Applications Area Working Group T. Akagiri
Internet-Draft
Intended status: Informational G. Yasutaka
Expires: September 15, 2016 Rakuten, Inc.
M. Kase
NIFTY Corporation
K. Okada
K. Maeda
Lepidum Co. Ltd.
March 14, 2016
DMARC verification without record definitions
draft-akagiri-dmarc-virtual-verification-00.txt
Abstract
DMARC is a powerful architecture to defend mail end users from
malicious mail activities, but its deployment is still under process.
To encourage the installations of DMARC, we propose an incremental
deployment procedure in this document.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 15, 2016.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Akagiri, et al. Expires September 15, 2016 [Page 1]
�
Internet-Draft DMARC virtual verification March 2016
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology and Definitions . . . . . . . . . . . . . . . . . 2
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Problem Statement . . . . . . . . . . . . . . . . . . . . 3
3.2. DMARC verification without DMARC records. . . . . . . . . 3
4. The Virtual DMARC Record . . . . . . . . . . . . . . . . . . 4
5. Use cases . . . . . . . . . . . . . . . . . . . . . . . . . . 5
6. Roadmap . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
7. Security consideration . . . . . . . . . . . . . . . . . . . 5
8. Privacy consideration . . . . . . . . . . . . . . . . . . . . 5
9. Discussions . . . . . . . . . . . . . . . . . . . . . . . . . 6
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
11.1. Normative References . . . . . . . . . . . . . . . . . . 6
11.2. Informative References . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
Although DMARC is an effective technology to protect email users from
malicious activities such as phishings or malwares, at this moment
its deployment seems to require more time. A survey[ReturnPath]
indicates that less than 30% of global top companies have published
DMARC records by the end of 2015. To validate incoming emails
properly on the mail receiving domains, it is desirable for more
domains to declare DMARC records.
In this draft, we propose a default DMARC verification for the
domains that do not declare DMARC records. With this verification,
receivers are able to validate the emails from the domains not
publishing DMARC records. This approach allows MTAs on the mail
receiving domains to validate mail senders utilizing virtual DMARC
records filled with default values, and notify mail end receivers of
the validity of mail senders in the compatible manner with DMARC.
2. Terminology and Definitions
o virtual DMARC record: DMARC records virtually created to verify
domains that do not publish DMARC records
Akagiri, et al. Expires September 15, 2016 [Page 2]
�
Internet-Draft DMARC virtual verification March 2016
o regular verification: DMARC RFC7489 verification
o virtual verification: verification leveraging virtual DMARC
records
3. Overview
3.1. Problem Statement
As described in Section 1, currently the adoption rate of DMARC
remains low in the mail sender sides. This means that operators of
receiver MTAs are not encouraged to introduce DMARC verifiers to
their MTAs. DMARC needs operations both on sender sides and receiver
sides, that is, mail senders have to publish DMARC TXT records on
their DNS servers, and MTAs on the receiver domains have to enable
the DMARC verification. Thus the deployment of DMARC is a "Chicken-
and-Egg" question between senders and receivers.
We propose a receiver-driven incremental deployment procedure in this
document.
3.2. DMARC verification without DMARC records.
Figure 1 is the state diagram of the DMARC virtual verification.
+----------+ +-----------+
| SPF Pass | | DKIM Pass |
+----+-----+ +-----+-----+
| |
v v
+----+--------------------+-----+
| DMARC Record exists? |
+-----+-------------------+-----+
Yes v v No
+------+-----+ +-----+------+
| regular | | virtual |
+-----+verification| /|verification|
| +------+-----+ / +-----+------+
v | / |
+----+-----+ v / v
| results | +--+---+ / +---+--+
|other than| | pass +<--+ | none |
| pass | +------+ +------+
+----------+
Figure 1: State Diagram
Akagiri, et al. Expires September 15, 2016 [Page 3]
�
Internet-Draft DMARC virtual verification March 2016
The Mail receiver SHOULD verify the Mail sender with a virtual DMARC
record when the receiver could not find the DMARC record published by
the Mail sender. The regular DMARC verifier just sets the
Authentication-Results to "none" when the receiving MTA could not
find the DMARC policy records for the sender. In contrast, when the
verification of SPF or DKIM have passed, the virtual verification
validates the sender against the virtual DMARC record, that is filled
with the _default_ values. The content of the virtual DMARC record
is explained in detail in Section 4.
The virtual DMARC verification processes received emails in the same
way the regular DMARC verifier does with those default values. As to
the Authentication-Results field of verified email, "pass" is set to
verified email and "none" to unverified one.
When a DKIM verification passes, the virtual DMARC verification for
the same email always passes. DMARC verification compares the
RFC5322.from and domains described in the d tags of DKIM-Signature
field of the received email. To pass the DKIM verification those two
fields must be identical. Therefore, when the DKIM verification
passes, the virtual verification of DMARC also passes.
4. The Virtual DMARC Record
When the mail sender does not publish their DMARC record, the virtual
DMARC verification validates the sender against an imaginary DMARC
record that are filled with pre-determined values. This record is
referred to as "virtual DMARC record" in this document.
The values in the virtual DMARC record are listed below(Table 1).
+----------+----------------------------+
| Tag Name | Virtual DMARC Record Value |
+----------+----------------------------+
| p | none |
| | |
| adkim | s(strict) |
| | |
| aspf | s(strict) |
+----------+----------------------------+
Table 1: Values for Virtual DMARC records
These values are determined so that the reasonable verification can
be performed when the sender is not interested in publish their own
DMARC record.
o policy(p): none
Akagiri, et al. Expires September 15, 2016 [Page 4]
�
Internet-Draft DMARC virtual verification March 2016
* The received emails have to be delivered to mail destinations
unless the mail sender domains publish DMARC records and set
the policy in the records to "quarantine" or "reject". So the
default policy(p) is set to "none".
o adkim, aspf: s(strict)
* The default alignment modes for DKIM and SPF are "s(strict)".
When a hosting provider("example.com"), for instance, enables
DKIM and publish a DKIM resource record for a
customer("aaa.example.com"). In this situation, if the DKIM
alignment mode(adkim) in the virtual record is "r(relaxed)",
another customer("bbb.example.com") can pretend to be
"aaa.example.com". This is not the will of the
"aaa.example.com". To prevent this situation, the alignment
modes (adkim and aspf) are "s(strict)" in the virtual DMARC
record, as opposed to the default value for the regular DMARC
record.
5. Use cases
TBD
6. Roadmap
By promoting DMARC, our final goal is to reject emails from domains
that do not publish DMARC records. To achieve this goal, we propose
a three step deployment.
o Step1: As proposed in this draft, the policy(p) for the virtual
DMARC record is set to "none".
o Step2: The policy(p) is set to "quarantine". A new
Authentication-Result "SoftFail" may be needed to indicate that
the failure is due to the virtual verification.
o Step3: The policy(p) is set to "reject".
7. Security consideration
TBD
8. Privacy consideration
TBD
Akagiri, et al. Expires September 15, 2016 [Page 5]
�
Internet-Draft DMARC virtual verification March 2016
9. Discussions
o Currently the virtual verification set the Authentication-Result
to "pass" when the verification passes. Is it better to define
"SoftPass" so that it indicates the "pass" is based on the virtual
verification?
o Values "ruf" and "rua" for the virtual record.
10. Acknowledgements
TBD
11. References
11.1. Normative References
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
DOI 10.17487/RFC5321, October 2008,
<http://www.rfc-editor.org/info/rfc5321>.
[RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322,
DOI 10.17487/RFC5322, October 2008,
<http://www.rfc-editor.org/info/rfc5322>.
[RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598,
DOI 10.17487/RFC5598, July 2009,
<http://www.rfc-editor.org/info/rfc5598>.
[RFC6376] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
"DomainKeys Identified Mail (DKIM) Signatures", STD 76,
RFC 6376, DOI 10.17487/RFC6376, September 2011,
<http://www.rfc-editor.org/info/rfc6376>.
[RFC7208] Kitterman, S., "Sender Policy Framework (SPF) for
Authorizing Use of Domains in Email, Version 1", RFC 7208,
DOI 10.17487/RFC7208, April 2014,
<http://www.rfc-editor.org/info/rfc7208>.
[RFC7489] Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based
Message Authentication, Reporting, and Conformance
(DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015,
<http://www.rfc-editor.org/info/rfc7489>.
[RFC7601] Kucherawy, M., "Message Header Field for Indicating
Message Authentication Status", RFC 7601,
DOI 10.17487/RFC7601, August 2015,
<http://www.rfc-editor.org/info/rfc7601>.
Akagiri, et al. Expires September 15, 2016 [Page 6]
�
Internet-Draft DMARC virtual verification March 2016
11.2. Informative References
[ReturnPath]
Return Path, ., "DMARC Intelligence Report", February
2016.
Authors' Addresses
Takehito Akagiri
Email: takehito@akagiri.com
Genki Yasutaka
Rakuten, Inc.
Email: genki.yasutaka@rakuten.com
Masaki Kase
NIFTY Corporation
Email: kase.masaki@nifty.co.jp
Kouji Okada
Lepidum Co. Ltd.
Email: okd@lepidum.co.jp
Kaoru Maeda
Lepidum Co. Ltd.
Email: maeda@lepidum.co.jp
Akagiri, et al. Expires September 15, 2016 [Page 7]