Define what it means to have implemented DMARC

[seth@…]

In particular:

• What does it mean to implement DMARC as a domain owner? Here, we should specifically define "Enforcement" -- the point at which only authenticated mail can be sent from the domain.

• What does it mean to implement DMARC as a receiver? Here, that DMARC and ARC are validated and reports are sent?

• What does it mean to implement DMARC as an intermediary? That DMARC and ARC are validated?

[todd.herr@…]

Not sure where to put it, but here's some proposed text:

What Does It Mean To Have Implemented DMARC?

Domain owners, intermediaries, and mail receivers can all claim to implement DMARC, but what that means will depend on their role in the transmission of mail. To remove any ambiguity from the claims, this document specifies the following minimum criteria that must be met for each agent to rightly claim to be "implementing DMARC".

Domain Owner: To implement DMARC, a domain owner MUST configure its domain to request that unauthenticated mail be rejected or at least treated with suspicion. This means that it MUST publish a policy record that:

• Has a p tag with a value of 'quarantine' or 'reject'
• Has a rua tag with at least one valid URI
• If applicable, has an sp tag with a value of 'quarantine' or 'reject'

While 'none' is a syntactically valid value for both the p and sp tags, the practical value of either the p tag or sp tag being 'none' means that the domain owner is still gathering information about mail flows for the domain or sub-domains, and is not yet ready to commit to requesting that unauthenticated mail receive different handling than authenticated mail.

Intermediary: To implement DMARC, an intermediary MUST do the following before passing the message to the next hop or rejecting it as appropriate:

• Perform DMARC validation checks on inbound mail
• Perform validation on any ARC header sets present in the message when it arrives
• Record the results of its authentication checks in a signed and sealed ARC header set

Mail Receiver: To implement DMARC, a mail receiver MUST do the following:

• Perform DMARC validation checks on inbound mail
• Perform validation checks on any ARC header sets present in the message when it arrives
• Send aggregate reports to domain owners at least every 24 hours when a minimum of 100 messages with that domain in the visible From header have been seen during the reporting period

[todd.herr@…]

Added proposed text from comment 3 as section 4.4, part of the Overview section

[todd.herr@…]

pushed to github and merged to main branch

[todd.herr@…]

Reopening because it makes more sense to put this in Section 8, Minimum Implementations, which was already there.

[todd.herr@…]

Moved stuff to section 8 as proposed replacement text.

Pushed to github and merged to main branch.