Domain-based Message Authentication, Reporting and Conformance (DMARC)
draft-kucherawy-dmarc-base-06
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 7489.
|
|
|---|---|---|---|
| Authors | Murray Kucherawy , Elizabeth Zwicky | ||
| Last updated | 2014-11-10 | ||
| RFC stream | Independent Submission | ||
| Formats | |||
| IETF conflict review | conflict-review-kucherawy-dmarc-base, conflict-review-kucherawy-dmarc-base, conflict-review-kucherawy-dmarc-base, conflict-review-kucherawy-dmarc-base, conflict-review-kucherawy-dmarc-base, conflict-review-kucherawy-dmarc-base | ||
| Additional resources | |||
| Stream | ISE state | In ISE Review | |
| Consensus boilerplate | Unknown | ||
| Document shepherd | (None) | ||
| IESG | IESG state | Became RFC 7489 (Informational) | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-kucherawy-dmarc-base-06
lt;xs:enumeration value="none"/>
<xs:enumeration value="quarantine"/>
<xs:enumeration value="reject"/>
</xs:restriction>
</xs:simpleType>
<!-- The DMARC policy that applied to the messages in
this report. -->
<xs:complexType name="PolicyPublishedType">
<xs:all>
<!-- The domain at which the DMARC record was found. -->
<xs:element name="domain" type="xs:string"/>
<!-- The DKIM alignment mode. -->
<xs:element name="adkim" type="AlignmentType"
minOccurs="0"/>
<!-- The SPF alignment mode. -->
<xs:element name="aspf" type="AlignmentType"
minOccurs="0"/>
<!-- The policy to apply to messages from the domain. -->
<xs:element name="p" type="DispositionType"/>
<!-- The policy to apply to messages from subdomains. -->
<xs:element name="sp" type="DispositionType"/>
<!-- The percent of messages to which policy applies. -->
<xs:element name="pct" type="xs:integer"/>
<!-- Failure reporting options in effect. -->
<xs:element name="fo" type="xs:string"/>
</xs:all>
</xs:complexType>
<!-- The DMARC-aligned authentication result. -->
<xs:simpleType name="DMARCResultType">
<xs:restriction base="xs:string">
<xs:enumeration value="pass"/>
<xs:enumeration value="fail"/>
</xs:restriction>
</xs:simpleType>
<!-- Reasons that may affect DMARC disposition or execution
thereof. -->
<xs:simpleType name="PolicyOverrideType">
<xs:restriction base="xs:string">
<xs:enumeration value="forwarded"/>
<xs:enumeration value="sampled_out"/>
<xs:enumeration value="trusted_forwarder"/>
<xs:enumeration value="mailing_list"/>
<xs:enumeration value="local_policy"/>
<xs:enumeration value="other"/>
Kucherawy & Zwicky Expires May 14, 2015 [Page 65]
Internet-Draft DMARC November 2014
</xs:restriction>
</xs:simpleType>
<!-- How do we allow report generators to include new
classes of override reasons if they want to be more
specific than "other"? -->
<xs:complexType name="PolicyOverrideReason">
<xs:all>
<xs:element name="type" type="PolicyOverrideType"/>
<xs:element name="comment" type="xs:string"
minOccurs="0"/>
</xs:all>
</xs:complexType>
<!-- Taking into account everything else in the record,
the results of applying DMARC. -->
<xs:complexType name="PolicyEvaluatedType">
<xs:sequence>
<xs:element name="disposition" type="DispositionType"/>
<xs:element name="dkim" type="DMARCResultType"/>
<xs:element name="spf" type="DMARCResultType"/>
<xs:element name="reason" type="PolicyOverrideReason"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<!-- Credit to Roger L. Costello for IPv4 regex
http://mailman.ic.ac.uk/pipermail/xml-dev/1999-December/
018018.html -->
<!-- Credit to java2s.com for IPv6 regex
http://www.java2s.com/Code/XML/XML-Schema/
IPv6addressesareeasiertodescribeusingasimpleregex.htm -->
<xs:simpleType name="IPAddress">
<xs:restriction base="xs:string">
<xs:pattern value="((1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5]).){3}
(1?[0-9]?[0-9]|2[0-4][0-9]|25[0-5])|
([A-Fa-f0-9]{1,4}:){7}[A-Fa-f0-9]{1,4}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="RowType">
<xs:all>
<!-- The connecting IP. -->
<xs:element name="source_ip" type="IPAddress"/>
<!-- The number of matching messages -->
<xs:element name="count" type="xs:integer"/>
<!-- The DMARC disposition applying to matching
messages. -->
Kucherawy & Zwicky Expires May 14, 2015 [Page 66]
Internet-Draft DMARC November 2014
<xs:element name="policy_evaluated"
type="PolicyEvaluatedType"
minOccurs="1"/>
</xs:all>
</xs:complexType>
<xs:complexType name="IdentifierType">
<xs:all>
<!-- The envelope recipient domain. -->
<xs:element name="envelope_to" type="xs:string"
minOccurs="0"/>
<!-- The envelope from domain. -->
<xs:element name="envelope_from" type="xs:string"
minOccurs="1"/>
<!-- The payload From domain. -->
<xs:element name="header_from" type="xs:string"
minOccurs="1"/>
</xs:all>
</xs:complexType>
<!-- DKIM verification result, according to RFC 5451
Section 2.4.1. -->
<xs:simpleType name="DKIMResultType">
<xs:restriction base="xs:string">
<xs:enumeration value="none"/>
<xs:enumeration value="pass"/>
<xs:enumeration value="fail"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="neutral"/>
<xs:enumeration value="temperror"/>
<xs:enumeration value="permerror"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="DKIMAuthResultType">
<xs:all>
<!-- The d= parameter in the signature -->
<xs:element name="domain" type="xs:string"
minOccurs="1"/>
<!-- The s= parameter in the signature -->
<xs:element name="selector" type="xs:string"
minOccurs="0"/>
<!-- The DKIM verification result -->
<xs:element name="result" type="DKIMResultType"
minOccurs="1"/>
<!-- Any extra information (e.g., from
Authentication-Results -->
<xs:element name="human_result" type="xs:string"
Kucherawy & Zwicky Expires May 14, 2015 [Page 67]
Internet-Draft DMARC November 2014
minOccurs="0"/>
</xs:all>
</xs:complexType>
<!-- SPF domain scope -->
<xs:simpleType name="SPFDomainScope">
<xs:restriction base="xs:string">
<xs:enumeration value="helo"/>
<xs:enumeration value="mfrom"/>
</xs:restriction>
</xs:simpleType>
<!-- SPF result -->
<xs:simpleType name="SPFResultType">
<xs:restriction base="xs:string">
<xs:enumeration value="none"/>
<xs:enumeration value="neutral"/>
<xs:enumeration value="pass"/>
<xs:enumeration value="fail"/>
<xs:enumeration value="softfail"/>
<!-- "TempError" commonly implemented as "unknown" -->
<xs:enumeration value="temperror"/>
<!-- "PermError" commonly implemented as "error" -->
<xs:enumeration value="permerror"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="SPFAuthResultType">
<xs:all>
<!-- The checked domain. -->
<xs:element name="domain" type="xs:string" minOccurs="1"/>
<!-- The scope of the checked domain. -->
<xs:element name="scope" type="SPFDomainScope" minOccurs="1"/>
<!-- The SPF verification result -->
<xs:element name="result" type="SPFResultType"
minOccurs="1"/>
</xs:all>
</xs:complexType>
<!-- This element contains DKIM and SPF results, uninterpreted
with respect to DMARC. -->
<xs:complexType name="AuthResultType">
<xs:sequence>
<!-- There may be no DKIM signatures, or multiple DKIM
signatures. -->
<xs:element name="dkim" type="DKIMAuthResultType"
minOccurs="0" maxOccurs="unbounded"/>
<!-- There will always be at least one SPF result. -->
Kucherawy & Zwicky Expires May 14, 2015 [Page 68]
Internet-Draft DMARC November 2014
<xs:element name="spf" type="SPFAuthResultType" minOccurs="1"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<!-- This element contains all the authentication results that
were evaluated by the receiving system for the given set of
messages. -->
<xs:complexType name="RecordType">
<xs:sequence>
<xs:element name="row" type="RowType"/>
<xs:element name="identifiers" type="IdentifierType"/>
<xs:element name="auth_results" type="AuthResultType"/>
</xs:sequence>
</xs:complexType>
<!-- Parent -->
<xs:element name="feedback">
<xs:complexType>
<xs:sequence>
<xs:element name="version"
type="xs:decimal"/>
<xs:element name="report_metadata"
type="ReportMetadataType"/>
<xs:element name="policy_published"
type="PolicyPublishedType"/>
<xs:element name="record" type="RecordType"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Descriptions of the PolicyOverrideTypes:
forwarded: Message was relayed via a known forwarder, or local
heuristics identified the message as likely having been forwarded.
There is no expectation that authentication would pass.
local_policy: The Mail Receiver's local policy exempted the message
from being subjected to the Domain Owner's requested policy
action.
mailing_list: Local heuristics determined that the message arrived
via a mailing list, and thus authentication of the original
message was not expected to succeed.
Kucherawy & Zwicky Expires May 14, 2015 [Page 69]
Internet-Draft DMARC November 2014
other: Some policy exception not covered by the other entries in
this list occurred. Additional detail can be found in the
PolicyOverrideReason's "comment" field.
sampled_out: Message was exempted from application of policy by the
"pct" setting in the DMARC policy record.
trusted_forwarder: Message authentication failure was anticipated by
other evidence linking the message to a locally-maintained list of
known and trusted forwarders.
The "version" for reports generated per this specification MUST be
the value 1.0.
Appendix D. Public Discussion
Public discussion of the DMARC proposal documents is taking place on
the dmarc-discuss@dmarc.org mailing list. Subscription is available
at http://www.dmarc.org/mailman/listinfo/dmarc-discuss.
[RFC Editor: Please remove this section prior to publication.]
Appendix E. Acknowledgements
DMARC and the version of this document submitted to the IETF were the
result of lengthy efforts by an informal industry consortium:
DMARC.org [1]. Participating companies included: Agari, American
Greetings, AOL, Bank of America, Cloudmark, Comcast, Facebook,
Fidelity Investments, Google, JPMorgan Chase & Company, LinkedIn,
Microsoft, Netease, Paypal, ReturnPath, Trusted Domain Project, and
Yahoo!. Although the number of contributors and supporters are too
numerous to mention, notable individual contributions were made by J.
Trent Adams, Michael Adkins, Monica Chew, Dave Crocker, Tim Draegen,
Steve Jones, Franck Martin, Brett McDowell, and Paul Midgen. The
contributors would also like to recognize the invaluable input and
guidance that was provided early on by J.D. Falk.
Additional contributions within the IETF context were made by Les
Barstow, Jim Fenton, J. Gomez, Mike Jones, Scott Kitterman, Eliot
Lear, John Levine, S. Moonesamy, Henry Timmes, and Stephen J.
Turnbull.
Kucherawy & Zwicky Expires May 14, 2015 [Page 70]
Internet-Draft DMARC November 2014
Authors' Addresses
Murray S. Kucherawy (editor)
Email: superuser@gmail.com
Elizabeth Zwicky (editor)
Yahoo!
Email: zwicky@yahoo-inc.com
Kucherawy & Zwicky Expires May 14, 2015 [Page 71]