-
Notifications
You must be signed in to change notification settings - Fork 3
/
draft-ietf-dmarc-failure-reporting-07.txt
840 lines (573 loc) · 32 KB
/
draft-ietf-dmarc-failure-reporting-07.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
DMARC S. Jones (ed)
Internet-Draft DMARC.org
Obsoletes: 7489 (if approved) A. Vesely (ed)
Updates: 6591 (if approved) Tana
Intended status: Standards Track 24 February 2023
Expires: 28 August 2023
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Failure Reporting
draft-ietf-dmarc-failure-reporting-07
Abstract
Domain-based Message Authentication, Reporting, and Conformance
(DMARC) is a scalable mechanism by which a domain owner can request
feedback about email messages using their domain in the From: address
field. This document describes "failure reports," or "failed message
reports," which provide details about individual messages that failed
to authenticate according to the DMARC mechanism.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 28 August 2023.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 1]
Internet-Draft DMARCfail February 2023
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Failure Reports . . . . . . . . . . . . . . . . . . . . . . . 3
3. Reporting Format Update . . . . . . . . . . . . . . . . . . . 4
4. Verifying External Destinations . . . . . . . . . . . . . . . 5
4.1. Transport . . . . . . . . . . . . . . . . . . . . . . . . 5
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
5.1. Feedback Report Header Fields Registry Update . . . . . . 5
6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6
6.1. Data Exposure Considerations . . . . . . . . . . . . . . 6
6.2. Report Recipients . . . . . . . . . . . . . . . . . . . . 6
7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
8. Normative References . . . . . . . . . . . . . . . . . . . . 7
Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 8
A.1. Entire Domain, Monitoring Only, Per-Message Reports . . . 8
A.2. Per-Message Failure Reports Directed to Third Party . . . 9
Appendix B. Example Failure Report . . . . . . . . . . . . . . . 10
Appendix C. Change Log {change-log} . . . . . . . . . . . . . . 13
C.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 14
C.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 14
C.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 14
C.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 15
C.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 15
C.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 15
C.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction
RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH BEFORE PUBLISHING:
The source for this draft is maintained in GitHub at:
https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-failure-reporting
(https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-failure-reporting)
Domain-based Message Authentication, Reporting, and Conformance
(DMARC) [I-D.ietf-dmarc-dmarcbis] is a scalable mechanism by which a
mail-originating organization can express domain-level policies and
preferences for message validation, disposition, and reporting, that
a mail-receiving organization can use to improve mail handling. This
document focuses on one type of reporting that can be requested under
DMARC.
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 2]
Internet-Draft DMARCfail February 2023
Failure reports provide detailed information about the failure of a
single message or a group of similar messages failing for the same
reason. They are meant to aid in cases where a domain owner is
unable to detect why failures reported in aggregate form did occur.
It is important to note these reports can contain either the header
or the entire content of a failed message, which in turn may contain
personally identifiable information, which should be considered when
deciding whether to generate such reports.
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Failure Reports
Failure reports can supply more detailed information about messages
that failed to authenticate, enabling the Domain Owner to determine
exactly what might be causing those specific failures.
Failure reports are normally generated and sent almost immediately
after the Mail Receiver detects a DMARC failure. Rather than waiting
for an aggregate report, these reports are useful for quickly
notifying the Domain Owners when there is an authentication failure.
Whether the failure is due to an infrastructure problem or the
message is inauthentic, failure reports also provide more information
about the failed message than is available in an aggregate report.
These reports should include as much of the message header and body
as possible, consistent with the reporting party's privacy policies,
to enable the Domain Owner to diagnose the authentication failure.
When a Domain Owner requests failure reports for the purpose of
forensic analysis, and the Mail Receiver is willing to provide such
reports, the Mail Receiver generates and sends a message using the
format described in [RFC6591]; this document updates that reporting
format, as described in Section 3.
The destination(s) and nature of the reports are defined by the "ruf"
and "fo" tags as defined in Section 5.3 of [I-D.ietf-dmarc-dmarcbis].
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 3]
Internet-Draft DMARCfail February 2023
Where multiple URIs are selected to receive failure reports, the
report generator MUST make an attempt to deliver to each of them.
External destinations MUST be verified, see Section 4. Report
generators MUST NOT consider ruf= tags in records having a "psd=y"
tag, unless there are specific agreements between the interested
parties.
An obvious consideration is the denial-of-service attack that can be
perpetrated by an attacker who sends numerous messages purporting to
be from the intended victim Domain Owner but that fail both SPF and
DKIM; this would cause participating Mail Receivers to send failure
reports to the Domain Owner or its delegate in potentially huge
volumes. Accordingly, participating Mail Receivers are encouraged to
aggregate these reports as much as is practical, using the Incidents
field of the Abuse Reporting Format [RFC5965]. Indeed, the aim is
not to count each and every failure, but rather to report different
failure paths. Various pruning techniques are possible, including
the following:
* store reports for a period of time before sending them, allowing
detection, collection, and reporting of like incidents;
* apply rate limiting, such as a maximum number of reports per
minute that will be generated (and the remainder discarded);
3. Reporting Format Update
Operators implementing this specification also implement an augmented
version of [RFC6591] as follows:
1. A DMARC failure report includes the following ARF header fields,
with the indicated normative requirement levels:
* Identity-Alignment (REQUIRED; defined below)
* Delivery-Result (OPTIONAL)
* DKIM-Domain, DKIM-Identity, DKIM-Selector (REQUIRED for DKIM
failures of an aligned identifier)
* DKIM-Canonicalized-Header, DKIM-Canonicalized-Body (OPTIONAL
if reporting a DKIM failure)
* SPF-DNS (REQUIRED for SPF failure of an aligned identifier)
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 4]
Internet-Draft DMARCfail February 2023
2. The "Identity-Alignment" field is defined to contain a comma-
separated list of authentication mechanism names that failed to
authenticate an aligned identity, or the keyword "none" if none
did. ABNF:
id-align = "Identity-Alignment:" [CFWS]
( "none" /
dmarc-method *( [CFWS] "," [CFWS] dmarc-method ) )
[CFWS]
dmarc-method = ( "dkim" / "spf" )
; each may appear at most once in an id-align
3. Authentication Failure Type "dmarc" is defined, which is to be
used when a failure report is generated because some or all of
the authentication mechanisms failed to produce aligned
identifiers. Note that a failure report generator MAY also
independently produce an ARF message for any or all of the
underlying authentication methods.
4. Verifying External Destinations
If the target domain of a mailto address of a ruf= tag is not the
same as the DMARC record domain where the tag was found, the report
generator MUST verify that the target domain acknowledges sending
those reports; the procedure is described in Section 3 of
[I-D.ietf-dmarc-aggregate-reporting].
4.1. Transport
Email streams carrying DMARC failure reports SHOULD provide be DMARC
aligned.
Reporters MAY rate limit the number of failure reports sent to any
recipient to avoid overloading recipient systems. Unaligned reports
may in turn produce subsequent failure reports that could cause mail
loops.
5. IANA Considerations
5.1. Feedback Report Header Fields Registry Update
IANA is requested to change the "Identity-Alignment" entry in the
"Feedback Report Header Fields" registry to refer to this document.
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 5]
Internet-Draft DMARCfail February 2023
6. Privacy Considerations
This section discusses issues specific to private data that may be
included in the DMARC reporting functions.
6.1. Data Exposure Considerations
Failed-message reporting provides message-specific details pertaining
to authentication failures. Individual reports can contain message
content as well as trace header fields. Domain Owners are able to
analyze individual reports and attempt to determine root causes of
authentication mechanism failures, gain insight into
misconfigurations or other problems with email and network
infrastructure, or inspect messages for insight into abusive
practices.
These reports may expose sender and recipient identifiers (e.g.,
RFC5322.From addresses), and although the [RFC6591] format used for
failed-message reporting supports redaction, failed-message reporting
is capable of exposing the entire message to the report recipient.
Domain Owners requesting reports will receive information about mail
claiming to be from them, which includes mail that was not, in fact,
from them. Information about the final destination of mail where it
might otherwise be obscured by intermediate systems will therefore be
exposed.
When message-forwarding arrangements exist, Domain Owners requesting
reports will also receive information about mail forwarded to domains
that were not originally part of their messages' recipient lists.
This means that destination domains previously unknown to the Domain
Owner may now become visible.
6.2. Report Recipients
A DMARC record can specify that reports should be sent to an
intermediary operating on behalf of the Domain Owner. This is done
when the Domain Owner contracts with an entity to monitor mail
streams for abuse and performance issues. Receipt by third parties
of such data may or may not be permitted by the Mail Receiver's
privacy policy, terms of use, or other similar governing document.
Domain Owners and Mail Receivers should both review and understand if
their own internal policies constrain the use and transmission of
DMARC reporting.
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 6]
Internet-Draft DMARCfail February 2023
Some potential exists for report recipients to perform traffic
analysis, making it possible to obtain metadata about the Receiver's
traffic. In addition to verifying compliance with policies,
Receivers need to consider that before sending reports to a third
party.
7. Security Considerations
Considerations discussed in Section 11 of [I-D.ietf-dmarc-dmarcbis]
apply.
In addition, note that Organizational Domains are only an
approximation to actual domain ownership. Therefore, reports may be
sent to someone unrelated to the actual sender or domain owner. That
makes considerations in Section 6.1 all the more relevant.
8. Normative References
[I-D.ietf-dmarc-aggregate-reporting]
Brotman, A., "DMARC Aggregate Reporting", Work in
Progress, Internet-Draft, draft-ietf-dmarc-aggregate-
reporting-07, 22 December 2022,
<https://datatracker.ietf.org/doc/html/draft-ietf-dmarc-
aggregate-reporting-07>.
[I-D.ietf-dmarc-dmarcbis]
Herr, T. and J. R. Levine, "Domain-based Message
Authentication, Reporting, and Conformance (DMARC)", Work
in Progress, Internet-Draft, draft-ietf-dmarc-dmarcbis-26,
3 February 2023, <https://datatracker.ietf.org/doc/html/
draft-ietf-dmarc-dmarcbis-26>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC5965] Shafranovich, Y., Levine, J., and M. Kucherawy, "An
Extensible Format for Email Feedback Reports", RFC 5965,
DOI 10.17487/RFC5965, August 2010,
<https://www.rfc-editor.org/info/rfc5965>.
[RFC6591] Fontana, H., "Authentication Failure Reporting Using the
Abuse Reporting Format", RFC 6591, DOI 10.17487/RFC6591,
April 2012, <https://www.rfc-editor.org/info/rfc6591>.
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 7]
Internet-Draft DMARCfail February 2023
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
Appendix A. Examples
This section presents some examples related to the use of DMARC
reporting functions.
A.1. Entire Domain, Monitoring Only, Per-Message Reports
The owners of the domain "example.com" have deployed SPF and DKIM on
their messaging infrastructure. Reports like the one shown in
Appendix B of [I-D.ietf-dmarc-aggregate-reporting] allow them to
discover some messaging systems that had not yet implemented DKIM
correctly. However, they are still seeing periodic authentication
failures. In order to diagnose these intermittent problems, they
wish to request per-message failure reports when authentication
failures occur.
Many Receivers will not honor such a request, but the Domain Owner
feels that any reports it does receive will be helpful enough to
justify publishing this request.
The Domain Owner accomplishes this by adding the following tag to its
policy record:
ruf=mailto:[email protected]
It means that failure reports should be sent via email to the address
The updated DMARC policy record might look like this when retrieved
using a common command-line tool (the output shown would appear on a
single line but is wrapped here for publication):
% dig +short TXT _dmarc.example.com.
"v=DMARC1; p=none; rua=mailto:[email protected];
ruf=mailto:[email protected]"
To publish such a record, the DNS administrator for the Domain Owner
might create an entry like the following in the appropriate zone file
(following the conventional zone file format):
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 8]
Internet-Draft DMARCfail February 2023
; DMARC record for the domain example.com
_dmarc IN TXT ( "v=DMARC1; p=none; "
"rua=mailto:[email protected]; "
"ruf=mailto:[email protected]" )
A.2. Per-Message Failure Reports Directed to Third Party
The Domain Owner from the previous example is maintaining the same
policy but now wishes to have a third party receive and process the
per-message failure reports. Again, not all Receivers will honor
this request, but those that do may implement additional checks to
validate that the third party wishes to receive the failure reports
for this domain.
The Domain Owner needs to alter its ruf= tag from Appendix A.1 as
follows:
"ruf=mailto:[email protected]
It means that per-message failure reports should be sent via email to
the address "[email protected]".
The DMARC policy record might look like this when retrieved using a
common command-line tool (the output shown would appear on a single
line but is wrapped here for publication):
% dig +short TXT _dmarc.example.com.
"v=DMARC1; p=none; rua=mailto:[email protected];
ruf=mailto:[email protected]"
To publish such a record, the DNS administrator for the Domain Owner
might create an entry like the following in the appropriate zone file
(following the conventional zone file format):
; DMARC record for the domain example.com
_dmarc IN TXT ( "v=DMARC1; p=none; "
"rua=mailto:[email protected]; "
"ruf=mailto:[email protected]" )
Because the address used in the "ruf" tag is outside the
Organizational Domain in which this record is published, conforming
Receivers will implement additional checks as described in Section 4
of this document. In order to pass these additional checks, the
third party will need to publish an additional DNS record to mean as
follows:
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 9]
Internet-Draft DMARCfail February 2023
Given the DMARC record published by the Domain Owner at
"_dmarc.example.com", the DNS administrator for the third party
agrees to receive the corresponding records by publishing a DMARC TXT
resource record at
"example.com._report._dmarc.thirdparty.example.net".
The resulting DNS record can be minimal, and might look like this
when retrieved using a common command-line tool (the output shown
would appear on a single line but is wrapped here for publication):
% dig +short TXT example.com._report._dmarc.thirdparty.example.net
"v=DMARC1;"
To publish such a record, the DNS administrator for example.net might
create an entry like the following in the appropriate zone file
(following the conventional zone file format):
zone file for thirdparty.example.net
; Accept DMARC failure reports on behalf of example.com
example.com._report._dmarc IN TXT "v=DMARC1;"
The third party can also publih a ruf= tag in order to override the
specific address published by example.com with a different address in
the same third party domain. Intermediaries and other third parties
should refer to Section 4 for the full details of this mechanism.
Appendix B. Example Failure Report
This is the full content of a failure message, including the message
header.
Received: from gen.example (gen.example [192.0.2.1])
(TLS: TLS1.3,256bits,ECDHE_RSA_AES_256_GCM_SHA384)
by mail.consumer.example with ESMTPS
id 00000000005DC0DD.0000442E; Tue, 19 Jul 2022 07:57:50 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=gen.example; s=mail; t=1658210268;
bh=rCrh1aFDE8d/Fltt8wbcu48bLOu4OM23QXqphUZPAIM=;
h=From:To:Date:Subject:From;
b=IND9JkuwF9/5841kzxMbPeej0VYimVzNKozR2R89M8eYO2zOlCBblx507Gz0YK7mE
/h6pslWm0ODBVFzLlwY9CXv4Vu62QsN0RBIXHPjEXOkoM2VCD5zCd+5i5dtCFX7Mxh
LThb2ZJ3efklbSB9RQRwxcmRvCPV7z6lt/Ds9sucVE1RDODYHjx+iWnAUQrlos6ZQb
u/YOUGjf60LPpyljfPu3EpFwo80mSHyQlP/4S5KEykgPQMgCqLPPKvJwu1aAIDj+jG
q2ylO3fmc/ERDeDWACtR67YNabEKBWtjqCRLNxKttazViJTZ5drcLfpX0853KoougX
Rltp7zdoLdy4A==
From: DMARC Filter <[email protected]>
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 10]
Internet-Draft DMARCfail February 2023
Date: Tue, 19 Jul 2022 00:57:48 -0500 (CDT)
Subject: FW: This is the original subject
Mime-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report;
boundary="=_mime_boundary_"
Message-Id: <[email protected]>
This is a MIME-formatted message. If you see this text it means that
your E-mail software does not support MIME-formatted messages.
--=_mime_boundary_
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
This is an authentication failure report for an email message
received from IP 192.0.2.2 on Tue, 19 Jul 2022 00:57:48 -0500.
--=_mime_boundary_
Content-Type: message/feedback-report
Content-Transfer-Encoding: 7bit
Feedback-Type: auth-failure
Version: 1
User-Agent: DMARC-Filter/1.2.3
Auth-Failure: dmarc
Authentication-Results: gen.example;
dmarc=fail header.from=consumer.example
Identity-Alignment: dkim
DKIM-Domain: consumer.example
DKIM-Identity: @consumer.example
DKIM-Selector: epsilon
Original-Envelope-Id: 65E1A3F0A0
Original-Mail-From: [email protected]
Source-IP: 192.0.2.2
Source-Port: 12345
Reported-Domain: consumer.example
--=_mime_boundary_
Content-Type: message/rfc822; charset=utf-8
Content-Transfer-Encoding: 7bit
Authentication-Results: gen.example;
dkim=permerror header.d=forwarder.example header.b="EjCbN/c3";
dkim=temperror header.d=forwarder.example header.b="mQ8GEWPc";
dkim=permerror header.d=consumer.example header.b="hETrymCb";
dkim=neutral header.d=consumer.example header.b="C2nsAp3A";
Received: from mail.forwarder.example
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 11]
Internet-Draft DMARCfail February 2023
(mail.forwarder.example [IPv6:2001:db8::23ac])
by mail.gen.example (Postfix) with ESMTP id 5E8B0C159826
for <[email protected]>; Sun, 14 Aug 2022 07:58:29 -0700 (PDT)
Received: from mail.forwarder.example (localhost [127.0.0.1])
by mail.forwarder.example (Postfix) with ESMTP id 4Ln7Qw4fnvz6Bq
for <[email protected]>; Tue, 19 Jul 2022 07:57:44 +0200
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
d=forwarder.example; s=ed25519-59hs; t=1658210264;
x=1663210264; bh=KYH/g7ForvDbnyyDLYSjauMYMW6sEIqu75/9w3OIONg=;
h=Message-ID:Date:List-Id:List-Archive:List-Post:List-Help:
List-Subscribe:List-Unsubscribe:List-Owner:MIME-Version:Subject:To:
References:From:In-Reply-To:Content-Type:Content-Transfer-Encoding:
autocrypt:cc:content-transfer-encoding:content-type:date:from:
in-reply-to:message-id:mime-version:openpgp:references:subject:to;
b=EjCbN/c3bTU4QkZH/zwTbYxBDp0k8kpmWSXh5h1M7T8J4vtRo+hvafJazT3ZRgq+7
+4dzEQwUhl+NOJYXXNUAA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=forwarder.example; s=rsa-wgJg; t=1658210264; x=1663210264;
bh=KYH/g7ForvDbnyyDLYSjauMYMW6sEIqu75/9w3OIONg=;
h=Message-ID:Date:List-Id:List-Archive:List-Post:List-Help:
List-Subscribe:List-Unsubscribe:List-Owner:MIME-Version:Subject:To:
References:From:In-Reply-To:Content-Type:Content-Transfer-Encoding:
autocrypt:cc:content-transfer-encoding:content-type:date:from:
in-reply-to:message-id:mime-version:openpgp:references:subject:to;
b=mQ8GEWPcVpBpeqQ88pcbXpGHBT0J/Rwi8Zd2WZTXWWneQGRCOJLRcbBJpjqnrwtqd
76IqawH86tihz4Z/12J1GBCdNx1gfazsoI3yaqfooRDYg0mSyZHrYhQBmodnPcqZj4
/25L5278sc/UNrYO9az2n7R/skbVZ0bvSo2eEiGU8fcpO8+a5SKNYskhaviAI4eGIB
iRMdEP7gP8dESdnZguNbY5HI32UMDpPPNqajzd/BgcqbveYpRrWCDOhcY47POV7GHM
i/KLHiZXtJsL3/Pr/4TL+HTjdX8EDSsy1K5/JCvJCFsJHnSvkEaJQGLn/2m03eW9r8
9w1bQ90aY+VCQ==
X-Original-To: [email protected]
Received: from mail.consumer.example (mail.consumer.example [192.0.2.4])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange ECDHE (P-256) server-signature ECDSA (P-384)
server-digest SHA384)
(Client did not present a certificate)
by mail.forwarder.example (Postfix) with ESMTPS id 4Ln7Qs55xmz4nP
for <[email protected]>; Tue, 19 Jul 2022 07:57:41 +0200 (CEST)
Authentication-Results: mail.forwarder.example;
arc=none smtp.remote-ip=192.0.2.4
Authentication-Results: mail.forwarder.example;
dkim=pass (512-bit key; secure) header.d=consumer.example
[email protected] header.a=ed25519-sha256
header.s=epsilon header.b=hETrymCb;
dkim=pass (1152-bit key; secure) header.d=consumer.example
[email protected] header.a=rsa-sha256
header.s=delta header.b=C2nsAp3A
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 12]
Internet-Draft DMARCfail February 2023
d=consumer.example; s=epsilon; t=1658210255;
bh=KYH/g7ForvDbnyyDLYSjauMYMW6sEIqu75/9w3OIONg=;
h=Date:Subject:To:References:From:In-Reply-To;
b=hETrymCbz6T1Dyo5dCG9dk8rPykKLdhJCPFeJ9TiiP/kaoN2afpUYtj+SrI+I83lp
p1F/FfYSGy7zz3Q3OdxBA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=consumer.example; s=delta; t=1658210255;
bh=KYH/g7ForvDbnyyDLYSjauMYMW6sEIqu75/9w3OIONg=;
h=Date:To:References:From:In-Reply-To;
b=C2nsAp3AMNX33Nq7nN/StPo921xE3XGF8Ju3iAKdYB3EKhsril0N5IjWGlglJECst
jLNKSo7KWZZ2lkH/dVZ9Rs1GHT2uaKy1sc/xmNIC5rHdhrxammiwpTSo4PsT8disfc
3DVF6Q62n0EsdLFqcw1KY8A9inFqYKY2tqoo+y4zMtItqCYx3xjsj3I0IFLuX
Author: Message Author <[email protected]>
Received: from [192.0.2.8] (host-8-2-0-192.isp.example [192.0.2.8])
(AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3,128bits,
ECDHE_RSA_AES_128_GCM_SHA256)
by mail.consumer.example with ESMTPSA
id 00000000005DC076.00004417; Tue, 19 Jul 2022 07:57:35 +0200
Message-ID: <[email protected]>
Date: Tue, 19 Jul 2022 07:57:33 +0200
List-Id: <users.forwarder.example>
List-Post: <mailto:[email protected]>
List-Help: <mailto:[email protected]>
List-Subscribe: <mailto:[email protected]>
List-Unsubscribe: <mailto:[email protected]>
List-Owner: <mailto:[email protected]>
Precedence: list
MIME-Version: 1.0
Subject: This is the original subject
Content-Language: en-US
Authentication-Results: consumer.example; auth=pass (details omitted)
From: Message Author <[email protected]>
In-Reply-To: <[email protected]>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
[ Message body was here ]
--=_mime_boundary_--
If the body of the message is not included, the last MIME entity
would have "Content-Type: text/rfc822-headers" instead of message/
rfc822.
Appendix C. Change Log {change-log}
[RFC Editor: Please remove this section prior to publication.]
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 13]
Internet-Draft DMARCfail February 2023
C.1. 00 to 01
* Replace references to RFC7489 with references to I-D.ietf-dmarc-
dmarcbis.
* Replace the 2nd paragraph in the Introduction with the text
proposed by Ned for Ticket #55, which enjoys some consensus:
https://mailarchive.ietf.org/arch/msg/dmarc/
HptVyJ9SgrfxWRbeGwORagPrhCw
(https://mailarchive.ietf.org/arch/msg/dmarc/
HptVyJ9SgrfxWRbeGwORagPrhCw)
* Strike a spurious sentence about criticality of feedback, which
was meant for feedback in general, not failure reports. In fact,
failure reports are not critical to establishing and maintaining
accurate authentication deployments. Still attributable to Ticket
#55.
* Remove the content of section "Verifying External Destinations"
and refer to I-D.ietf-dmarc-aggregate-reporting.
* Remove the content of section "Security Considerations" and refer
to I-D.ietf-dmarc-dmarcbis.
* Slightly tweak the wording of the example in Appendix A.1 so that
it makes sense standing alone.
* Remove the sentence containing "must include any URI(s)", as the
issue arose <eref
target="https://mailarchive.ietf.org/arch/msg/dmarc/
mFk0qiTCy8tzghRvcxus01W_Blw"/>.
* Add paragraph in Security Considerations, noting that note that
Organizational Domains are only an approximation...
* Add a Transport section, mentioning DMARC conformance and failure
report mail loops (Ticket #28).
C.2. 01 to 02
* Add a sentence to make clear that counting failures is not the
aim.
C.3. 02 to 03
* Updated references.
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 14]
Internet-Draft DMARCfail February 2023
C.4. 03 to 04
* Add an example report.
* Remove the old Acknowledgements section.
* Add a IANA Consideration section
C.5. 04 to 05
* Convert to markdown
* Remove irrelevant material.
C.6. 05 to 06
* A Vesely was incorrectly removed from list of document editors.
Corrected.
* Added Terminology section with recoomended boilerplate re:
RFC2119.
C.7. 06 to 07
* Reduce Terminology section
* minor nits
Authors' Addresses
Steven M Jones
DMARC.org
Email: [email protected]
Alessandro Vesely
Tana
Email: [email protected]
Jones (ed) & Vesely (ed) Expires 28 August 2023 [Page 15]