and retrieved via the DNS.</t>
<t>DMARC's verification function is based on whether the RFC5322.From
domain is aligned with a domain name used in a supported authentication
mechanism, as described in <xref target="authentication-mechanisms"></xref>. When a DMARC policy
exists for the domain name found in the RFC5322.From header field, and that
domain name is not verified through an aligned supported authentication
mechanism, the handling of that message can be affected based on the
DMARC policy when delivered to a participating Mail Receiver.</t>
<t>A message satisfies the DMARC checks if at least one of the supported
authentication mechanisms:</t>
<ol>
<li><t>produces a "pass" result, and</t>
</li>
<li><t>produces that result based on an identifier that is in alignment,
as described in <xref target="identifier-alignment-explained"></xref>.</t>
</li>
</ol>
<t>It is important to note that the authentication mechanisms employed
by DMARC authenticate only a DNS domain and do not authenticate the
local-part of any email address identifier found in a message, nor do
they validate the legitimacy of message content.</t>
<t>DMARC's feedback component involves the collection of information
about received messages claiming to be from the Author Domain
for periodic aggregate reports to the Domain Owner or PSO. The
parameters and format for such reports are discussed in
<xref target="DMARC-Aggregate-Reporting"></xref></t>
<t>A DMARC-enabled Mail Receiver might also generate per-message reports
that contain information related to individual messages that fail
authentication checks. Per-message failure reports are a useful source of
information when debugging deployments (if messages can be determined
to be legitimate even though failing authentication) or in analyzing
attacks. The capability for such services is enabled by DMARC but
defined in other referenced material such as <xref target="RFC6591"></xref> and
<xref target="DMARC-Failure-Reporting"></xref></t>
</section>
<section anchor="use-of-rfc5322-from"><name>Use of RFC5322.From</name>
<t>One of the most obvious points of security scrutiny for DMARC is the
choice to focus on an identifier, namely the RFC5322.From address,
which is part of a body of data that has been trivially forged
throughout the history of email. This field is the one used by end
users to identify the source of the message, and so it has always
been a prime target for abuse through such forgery and other means.</t>
<t>Several points suggest that it is the most correct and safest thing
to do in this context:</t>
<ul>
<li><t>Of all the identifiers that are part of the message itself, this
is the only one guaranteed to be present.</t>
</li>
<li><t>It seems the best choice of an identifier on which to focus, as
most MUAs display some or all of the contents of that field in a
manner strongly suggesting those data as reflective of the true
originator of the message.</t>
</li>
<li><t>Many high-profile email sources, such as email service providers,
require that the sending agent have authenticated before email
can be generated. Thus, for these mailboxes, the mechanism
described in this document provides recipient end users with strong
evidence that the message was indeed originated by the agent they
associate with that mailbox, if the end user knows that these
various protections have been provided.</t>
</li>
<li><t>The absence of a single, properly formed RFC5322.From header field
renders the message invalid. Handling of such a message is outside
of the scope of this specification.</t>
</li>
</ul>
<t>Since the sorts of mail typically protected by DMARC participants
tend to only have single Authors, DMARC participants generally
operate under a slightly restricted profile of RFC5322 with respect
to the expected syntax of this field. See <xref target="mail-receiver-actions"></xref>
for details.</t>
</section>
<section anchor="authentication-mechanisms"><name>Authentication Mechanisms</name>
<t>The following mechanisms for determining Authenticated Identifiers
are supported in this version of DMARC:</t>
<ul>
<li><t>DKIM, <xref target="RFC6376"></xref>, which provides a domain-level identifier in the content of
the "d=" tag of a verified DKIM-Signature header field.</t>
</li>
<li><t>SPF, <xref target="RFC7208"></xref>, which can authenticate both the domain found in
an SMTP <xref target="RFC5321"></xref> HELO/EHLO command (the HELO identity) and the domain
found in an SMTP MAIL command (the MAIL FROM identity). As noted earlier,
however, DMARC relies solely on SPF authentication of the domain found in
SMTP MAIL FROM command. Section 2.4 of <xref target="RFC7208"></xref> describes MAIL FROM
processing for cases in which the MAIL command has a null path.</t>
</li>
</ul>
</section>
<section anchor="identifier-alignment-explained"><name>Identifier Alignment Explained</name>
<t>Email authentication technologies authenticate various (and
disparate) aspects of an individual message. For example, DKIM <xref target="RFC6376"></xref>
authenticates the domain that affixed a signature to the message,
while SPF <xref target="RFC7208"></xref> can authenticate either the domain that appears in the
RFC5321.MailFrom (MAIL FROM) portion of an SMTP <xref target="RFC5321"></xref> conversation or the
RFC5321.EHLO/HELO domain, or both. These may be different domains, and they
are typically not visible to the end user.</t>
<t>DMARC authenticates use of the RFC5322.From domain by requiring either
that it have the same Organizational Domain as an Authenticated Identifier
(a condition known as "relaxed alignment") or that it be identical to the
domain of the Authenticated Identifier (a condition known as "strict
alignment"). The choice of relaxed or strict alignment is left to the Domain
Owner and is expressed in the domain's DMARC policy record. Domain names
in this context are to be compared in a case-insensitive manner, per <xref target="RFC4343"></xref>.</t>
<t>It is important to note that Identifier Alignment cannot occur with a
message that is not valid per <xref target="RFC5322"></xref>, particularly one with a
malformed, absent, or repeated RFC5322.From header field, since in that case
there is no reliable way to determine a DMARC policy that applies to
the message. Accordingly, DMARC operation is predicated on the input
being a valid RFC5322 message object, and handling of such
non-compliant cases is outside of the scope of this specification.
Further discussion of this can be found in <xref target="extract-author-domain"></xref>.</t>
<t>Each of the underlying authentication technologies that DMARC takes
as input yields authenticated domains as their outputs when they
succeed.</t>
<section anchor="dkim-identifiers"><name>DKIM-Authenticated Identifiers</name>
<t>DMARC requires Identifier Alignment based on the result of a DKIM
authentication because a message can bear a valid signature from any
domain, including domains used by a mailing list or even a bad actor.
Therefore, merely bearing a valid signature is not enough to infer
authenticity of the Author Domain.</t>
<t>DMARC permits Identifier Alignment based on the result of a DKIM
authentication to be strict or relaxed. (Note that these terms are
not related to DKIM's "simple" and "relaxed" canonicalization modes.)</t>
<t>In relaxed mode, the Organizational Domains of both the DKIM-authenticated
signing domain (taken from the value of the d= tag in the signature)
and that of the RFC5322.From domain must be equal if the identifiers
are to be considered to be aligned. In strict mode, only an exact match
between both Fully Qualified Domain Names (FQDNs) is considered to produce
Identifier Alignment.</t>
<t>To illustrate, in relaxed mode, if a verified DKIM signature
successfully verifies with a "d=" domain of "example.com", and the
RFC5322.From address is "[email protected]", the DKIM "d="
domain and the RFC5322.From domain are considered to be "in alignment",
because both domains have the same Organizational Domain of "example.com".
In strict mode, this test would fail because the d= domain does not
exactly match the RFC5322.From domain.</t>
<t>However, a DKIM signature bearing a value of "d=com" would never allow
an "in alignment" result, as "com" should be identified as a PSD and
therefore cannot be an Organizational Domain.</t>
<t>Note that a single email can contain multiple DKIM signatures, and it
is considered to produce a DMARC "pass" result if any DKIM signature
is aligned and verifies.</t>
</section>
<section anchor="spf-identifiers"><name>SPF-Authenticated Identifiers</name>
<t>DMARC permits Identifier Alignment based on the result of an SPF
authentication. As with DKIM, Identifier Alignement can be either
strict or relaxed.</t>
<t>In relaxed mode, the Organizational Domains of the SPF-authenticated
domain and RFC5322.From domain must be equal if the identifiers are
to be considered to be aligned. In strict mode, the two FQDNs must
match exactly in order for them to be considered to be aligned.</t>
<t>For example, in relaxed mode, if a message passes an SPF check with an
RFC5321.MailFrom domain of "cbg.bounces.example.com", and the address
portion of the RFC5322.From header field contains
"[email protected]", the Authenticated RFC5321.MailFrom domain
identifier and the RFC5322.From domain are considered to be "in
alignment" because they have the same Organizational Domain
("example.com"). In strict mode, this test would fail because the
two domains are not identical.</t>
<t>The reader should note that SPF alignment checks in DMARC rely solely
on the RFC5321.MailFrom domain. This differs from section 2.3 of
<xref target="RFC7208"></xref>, which recommends that SPF checks be done on not only the
"MAIL FROM" but also on a separate check of the "HELO" identity.</t>
</section>
<section anchor="alignment-and-extension-technologies"><name>Alignment and Extension Technologies</name>
<t>If in the future DMARC is extended to include the use of other
authentication mechanisms, the extensions will need to allow for
domain identifier extraction so that alignment with the RFC5322.From
domain can be verified.</t>
</section>
</section>
<section anchor="flow-diagram"><name>Flow Diagram</name>
<sourcecode type="ascii-art"> +---------------+ +--------------------+
| Author Domain |< . . . . . . . . . . . . | Return-Path Domain |
+---------------+ . +--------------------+
| . ^
V V .
+-----------+ +--------+ +----------+ v
| MSA |<***>| DKIM | | DMARC | +----------+
| Service | | Signer | | Verifier |<***>| SPF |
+-----------+ +--------+ +----------+ * | Verifier |
| ^ * +----------+
| * *
V v *
+------+ (~~~~~~~~~~~~) +------+ * +----------+
| sMTA |------->( other MTAs )----->| rMTA | **>| DKIM |
+------+ (~~~~~~~~~~~~) +------+ | Verifier |
| +----------+
| ^
V .
+-----------+ .
+---------+ | MDA | v
| User |<--| Filtering | +-----------+
| Mailbox | | Engine | | DKIM |
+---------+ +-----------+ | Signing |
| Domain(s) |
+-----------+
MSA = Mail Submission Agent
MDA = Mail Delivery Agent
</sourcecode>
<t>The above diagram shows a simple flow of messages through a
DMARC-aware system. Solid lines denote the actual message flow,
dotted lines involve DNS queries used to retrieve message policy
related to the supported message authentication schemes, and asterisk
lines indicate data exchange between message-handling modules and
message authentication modules. "sMTA" is the sending MTA, and "rMTA"
is the receiving MTA.</t>
<t>Put simply, when a message reaches a DMARC-aware rMTA, a DNS query
will be initiated to determine if a DMARC policy exists that applies
to the author domain. If a policy is found, the rMTA will use the results
of SPF and DKIM verification checks to determine the ultimate DMARC
authentication status. The DMARC status can then factor into the
message handling decision made by the recipient's mail system.</t>
<t>More details on specific actions for the parties involved can be
found in <xref target="domain-owner-actions"></xref> and <xref target="mail-receiver-actions"></xref>.</t>
</section>
<section anchor="dns-tree-walk"><name>DNS Tree Walk</name>
<t>The DMARC protocol defines a method for communicating information
through the publishing of records in DNS. Both the content of the
records and their location in the DNS hierarchy are used for two
purposes: policy discovery (see <xref target="dmarc-policy-discovery"></xref>) and Organizational
Domain determination (see <xref target="organizational-domain-discovery"></xref>).</t>
<t>The relevant DMARC record for these purposes is not necessarily the DMARC
policy record found in DNS at the same level as the name label for
the domain in question. Instead, some domains will inherit their
DMARC policy records from parent domains one level or more above
them in the DNS hierarchy. Similarly, the Organizational Domain
may be found at a higher level in the DNS hierarchy.</t>
<t>These records are discovered through the technique described here,
known colloquially as the "DNS Tree Walk". The target of any DNS Tree
Walk is a valid DMARC policy record, but the rules defining required
content for that record depend on the reason for performing the Tree
Walk.</t>
<t>To prevent possible abuse of the DNS, a shortcut is built into the
process so that domains that have more than five labels do not result
in more than five DNS queries.</t>
<t>The generic steps for a DNS Tree Walk are as follows:</t>
<ol>
<li><t>Query the DNS for a DMARC TXT record at the DNS domain matching the one
found in the domain(s) described above. A possibly empty set of records
is returned.</t>
</li>
<li><t>Records that do not start with a "v=" tag that identifies the
current version of DMARC are discarded. If multiple DMARC records are
returned, they are all discarded.
If a single record remains and it contains a "psd=n" tag, stop.</t>
</li>
<li><t>Determine the target for additional queries (if needed; see the note in
<xref target="organizational-domain-discovery"></xref>), using steps 4 through 8 below.</t>
</li>
<li><t>Break the subject DNS domain name into a set of "n" ordered
labels. Number these labels from right to left; e.g., for
"a.mail.example.com", "com" would be label 1, "example" would be
label 2, "mail" would be label 3, and so forth.</t>
</li>
<li><t>Count the number of labels found in the subject DNS domain. Let that
number be "x". If x < 5, remove the left-most (highest-numbered)
label from the subject domain. If x >= 5, remove the left-most
(highest-numbered) labels from the subject domain until 4 labels remain.
The resulting DNS domain name is the new target for subsequent lookups.</t>
</li>
<li><t>Query the DNS for a DMARC TXT record at the DNS domain matching this
new target in place of the RFC5322.From domain in the message. A possibly
empty set of records is returned.</t>
</li>
<li><t>Records that do not start with a "v=" tag that identifies the
current version of DMARC are discarded. If multiple DMARC records are
returned for a single target, they are all discarded.
If a single record remains and it contains a "psd=n" or "psd=y" tag, stop.</t>
</li>
<li><t>Determine the target for additional queries by removing a single label
from the target domain as described in step 5 and repeating steps 6 and
7 until the process stops or there are no more labels remaining.</t>
</li>
</ol>
<t>To illustrate, for a message with the arbitrary RFC5322.From domain of
"a.b.c.d.e.mail.example.com", a full DNS Tree Walk would require the following
five queries, in order to locate the policy or Organizational Domain:</t>
<ul>
<li>_dmarc.a.b.c.d.e.mail.example.com</li>
<li>_dmarc.e.mail.example.com</li>
<li>_dmarc.mail.example.com</li>
<li>_dmarc.example.com</li>
<li>_dmarc.com</li>
</ul>
</section>
<section anchor="dmarc-policy-discovery"><name>DMARC Policy Discovery</name>
<t>For policy discovery, a DNS Tree Walk starts at the point in the DNS
hierarchy that matches the domain in the RFC5322.From header of the
message. The DMARC policy to be applied to the message will be the record
found at one of these three locations:</t>
<ul>
<li>The RFC5322.From domain</li>
<li>The Organizational Domain (as determined by a separate DNS Tree Walk) of
the RFC5322.From domain</li>
<li>The Public Suffix Domain of the RFC5322.From domain</li>
</ul>
<t>If the DMARC policy to be applied is that of the RFC5322.From domain, then the
DMARC policy is taken from the p= tag of the record. If the DMARC policy is
taken from either the Organizational Domain or the Public Suffix Domain and that
domain is different than the RFC5322.From domain, then the DMARC policy is taken
from the sp= tag (if any) if the RFC5322.From domain exists and the np= tag (if any)
if the RFC5322.From domain does not exist. In the absence of applicable sp= or np=
tags, the p= tag policy is used for subdomains.</t>
<t>If a retrieved policy record does not contain a valid "p" tag, or contains
an "sp" or "np" tag that is not valid, then:</t>
<ul>
<li><t>If a "rua" tag is present and contains at least one
syntactically valid reporting URI, the Mail Receiver SHOULD
act as if a record containing a valid "v" tag and "p=none"
was retrieved, and continue processing;</t>
</li>
<li><t>Otherwise, the Mail Receiver applies no DMARC processing to
this message.</t>
</li>
</ul>
<t>If the set produced by the DNS Tree Walk contains no DMARC policy
record (i.e., any indication that there is no such record as opposed
to a transient DNS error), Mail Receivers MUST NOT apply the DMARC
mechanism to the message.</t>
<t>Handling of DNS errors when querying for the DMARC policy record is
left to the discretion of the Mail Receiver. For example, to ensure
minimal disruption of mail flow, transient errors could result in
delivery of the message ("fail open"), or they could result in the
message being temporarily rejected (i.e., an SMTP 4yx reply), which
invites the sending MTA to try again after the condition has possibly
cleared, allowing a definite DMARC conclusion to be reached ("fail
closed").</t>
<t>Note: PSD policy is not used for Organizational Domains that have
published a DMARC policy. Specifically, this is not a mechanism to
provide feedback addresses (rua/ruf) when an Organizational Domain has
declined to do so.</t>
</section>
<section anchor="organizational-domain-discovery"><name>Organizational Domain Discovery</name>
<t>For Organizational Domain discovery, it may be necessary to perform
multiple DNS Tree Walks in order to determine if any two domains are in
alignment. This means that a DNS Tree Walk to discover an Organizational
Domain might start at any of the following locations:</t>
<ul>
<li>The domain in the RFC5322.From header of the message.</li>
<li>The RFC5321.MailFrom domain if there is an SPF pass result for the
message.</li>
<li>Any DKIM d= domain if there is a DKIM pass result for the message for that
domain.</li>
</ul>
<t>Note: There is no need to perform Tree Walk searches for Organizational Domains
under any of the following conditions:</t>
<ul>
<li>The RFC5322.From domain and the RFC5321.MailFrom domain (if SPF
authenticated), and/or the DKIM d= domain (if present and authenticated)
are all the same and that domain has a DMARC record. In this case, this
common domain is treated as the Organizational Domain.</li>
<li>No applicable DMARC policy is discovered for the RFC5322.From domain during
the first tree walk. In this case, the DMARC mechanism does not apply to
the message in question.</li>
<li>The record for the RFC5322.From domain indicates strict alignment. In this
case, a simple string compare between the RFC5322.From domain and the
RFC5321.MailFrom domain (if SPF authenticated), and/or the DKIM d= domain
(if present and authenticated) is all that is required.</li>
</ul>
<t>To discover the Organizational Domain for a domain, perform the DNS Tree Walk
described in <xref target="dns-tree-walk"></xref> as needed for any of the domains in question.</t>
<t>Select the Organizational Domain from the domains for which valid
DMARC records were retrieved from the longest to the shortest:</t>
<ol>
<li><t>If a valid DMARC record contains the psd= tag set to 'n' (psd=n), this is the
Organizational Domain and the selection process is complete.</t>
</li>
<li><t>If a valid DMARC record, other than the one for the domain where the tree
walk started, contains the psd= tag set to 'y' (psd=y), the Organizational
Domain is the domain one label below this one in the DNS hierarchy, and the
selection process is complete.</t>
</li>
<li><t>Otherwise select the record
for the domain with the fewest number of labels. This is the Organizational
Domain and the selection process is complete.</t>
</li>
</ol>
<t>If this process does not determine the Organizational Domain, then the initial target
domain is the Organizational Domain.</t>
<t>For example, given the starting domain "a.mail.example.com", a search
for the Organizational Domain would require a series of DNS queries for DMARC
records starting with "_dmarc.a.mail.example.com" and finishing with "_dmarc.com".
If there are DMARC records for "_dmarc.mail.example.com" and
"_dmarc.example.com", but not for "_dmarc.a.mail.example.com" or
"_dmarc.com", then the Organizational Domain for this domain would be
"example.com".</t>
<t>As another example, given the starting domain "a.mail.example.com", if a
search for the Organizational Domain only yields a DMARC record at "_dmarc.com"
and that record contains the tag psd=y, then the Organizational Domain for
this domain would be "example.com".</t>
</section>
</section>
<section anchor="policy"><name>Policy</name>
<t>A Domain Owner or PSO advertises DMARC participation of one or more of its
domains by adding a DNS TXT record (described in <xref target="dmarc-policy-record"></xref>) to
those domains. In doing so, Domain Owners and PSOs indicate their handling
preference regarding failed authentication for email messages making use
of their domain in the RFC5322.From header field as well as their desire
for feedback about those messages. Mail Receivers in turn can take into
account the Domain Owner's stated preference when making handling
decisions about email messages that fail DMARC authentication checks.</t>
<t>A Domain Owner or PSO may choose not to participate in DMARC evaluation by
Mail Receivers simply by not publishing an appropriate DNS TXT record for
its domain(s). A Domain Owner can also choose to not have some underlying
authentication technologies apply to DMARC evaluation of its domain(s). In
this case, the Domain Owner simply declines to advertise participation in
those schemes. For example, if the results of path authorization checks
ought not be considered as part of the overall DMARC result for a given
Author Domain, then the Domain Owner does not publish an SPF policy record
that can produce an SPF pass result.</t>
<t>A Mail Receiver implementing the DMARC mechanism SHOULD make a best-effort
attempt to adhere to the Domain Owner's or PSO's published DMARC Domain
Owner Assessment Policy when a message fails the DMARC test. Since email
streams can be complicated (due to forwarding, existing RFC5322.From
domain-spoofing services, etc.), Mail Receivers MAY deviate from a published
Domain Owner Assessment Policy during message processing and SHOULD
make available the fact of and reason for the deviation to the Domain
Owner via feedback reporting, specifically using the "PolicyOverride"
feature of the aggregate report defined in <xref target="DMARC-Aggregate-Reporting"></xref></t>
<section anchor="dmarc-policy-record"><name>DMARC Policy Record</name>
<t>Domain Owner and PSO DMARC preferences are stored as DNS TXT records in
subdomains named "_dmarc". For example, the Domain Owner of
"example.com" would post DMARC preferences in a TXT record at
"_dmarc.example.com". Similarly, a Mail Receiver wishing to query
for DMARC preferences regarding mail with an RFC5322.From domain of
"example.com" would issue a TXT query to the DNS for the subdomain of
"_dmarc.example.com". The DNS-located DMARC preference data will
hereafter be called the "DMARC record".</t>
<t>DMARC's use of the Domain Name Service is driven by DMARC's use of
domain names and the nature of the query it performs. The query
requirement matches with the DNS, for obtaining simple parametric
information. It uses an established method of storing the
information, associated with the target domain name, namely an
isolated TXT record that is restricted to the DMARC context. Use of
the DNS as the query service has the benefit of reusing an extremely
well-established operations, administration, and management
infrastructure, rather than creating a new one.</t>
<t>Per <xref target="RFC1035"></xref>, a TXT record can comprise several "character-string"
objects. Where this is the case, the module performing DMARC
evaluation MUST concatenate these strings by joining together the
objects in order and parsing the result as a single string.</t>
</section>
<section anchor="dmarc-uris"><name>DMARC URIs</name>
<t><xref target="RFC3986"></xref> defines a generic syntax for identifying a resource. The DMARC
mechanism uses this as the format by which a Domain Owner or PSO specifies
the destination for the two report types that are supported.</t>
<t>The place such URIs are specified (see <xref target="general-record-format"></xref>) allows
a list of these to be provided. The list of URIs is separated by commas
(ASCII 0x2c). A report SHOULD be sent to each listed URI provided in
the DMARC record.</t>
<t>A formal definition is provided in <xref target="formal-definition"></xref>.</t>
</section>
<section anchor="general-record-format"><name>General Record Format</name>
<t>DMARC records follow the extensible "tag-value" syntax for DNS-based
key records defined in DKIM <xref target="RFC6376"></xref>.</t>
<t><xref target="iana-considerations"></xref> creates a registry for known DMARC tags and
registers the initial set defined in this document. Only tags defined
in that registry are to be processed; unknown tags MUST be ignored.</t>
<t>The following tags are valid DMARC tags:</t>
<dl>
<dt>adkim:</dt>
<dd><t>(plain-text; OPTIONAL; default is "r".) Indicates whether
strict or relaxed DKIM Identifier Alignment mode is required by
the Domain Owner. See <xref target="dkim-identifiers"></xref> for details. Valid values
are as follows:</t>
<dl>
<dt>r:</dt>
<dd>relaxed mode</dd>
<dt>s:</dt>
<dd>strict mode</dd>
</dl></dd>
<dt>aspf:</dt>
<dd><t>(plain-text; OPTIONAL; default is "r".) Indicates whether
strict or relaxed SPF Identifier Alignment mode is required by the
Domain Owner. See <xref target="spf-identifiers"></xref> for details. Valid values are as
follows:</t>
<dl>
<dt>r:</dt>
<dd>relaxed mode</dd>
<dt>s:</dt>
<dd>strict mode</dd>
</dl></dd>
<dt>fo:</dt>
<dd><t>Failure reporting options (plain-text; OPTIONAL; default is "0")
Provides requested options for generation of failure reports.
Report generators MAY choose to adhere to the requested options.
This tag's content MUST be ignored if a "ruf" tag (below) is not
also specified. Failure reporting options are shown below. The value
of this tag is either "0", "1", or a colon-separated list of the
options represented by alphabetic characters. The valid values and
their meanings are:</t>
<dl>
<dt>0:</dt>
<dd>Generate a DMARC failure report if all underlying authentication
mechanisms fail to produce an aligned "pass" result.</dd>
<dt>1:</dt>
<dd>Generate a DMARC failure report if any underlying authentication
mechanism produced something other than an aligned "pass" result.</dd>
<dt>d:</dt>
<dd>Generate a DKIM failure report if the message had a signature
that failed evaluation, regardless of its alignment. DKIM-specific
reporting is described in <xref target="RFC6651"></xref>.</dd>
<dt>s:</dt>
<dd>Generate an SPF failure report if the message failed SPF
evaluation, regardless of its alignment. SPF-specific
reporting is described in <xref target="RFC6652"></xref>.</dd>
</dl></dd>
<dt>np:</dt>
<dd><t>Domain Owner Assessment Policy for non-existent subdomains
(plain-text; OPTIONAL). Indicates the message handling preference
that the Domain Owner or PSO has for mail using non-existent subdomains
of the domain queried. It applies only to non-existent subdomains of
the domain queried and not to either existing subdomains or
the domain itself. Its syntax is identical to that of the "p"
tag defined below. If the "np" tag is absent, the policy
specified by the "sp" tag (if the "sp" tag is present) or the
policy specified by the "p" tag, if the "sp" tag is not present,
MUST be applied for non-existent subdomains. Note that "np" will
be ignored for DMARC records published on subdomains of Organizational
Domains and PSDs due to the effect of the DMARC policy discovery
mechanism described in <xref target="dmarc-policy-discovery"></xref>.</t>
</dd>
<dt>p:</dt>
<dd><t>Domain Owner Assessment Policy (plain-text; RECOMMENDED for policy
records). Indicates the message handling preference the Domain Owner or
PSO has for mail using its domain but not passing DMARC verification.
Policy applies to the domain queried and to subdomains, unless
subdomain policy is explicitly described using the "sp" or "np" tags.
If this tag is not present in an otherwise syntactically valid DMARC
record, then the record is treated as if it included "p=none" (see
<xref target="dmarc-policy-discovery"></xref>). This tag is not applicable for third-party
reporting records (see <xref target="DMARC-Aggregate-Reporting"></xref> and <xref target="DMARC-Failure-Reporting"></xref>)
Possible values are as follows:</t>
<dl>
<dt>none:</dt>
<dd>The Domain Owner offers no expression of preference.</dd>
<dt>quarantine:</dt>
<dd>The Domain Owner considers such mail to be suspicious. It is possible
the mail is valid, although the failure creates a significant concern.</dd>
<dt>reject:</dt>
<dd>The Domain Owner considers all such failures to be a clear indication
that the use of the domain name is not valid. See <xref target="rejecting-messages"></xref>
for some discussion of SMTP rejection methods and their implications.</dd>
</dl></dd>
<dt>psd:</dt>
<dd><t>A flag indicating whether the domain is a PSD. (plain-text; OPTIONAL;
default is 'u'). Possible values are:</t>
<dl>
<dt>y:</dt>
<dd>PSOs MUSTinclude this tag with a value of 'y' to indicate that the domain
is a PSD. If a record containing this tag with a value of 'y' is found during
policy discovery, this information will be used to determine the Organizational
Domain and policy domain applicable to the message in question.</dd>
<dt>n:</dt>
<dd>The DMARC policy record is published for a PSD, but it is the Organizational
Domain for itself and its subdomain. There is no need to put psd=n in a DMARC
record, except in the very unusual case of a parent PSD publishing a DMARC
record without the requisite psd=y tag.</dd>
<dt>u:</dt>
<dd>The default, indicating that the DMARC policy record is published for a domain
that is not a PSD. Use the mechanism described in <xref target="organizational-domain-discovery"></xref>
for determining the Organizational Domain. There is no need to explicitly publish
psd=u in a DMARC record.</dd>
</dl></dd>
<dt>rua:</dt>
<dd><t>Addresses to which aggregate feedback is to be sent (comma-separated plain-text
list of DMARC URIs; OPTIONAL). <xref target="DMARC-Aggregate-Reporting"></xref> discusses considerations
that apply when the domain name of a URI differs from that of the domain advertising
the policy. See <xref target="external-report-addresses"></xref> for additional considerations. Any
valid URI can be specified. A Mail Receiver MUST implement support for a "mailto:"
URI, i.e., the ability to send a DMARC report via electronic mail. If the tag is not
provided, Mail Receivers MUST NOT generate aggregate feedback reports for the domain.
URIs not supported by Mail Receivers MUST be ignored. The aggregate feedback report
format is described in <xref target="DMARC-Aggregate-Reporting"></xref></t>
</dd>
<dt>ruf:</dt>
<dd><t>Addresses to which message-specific failure information is to be reported
(comma-separated plain-text list of DMARC URIs; OPTIONAL). If present, the Domain
Owner or PSO is requesting Mail Receivers to send detailed failure reports about
messages that fail the DMARC evaluation in specific ways (see the "fo" tag above).
The format of the message to be generated MUST follow the format specified for the
"rf" tag. <xref target="DMARC-Aggregate-Reporting"></xref> discusses considerations that apply when
the domain name of a URI differs from that of the domain advertising the policy.
A Mail Receiver MUST implement support for a "mailto:" URI, i.e., the ability to
send a DMARC report via electronic mail. If the tag is not provided, Mail Receivers
MUST NOT generate failure reports for the domain. See <xref target="external-report-addresses"></xref>
for additional considerations.</t>
</dd>
<dt>sp:</dt>
<dd><t>Domain Owner Assessment Policy for all subdomains (plain-text;
OPTIONAL). Indicates the message handling preference the Domain Owner
or PSO has for mail using an existing subdomain of the domain queried
but not passing DMARC verification. It applies only to subdomains of
the domain queried and not to the domain itself. Its syntax is
identical to that of the "p" tag defined above. If both the "sp"
tag is absent and the "np" tag is either absent or not applicable,
the policy specified by the "p" tag MUST be applied for subdomains.
Note that "sp" will be ignored for DMARC records published on
subdomains of Organizational Domains due to the effect of the
DMARC policy discovery mechanism described in <xref target="dmarc-policy-discovery"></xref>.</t>
</dd>
<dt>t:</dt>
<dd><t>DMARC policy test mode (plain-text; OPTIONAL; default is 'n'). For
the RFC5322.From domain to which the DMARC record applies, the "t"
tag serves as a signal to the actor performing DMARC verification checks
as to whether or not the domain owner wishes the assessment policy
declared in the "p=", "sp=", and/or "np=" tags to actually be applied. This
parameter does not affect the generation of DMARC reports. Possible values
are as follows:</t>
<dl>
<dt>y:</dt>
<dd>A request that the actor performing the DMARC verification check not
apply the policy, but instead apply any special handling rules it might have
in place, such as rewriting the RFC5322.From header. The domain owner is
currently testing its specified DMARC assessment policy.</dd>
<dt>n:</dt>
<dd>The default, a request to apply the policy as specified to any
message that produces a DMARC "fail" result.</dd>
</dl></dd>
<dt>v:</dt>
<dd><t>Version (plain-text; REQUIRED). Identifies the record retrieved
as a DMARC record. It MUST have the value of "DMARC1". The value
of this tag MUST match precisely; if it does not or it is absent,
the entire retrieved record MUST be ignored. It MUST be the first
tag in the list.</t>
</dd>
</dl>
<t>A DMARC policy record MUST comply with the formal specification found
in <xref target="formal-definition"></xref> in that the "v" tag MUST be present and MUST
appear first. Unknown tags MUST be ignored. Syntax errors
in the remainder of the record SHOULD be discarded in favor of
default values (if any) or ignored outright.</t>
<t>Note that given the rules of the previous paragraph, addition of a
new tag into the registered list of tags does not itself require a
new version of DMARC to be generated (with a corresponding change to
the "v" tag's value), but a change to any existing tags does require
a new version of DMARC.</t>
</section>
<section anchor="formal-definition"><name>Formal Definition</name>
<t>The formal definition of the DMARC format, using <xref target="RFC5234"></xref> and <xref target="RFC7405"></xref>,
is as follows:</t>
<artwork> dmarc-uri = URI
; "URI" is imported from [RFC3986]; commas (ASCII
; 0x2C) and exclamation points (ASCII 0x21)
; MUST be encoded
dmarc-sep = *WSP ";" *WSP
equals = *WSP "=" *WSP
dmarc-record = dmarc-version *(dmarc-sep dmarc-tag) [dmarc-sep]
dmarc-tag = 1*ALPHA equals 1*dmarc-value
; any printing characters but semicolon
dmarc-value = %x20-3A | %x3C-7E
dmarc-version = "v" equals %s"DMARC1" ; case sensitive
; specialized syntax of DMARC values
dmarc-request = "none" / "quarantine" / "reject"
dmarc-yorn = "y" / "n"
dmarc-psd = "y" / "n" / "u"
dmarc-rors = "r" / "s"