Opened 2 years ago

Last modified 16 months ago

#66 infoneeded enhancement

Define what it means to have implemented DMARC

Reported by: seth@…
Owned by: todd.herr@…
Priority: major
Milestone: Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide
Component: dmarc-bis
Version:
Severity: -
Keywords: clarify
Cc:

Description

In particular:

  • What does it mean to implement DMARC as a domain owner? Here, we should specifically define "Enforcement" -- the point at which only authenticated mail can be sent from the domain.
  • What does it mean to implement DMARC as a receiver? Here, that DMARC and ARC are validated and reports are sent?
  • What does it mean to implement DMARC as an intermediary? That DMARC and ARC are validated?

Change History (11)

comment:1 Changed 2 years ago by seth@…

  • Component changed from rfc7601bis to dmarc-bis
  • Owner draft-ietf-dmarc-rfc7601bis@… deleted
  • Status changed from new to assigned

comment:2 Changed 17 months ago by todd.herr@…

  • Owner set to todd.herr@…
  • Status changed from assigned to accepted

comment:3 Changed 17 months ago by todd.herr@…

Not sure where to put it, but here's some proposed text:

What Does It Mean To Have Implemented DMARC?

Domain owners, intermediaries, and mail receivers can all claim to implement DMARC, but what that means will depend on their role in the transmission of mail. To remove any ambiguity from the claims, this document specifies the following minimum criteria that must be met for each agent to rightly claim to be "implementing DMARC".

Domain Owner: To implement DMARC, a domain owner MUST configure its domain to request that unauthenticated mail be rejected or at least treated with suspicion. This means that it MUST publish a policy record that:

  • Has a p tag with a value of 'quarantine' or 'reject'
  • Has a rua tag with at least one valid URI
  • If applicable, has an sp tag with a value of 'quarantine' or 'reject'

While 'none' is a syntactically valid value for both the p and sp tags, the practical value of either the p tag or sp tag being 'none' means that the domain owner is still gathering information about mail flows for the domain or sub-domains, and is not yet ready to commit to requesting that unauthenticated mail receive different handling than authenticated mail.

Intermediary: To implement DMARC, an intermediary MUST do the following before passing the message to the next hop or rejecting it as appropriate:

  • Perform DMARC validation checks on inbound mail
  • Perform validation on any ARC header sets present in the message when it arrives
  • Record the results of its authentication checks in a signed and sealed ARC header set

Mail Receiver: To implement DMARC, a mail receiver MUST do the following:

  • Perform DMARC validation checks on inbound mail
  • Perform validation checks on any ARC header sets present in the message when it arrives
  • Send aggregate reports to domain owners at least every 24 hours when a minimum of 100 messages with that domain in the visible From header have been seen during the reporting period
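
The domain-owner criteria in the proposed text above can be checked mechanically against a published policy record. The following is an added example, not part of the ticket or the draft; the function names and sample records are constructed, "valid URI" is assumed to mean a `mailto:` URI with a mailbox, and "if applicable" is assumed to mean "if an sp tag is published".

```python
import re
from urllib.parse import urlparse

ENFORCING = {"quarantine", "reject"}  # policy values the proposed text accepts

def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict (tag names lowercased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def valid_rua_uris(value):
    """Return the rua entries that look like usable mailto: URIs.

    Assumption: "valid URI" means mailto: with a mailbox; the ticket does not say.
    """
    uris = []
    for item in value.split(","):
        uri = item.strip().split("!", 1)[0]  # drop optional size limit, e.g. !10m
        parsed = urlparse(uri)
        if parsed.scheme == "mailto" and re.fullmatch(
                r"[^@\s]+@[^@\s]+\.[^@\s]+", parsed.path):
            uris.append(uri)
    return uris

def domain_owner_gaps(record):
    """List the proposed minimum criteria a record fails; empty means all met."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    gaps = []
    if tags.get("p", "").lower() not in ENFORCING:
        gaps.append("p is not quarantine or reject")
    if not valid_rua_uris(tags.get("rua", "")):
        gaps.append("rua has no valid URI")
    # Assumption: "if applicable" is read as "if an sp tag is published".
    if "sp" in tags and tags["sp"].lower() not in ENFORCING:
        gaps.append("sp is not quarantine or reject")
    return gaps

if __name__ == "__main__":
    # Constructed sample records; example.com is a placeholder domain.
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=quarantine; sp=none; rua=mailto:a@example.com!10m"):
        print(rec, "->", domain_owner_gaps(rec) or "meets the proposed criteria")
```

A monitoring-only record (`p=none`) is reported as a gap here, which matches the proposed text's position that such a domain owner is still gathering information rather than implementing DMARC.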

comment:4 Changed 16 months ago by todd.herr@…

  • Status changed from accepted to started

comment:5 Changed 16 months ago by todd.herr@…

Added proposed text from comment 3 as section 4.4, part of the Overview section


comment:6 Changed 16 months ago by todd.herr@…

  • Resolution set to fixed
  • Status changed from started to closed

pushed to github and merged to main branch

comment:7 Changed 16 months ago by todd.herr@…

  • Resolution fixed deleted
  • Status changed from closed to new

comment:8 Changed 16 months ago by todd.herr@…

Reopening because it makes more sense to put this in Section 8, Minimum Implementations, which was already there.

comment:9 Changed 16 months ago by todd.herr@…

Moved stuff to section 8 as proposed replacement text.

Pushed to github and merged to main branch.

comment:10 Changed 16 months ago by todd.herr@…

  • Status changed from new to accepted

comment:11 Changed 16 months ago by todd.herr@…

  • Status changed from accepted to infoneeded