


DMARC.org                                              M. Kucherawy, Ed.
                                                               Cloudmark
                                                        October 21, 2011


 Domain-based Message Authentication, Reporting and Conformance (DMARC)

Abstract

   The email ecosystem currently lacks a cohesive mechanism through
   which email senders and receivers can leverage multiple
   authentication protocols in an attempt to establish reliable domain
   identifiers.  This lack of cohesion prevents receivers from providing
   domain-specific feedback to senders regarding the accuracy of
   authentication deployments.  Inaccurate authentication deployments
   preclude receivers from safely taking deterministic action against
   email that fails authentication checks.  Finally, email senders do
   not have the ability to publish policies specifying actions that
   should be taken against email that fails multiple authentication
   checks.

   This memo presents a proposal for a scalable mechanism by which an
   organization can express, using the Domain Name System, domain-level
   policies and preferences for message validation, disposition, and
   reporting with predictable and accurate results.

   The intent is not to introduce mechanisms that provide elevated
   delivery privilege.  The mechanisms described here only present a
   continuum of increasingly strict handling of suspect messages, from
   no action, through silent reporting, up to message rejection.





















Kucherawy                                                       [Page 1]

                                  DMARC                     October 2011


Table of Contents

   1.  License  . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     2.1.  Scalability  . . . . . . . . . . . . . . . . . . . . . . .  6
     2.2.  Anti-Phishing  . . . . . . . . . . . . . . . . . . . . . .  6
     2.3.  Towards An Authenticated Future  . . . . . . . . . . . . .  6
     2.4.  Experiment Team  . . . . . . . . . . . . . . . . . . . . .  6
   3.  Requirements . . . . . . . . . . . . . . . . . . . . . . . . .  7
     3.1.  High-Level Requirements  . . . . . . . . . . . . . . . . .  7
     3.2.  Security Dependencies  . . . . . . . . . . . . . . . . . .  7
     3.3.  Detailed Requirements  . . . . . . . . . . . . . . . . . .  8
     3.4.  Out Of Scope . . . . . . . . . . . . . . . . . . . . . . . 10
   4.  Terminology and Definitions  . . . . . . . . . . . . . . . . . 11
     4.1.  Summary  . . . . . . . . . . . . . . . . . . . . . . . . . 13
     4.2.  Identity Alignment . . . . . . . . . . . . . . . . . . . . 13
       4.2.1.  DKIM-authenticated Identities  . . . . . . . . . . . . 14
       4.2.2.  SPF-authenticated Identities . . . . . . . . . . . . . 14
   5.  Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
   6.  DMARC Policy Record  . . . . . . . . . . . . . . . . . . . . . 15
     6.1.  General Record Format  . . . . . . . . . . . . . . . . . . 16
     6.2.  Formal Definition  . . . . . . . . . . . . . . . . . . . . 18
   7.  Policy Enforcement Considerations  . . . . . . . . . . . . . . 20
   8.  DMARC Feedback . . . . . . . . . . . . . . . . . . . . . . . . 20
     8.1.  Aggregate Reports  . . . . . . . . . . . . . . . . . . . . 20
     8.2.  Failure Reports  . . . . . . . . . . . . . . . . . . . . . 21
   9.  Policy Discovery . . . . . . . . . . . . . . . . . . . . . . . 21
   10. Domain Owner Actions . . . . . . . . . . . . . . . . . . . . . 22
   11. Mail Receiver Actions  . . . . . . . . . . . . . . . . . . . . 23
     11.1. Extract Author Domain  . . . . . . . . . . . . . . . . . . 23
     11.2. Determine Domain Existence . . . . . . . . . . . . . . . . 23
     11.3. Determine Handling Policy  . . . . . . . . . . . . . . . . 24
     11.4. Message Sampling . . . . . . . . . . . . . . . . . . . . . 24
     11.5. Store Results of DMARC Processing  . . . . . . . . . . . . 25
   12. Feedback Mechanism . . . . . . . . . . . . . . . . . . . . . . 25
     12.1. Discovery  . . . . . . . . . . . . . . . . . . . . . . . . 25
     12.2. Transport  . . . . . . . . . . . . . . . . . . . . . . . . 26
       12.2.1. Email  . . . . . . . . . . . . . . . . . . . . . . . . 26
       12.2.2. HTTP . . . . . . . . . . . . . . . . . . . . . . . . . 27
       12.2.3. Other Methods  . . . . . . . . . . . . . . . . . . . . 27
       12.2.4. Error Reports  . . . . . . . . . . . . . . . . . . . . 27
   13. Minimum Implementations  . . . . . . . . . . . . . . . . . . . 28
   14. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 29
     14.1. Authentication-Results Method Registry Update  . . . . . . 29
     14.2. Authentication-Results Result Registry Update  . . . . . . 29
     14.3. DMARC Tag Registry . . . . . . . . . . . . . . . . . . . . 31
     14.4. DMARC Report Format Registry . . . . . . . . . . . . . . . 31
   15. Security Considerations  . . . . . . . . . . . . . . . . . . . 32



Kucherawy                                                       [Page 2]

                                  DMARC                     October 2011


     15.1. Use of RFC5322.From  . . . . . . . . . . . . . . . . . . . 32
     15.2. Attacks on Reporting URIs  . . . . . . . . . . . . . . . . 33
     15.3. Issues Specific to SPF . . . . . . . . . . . . . . . . . . 33
     15.4. DNS Load . . . . . . . . . . . . . . . . . . . . . . . . . 34
     15.5. External Reporting Addresses . . . . . . . . . . . . . . . 34
     15.6. Rejecting Messages . . . . . . . . . . . . . . . . . . . . 35
     15.7. Capacity Planning  . . . . . . . . . . . . . . . . . . . . 35
     15.8. Privacy Considerations . . . . . . . . . . . . . . . . . . 36
       15.8.1. Data Exposure Considerations . . . . . . . . . . . . . 36
       15.8.2. Report Recipients  . . . . . . . . . . . . . . . . . . 37
       15.8.3. Report Generators  . . . . . . . . . . . . . . . . . . 37
       15.8.4. Secure Protocols . . . . . . . . . . . . . . . . . . . 37
   16. References . . . . . . . . . . . . . . . . . . . . . . . . . . 37
     16.1. Normative References . . . . . . . . . . . . . . . . . . . 37
     16.2. Informative References . . . . . . . . . . . . . . . . . . 38
   Appendix A.  Examples  . . . . . . . . . . . . . . . . . . . . . . 39
     A.1.  Identity Alignment examples  . . . . . . . . . . . . . . . 39
       A.1.1.  SPF  . . . . . . . . . . . . . . . . . . . . . . . . . 39
       A.1.2.  DKIM . . . . . . . . . . . . . . . . . . . . . . . . . 40
     A.2.  Domain Owner example . . . . . . . . . . . . . . . . . . . 41
       A.2.1.  Entire Domain, Monitoring Only . . . . . . . . . . . . 41
       A.2.2.  Entire Domain, Monitoring Only, Per-Message Reports  . 42
       A.2.3.  Sub-Domain, Sampling, and Multiple Aggregate
               Report URIs  . . . . . . . . . . . . . . . . . . . . . 43
       A.2.4.  Third Party Sender and Identity Alignment  . . . . . . 44
       A.2.5.  Sub-Domain Policy, Reporting Interval  . . . . . . . . 45
     A.3.  Mail Receiver example  . . . . . . . . . . . . . . . . . . 47
     A.4.  Utilization of Aggregate Feedback example  . . . . . . . . 47
     A.5.  mailto Transport example . . . . . . . . . . . . . . . . . 47
     A.6.  https Transport example  . . . . . . . . . . . . . . . . . 47
   Appendix B.  Organizational Domain Discovery Issues  . . . . . . . 47
   Appendix C.  Issues With ADSP In Operation . . . . . . . . . . . . 48
   Appendix D.  DMARC Discovery Requirements  . . . . . . . . . . . . 48
   Appendix E.  DMARC XML Schema  . . . . . . . . . . . . . . . . . . 49
   Appendix F.  Public Suffix Lists . . . . . . . . . . . . . . . . . 54
   Appendix G.  Public Discussion . . . . . . . . . . . . . . . . . . 54
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 54














Kucherawy                                                       [Page 3]

                                  DMARC                     October 2011


1.  License

   As of the date shown at the top right of this page, the Contributors
   have made this Specification available under the Open Web Foundation
   Contributor License Agreement Version 1.0, which is available at:
   http://www.dmarc.org/cla.html

   You can review the signed copies of the Open Web Foundation
   Contributor License Agreement Version 1.0 for this Specification at:
   http://www.dmarc.org/CLAs/

   The current list of Contributors can be found at:
   http://www.dmarc.org/contributors.html

   Your use of this Specification may be subject to other third party
   rights.  THIS SPECIFICATION IS PROVIDED "AS IS".  The contributors
   expressly disclaim any warranties (express, implied, or otherwise),
   including implied warranties of merchantability, non-infringement,
   fitness for a particular purpose, or title, related to the
   Specification.  The entire risk as to implementing or otherwise using
   the Specification is assumed by the Specification implementer and
   user.  IN NO EVENT WILL ANY PARTY BE LIABLE TO ANY OTHER PARTY FOR
   LOST PROFITS OR ANY FORM OF INDIRECT, SPECIAL, INCIDENTAL, OR
   CONSEQUENTIAL DAMAGES OF ANY CHARACTER FROM ANY CAUSES OF ACTION OF
   ANY KIND WITH RESPECT TO THIS SPECIFICATION OR ITS GOVERNING
   AGREEMENT, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING
   NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE OTHER PARTY HAS
   BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


2.  Introduction

   For years, various receivers have tried to combat phishing against
   senders who are known to authenticate their outbound email by using
   [DKIM] and [SPF] results to detect and block unauthorized email.
   Conversely, senders have leveraged SPF-authorized and DKIM-signed
   messages to achieve domain-level email authentication.  However,
   there were no broadly accepted mechanisms to assert policy
   communicating desired message disposition for those domains, or to
   request reporting of same.

   The fundamental idea behind these approaches is that if a sender
   authenticates all legitimate outbound mail using the authentication
   protocols SPF and DKIM, then receivers can quarantine or reject
   unauthenticated mail purporting to be from that sender.  Over time,
   one-on-one relationships were established between select senders and
   receivers with privately communicated means to assert policy and
   receive message traffic and authentication disposition reporting.



Kucherawy                                                       [Page 4]

                                  DMARC                     October 2011


   Although these ad hoc practices were generally successful, they
   required significant manual coordination between parties.

   This memo defines Domain-based Message Authentication, Reporting and
   Compliance (DMARC), a mechanism by which email operators can leverage
   existing authentication and policy advertisement technologies to
   request both message-stream feedback and enforcement of policies
   against unauthenticated email.

   DMARC encourages senders and receivers to collaborate by monitoring
   message authentication and disposition.  This builds confidence one
   domain at a time towards the goal of deploying the strongest possible
   message handling policies.

   For the purpose of discussion, this document defines the word
   "authentication" to be inclusive of techniques used to verify message
   integrity and/or sending-entity authorization.  Exceptions to this
   convention are expressly noted.

   The DMARC method involves evaluation of messages during an SMTP
   session on entry to a specific receiving Administrative Management
   Domain (ADMD; see [EMAIL-ARCH]).  DMARC is thus applied by message
   transport software and not by user agents or their respective
   protocols such as POP or IMAP.

   DMARC operates as a policy layer atop implementations of DKIM and
   SPF.  These mechanisms were chosen as the building blocks of DMARC
   because of their wide deployment to date, and the availability of
   mature tools enabling participation by both senders and receivers.

   The approach taken by DMARC differs from previous approaches to
   policy advertisement (e.g., [SPF] and [ADSP]) in that:

   o  Authentication technologies are:

      1.  decoupled from any technology-specific policy mechanisms; and

      2.  used solely to establish reliable per-message domain-level
          identifiers.

   o  Multiple authentication technologies are utilized to:

      1.  reduce the impact of transient authentication errors; and

      2.  create authenticated message streams that are resilient to
          site-specific configuration errors and deployment gaps





Kucherawy                                                       [Page 5]

                                  DMARC                     October 2011


   o  Receiver-generated feedback is employed to establish confidence in
      authentication practices, enabling widespread adoption of strong
      message disposition policy.

   o  The domain name extracted from a message's RFC5322.From field is
      the primary identifier in the DMARC mechanism.  It is this
      identifier that is used in conjunction with the results of the
      underlying authentication technologies when evaluating their
      results under DMARC.

2.1.  Scalability

   DMARC is designed to support the extreme scalability requirements
   that characterize the email identification problem.  DMARC seeks to
   preserve the positive aspects of the current email infrastructure,
   such as the ability for anyone to communicate with anyone else
   without introduction.

   The DMARC mechanism specifically does not introduce third-party
   policy publishers or feedback consumers.  Third parties are not
   prevented from using these mechanisms in private contexts.

2.2.  Anti-Phishing

   This document is significantly informed by ongoing efforts to enact
   large-scale, Internet-wide, anti-phishing measures.  Whereas DMARC
   can only be used to combat specific forms of exact-domain phishing,
   the DMARC mechanism is viewed more importantly as a substantial step
   forward in terms of creating reliable and defensible message streams.

2.3.  Towards An Authenticated Future

   The DMARC mechanism is designed to enable highly accurate Internet-
   scale deployments of email authentication technologies.  Anti-
   phishing measures are a compelling instance of what widely-deployed
   authenticated messaging streams can enable.  As email authentication
   deployments continue to mature, additional authentication-enabled
   services are expected to be developed.

2.4.  Experiment Team

   [NOTE TO RFC EDITOR: Remove this section prior to publication.]

   The contributors to DMARC share the view that layering security on
   top of Internet Mail requires a partnership between those who send
   mail (who sign messages with DKIM, authenticate mail servers with
   SPF, and consume feedback to acheive highly-accurate deployments) and
   those who receive mail (who test the authenticity assertions from



Kucherawy                                                       [Page 6]

                                  DMARC                     October 2011


   senders and report authentication results back to senders for quality
   assurance and threat intelligence).  The team that produced this
   specification acknowledges that this new security layer is optional
   for the Internet community in general, though of increasing urgency
   to our peers due to the persistent threat from phishing and malware
   distribution.

   If this first public informational draft addresses your use cases for
   improved messaging security, please contact the authors expressing
   your interest to work with us on implementation testing and rolling
   implementation experience back into future versions of DMARC.  It is
   the intention of the contributors to submit DMARC into a new IETF
   Working Group on a formal standards track, but only after gaining
   significant implementation experience.  Please join us in making
   Internet messaging more secure.


3.  Requirements

3.1.  High-Level Requirements

   At a high level, DMARC is designed to satisfy the following
   requirements:

   o  Minimize false positives.

   o  Provide robust authentication reporting.

   o  Assert sender policy at receivers.

   o  Reduce successful phishing delivery.

   o  Work at Internet scale.

   o  Minimize complexity.

   o  Produce an RFC draft that can eventually be submitted to the IETF
      for publication as a proposed Internet Standard.

3.2.  Security Dependencies

   Security issues DMARC observes:

   o  The security of DMARC and its underlying technologies (SPF, DKIM)
      depend on the security of the DNS.

   o  DMARC depends upon DKIM, and thus security of the private keys
      used for signing messages must be assured.



Kucherawy                                                       [Page 7]

                                  DMARC                     October 2011


   o  DMARC depends upon SPF, and thus accuracy of the parameters in the
      author domain's SPF record must be maintained.

   o  In addition to the above, authors must ensure that their outbound
      mail servers are not sending unauthorized mail (e.g., are not
      infected by spam bots or malware).

   o  DMARC relies on the concept of message quarantining as a valid
      message disposition, and thus relies on the various components of
      the recipient's mailbox service provider and the user interface to
      make that facility available.

3.3.  Detailed Requirements

   DMARC's specification requirements, in detail:

   1.   The RFC5322.From domain is the identity used for all message
        validation operations, as it is the single identity in the
        message likely to be visible to the user.

   2.   Senders can specify a "strict" or "relaxed" mode in terms of
        enforcing identity checks (see Section 4.2).  In "strict" mode,
        all identities from authentication systems upon which DMARC is
        predicated must match the RFC5322.From domain.  In "relaxed"
        mode, the organizational domains (see Section 4) must match.
        The "relaxed" mode shall be the default.

   3.   A sender's policy must be discoverable via DNS queries.

   4.   It must be possible to specify reject or quarantine policies
        when none of the underlying authentication systems succeed.

   5.   It must be possible to specify a "no action" policy in order to
        collect authentication statistics without impacting delivery.

   6.   Senders can specify a policy that is in effect for subdomains of
        its organizational domain that is different for the policy of
        the organizational domain itself.

   7.   Message disposition requests via DMARC override those requested
        by any other mechanism.

   8.   Senders should be able to specify a percentage of their messages
        to which their policies should be applied, with the rest
        unaffected, in order to experiment and to understand and
        minimize deployment risk.





Kucherawy                                                       [Page 8]

                                  DMARC                     October 2011


   9.   Receivers should endeavour to reject or quarantine email if the
        RFC5322.From purports to be from a domain that appears to be
        either non-existent or incapable of receiving mail.

   10.  Reporting configuration in DMARC should override any such
        options specified by DKIM or SPF or extensions to them.

   11.  The sender must be able to to specify independent reporting
        addresses for failed message reporting and aggregate data feeds.

   12.  The aggregate report must contain enough information for the
        report consumer to re-calculate DMARC disposition based on the
        published policy, message dispositon, and SPF, DKIM, and
        identity alignment results.

   13.  The aggregate report must still contain data for each sender
        subdomain separately from mail from the sender's organizational
        domain, even if no subdomain policy is applied.  The report must
        indicate any policy applied to subdomains.

   14.  It must be possible to specify a minimum reporting interval.
        Reporting sites should make a best effort to accommodate that
        request.

   15.  The sender can specify a time-to-live for policy records.

   16.  The sender can indicate which domains under its control never
        send email, either by omitting them from the DNS entirely or by
        declaring specific use of DKIM and SPF that no email will ever
        fulfill.

   17.  The sending and receiving domains should be included in the
        aggregate report.

   18.  The policy request and the one applied (if different) should be
        included in the aggregate report.

   19.  The number of successful authentications should be included in
        the aggregate report.

   20.  The report should be generated based on all messages even if
        filtering agents such as anti-virus or anti-spam engines
        ultimately block delivery.

   21.  For real-time reporting of failed messages, including a [URI] to
        identify phishing sites and diagnostics on DKIM and SPF failures
        will be recommended.




Kucherawy                                                       [Page 9]

                                  DMARC                     October 2011


   22.  Static conformance requirements shall be documented to enable
        testing programs to help ensure consitency of results.  (This
        will be done in a separate Best Current Practices document.)

   23.  Aggregate reports should select DMARC message disposition
        regardless of any intermediaries that affect message disposition
        or delivery.

   24.  The mechanism overall should be flexible enough to swap in or
        out any authentication technology.

   Tags throughout the specification part of this document indicate
   conformance to the above requirements.  For example "{R1}" indicates
   a component of the protocol that addresses requirement #1 in the list
   above.

3.4.  Out Of Scope

   Items specifically not in scope for this work include:

   o  DMARC shall not be required to protect against any attacks against
      components listed in Security Dependencies (i.e.  DNS attacks,
      bugs in DKIM verification, malware on the end-user machine or in
      the sender's system).  Compromised components at or near the
      sender can cause false positives in terms of DKIM and SPF results;
      while compromised components at the receiver can cause false
      positives to be rendered to the user or interefere with the
      sender-requested actions.

   o  DMARC will not make a distinction between absence of DKIM
      signature and failed DKIM signature.

   o  DMARC (at least, the base version) will not provide the ability to
      publish a policy for message disposition results other than "all
      authentication tests failed".

   o  DMARC will not allow for use of header fields other than the
      RFC5322.From to perform identity alignment checks.

   o  DMARC has no "short-circuit" provision, such as specifying that a
      pass from one authentication test allows one to skip the other(s).
      All are required for reporting.

   o  This first version of DMARC supports only a single reporting
      format.

   o  DMARC makes no attempt to accommodate discovery of policy outside
      of the DNS.  Such policy communications may be accomplished out-



Kucherawy                                                      [Page 10]

                                  DMARC                     October 2011


      of-band, but not within the mechanisms described here.

   o  DMARC provides no advice about handling of malformed messages that
      might seek to exploit message processing weaknesses.  There are
      other specifications and operational documents that cover these
      issues.

   o  DMARC reports only on the last-hop IP address, and does not
      provide for reporting of the originating IP.

   o  DMARC does not address attacks that provide false information in
      the "display name" portion of the RFC5322.From field.


4.  Terminology and Definitions

   This section defines terms used in the rest of the document.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [KEYWORDS].

   For the purpose of establishing context, readers are encouraged to be
   familiar with the contents of [EMAIL-ARCH].  In particular, that
   document defines various roles in the messaging infrastructure that
   can appear the same or separate in various contexts.  For example, a
   Domain Owner could, via the messaging security mechanisms on which
   DMARC is based, delegate the ability to send mail as the Domain Owner
   to some third party.  This memo does not address the distinctions
   among such roles; the reader is encouraged to become familiar with
   that material before continuing.

   The following terms are also used:

   Authenticated Identities:  Authentication technologies allow MTAs to
      associate email with domain-level identifiers.  Domain-level
      identifiers that are established using authentication technologies
      are referred to as "Authenticated Identities".  The following
      Authenticated Identities are considered in this document:

      *  [DKIM] provides a domain-level identifier in the content of the
         "d=" tag of a validated signature.

      *  [SPF] can authenticate the domain found in an [SMTP] MAIL
         command.






Kucherawy                                                      [Page 11]

                                  DMARC                     October 2011


   Cousin Domain:  A DNS domain that, when rendered by a Mail User Agent
      (MUA), looks similar to, or can lead users to believe the domain
      is associated with, another name.  For instance, "vendor5.example"
      would be a Cousin Domain of "vendors.example".  This is a common
      tool in a homograph attack.

   Domain Owner:  The entity or organization that "owns" a DNS domain.
      The term "owns" here indicates that the entity or organization
      being referenced holds the registration of that DNS domain.
      Domain Owners range from complex, globally-distributed
      organizations, to individuals responsible for maintaining vanity
      domains, to service providers working on behalf of non-technical
      clients.

   Mail Receiver:  The entity or organization that receives and
      processes email.  Mail Receivers operate collections of Internet-
      facing Mail Transport Agents (MTAs).

   Organizational Domain:  For the purposes of this document, an
      Organizational Domain is a top-level DNS domain plus one component
      (e.g., "example.com", where "com" is a top-level domain).  This is
      also sometimes referred to as "second-level domain".  The
      Organization Domain for a given domain is determined by applying
      the following algorithm:

      1.  Acquire a "public suffix" list, i.e., a list of DNS domain
          names reserved for registrations.  Some country TLDs make
          specific registration requirements, e.g. the United Kingdom
          places company registrations under ".co.uk"; other TLDs such
          as ".com" appear in the IANA registry of top-level DNS
          domains.  A public suffix list is the union of all of these.
          Appendix F contains some discussion about obtaining a public
          suffix list.

      2.  Break the subject DNS domain name into a set of "n" ordered
          labels.  Number these labels from right-to-left; e.g. for
          "example.com", "com" would be label 1 and "example" would be
          label 2.

      3.  Search the public suffix list for the name that matches the
          largest number of labels found in the subject DNS domain.  Let
          that number be "x".

      4.  Construct a new DNS domain name using the name that matched
          from the public suffix list and prefixing to it the "x+1"th
          label from the subject domain.  This new name is the
          Organizational Domain.




Kucherawy                                                      [Page 12]

                                  DMARC                     October 2011


      Thus, since "com" is an IANA-registered TLD, a subject domain of
      "a.b.c.d.example.com" would have an Organizational Domain of
      "example.com".

      The process of determining a suffix is currently a heuristic one.
      No list is guaranteed to be accurate or current.

4.1.  Summary

   In essence, DMARC's filtering component is based on whether or not an
   arriving message has an identity authenticated either by SPF or DKIM.
   A message for which neither of these is true will be considered
   suspicious by a Mail Receiver participating in DMARC.

   Regardless of the outcome of this evaluation, the other component of
   a DMARC operation involves collecting information about received
   messages, in the aggregate, for periodic reporting back to the Domain
   Owner.  The parameters and format for such reports are discussed in
   later sections of this document.

   A DMARC-aware Mail Receiver might also generate per-message reports
   for the Domain Owner identifying the details of failing messages.
   These details are useful for forensic use in debugging deployments or
   analyzing attacks.  The capability for such a service is enabled by
   DMARC but defined in other referenced material.

   It is important to note that the authentication mechanisms employed
   by DMARC authenticate only a DNS domain, and do not authenticate the
   local-part of any email address identity found in the message.

4.2.  Identity Alignment

   The delivery and content of a single piece of email can involve
   numerous identities.  Only three are guaranteed to be present, namely
   RFC5321.MailFrom, an RFC5321.RcptTo, and an RFC5322.MailFrom.
   However, numerous others could also be present.  Some of these are
   meant to identify the message's author, some an intermediary, some a
   recipient; various identities may be the same or similar, and some
   can be completely different.

   Email authentication technologies authenticate various (and
   disparate) aspects of an individual message.  For example, [DKIM]
   authenticates the domain that affixed a signature to the message,
   while [SPF] authenticates the domain that appears in the
   RFC5321.MailFrom portion of [SMTP].  Either of these may or may not
   be the same as or similar to other identities in the message.  The
   DMARC mechanism introduces the concept of Identity Alignment to
   address the disparity of Authenticated Identities supplied by



Kucherawy                                                      [Page 13]

                                  DMARC                     October 2011


   underlying authentication technologies.

   DMARC uses the RFC5322.From domain to tie together Authenticated
   Identities {R1}.  The selection of the RFC5322.From domain as the
   central identity of the DMARC mechanism is due to the ubiquity of
   this identity and the (understandable) behavior by most MUAs to treat
   that field as representative of the originator of the message and
   render some or all of its content to end users.

   To be considered "in alignment" for the purposes of the DMARC
   mechanism, implementors MUST observe the considerations described in
   the following sections.

4.2.1.  DKIM-authenticated Identities

   DMARC provides the option of applying DKIM in a strict mode or a
   relaxed mode {R2}.

   In relaxed mode, the Organizational Domain of the [DKIM]-
   authenticated signing domain (taken from the value of the "d=" tag in
   the signature) MUST be equal to, or a parent domain of, the
   RFC5322.From domain.  In strict mode, only an exact match is
   considered to produce identity alignment.

   To illustrate, in relaxed mode, if a validated DKIM signature
   successfully verifies with a "d=" domain of "example.com", and the
   RFC5322.From domain is "alerts@news.example.com", the DKIM "d="
   domain and the RFC5322.From domain are considered to be "in
   alignment".  In strict mode, this test would fail.  However, a DKIM
   signature bearing a value of "d=com" would never allow an "in
   alignment" determination as it appears on any public suffix list.

   Identity alignment is required to prevent abuse by phishers that send
   DKIM-signed email using an arbitrary "d=" domain (such as a Cousin
   Domain) to pass authentication checks.

4.2.2.  SPF-authenticated Identities

   DMARC provides the option of applying SPF in a strict mode or a
   relaxed mode {R2}.

   In relaxed mode, the [SPF]-authenticated RFC5321.MailFrom (commonly
   called the "envelope sender") domain and RFC5322.From domain must
   share the same Organizational Domain, but do not need to match
   exactly.  The SPF-authenticated RFC5321.MailFrom may be a parent
   domain or child domain of the RFC5322.From domain.  In strict mode,
   only an exact DNS domain match is considered to produce identity
   alignment.



Kucherawy                                                      [Page 14]

                                  DMARC                     October 2011


   For example, if a message passes an SPF check with an
   RFC5321.MailFrom domain of "cbg.bounces.example.com", and the address
   portion of the RFC5322.From field contains "payments@example.com",
   the Authenticated RFC5321.MailFrom domain identity and the
   RFC5322.From domain are considered to be "in alignment" in relaxed
   mode, but not in strict mode.

   For purposes of identity alignment, in relaxed mode, Organizational
   Domains of RFC5321.MailFrom domains that are a parent domain of the
   RFC5322.From domain are acceptable as many large organizations
   perform more efficient bounce processing by mapping the
   RFC5321.MailFrom domain to specific mailstreams.


5.  Policy

   DMARC policies are published by Domain Owners and applied by Mail
   Receivers.

   A Domain Owner advertises DMARC participation by adding a DNS TXT
   record (described in Section 6) {R3, R15, R16} to one or more sending
   domains under its direct or indirect control (e.g. operated by a
   delegate by agreement with the Domain Owner).  In doing so, it makes
   specific requests of Mail Receivers regarding the disposition of and
   feedback on messages purporting to be from its domains.

   A Mail Receiver MUST consider an arriving message to fail the DMARC
   test if none of the underlying message authentication mechanisms
   pass.  It is an implementation choice as to whether or not temporary
   failures reported by those mechanisms constitute a hard failure in
   this context.

   A Mail Receiver implementing the DMARC mechanism MUST make a best-
   effort to adhere to the Domain Owner's published DMARC policy when a
   message fails the DMARC test.  Recognizing that email streams can be
   complicated (due to forwarding, existing RFC5322.From domain-spoofing
   services, etc.), Mail Receivers MAY deviate from a Domain Owner's
   published policy during message processing and SHOULD make available
   the fact and reason of the deviation to the Domain Owner via
   aggregate feedback reporting.


6.  DMARC Policy Record

   A Domain Owner expresses DMARC preferences by placing in the DNS a
   TXT record whose name is "_dmarc".  For instance, the Domain Owner of
   "example.com" would post DMARC preferences in a TXT record at
   "_dmarc.example.com".  Similarly, a Mail Receiver wishing to query



Kucherawy                                                      [Page 15]

                                  DMARC                     October 2011


   for a DMARC preference statement regarding mail with an RFC5322.From
   domain of "example.com" would issue a TXT query to the DNS for the
   same name.  This will hereafter be called the "DMARC record".

   DMARC records are stored in the DNS for three key engineering
   reasons:

   Wildcarding:  DNS natively supports wildcarding, enabling child
      domains to inherit parent domain policy easily.

   Overrides:  DMARC records published at child domains explicitly
      override extant parent policy.

   Efficiency:  DNS caching is a common practice, reducing operational
      overhead of a new DNS-based mechanism.

   Per [DNS], a TXT record can comprise several "character-string"
   objects.  Where this is the case, the module performing DMARC
   evaluation MUST concatenate these strings by joining together the
   objects in order using space characters and parsing the result as a
   single string.

6.1.  General Record Format

   DMARC records follow the extensible "tag-value" syntax for DNS-based
   key records defined in [DKIM]. {R24}

   Section 14 creates a registry for known DMARC tags and registers the
   initial set defined in this memo.  Only tags defined in this memo or
   in later extensions, and thus added to that registry, are to be
   processed; unknown tags MUST be ignored.  To avoid version
   compatibility issues, tags added to the DMARC specification SHOULD
   NOT change the semantics of existing records when processed by
   implementations conforming to prior specifications.

   The following tags are introduced as the initial valid DMARC tags:

   adkim:  (String; OPTIONAL, default is "r".)  Indicates whether or not
      strict DKIM identity alignment is required by the Domain Owner.
      If and only if the value of the string is "s", strict mode is in
      use.  See Section 4.2.1 for details.

   aspf:  (String; OPTIONAL, default is "r".)  Indicates whether or not
      strict SPF identity alignment is required by the Domain Owner.  If
      and only if the value of the string is "s", strict mode is in use.
      See Section 4.2.2 for details.





Kucherawy                                                      [Page 16]

                                  DMARC                     October 2011


   p: Requested Mail Receiver policy (plain-text; REQUIRED).  Indicates
      the policy to be enacted by the Receiver at the request of the
      Domain Owner.  It applies only to the domain queried and not to
      its subdomains.  Possible values are as follows:

      none:  {R5} The Domain Owner requests no specific action be taken
         regarding delivery of messages.

      quarantine:  {R4} The Domain Owner wishes to have email that fails
         the DMARC mechanism check to be treated by Mail Receivers as
         suspicious.  Depending on the capabilities of the Mail
         Receiver, this can mean "place into spam folder", "scrutinize
         with additional intensity", and/or "flag as suspicious".

      reject:  {R4} The Domain Owner wishes for Mail Receivers to reject
         email that fails the DMARC mechanism check.  Rejection SHOULD
         occur during the SMTP transaction.  See Section 15.6 for some
         discussion of SMTP rejection methods and their implications.

   pct:  (Integer between 0 and 100, inclusive; OPTIONAL; default is
      100). {R8} Percentage of messages from the DNS domain's mail
      stream to which the DMARC mechanism is to be applied.  However,
      this MUST NOT be applied to the DMARC-generated reports, all of
      which must be sent and received unhindered.  The purpose of the
      "pct" tag is to allow Domain Owners to slowly roll out enforcement
      of the DMARC mechanism.  The prospect of "all or nothing" is
      recognized as preventing many organizations from experimenting
      with strong authentication-based mechanisms.

   rf:  Format to be used for message-specific forensic information
      reports (comma-separated list of values; OPTIONAL; default
      "afrf").  The value of this tag is a list of one or more report
      formats as requested by the Domain Owner to be used when a message
      fails both [SPF] and [DKIM] tests to report details of the
      individual failure.  The values MUST be present in the registry of
      reporting formats defined in Section 14; a Mail Receiver observing
      a different value SHOULD ignore it, or MAY ignore the entire DMARC
      record.  Initial default values are "afrf" (defined in [AFRF]) and
      "iodef" (defined in [IODEF]).

   ri:  Interval requested between aggregate reports (32-bit unsigned
      integer; OPTIONAL; default 86400). {R14} Indicates a request to
      Receivers to generate aggregate reports separated by no more than
      the requested number of seconds.  DMARC implementations MUST be
      able to provide daily reports and SHOULD by able to provide hourly
      reports when requested.  However, anything other than a daily
      report is understood to be accommodated on a best-effort basis.




Kucherawy                                                      [Page 17]

                                  DMARC                     October 2011


   rua:  Addresses to which aggregate feedback is to be sent (comma-
      separated list of URIs; OPTIONAL). {R11} A comma that is part of
      such a URI MUST be encoded per Section 2.1 of [URI] so as to
      distinguish it from the list delimiter.  Domain Owners MAY request
      feedback sent to locations outside of the subject domain name, and
      Mail Receivers MAY enact or ignore such requests as per local
      policy.  See Section 15.5 for additional consideration.  Any valid
      URI can be specified.  A Mail Receiver MUST implement support for
      a "mailto:" URI, i.e. the ability to send a DMARC report via
      electronic mail.  If not provided, Mail Receivers MUST NOT
      generate aggregate feedback reports.  URIs not supported by Mail
      Receivers MUST be ignored.

   ruf:  Addresses to which message-specific forensic information is to
      be reported (comma-separated list of URIs; OPTIONAL). {R11} If
      present, the Domain Owner is requesting Mail Receivers to send
      detailed forensic reports about messages that fail either [SPF] or
      [DKIM] evaluation.  The format of the message to be generated MUST
      follow that specified in the "rf" tag.

   sp:  {R6} Requested Mail Receiver policy for subdomains (plain-text;
      OPTIONAL).  Indicates the policy to be enacted by the Receiver at
      the request of the Domain Owner.  It applies only to subdomains of
      the domain queried and not to the domain itself.  Its syntax is
      identical to that of the "p" tag defined above.  If absent, the
      policy specified by the "p" tag MUST be applied for subdomains.

   v: (String; REQUIRED, default is "DMARC1".)  Identifies the record
      retrievd as a DMARC record.  The value of this tag MUST match
      precisely; if it does not or it is absent, the entire retrieved
      record MUST be ignored.

6.2.  Formal Definition

   The formal definition of the DMARC format using [ABNF] is as follows:
















Kucherawy                                                      [Page 18]

                                  DMARC                     October 2011


     dmarc-record = dmarc-version dmarc-sep
                    dmarc-request
                    [dmarc-sep dmarc-srequest]
                    [dmarc-sep dmarc-auri]
                    [dmarc-sep dmarc-furi]
                    [dmarc-sep dmarc-adkim]
                    [dmarc-sep dmarc-aspf]
                    [dmarc-sep dmarc-ainterval]
                    [dmarc-sep dmarc-rfmt]
                    [dmarc-sep dmarc-percent]
                    ; these components may appear in any order

     dmarc-sep = *WSP %3b *WSP

     dmarc-version = %x76 *WSP "=" %x44.4d.41.52.43

     dmarc-request = %3b *WSP %x70 *WSP "=" *WSP ( "none" / "discard" /
                                          "quarantine" / "reject" )

     dmarc-srequest = *WSP %x73.70 *WSP "=" *WSP ( "none" / "discard" /
                                              "quarantine" / "reject" )

     dmarc-auri = *WSP %x3b *WSP %x72.75.61 *WSP "=" *WSP
                   URI *(*WSP "," *WSP URI)
                   ; "URI" is imported from [URI]

     dmarc-ainterval = *WSP %x3b *WSP %x72.69 *WSP "=" *WSP

     dmarc-furi = *WSP %x3b *WSP %x72.75.66 *WSP "=" *WSP
                   URI *(*WSP "," *WSP URI)
                   ; "URI" is imported from [URI]

     dmarc-rfmt = *WSP %x3b *WSP %x72.66 *WSP "=" *WSP
                  ( "afrf" / "iodef" )

     dmarc-percent = *WSP %x3b *WSP %x70.63.74 *WSP "=" *WSP
                     1*3DIGIT

     dmarc-adkim = *WSP %x3b *WSP %x61.64.6b.69.6d  *WSP "=" *WSP
                   ( "r" / "s" )

     dmarc-aspf = *WSP %x3b *WSP %x61.73.70.66  *WSP "=" *WSP
                  ( "r" / "s" )








Kucherawy                                                      [Page 19]

                                  DMARC                     October 2011


7.  Policy Enforcement Considerations

   Mail Receivers MAY choose to reject or quarantine email even if email
   passes the DMARC mechanism check.  The DMARC mechanism does not
   inform Mail Receivers whether an email stream is "good".  Mail
   Receivers are encouraged to maintain anti-abuse technologies to
   combat the possibility of DMARC-enabled criminal campaigns.

   Mail Receivers MAY choose to accept email that fails the DMARC
   mechanism check even if the Domain Owner has published a "reject"
   policy.  Mail Receivers SHOULD make a best effort not to increase the
   likelihood of phishing if it chooses not to reject, against policy.

   Mail Receivers are not obligated to report reject or quarantine
   policy actions in aggregate feedback reports that are the result of
   local policy.  If this information is exposed, abusers can gain
   insight into the effectiveness and delivery rates of spam campaigns.

   Mail Receivers MUST disregard any mail directive discovered as part
   of an authentication mechanism (e.g., ADSP, SPF) where a DMARC policy
   is also discovered. {R7} Mail Receivers SHOULD also implement
   reporting instructions of DMARC in place of any extensions to SPF or
   DKIM that might enable such reporting. {R10}


8.  DMARC Feedback

   The DMARC mechanism requires highly accurate authentication
   deployments to allow Mail Receivers to safely and scalably enforce
   Domain Owner policies.  Providing Domain Owners with visibility into
   how Mail Receivers implement and enforce the DMARC mechanism is
   critical to accurate authentication deployments.

8.1.  Aggregate Reports

   Visibility comes in the form of daily (or more frequent) Mail
   Receiver-originated feedback reports that contain aggregate data on
   message streams relevant to the Domain Owner.  This information
   includes data about messages that passed DMARC authentication as well
   as those that did not.

   The format for these reports is defined in Appendix E.

   The report SHOULD include the following data:

   o  Enough information for the report consumer to re-calculate DMARC
      disposition based on the published policy, message dispositon, and
      SPF, DKIM, and identity alignment results. {R12}



Kucherawy                                                      [Page 20]

                                  DMARC                     October 2011


   o  Data for each sender subdomain separately from mail from the
      sender's organizational domain, even if no subdomain policy is
      applied. {R13}

   o  Sending and receiving domains {R17}

   o  The policy requested by the Domain Owner and the policy actually
      applied (if different) {R18}

   o  The number of successful authentications {R19}

   o  The counts of messages based on all messages received even if
      their delivery is ultimately blocked by other filtering agents
      {R20}

8.2.  Failure Reports

   Also important is forensic information about the cause of
   authentication failures.  This information can be used to identify
   problems with the infrastructure under control of a Domain Owner as
   well as to investigate the sources and methods of fraudulent
   messages.

   The format for these reports is defined in [AFRF].

   These reports SHOULD include the "call-to-action" URI(s) from inside
   messages that failed to authenticate. {R21}


9.  Policy Discovery

   As stated above, the DMARC mechanism utilizes DNS TXT records to
   advertise policy.  Policy discovery is accomplished similar to the
   way SPF records are discovered.  Important differences are discussed
   below.

   To balance the conflicting requirements of supporting wildcarding,
   subdomain policy overrides, and limiting DNS query load, the
   following DNS lookup scheme is employed:

   1.  Mail Receivers MUST query the DNS for a DMARC TXT record at the
       DNS domain matching the one found in the RFC5322.From domain in
       the message.

   2.  If no DMARC policy is found there, the Mail Receiver MUST query
       the DNS for a DMARC TXT record at the DNS domain matching the
       Organizational Domain in place of the RFC5322.From domain in the
       message.  This record can contain policy to be asserted for



Kucherawy                                                      [Page 21]

                                  DMARC                     October 2011


       subdomains of the Organizational Domain.

   If the procedure above results in a DNS reply that contains no DMARC
   policy record (i.e., any indication that there is no such record as
   opposed to a transient DNS error), Mail Receivers SHOULD NOT apply
   the DMARC mechanism to the message.

   If the query results in any DNS reply indicate the RFC5322.From
   domain does not exist in the DNS, Mail Receivers SHOULD direct the
   receiving SMTP server to reject the message {R9}.  The choice of
   mechanism for such rejection and the implications of those choices
   are discussed in Section 11 and Section 15.6.


10.  Domain Owner Actions

   To implement the DMARC mechanism, Domain Owners perform the actions
   enumerated in this section.  For a trial operation, a Domain Owner
   might at first deploy DMARC to cover only a subdomain.

   1.  Deploy authentication technologies such as [DKIM] (see also
       [DKIM-OVERVIEW] and [DKIM-DEPLOYMENT]) and [SPF].

   2.  Align identities; i.e., audit internal systems so that mail
       received by Mail Receivers will observe that Authenticated
       Identities within such messages will be in alignment.

   3.  Prepare to receive feedback.  Create dedicated email addresses to
       receive and process feedback from the Mail Receivers.  Naturally,
       this reporting address SHOULD be serviced by an MTA equipped to
       perform both DKIM and SPF checks.

   4.  Publish a DMARC policy of "none" with a feedback reporting
       address to receive aggregate feedback data from Mail Receivers.

   5.  Ongoing review and maintenance.  Use the provided feedback data
       to remediate unauthenticated email streams and correct identity
       alignment issues.  This is a good opportunity to discover email
       that, for example, passes SPF checks but is missing DKIM
       signatures, since such email will inevitably fail authentication
       when forwarded.

   6.  Increase policy strength.  When confidence of authentication
       accuracy is gained, publish a DMARC policy of "quarantine" with a
       reasonably small value for "pct".  Debug false positives (due to
       missed unsigned mailstreams) while gradually increasing the value
       of "pct" to 100.




Kucherawy                                                      [Page 22]

                                  DMARC                     October 2011


   7.  Fully secure mail streams.  When "pct" reaches 100 with no
       observed ill effects, publish a DMARC policy of "reject" with a
       reasonably small value for "pct".  Repeat debugging and
       corrective process as necessary.


11.  Mail Receiver Actions

   This section describes receiver actions in the DMARC environment.

11.1.  Extract Author Domain

   The domain in the RFC5322.From field is extracted as the domain to be
   evaluated by DMARC.

   A message bearing multiple RFC5322.From identities is ambiguous under
   DMARC, and MUST be ignored with respect to all DMARC processing.
   This includes messages with multiple RFC5322.From fields (which is
   also forbidden under [MAIL]) and a message with a single RFC5322.From
   field containing multiple entities.

11.2.  Determine Domain Existence

   Before undertaking DMARC evaluation itself, a DMARC participant
   SHOULD make an attempt to determine whether or not the DNS domain
   found in the RFC5322.From field actually exists.  For the purposes of
   this test, that domain exists if either an MX, A or AAAA record can
   be found in the DNS, implying it makes available a possible
   destination for replies to messages it sends.  If none of those can
   be found, the Mail Receiver SHOULD reject the message (see
   Section 15.6).  To be specific, a record does not exist if the header
   section of the DNS reply indicates an RCODE of 0 and an ANCOUNT of 0
   (the requested name exists, but no record of the requested type is
   present), or if the DNS reply indicates an RCODE of 3 (the requested
   name does not exist at all).

   A Mail Receiver MAY also elect to compute the Organizational Domain
   and repeat the existence test against that domain (if different from
   the RFC5322.From domain).  If that domain also fails, the message
   MUST be rejected.  The process for computing the Organizational
   Domain is described in Section 4.

   An example in which these tests may be skipped would be local
   knowledge (from logs, reputation systems, allow lists, or other
   historical records maintained by the Mail Receiver) that the
   RFC5322.From field contains a domain known to exist.





Kucherawy                                                      [Page 23]

                                  DMARC                     October 2011


11.3.  Determine Handling Policy

   To arrive at a policy disposition for an individual message, Mail
   Receivers MUST perform the following actions or their semantic
   equivalents.  These steps, plus the act of retrieving DMARC policy
   from the DNS, MAY be done in parallel.

   The steps are as follows:

   1.  Extract the RFC5322.From domain from the message.

   2.  Query the DNS for a DMARC policy record.  Continue if one is
       found, or abort DMARC evaluation otherwise.  See Section 9 for
       details.

   3.  Perform DKIM signature verification checks.  The results of this
       step passed to the remainder of the algorithm MUST include the
       value of the "d=" tag from all DKIM signatures that successfully
       validated.

   4.  Perform SPF validation checks.  The results of this step passed
       to the remainder of the algorithm MUST include the domain name
       from the RFC5321.MailFrom if SPF evaluation returned a "pass"
       result.

   5.  Conduct identity alignment checks.  With authentication checks
       and policy discovery performed, the Mail Receiver checks if
       Authenticated Identities fall into alignment as decribed in
       Section 4.  If one or more of the Authenticated Identities align
       with the RFC5322.From domain, the message is considered to pass
       the DMARC mechanism check.  All other conditions (authentication
       failures, identity mismatches) are considered to be DMARC
       mechanism check failures.

   6.  Apply policy.  Emails that fail the DMARC mechanism check are
       disposed of according to the discovered DMARC policy of the
       Domain Owner.  See Section 6.1 for details.

11.4.  Message Sampling

   Attention must be paid to the possible presence of the "pct" tag in
   the DMARC policy record.  If the tag is present, the Mail Receiver
   MUST include all messages in any reports produced (both aggregate and
   per-message forms), but MUST NOT enact the requested policy ("p" tag
   or "sp" tag") on more than the stated percent of those messages.

   If email is subject to the DMARC policy of "quarantine", the Mail
   Receiver SHOULD quarantine the message.  If the email is not subject



Kucherawy                                                      [Page 24]

                                  DMARC                     October 2011


   to the "quarantine" policy (e.g., due to the "pct" tag), the Mail
   Receiver SHOULD apply local spam classification as normal.

   If email is subject to the DMARC policy of "reject", the Mail
   Receiver SHOULD reject the message (see Section 15.6).  If the email
   is not subject to the "reject" policy (due to the "pct" tag), the
   Mail Receiver SHOULD treat the email as though the "quarantine"
   policy applies.

11.5.  Store Results of DMARC Processing

   The results of Mail Receiver-based DMARC processing should be stored
   for eventual presentation back to the Domain Owner in the form of
   aggregate feedback data.  Section 6 and Section 12 discuss aggregate
   feedback.

   See Section 15.7 for a discussion of security matters regarding
   aggregation of such data.


12.  Feedback Mechanism

   The DMARC aggregate feedback report is designed to provide Domain
   Owners with precise insight into authentication results, where
   corrective action needs to be taken by Domain Owners, and the effect
   of Domain Owner DMARC policy on email streams processed by Mail
   Receivers.  The format of the original payload comprising the report
   can be found in Appendix E.

   The availability, publication, and consumption of aggregate DMARC
   feedback provides Domain Owners with the visibility into real-world
   email streams that is required to make informed decisions regarding
   the publication of DMARC policy.  Based on this visibility, Domain
   Owners can publish DMARC policies and be fully cognizant of the
   resulting effect of policy enforcement by Mail Receivers.  This
   feedback mechanism significantly reduces the cost and risk of
   enforcing policies by Mail Receivers.

12.1.  Discovery

   Discovery of a request to receive feedback data is made when a Mail
   Receiver looks up a DMARC policy record.  The presence of the "rua"
   tag specifies where to send feedback.  URI schemes found in "rua" tag
   that are not implemented by a Mail Receiver MUST be ignored.

   To provide background on the considerations given to DMARC discovery,
   see Appendix D.




Kucherawy                                                      [Page 25]

                                  DMARC                     October 2011


12.2.  Transport

   Where the URI specified in an "rua" tag does not specify otherwise, a
   Mail Receiver generating a feedback report SHOULD apply a secure
   transport mechanism.

   If transport is not possible because the services advertised by the
   published URIs are not able to accept reports, the Mail Receiver
   SHOULD send a short report (see Section 12.2.4) indicating that a
   report is available but could not be sent.  The Mail Receiver MAY
   cache that data and try again later, or MAY discard data that could
   not be sent.

12.2.1.  Email

   In the case of a "mailto" URI, the Mail Receiver SHOULD communicate
   reports using the method described in [STARTTLS].

   The message generated by the Mail Receiver must be a [MIME] formatted
   [MAIL] message.  The aggregate report itself MUST be included in one
   of the parts of the message.  Where there is a desire to include a
   human-readable portion, such MAY be included as a MIME part (such as
   a text/plain part).  The aggregate data itself MUST be present using
   the media type "application/zip", and the filename SHOULD be
   constructed using the following ABNF:

     filename = receiver "!" policy-domain "!" begin-timestamp "!"
                end-timestamp "." extension

     receiver = domain
              ; imported from [MAIL]

     policy-domain = domain

     begin-timestamp = 1*DIGIT
                     ; seconds since 00:00:00 UTC January 1, 1970
                     ; indicating start of the time range contained
                     ; in the report

     end-timestamp = 1*DIGIT
                   ; seconds since 00:00:00 UTC January 1, 1970
                   ; indicating end of the time range contained
                   ; in the report

     extension = ( "xml" )

   Email streams carrying DMARC feedback data MUST conform to the DMARC
   mechanism.  That is, the message comprising the report should be



Kucherawy                                                      [Page 26]

                                  DMARC                     October 2011


   DKIM-signed and originate from a source for which an SPF test would
   pass.  Such practice minimizes the risk of report consumers receiving
   fraudulent reports.

   The RFC5322.Subject field for individual report submissions SHOULD
   conform to the following ABNF:

     dmarc-subject = %x52.65.70.6f.72.74 1*FWS    ; "Report"
                     %x44.6f.6d.61.69.6e.3a 1*FWS ; "Domain:"
                     domain-name 1*FWS            ; from RFC6376
                     %x53.75.62.6d.69.74.74.65.72.3a ; "Submitter:"
                     1*FWS domain-name 1*FWS
                     %x52.65.70.6f.72.74.2d.49.44.3a ; "Report-ID:"
                     msg-id                       ; from RFC5322

   The first domain-name indicates the DNS domain name about which the
   report was generated.  The second domain-name indicates the DNS
   domain name representing the Mail Receiver generating the report.
   The purpose of the Report-ID: portion of the field is to enable the
   Domain Owner to identify and ignore duplicate reports that might be
   sent by a Mail Receiver.

   This transport mechanism potentially encounters a problem when
   feedback data size exceeds maximum allowable attachment sizes for
   either the generator or the consumer.  See Section 12.2.4 for further
   discussion.

12.2.2.  HTTP

   Where an "http" or "https" method is requested in a Domain Owner's
   URI list, the Mail Receiver MAY encode the data using the
   "application/zip" media type or MAY send the Appendix E data
   uncompressed or unencoded.

   The header portion of the POST or PUT request SHOULD contain a
   Subject field as described in Section 12.2.1.

12.2.3.  Other Methods

   Other registered URI schemes may be explicitly supported in later
   versions.  Implementation details for them will be provided when such
   adoptions are made.

12.2.4.  Error Reports

   When a Mail Receiver is unable to complete delivery of a report via
   any of the URIs listed by the Domain Owner, the Mail Receiver SHOULD
   generate an error message.  An attempt MUST be made to send this



Kucherawy                                                      [Page 27]

                                  DMARC                     October 2011


   report to all listed "mailto" URIs and MAY also be sent to any or all
   other listed URIs.

   The error report MUST be formatted per [MIME].  A text/plain part
   MUST be included that contains field-value pairs such as those found
   in Section 2 of [DSN].  The fields required, which may appear in any
   order, are:

   Report-Date:  A [MAIL]-formatted date expression indicating when the
      transport failure occurred.

   Report-Domain:  The domain-name about which the failed report was
      generated.

   Report-ID:  The Report-ID: that the report tried to use.

   Report-Size:  The size, in bytes, of the report that was unable to be
      sent.  This MUST represent the number of bytes that the Mail
      Receiver attempted to send.  Where more than one transport system
      was attempted, the sizes may be different; in such cases, separate
      error reports MUST be generated so that this value matches the
      actual attempt that was made.  For example, a "mailto" error
      report would be sent to the "mailto" URIs with one size, while the
      "https" reports might be POSTed to those URIs with a different
      size, as they have different transport and encoding requirements.

   Submitter:  The domain-name representing the Mail Receiver that
      generated, but was unable to submit, the report.

   Submitting-URI:  The URI(s) to which the Mail Receiver tried, but
      failed, to submit the report.

   An additional text/plain part MAY be included that gives a human-
   readable explanation of the above, and MAY also include a URI that
   can be used to seek assistance.

   [NOTE: A more rigorous syntax specification, including ABNF and
   possible registration of a new media type, will be added here when
   more operational experience is acquired.]


13.  Minimum Implementations

   A minimum implementation of DMARC has the following characteristics:

   o  Is able to send and/or receive reports at least daily;





Kucherawy                                                      [Page 28]

                                  DMARC                     October 2011


   o  Is able to send and/or receive reports using "mailto" URIs;

   o  Other than in exceptional circumstances such as resource
      exhaustion, can generate or accept a report up to ten megabytes in
      size;

   o  Fully implements the provisions of Section 11) (if acting as a
      Mail Receiver).


14.  IANA Considerations

   This section describes actions requested of IANA.

14.1.  Authentication-Results Method Registry Update

   IANA is requested to add the following to the Email Authentication
   Method Name Registry:

   Method:  dmarc

   Defined In:  [this memo]

   ptype:  header

   property:  from

   value:  contents of the [MAIL] From: header field, with comments
      removed

14.2.  Authentication-Results Result Registry Update

   IANA has added the following in the Email Authentication Result Name
   Registry:

   Code:  none

   Existing/New Code:  existing

   Defined In:  [AUTH-RESULTS]

   Auth Method:  dmarc (added)

   Meaning:  No DMARC policy record was published for the aligned
      identity, or no aligned identity could be extracted.






Kucherawy                                                      [Page 29]

                                  DMARC                     October 2011


   Code:  pass

   Existing/New Code:  existing

   Defined In:  [AUTH-RESULTS]

   Auth Method:  dmarc (added)

   Meaning:  A DMARC policy record was published for the aligned
      identity, and at least one of the authentication mechanisms
      passed.

   Code:  fail

   Existing/New Code:  existing

   Defined In:  [AUTH-RESULTS]

   Auth Method:  dmarc (added)

   Meaning:  A DMARC policy record was published for the aligned
      identity, and none of the authentication mechanisms passed.

   Code:  temperror

   Existing/New Code:  existing

   Defined In:  [AUTH-RESULTS]

   Auth Method:  dmarc (added)

   Meaning:  A temporary error occurred during DMARC evaluation.  A
      later attempt might produce a final result.

   Code:  permerror

   Existing/New Code:  existing

   Defined In:  [AUTH-RESULTS]

   Auth Method:  dmarc (added)

   Meaning:  A temporary error occurred during DMARC evaluation.  A
      later attempt is unlikely to produce a final result.







Kucherawy                                                      [Page 30]

                                  DMARC                     October 2011


14.3.  DMARC Tag Registry

   Names of DMARC tags must be registered with IANA.  New entries are
   assigned only for values that have been documented in a published RFC
   that has had IETF Review, per [IANA-CONSIDERATIONS].  Each
   registration must include the tag name, the specification that
   defines it, a brief description, and its status which must be one of
   "current", "experimental" or "historic".

   The initial set of of entries in this registry is as follows:

    +----------+-------------+---------+------------------------------+
    | Tag Name | Defined     | Status  | Description                  |
    +----------+-------------+---------+------------------------------+
    |  adkim   | [THIS MEMO] | current | Strict DKIM alignment mode   |
    +----------+-------------+---------+------------------------------+
    |   aspf   | [THIS MEMO] | current | Strict SPF alignment mode    |
    +----------+-------------+---------+------------------------------+
    |   pct    | [THIS MEMO] | current | Sampling rate                |
    +----------+-------------+---------+------------------------------+
    |    p     | [THIS MEMO] | current | Requested handling policy    |
    +----------+-------------+---------+------------------------------+
    |    rf    | [THIS MEMO] | current | Forensic reporting format(s) |
    +----------+-------------+---------+------------------------------+
    |    ri    | [THIS MEMO] | current | Reporting interval           |
    +----------+-------------+---------+------------------------------+
    |   rua    | [THIS MEMO] | current | Reporting URI(s) for         |
    |          |             |         | aggregate data               |
    +----------+-------------+---------+------------------------------+
    |   ruf    | [THIS MEMO] | current | Reporting URI(s) for         |
    |          |             |         | forensic data                |
    +----------+-------------+---------+------------------------------+
    |    sp    | [THIS MEMO] | current | Requested handling policy    |
    |          |             |         | for subdomains               |
    +----------+-------------+---------+------------------------------+
    |    v     | [THIS MEMO] | current | Specification version        |
    +----------+-------------+---------+------------------------------+

14.4.  DMARC Report Format Registry

   Names of DMARC forensic reporting formats must be registered with
   IANA.  New entries are assigned only for values that have been
   documented in a published RFC that has had IETF Review, per
   [IANA-CONSIDERATIONS].  Each registration must include the tag name,
   the specification that defines it, a brief description, and its
   status which must be one of "current", "experimental" or "historic".

   The initial set of of entries in this registry is as follows:



Kucherawy                                                      [Page 31]

                                  DMARC                     October 2011


    +--------+-------------+---------+-----------------------------+
    | Format | Defined     | Status  | Description                 |
    |  Name  |             |         |                             |
    +--------+-------------+---------+-----------------------------+
    | afrf   | [THIS MEMO] | current | Authentication Failure      |
    |        |             |         | Reporting Format (see       |
    |        |             |         | [AFRF])                     |
    +--------+-------------+---------+-----------------------------+
    | iodef  | [THIS MEMO] | current | Incident Object Description |
    |        |             |         | Exchange Format (see        |
    |        |             |         | [IODEF])                    |
    +--------+-------------+---------+-----------------------------+


15.  Security Considerations

   This section discusses security-specific issues related to the DMARC
   mechanism.

15.1.  Use of RFC5322.From

   One of the most obvious points of security scrutiny for DMARC is the
   choice to focus on an identity, namely the RFC5322.From, which is
   part of a body of data trivially forged throughout the history of
   email.

   Several points suggest it is the most correct and safest thing to do
   in this context:

   o  Of all the identities that are part of the message itself, this is
      the only one guaranteed to be present.

   o  It seems the best choice of an identity on which to focus as most
      Mail User Agents (MUAs) display some or all of the contents of
      that field in a manner strongly suggesting those data as
      reflective of the true originator of the message.

   o  The entire thrust of the email authentication effort has been to
      create mechanisms by which that field, or at least some field in
      the message, can be deemed genuine.  Thus, that field is not
      easily forged within the context of its use with DMARC.

   o  The DMARC mechanism confers no additional privilege to the message
      without successful authentication of this identity.







Kucherawy                                                      [Page 32]

                                  DMARC                     October 2011


15.2.  Attacks on Reporting URIs

   The publication of URIs in a DNS TXT record as possible targets for
   attacks is acknowledged, but not new.  Specifications such as [DNS]
   and [ROLES] either expose or cause the exposure of email addresses
   that could be flooded by an attacker, for example; MX, NS and other
   records found in the DNS advertise potential attack destinations;
   common DNS names such as "www" plainly identify the locations at
   which particular services can be found, providing destinations for
   targeted denial-of-service or penetration attacks.

   Thus, Domain Owners will need to harden these addresses against
   various attacks, including but not limited to:

   o  high-volume denial-of-service attacks;

   o  deliberate construction of malformed reports intended to identify
      or exploit parsing or processing vulnerabilities;

   o  deliberate construction of reports containing false claims for the
      Submitter or Reported-Domain fields, including the possibility of
      false data from compromised but known Mail Receivers.

15.3.  Issues Specific to SPF

   In the DMARC model, SPF results for a subdomain can authenticate mail
   from a different subdomain (or the parent organizational domain).  If
   an attacker can control the SPF record for a subdomain, mail sent
   from those IPs will pass authentication for the organizational domain
   (e.g., an attacker who controls the SPF record for "evil.example.com"
   can send mail with an RFC5322.From containing "foo@example.com" that
   passes authentication).  The Organizational Domain administrator
   should be careful not to cede control of SPF records for subdomains
   if this is an issue.

   SPF results are honored as a backup mechanism, even if DKIM
   verification fails or the signature is absent.  Some senders that
   feel strongly that all of their mail should be signed may not want
   this backup mechanism.  However, it is best for both senders and
   receivers if unsigned mailstreams are discovered through the
   aggregated authentication feedback report, rather than by rejecting
   unsigned mail that receivers know to be valid via SPF.

   Though DMARC does not inherently change the semantics of an SPF
   policy record, historically lax enforcement of such policies has led
   many to publish extremely broad records containing many large network
   ranges and include statements.  Domain Owners are strongly encouraged
   to review their SPF records carefully before publishing a DMARC



Kucherawy                                                      [Page 33]

                                  DMARC                     October 2011


   record.

15.4.  DNS Load

   DMARC policies are only as accurate as the DNS records as viewed by
   Mail Receivers.  There is an inherent conflict between freshness and
   reducing DNS lookup overhead.  Should Domain Owners publish a DNS
   record with a very short TTL, Mail Receivers can be provoked through
   the injection of large volumes of messages to overwhelm the Domain
   Owner's DNS.  Although this is not a concern specific to DMARC, the
   implications of a very short TTL should be considered when publishing
   DMARC policies.

   Conversely, long TTLs mean those data will be cached for long periods
   of time.  This can mean a critical change to DMARC parameters
   advertised by a Domain Owner go unnoticed for long periods, waiting
   for DNS caches to expire.  Avoiding this problem means shorter TTLs,
   with the potential problems enumerated above.  Naturally, a balance
   needs to be sought.  Fortunately, none of this is expected to be a
   concern in a stable system.  It is merely a consideration during
   initial deployment.

15.5.  External Reporting Addresses

   To reduce burdens on Domain Owners, the "rua" tag is allowed to
   contain references to report consumers outside of the subject DNS
   domain.  Thus, the feedback reporting mechanism can be abused by
   malicious Domain Owners to cause large volumes of reports to be sent
   to unsuspecting report consumers.  To abuse this mechanism, a
   malicious Domain Owner must create a DMARC record with an "rua" field
   that contains a reference to a victim report consumer and then send
   email to report-generating Mail Receivers.  The victim would then
   receive unwanted reports from each DMARC-aware Mail Receiver.

   Although a possible nuisance, due to the long intervals between Mail-
   Receiver-generated aggregate reports, the possibility of introducing
   an exploitable Denial of Service mechanism is small.  Furthermore, an
   artifact of such an attack would yield feedback reports that describe
   exactly where an attacker introduced email into each Mail Receiver.
   Such an artifact would link an attack directly to a Domain Owner and
   to the network resources utilized to perform the attack.

   To further reduce the possibility of abuse, Mail Receivers will want
   to place controls on report generation to mitigate report generation
   spikes due to spurious Domain Owner requests for reports.






Kucherawy                                                      [Page 34]

                                  DMARC                     October 2011


15.6.  Rejecting Messages

   This proposal calls for rejection of a message during the SMTP
   session under certain circumstances.  This is typically done in one
   of two ways:

   o  Full rejection, wherein the SMTP server issues a 5xy reply code as
      an indication to the SMTP client that the transaction failed; the
      SMTP client is then responsible for generating notification that
      delivery failed (see Section 4.2.5 of [SMTP]).

   o  A "silent discard", wherein the SMTP server returns a 2xx reply
      code implying to the client that delivery (or, at least, relay)
      was successfully completed, but then simply discarding the message
      with no further action.

   Each of these has a cost.  For instance, a silent discard may prevent
   "backscatter" (the annoying generation of delivery failure reports,
   which go back to the RFC5321.MailFrom address, about messages that
   were fraudulently generated), but effectively means the SMTP server
   has to be programmed to give a false result, which can confound
   external debugging efforts.

   Similarly, the text portion of the SMTP reply may be important to
   consider.  For example, when rejecting a message, revealing the
   reason for the rejection might give an attacker enough information to
   bypass those efforts on a later attempt, though it might also assist
   a legitimate client to determine the source of some local issue that
   caused the rejection.

15.7.  Capacity Planning

   DMARC participants will need to do some capacity planning around
   their implementations.  Some of the factors to be considered include:

   Storage:  Clearly as more messages are received claiming to be from a
      particular domain, and from increasingly disparate sources, a Mail
      Receiver must store more information in order to be able to
      generate accurate reports to return to the Domain Owner.  This
      will also increase with the number of Domain Owners for which the
      Mail Receiver agrees to provide service.  Similarly, Domain Owners
      will need to plan based on how long they wish to store the data
      found in received reports.  When Domain Owners enter exceptional
      situations and are unable to accept reports, Mail Receivers will
      be burdened with extra storage requirements, and may need to
      include in their agreements with Domain Owners stipulations for
      how long undelivered data will be cached.




Kucherawy                                                      [Page 35]

                                  DMARC                     October 2011


   Frequency:  Naturally, sending reports more frequently increases
      processing costs at both the Mail Receiver and the Domain Owner,
      but decreases storage requirements as the data are consumed at
      both ends when reports are produced and consumed.  At the same
      time, less frequent report generation means any summaries
      available to Domain Owners become stale.  An appropriate balance
      will need to be sought.

   DNS:  DMARC imposes up to two additional DNS queries per arriving
      message, namely the TXT queries to try to locate a policy
      statement.  For Mail Receivers, these are queries sent; for Domain
      Owners, these are queries that must be handled.  Both sides will
      need to plan for the additional DNS load.

15.8.  Privacy Considerations

   This section discusses security issues specific to private data that
   may be included in the interactions that are part of DMARC.

15.8.1.  Data Exposure Considerations

   Aggregate reporting helps Domain Owners understand their mailstreams'
   authentication performance at a given Mail Receiver.  When the Domain
   Owner collects and analyzes reports from multiple Mail Receivers, it
   can get a very good overall understanding of how its mail performs
   across the Internet.  The aggregate reports are limited in scope to
   the results of DMARC, the underlying authentication mechanisms, and
   identities involved in validation, to provide a statistical picture
   of email authentication performance at a given Mail Receiver.

   Failed message reporting provides the "smoking gun" for an
   authentication failure: the message itself.  A Domain Owner can elect
   to have any message it sends that fails authentication returned by
   the Mail Receiver, along with additional information about the
   envelope and authentication results.  Because the report can contain
   the signed message contents as well as trace header fields, the
   Domain Owner is able to analyze the report and see why individual
   authentication mechanisms failed, gaining insight into
   misconfigurations or other problems with their email and network
   infrastructure, or to determine the nature of fraudulent emails.

   Both report types may expose sender and recipient identities (e.g.,
   RFC5322.From fields), and though the [AFRF] format used for failed
   message reporting supports redaction, it is capable of exposing the
   entire message to the report recipient.






Kucherawy                                                      [Page 36]

                                  DMARC                     October 2011


15.8.2.  Report Recipients

   A DMARC record can specify that reports are sent to an intermediary
   operating on behalf of the Domain Owner.  This is done when the
   Domain Owner contracts such an entity to monitor its mailstream for
   abuse and performance issues.  Receipt by third parties of such data
   may or may not be permitted by the Mail Receiver's privacy policy,
   terms of use, or other similar governing document.  It is up to both
   parties to review and understand whether their policies constrain the
   use of DMARC reporting.

15.8.3.  Report Generators

   The entity (e.g., mailbox provider, Internet service provider)
   receiving emails is typically responsible for generating DMARC
   reports.  Such entities are typically charged with protecting
   accidental disclosure of their users' data.  In this case, disclosure
   is being requested by the entity generating the email in the first
   place, i.e., the Domain Owner, so this may not fit squarely within
   existing privacy policy provisions.  For some providers, aggregate
   and failed message reporting are viewed as a function similar to
   complaint reporting about spamming or phishing, and treated similarly
   under the privacy policy.  Report generators (i.e., Mail Receivers)
   are encouraged to review their reporting limitations under such
   policies before enabling DMARC reporting.

15.8.4.  Secure Protocols

   This document encourages use of secure transport mechanisms to
   prevent loss of any private data to third parties that may be able to
   monitor such transmissions.  Open transport mechanisms should
   certainly be avoided.


16.  References

16.1.  Normative References

   [ABNF]     Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 5234, January 2008.

   [AFRF]     Fontana, H., "Authentication Failure Reporting using the
              Abuse Report Format",
              I-D draft-ietf-marf-authfailure-report, September 2011.

   [DKIM]     Crocker, D., Hansen, T., and M. Kucherawy, "DomainKeys
              Identified Mail (DKIM) Signatures", RFC 6376,
              September 2011.



Kucherawy                                                      [Page 37]

                                  DMARC                     October 2011


   [DNS]      Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [KEYWORDS]
              Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [MAIL]     Resnick, P., Ed., "Internet Message Format", RFC 5322,
              October 2008.

   [MIME]     Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part One: Format of Internet Message
              Bodies", RFC 2045, November 1996.

   [SMTP]     Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
              October 2008.

   [SPF]      Wong, M. and W. Schlitt, "Sender Policy Framework (SPF)
              for Authorizing Use of Domains in E-Mail, Version 1",
              RFC 4408, April 2006.

   [STARTTLS]
              Hoffman, P., "SMTP Service Extension for Secure SMTP over
              Transport Layer Security", RFC 3207, February 2002.

   [URI]      Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", RFC 3986,
              January 2005.

16.2.  Informative References

   [ADSP]     Allman, E., Fenton, J., Delany, M., and J. Levine,
              "DomainKeys Identified Mail (DKIM) Author Domain Signing
              Practices (ADSP)", RFC 5617, August 2009.

   [AUTH-RESULTS]
              Kucherawy, M., "Message Header Field for Indicating
              Message Authentication Status", RFC 5451, April 2009.

   [DKIM-DEPLOYMENT]
              Hansen, T., Crocker, D., and P. Hallam-Baker, "DomainKeys
              Identified Mail (DKIM) Development, Deployment, and
              Operations", RFC 5863, May 2010.

   [DKIM-OVERVIEW]
              Hansen, T., Crocker, D., and P. Hallam-Baker, "DomainKeys
              Identified Mail (DKIM) Service Overview", RFC 5598,
              July 2009.



Kucherawy                                                      [Page 38]

                                  DMARC                     October 2011


   [DSN]      Moore, K. and G. Vaudreuil, "An Extensible Message Format
              for Delivery Status Notifications", RFC 3464,
              January 2003.

   [EMAIL-ARCH]
              Crocker, D., "Internet Mail Architecture", RFC 5598,
              July 2009.

   [IANA-CONSIDERATIONS]
              Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              May 2008.

   [IODEF]    Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident
              Object Description Exchange Format", RFC 5070,
              December 2007.

   [ROLES]    Crocker, D., "Mailbox Names for Common Services, Roles and
              Functions", RFC 2142, May 1997.


Appendix A.  Examples

   This section illustrates both the Domain Owner side and the Mail
   Receiver side of a DMARC exchange.

A.1.  Identity Alignment examples

   The following are some examples of Identity Alignment.  Only message
   headers are shown since message bodies are not considered when
   conducting DMARC evaluations.

A.1.1.  SPF

   In alignment:

        MAIL FROM: <sender@example.com>

        From: sender@example.com
        Date: Fri, Feb 15 2002 16:54:30 -0800
        To: receiver@example.org
        Subject: here's a sample

   Example 1: SPF In Alignment

   In this case, the RFC5321.MailFrom parameter and the RFC5322.From
   field have identical DNS domains.  Thus, the identities are in
   alignment.



Kucherawy                                                      [Page 39]

                                  DMARC                     October 2011


   In alignment (parent):

        MAIL FROM: <sender@example.com>

        From: sender@child.example.com
        Date: Fri, Feb 15 2002 16:54:30 -0800
        To: receiver@example.org
        Subject: here's a sample

   Example 2: SPF In Alignment (parent)

   In this case, the RFC5321.MailFrom parameter includes a DNS domain
   that is a parent of the RFC5322.From domain.  Thus, the identities
   are in alignment if "relaxed" SPF mode is requested by the Domain
   Owner, and not in alignment if "strict" SPF mode is requested.

   Not in alignment:

        MAIL FROM: <sender@example.net>

        From: sender@child.example.com
        Date: Fri, Feb 15 2002 16:54:30 -0800
        To: receiver@example.org
        Subject: here's a sample

   Example 3: SPF Not In Alignment

   In this case, the RFC5321.MailFrom parameter includes a DNS domain
   that is neither the same as nor a parent of the RFC5322.From domain.
   Thus, the identities are not in alignment.

A.1.2.  DKIM

   The examples below assume the DKIM signatures pass verification.
   Alignment cannot exist with a DKIM signature that does not verify.

   In alignment:

        DKIM-Signature: v=1; ...; d=example.com; ...
        From: sender@example.com
        Date: Fri, Feb 15 2002 16:54:30 -0800
        To: receiver@example.org
        Subject: here's a sample

   Example 1: DKIM In Alignment

   In this case, the DKIM "d=" parameter and the RFC5322.From field have
   identical DNS domains.  Thus, the identities are in alignment.



Kucherawy                                                      [Page 40]

                                  DMARC                     October 2011


   In alignment (parent):

        DKIM-Signature: v=1; ...; d=example.com; ...
        From: sender@child.example.com
        Date: Fri, Feb 15 2002 16:54:30 -0800
        To: receiver@example.org
        Subject: here's a sample

   Example 2: DKIM In Alignment (parent)

   In this case, the DKIM signature's "d=" parameter includes a DNS
   domain that is a parent of the RFC5322.From domain.  Thus, the
   identities are in alignment.

   Not in alignment:

        DKIM-Signature: v=1; ...; d=example.net; ...
        From: sender@child.example.com
        Date: Fri, Feb 15 2002 16:54:30 -0800
        To: receiver@example.org
        Subject: here's a sample

   Example 3: DKIM Not In Alignment

   In this case, the DKIM signature's "d=" parameter includes a DNS
   domain that is neither the same as nor a parent of the RFC5322.From
   domain.  Thus, the identities are not in alignment.

A.2.  Domain Owner example

   A Domain Owner that wants to use DMARC should have already deployed
   and tested SPF and DKIM.  The next step will be to publish a DNS
   record that advertises a DMARC policy for its organizational domain.

A.2.1.  Entire Domain, Monitoring Only

   The owner of the domain "example.com" has deployed SPF and DKIM on
   its messaging infrastructure.  It wishes to begin using DMARC with a
   policy that will solicit aggregate feedback from receivers without
   affecting how the messages are processed, in order to:

   o  Confirm that its legitimate messages are authenticating correctly

   o  Verify that all authorized message sources have implemented
      authentication measures

   o  Determine how many messages from other sources would be affected
      by a blocking policy



Kucherawy                                                      [Page 41]

                                  DMARC                     October 2011


   The Domain Owner accomplishes this by constructing a policy record
   indicating that:

   o  The version of DMARC being used is "DMARC1" ("v=DMARC1")

   o  Receivers should not alter how they treat these messages because
      of this DMARC policy record ("p=none")

   o  Aggregate feedback reports should be sent via email to the address
      "dmarc-feedback@example.com"
      ("rua=mailto:dmarc-feedback@example.com")

   o  All messages from this organizational domain are subject to this
      policy (no "pct" tag present, so the default of 100% applies)

   The DMARC policy record might look like this when retrieved using a
   common command-line tool:

     % dig +short TXT _dmarc.example.com.
     "v=DMARC1\; p=none\; rua=mailto:dmarc-feedback@example.com"

   To publish such a record, the DNS administrator for the Domain Owner
   might create an entry like the following in the appropriate zone file
   (following the conventional zone file format):

     ; DMARC record for the domain example.com

     _dmarc  IN TXT ( "v=DMARC1; p=none; "
                      "rua=mailto:dmarc-feedback@example.com" )

A.2.2.  Entire Domain, Monitoring Only, Per-Message Reports

   The Domain Owner from the previous example has used the aggregate
   reporting to discover some messaging systems that had not yet
   implemented DKIM correctly, but they are still seeing periodic
   authentication failures.  In order to diagnose these intermittent
   problems they wish to request per-message forensic reports when
   authentication failures occur.

   Not all Receivers will honor such a request, but the Domain Owner
   feels that any reports it does receive will be helpful enough to
   justify publishing this record.  The default per-message report
   format ([AFRF]) meets the Domain Owner's needs in this scenario.

   The Domain Owner accomplishes this by adding the following to its
   policy record from Appendix A.2):





Kucherawy                                                      [Page 42]

                                  DMARC                     October 2011


   o  Per-message forensic reports should be sent via email to the
      address "auth-reports@example.com"
      ("ruf=mailto:auth-reports@example.com")

   The DMARC policy record might look like this when retrieved using a
   common command-line tool (the output shown would appear on a single
   line, but is wrapped here for publication):

     % dig +short TXT _dmarc.example.com.
     "v=DMARC1\; p=none\; rua=mailto:dmarc-feedback@example.com\;
      ruf=mailto:auth-reports@example.com"

   To publish such a record, the DNS administrator for the Domain Owner
   might create an entry like the following in the appropriate zone file
   (following the conventional zone file format):

    ; DMARC record for the domain example.com

    _dmarc  IN TXT ( "v=DMARC1; p=none; "
                     "rua=mailto:dmarc-feedback@example.com; "
                     "ruf=mailto:auth-reports@example.com" )

A.2.3.  Sub-Domain, Sampling, and Multiple Aggregate Report URIs

   The Domain Owner has implemented SPF and DKIM in a sub-domain used
   for pre-production testing of messaging services.  It now wishes to
   request that participating receivers act to reject messages from this
   sub-domain that fail to authenticate.

   As a first step it will ask that a portion (1/4 in this example) of
   failing messages be quarantined, enabling examination of messages
   sent to mailboxes hosted by participating receivers.  Aggregate
   feedback reports will be sent to a mailbox within the Organizational
   Domain, and to a mailbox at a third party selected and authorized to
   receive same by the Domain Owner.

   The Domain Owner will accomplish this by constructing a policy record
   indicating that:

   o  The version of DMARC being used is "DMARC1" ("v=DMARC1")

   o  It is applied only to this sub-domain (record is published at
      "_dmarc.test.example.com" and not "_dmarc.example.com")

   o  Receivers should quarantine messages from this organizational
      domain that fail to authenticate ("p=quarantine")





Kucherawy                                                      [Page 43]

                                  DMARC                     October 2011


   o  Aggregate feedback reports should be sent via email to the
      addresses "dmarc-feedback@example.com" and
      "example-tld-test@thirdparty.example.net" ("rua=mailto:dmarc-
      feedback@example.com,mailto:example-tld-test@
      thirdparty.example.net")

   o  25% of messages from this Organizational Domain are subject to
      action based on this policy ("pct=25")

   The DMARC policy record might look like this when retrieved using a
   common command-line tool (the output shown would appear on a single
   line, but is wrapped here for publication):

     % dig +short TXT _dmarc.test.example.com
     "v=DMARC1\; p=quarantine\; rua=mailto:dmarc-feedback@example.com,
      mailto:example-tld-test@thirdparty.example.net\; pct=25"

   To publish such a record, the DNS administrator for the Domain Owner
   might create an entry like the following in the appropriate zone
   file:

     ; DMARC record for the domain example.com

     _dmarc IN  TXT  ( "v=DMARC1; p=quarantine; "
                       "rua=mailto:dmarc-feedback@example.com,"
                       "mailto:example-tld-test@thirdparty.example; "
                       "pct=25" )

A.2.4.  Third Party Sender and Identity Alignment

   The Domain Owner only uses the top-level domain for email, and uses a
   third-party sender for some marketing message traffic.  It has
   implemented SPF and DKIM across its in-house infrastructure and
   required the third-party to do the same.  A monitoring period has
   shown that the Domain Owner and the third-party sender are both
   executing well with respect to email authentication measures.

   The third-party has access to the appropriate DKIM private or signing
   keys for the selectors it will use.  However the third-party uses
   sub-domains like "id1234.bounces.example.com" in the RFC5321.Mailfrom
   address for campaign tracking and troubleshooting purposes.  The sub-
   domain "bounces.example.com" has been delegated to the third-party so
   that it can publish appropriate MX records in the DNS.

   Therefore the Domain Owner wishes to publish a policy that requests
   rejection of messages which fail to authenticate, strict identity
   alignment for DKIM authentication, but relaxed identity alignment for
   SPF checks.  Aggregate reports will only be sent to the Domain Owner



Kucherawy                                                      [Page 44]

                                  DMARC                     October 2011


   in this example.

   The Domain Owner will accomplish this by constructing a policy record
   indicating that:

   o  The version of DMARC being used is "DMARC1" ("v=DMARC1")

   o  Receivers should reject messages that fail to authenticate
      ("p=reject")

   o  Strict identity alignment should be applied to DKIM checks
      ("adkim=s")

   o  Relaxed identity alignment should be applied to SPF checks
      ("aspf=r")

   o  Aggregate feedback reports should be sent via email to the address
      "dmarc-feedback@example.com"
      ("rua=mailto:dmarc-feedback@example.com")

   The DMARC policy record might look like this when retrieved using a
   common command-line tool (the output shown would appear on a single
   line, but is wrapped here for publication):

     % dig +short TXT _dmarc.example.com
     "v=DMARC1\; p=reject\; adkim=s\; aspf=r\;
      rua=mailto:dmarc-feedback@example.com"

   To publish such a record, the DNS administrator for the Domain Owner
   might create an entry like the following in the appropriate zone
   file:

     ; DMARC record for the domain example.com
     _dmarc  IN  TXT  ( "v=DMARC1; p=reject; adkim=s; aspf=r; "
                        "rua=mailto:dmarc-feedback@example.com" )

A.2.5.  Sub-Domain Policy, Reporting Interval

   In this example the Domain Owner only uses addresses in the
   Organizational Domain itself ("user@example.com" versus
   "user@sub.example.com").  A business decision has been made that
   messages incorrectly being rejected as false positives during, for
   example, a transient outage are unacceptable.  Therefore, the desired
   policy is that:

   o  Messages from the Organizational Domain that fail authentication
      should be quarantined




Kucherawy                                                      [Page 45]

                                  DMARC                     October 2011


   o  Messages from any sub-domain should be rejected

   Furthermore the Domain Owner would like to request that aggregate
   data be sent at four hour intervals to themselves and a third-party
   service for analysis and action.  It recognizes that not all
   Receivers will honor this request, but feels that faster intraday
   analysis of failures and threats make this worthwhile.

   The Domain Owner will accomplish this by constructing a policy record
   indicating that:

   o  The version of DMARC being used is "DMARC1" ("v=DMARC1")

   o  Receivers should quarantine messages from this domain that fail to
      authenticate ("p=quarantine")

   o  Receivers should reject messages from any sub-domains that fail to
      authenticate ("sp=reject")

   o  Aggregate reports should be generated every four hours
      ("ri=14400")

   o  Aggregate reports should be sent via email to the addresses
      "dmarc-feedback@example.com" and
      "customer-analysis@thirdparty.example.net" ("rua=mailto:dmarc-
      feedback@example.com,mailto:customer-analysis@
      thirdparty.example.net")

   The DMARC policy record might look like this when retrieved using a
   common command-line tool (the output shown would appear on a single
   line, but is wrapped here for publication):

     % dig +short TXT _dmarc.example.com
     "v=DMARC1\; p=quarantine\; sp=reject\; ri=14400\;
      rua=mailto:dmarc-feedback@example.com,
      mailto:customer-data@thirdparty.example.net"

   To publish such a record, the DNS administrator for the Domain Owner
   might create an entry like the following in the appropriate zone
   file:

     ; DMARC record for the domain example.com
     _dmarc  IN  TXT  ( "v=DMARC1; p=quarantine; sp=reject; "
                        "rua=mailto:dmarc-feedback@example.com,"
                        "mailto:customer-data@thirdparty.example.net" )






Kucherawy                                                      [Page 46]

                                  DMARC                     October 2011


A.3.  Mail Receiver example

   [TBD: Example of what a participating receiver does with a piece of
   email]

A.4.  Utilization of Aggregate Feedback example

   [TBD: Example of what Domain Owners should do with feedback]

A.5.  mailto Transport example

   [TBD: Example of communicating feedback via mailto URI]

A.6.  https Transport example

   [TBD: Example of communicating feedback via https URI]


Appendix B.  Organizational Domain Discovery Issues

   Although protocols like ADSP are useful for "protecting" a specific
   domain name, they are not helpful at protecting subdomains.  If one
   wished to protect "example.com" by requiring via ADSP that all mail
   bearing an RFC5322.From domain of "example.com" be signed, this would
   "protect" that domain; however, one could then craft an email whose
   RFC5322.From domain is "security.example.com", and ADSP would not
   provide any protection.  One could use a DNS wildcard, but this can
   undesirably interfere with other DNS activity; one could add ADSP
   records as fraudulent domains are discovered, but this solution does
   not scale.

   The DNS does not provide a method by which the "domain of record", or
   the domain that was actually registered with a domain registrar, can
   be determined given an arbitrary domain name.  Suggestions have been
   made that attempt to glean such information from SOA or NS resource
   records, but these too are not fully reliable as the partitioning of
   the DNS is not always done at administrative boundaries.

   When seeking domain-specific policy based on an arbitrary domain
   name, one could "climb the tree", dropping labels off the left end of
   the name until the root is reached or a policy is discovered, but
   then one could craft a name that has a large number of nonsense
   labels; this would cause a Mail Receiver to attempt a large number of
   queries in search of a policy record.  Sending many such messages
   constitutes an amplified denial-of-service attack.

   The Organizational Domain mechanism is a necessary component to the
   goals of DMARC.  The method described in Section 4 is not perfect,



Kucherawy                                                      [Page 47]

                                  DMARC                     October 2011


   but serves this purpose reasonably well without adding undue burden
   or semantics to the DNS.


Appendix C.  Issues With ADSP In Operation

   Contributors to DMARC have compiled a list of issues associated with
   ADSP, gained from operational experience, that have influenced the
   direction of DMARC:

   1.  ADSP has no support for subdomains, i.e., the ADSP record for
       example.com does not explicitly or implicitly apply to
       subdomain.example.com.  If wildcarding is not applied, then
       spammers can trivially bypass ADSP by sending from a subdomain
       with no ADSP record.

   2.  Non-existent subdomains are explicitly out of scope in ADSP.
       There is nothing in ADSP that states receivers should simply
       reject mail from NXDOMAINs regardless of ADSP policy (which of
       course allows spammers to trivially bypass ADSP by sending email
       from non-existent subdomains).

   3.  ADSP has no operational advice on when to look up the ADSP
       record.

   4.  ADSP has no support for using SPF as an auxiliary mechanism to
       DKIM.

   5.  ADSP has no support for a slow roll-out, i.e., no way to
       configure a percentage of email on which the receiver should
       apply the policy.  This is important for large-volume senders.

   6.  ADSP has no explicit support for an intermediate phase where the
       receiver quarantines (e.g., sends to the recipient's "spam"
       folder) rather than rejects the email.

   7.  The binding between the "From" header domain and DKIM is too
       tight for ADSP; they must match exactly.


Appendix D.  DMARC Discovery Requirements

   Contributors to DMARC have also compiled a list of requirements that
   have informed the design of how DMARC policy is determined:

   1.  Simple to implement, especially for the feedback generator.





Kucherawy                                                      [Page 48]

                                  DMARC                     October 2011


   2.  Minimize DNS queries in the discovery phase.

   3.  Resilient to abuse of the report consumer.  The ability of
       abusers to publish feedback addresses on wildcarded domains to
       create a lot of meaningless work for the generator is to be
       avoided.  In recognition that DMARC can be used to perform "joe-
       job" attacks, the feedback destination URI should be within the
       same organizational domain.  If it is not, the feedback generator
       need to make a best-effort attempt not to joe-job the apparent
       feedback consumer.

   4.  Support for multiple intermediaries.  (An intermediary is an
       agent that collects aggregate feedback reports and manipulates
       that data for presentation to the interested party.)  All
       intermediaries should be able to get the data easily.

   5.  Transport layer security as an option.

   6.  Feedback generator verification.  Posting a URI in DNS to which
       anyone can upload large amounts of data is always dangerous.  The
       feedback consumer has to have a way to prevent denial of service
       attacks by dropping or blocking unwanted data.


Appendix E.  DMARC XML Schema

   The following is the proposed initial schema for producing XML
   formatted aggregate reports as described in this memo:

   <?xml version="1.0"?>
   <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">

   <!-- The time range in UTC covered by messages in this report,
        specified in seconds since epoch. -->
   <xs:complexType name="DateRangeType">
     <xs:all>
       <xs:element name="begin" type="xs:integer"/>
       <xs:element name="end" type="xs:integer"/>
     </xs:all>
   </xs:complexType>

   <!-- Report generator metadata -->
   <xs:complexType name="ReportMetadataType">
     <xs:sequence>
       <xs:element name="org_name" type="xs:string"/>
       <xs:element name="email" type="xs:string"/>
       <xs:element name="extra_contact_info" type="xs:string"
                  minOccurs="0"/>



Kucherawy                                                      [Page 49]

                                  DMARC                     October 2011


       <xs:element name="report_id" type="xs:string"/>
       <xs:element name="date_range" type="DateRangeType"/>
       <xs:element name="error" type="xs:string" minOccurs="0"
         maxOccurs="unbounded"/>
     </xs:sequence>
   </xs:complexType>

   <!-- Alignment mode (relaxed or strict) for DKIM and
        SPF. -->
   <xs:simpleType name="AlignmentType">
     <xs:restriction base="xs:string">
       <xs:enumeration value="r"/>
       <xs:enumeration value="s"/>
     </xs:restriction>
   </xs:simpleType>

   <!-- The policy actions specified by p and sp in the
        DMARC record. -->
   <xs:simpleType name="DispositionType">
     <xs:restriction base="xs:string">
       <xs:enumeration value="none"/>
       <xs:enumeration value="quarantine"/>
       <xs:enumeration value="reject"/>
     </xs:restriction>
   </xs:simpleType>

   <!-- The DMARC policy that applied to the messages in
       this report. -->
   <xs:complexType name="PolicyPublishedType">
     <xs:all>
       <!-- The domain at which the DMARC record was found. -->
       <xs:element name="domain" type="xs:string"/>
       <!-- The DKIM alignment mode. -->
       <xs:element name="adkim" type="AlignmentType"/>
       <!-- The SPF alignment mode. -->
       <xs:element name="aspf" type="AlignmentType"/>
       <!-- The policy to apply to messages from the domain. -->
       <xs:element name="p" type="DispositionType"/>
       <!-- The policy to apply to messages from subdomains. -->
       <xs:element name="sp" type="DispositionType"/>
       <!-- The percent of messages to which policy applies. -->
       <xs:element name="pct" type="xs:integer"/>
     </xs:all>
   </xs:complexType>

   <!-- The DMARC-aligned authentication result. -->
   <xs:simpleType name="DMARCResultType">
     <xs:restriction base="xs:string">



Kucherawy                                                      [Page 50]

                                  DMARC                     October 2011


       <xs:enumeration value="pass"/>
       <xs:enumeration value="fail"/>
     </xs:restriction>
   </xs:simpleType>

   <!-- Reasons that may affect DMARC disposition or execution
        thereof. -->
   <xs:simpleType name="PolicyOverrideType">
     <xs:restriction base="xs:string">
       <xs:enumeration value="forwarded"/>
       <xs:enumeration value="sampled_out"/>
       <xs:enumeration value="trusted_forwarder"/>
       <xs:enumeration value="other"/>
     </xs:restriction>
   </xs:simpleType>

   <xs:complexType name="PolicyOverrideReason">
     <xs:all>
       <xs:element name="type" type="PolicyOverrideType"/>
       <xs:element name="comment" type="xs:string"
                  minOccurs="0"/>
     </xs:all>
   </xs:complexType>

   <!-- Taking into account everything else in the record,
        the results of applying DMARC. -->
   <xs:complexType name="PolicyEvaluatedType">
     <xs:sequence>
       <xs:element name="disposition" type="DispositionType"/>
       <xs:element name="dkim" type="DMARCResultType"/>
       <xs:element name="spf" type="DMARCResultType"/>
       <xs:element name="reason" type="PolicyOverrideReason"
                     minOccurs="0" maxOccurs="unbounded"/>
     </xs:sequence>
   </xs:complexType>

   <!-- Credit to Roger L. Costello for IPv4 regex
       http://mailman.ic.ac.uk/pipermail/xml-dev/1999-December/
            018018.html -->
   <!-- Credit to java2s.com for IPv6 regex
       http://www.java2s.com/Code/XML/XML-Schema/
            IPv6addressesareeasiertodescribeusingasimpleregex.htm -->
   <xs:simpleType name="IPAddress">
     <xs:restriction base="xs:string">
       <xs:pattern value="((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]).){3}
                   (1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])|
                   ([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}"/>
     </xs:restriction>



Kucherawy                                                      [Page 51]

                                  DMARC                     October 2011


   </xs:simpleType>

   <xs:complexType name="RowType">
     <xs:all>
       <!-- The connecting IP. -->
       <xs:element name="source_ip" type="IPAddress"/>
       <!-- The number of matching messages -->
       <xs:element name="count" type="xs:integer"/>
       <!-- The DMARC disposition applying to matching
            messages. -->
       <xs:element name="policy_evaluated"
                   type="PolicyEvaluatedType"/>
     </xs:all>
   </xs:complexType>

   <xs:complexType name="IdentityType">
     <xs:all>
       <!-- The envelope recipient domain. -->
       <xs:element name="envelope_to" type="xs:string"
                  minOccurs="0"/>
       <!-- The payload From domain. -->
       <xs:element name="header_from" type="xs:string"
                  minOccurs="1"/>
     </xs:all>
   </xs:complexType>

   <!-- DKIM verification result, according to RFC 5451
        Section 2.4.1. -->
   <xs:simpleType name="DKIMResultType">
     <xs:restriction base="xs:string">
       <xs:enumeration value="none"/>
       <xs:enumeration value="pass"/>
       <xs:enumeration value="fail"/>
       <xs:enumeration value="policy"/>
       <xs:enumeration value="neutral"/>
       <xs:enumeration value="temperror"/>
       <xs:enumeration value="permerror"/>
     </xs:restriction>
   </xs:simpleType>

   <xs:complexType name="DKIMAuthResultType">
     <xs:all>
       <!-- The d= parameter in the signature -->
       <xs:element name="domain" type="xs:string"
                   minOccurs="1"/>
       <!-- The DKIM verification result -->
       <xs:element name="result" type="DKIMResultType"
                   minOccurs="1"/>



Kucherawy                                                      [Page 52]

                                  DMARC                     October 2011


       <!-- Any extra information (e.g., from
            Authentication-Results -->
       <xs:element name="human_result" type="xs:string"
                   minOccurs="0"/>
     </xs:all>
   </xs:complexType>

   <!-- SPF result -->
   <xs:simpleType name="SPFResultType">
     <xs:restriction base="xs:string">
       <xs:enumeration value="none"/>
       <xs:enumeration value="neutral"/>
       <xs:enumeration value="pass"/>
       <xs:enumeration value="fail"/>
       <xs:enumeration value="softfail"/>
       <!-- "TempError" commonly implemented as "unknown" -->
       <xs:enumeration value="temperror"/>
       <!-- "PermError" commonly implemented as "error" -->
       <xs:enumeration value="permerror"/>
     </xs:restriction>
   </xs:simpleType>

   <xs:complexType name="SPFAuthResultType">
     <xs:all>
       <!-- The envelope From domain. -->
       <xs:element name="domain" type="xs:string" minOccurs="1"/>
       <!-- The DKIM verification result -->
       <xs:element name="result" type="SPFResultType"
                   minOccurs="1"/>
     </xs:all>
   </xs:complexType>

   <!-- This element contains DKIM and SPF results, uninterpreted
        with respect to DMARC. -->
   <xs:complexType name="AuthResultType">
     <xs:sequence>
       <!-- There may be no DKIM signatures, or multiple DKIM
            signatures. -->
       <xs:element name="dkim" type="DKIMAuthResultType"
         minOccurs="0" maxOccurs="unbounded"/>
       <!-- There will always be at least one SPF result. -->
       <xs:element name="spf" type="SPFAuthResultType" minOccurs="1"
         maxOccurs="unbounded"/>
     </xs:sequence>
   </xs:complexType>

   <!-- This element contains all the authentication results used
        to evaluate the DMARC disposition for the given set of



Kucherawy                                                      [Page 53]

                                  DMARC                     October 2011


        messages. -->
   <xs:complexType name="RecordType">
     <xs:sequence>
       <xs:element name="row" type="RowType"/>
       <xs:element name="identities" type="IdentityType"/>
       <xs:element name="auth_results" type="AuthResultType"/>
     </xs:sequence>
   </xs:complexType>

   <!-- Parent -->
   <xs:element name="feedback">
     <xs:complexType>
       <xs:sequence>
         <xs:element name="report_metadata"
                    type="ReportMetadataType"/>
         <xs:element name="policy_published"
                    type="PolicyPublishedType"/>
         <xs:element name="record" type="RecordType"
                     maxOccurs="unbounded"/>
       </xs:sequence>
     </xs:complexType>
   </xs:element>
   </xs:schema>


Appendix F.  Public Suffix Lists

   A public suffix list for the purposes of determining the
   Organizational Domain can be obtained from various sources.  The most
   common one is maintained by the Mozilla Foundation and made public at
   http://publicsuffix.org.  License terms governing the use of that
   list are available at that URI.


Appendix G.  Public Discussion

   Public discussion of the DMARC proposal documents is taking place on
   the dmarc-discuss@googlegroups.com mailing list.  Subscription is
   available at http://www.dmarc.org/mailman/listinfo/dmarc-discuss.












Kucherawy                                                      [Page 54]

                                  DMARC                     October 2011


Author's Address

   Murray S. Kucherawy (editor)
   Cloudmark
   128 King St., 2nd Floor
   San Francisco, CA  94107
   USA

   Phone: +1 415 946 3800
   Email: msk@cloudmark.com









































Kucherawy                                                      [Page 55]

