DMARC F. Martin, Ed.
Internet-Draft LinkedIn
Intended status: Informational E. Lear, Ed.
Expires: May 15, 2016 Cisco Systems GmbH
T. Draegen, Ed.
dmarcian, inc.
E. Zwicky, Ed.
Yahoo
K. Andersen, Ed.
LinkedIn
November 12, 2015

Interoperability Issues Between DMARC and Indirect Email Flows
draft-ietf-dmarc-interoperability-11

Abstract

DMARC introduces a mechanism for expressing domain-level policies and preferences for email message validation, disposition, and reporting. The DMARC mechanism can encounter interoperability issues when messages do not flow directly from the author's administrative domain to the final recipients. Collectively these email flows are referred to as indirect email flows. This document describes interoperability issues between DMARC and indirect email flows. Possible methods for addressing interoperability issues are presented.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on May 15, 2016.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

DMARC [RFC7489] introduces a mechanism for expressing domain-level policies and preferences for message validation, disposition, and reporting. The DMARC mechanism can encounter several different types of interoperability issues due to third-party message sourcing, message transformation or rerouting.

At the time of the writing of this document, the DMARC base specification is published as Informational RFC7489 [RFC7489] and has seen significant deployment within the email community.

Cases in which email does not flow directly from the author's administrative domain to the recipient's domain(s) are collectively referred to in this document as indirect email flows. Due to existing and increasing adoption of DMARC, the impact of DMARC-based email rejection policies on indirect email flows can be significant for a select subset of general email traffic.

Several known causes of interoperability issues are presented, followed by a description of components within the Internet Mail Architecture [RFC5598] where interoperability issues can arise.

Finally, known and possible methods for addressing interoperability issues are presented. There are often multiple ways to address any given interoperability issue. While this document strives to be comprehensive in its review, it should not be treated as complete. Also, some practices which are in use at the time of this document may or may not be "best practices" as future standards evolve.

1.1. Document Conventions

Notation regarding structured fields is taken from [RFC5598].

Organizational Domain and Authenticated Identifiers are specified in DMARC [RFC7489].

2. Causes of Interoperability Issues

Interoperability issues between DMARC and indirect email flows arise when conformance to the DMARC specification leads a receiving implementation to apply DMARC based policy restrictions to messages that are both compliant with the architecture as specified in [RFC5598] and viewed as legitimate by the intended recipient.

Note that domains which assert a "p=none" policy and email which passes standard DMARC validation do not have any interoperability issues.

Email messages that do not conform to other email specifications but are considered legitimate by the intended recipients are not discussed in this document. The rest of this section describes several conceptual causes of interoperability issues.

2.1. Identifier Alignment

DMARC relies on DKIM [RFC6376] and SPF [RFC7208] to perform message source validation. The DMARC [RFC7489] mechanism refers to source domains that are validated by DKIM or SPF as Authenticated Identifiers. DMARC requires an Authenticated Identifier to be related to the domain found in the message's RFC5322.From header field [RFC5322]. This relationship is referred to as Identifier Alignment.

DMARC allows for Identifier Alignment to be achieved in two different modes: strict and relaxed. Strict mode requires an exact match of either of the Authenticated Identifiers to the message's RFC5322.From header field [RFC5322]. Relaxed mode allows for Identifier Alignment if Authenticated Identifiers and the message's RFC5322.From header field [RFC5322] share the same Organizational Domain. In general, interoperability issues between strict and relaxed modes are the same, with strict mode constraining the application of possible solutions. The mitigations described in this document generally require a relaxed mode of Identifier Alignment.

DKIM provides a cryptographic means for a domain identifier to be associated with a particular message. As a standalone technology DKIM identifiers are not required to be relevant to the content of a message. However, for a DKIM identifier to align in DMARC, the signing domain of a valid signature must be part of the same Organizational Domain as the domain in the RFC5322.From header field [RFC5322].

In addition, DKIM allows for the possibility of multiple valid signatures. The DMARC mechanism will process Authenticated Identifiers that are based on DKIM signatures until an aligned Authenticated Identifier is found (if any). However, operational experience has shown that some implementations have difficulty processing multiple signatures. The impact on DMARC processing is clear: implementations that cannot process multiple DKIM signatures may incorrectly flag messages as "failing DMARC" and erroneously apply DMARC based policy to otherwise conforming messages.

SPF can provide two Authenticated Identifiers. The DMARC relevant Authenticated Identifiers that SPF provides is the RFC7208.MAILFROM [RFC7208] based on the RFC5321.MailFrom [RFC5321] domain, or, if the RFC5321.MailFrom address is absent (as in the case of "bounce" messages), on the RFC5321.HELO/EHLO SMTP domain. The SPF validated domain in RFC7208.MAILFROM must be part of the same Organizational Domain as the domain in the RFC5322.From header field to be aligned. It is important to note that even when an SPF record exists for the domain in RFC5322.From [RFC5322], SPF will not authenticate it unless it is also the domain checked by SPF. Also note that the RFC7208.MAILFROM definition is different from the RFC5321.MailFrom [RFC5321] definition.

2.2. Message Forwarding

Message forwarding is a generic concept encapsulating a variety of behaviors. Section 3 describes forwarding behavior as it relates to the components of the Internet Mail Architecture.

All forwarding behavior involves the retransmission of email. As discussed above, in order for SPF to yield an Authenticated Identifier that is pertinent to DMARC, the domain of the RFC7208.MAILFROM must be in alignment with the RFC5322.From header field. Forwarding introduces specific issues to the availability of SPF-based Authenticated Identifiers:

In both cases, SPF cannot yield relevant Authenticated Identifiers, and DKIM must be relied upon to produce results that are relevant to DMARC.

2.3. Message Modification

Modification of email content invalidates most DKIM signatures, and many message forwarding systems modify email content. Mailing list processors are a common example of such systems, but other forwarding systems also make modifications.

Although DKIM provides a length flag so that content can be appended without invalidating the signature, in practice, particularly with MIME-encoded [RFC2045] messages, a mailing list processor will do more than simply append content (see Section 5.3 of [RFC5598] for details). Furthermore, the length flag is seldom used due to security issues (see Section 8.2 of [RFC6376] for additional security considerations), therefore, this method is only here mentioned for completeness.

DKIM describes two canonicalizations for use when preparing header and body for DKIM processing: simple and relaxed. The latter allows for trivial modifications (largely regarding whitespace and folding) that maintain the integrity of the content of the email. However, the relaxed canonicalization is more computationally intensive and may not have been preferred in the early deployment of DKIM, leaving some deployments using the less forgiving "simple" canonicalization. While the prevalence is unknown, there are some DKIM verifiers which have problems evaluating relaxed canonicalization correctly.

3. Internet Mail Architecture, DMARC, and Indirect Email Flows

This section describes components within the Internet Mail Architecture [RFC5598] where interoperability issues between DMARC and indirect email flows can be found.

3.1. Message Handling System

Section 4 of [RFC5598] describes six basic components that make up the Message Handling System (MHS):

Of these components MSA, MTA, and MDA are discussed in relation to interoperability with DMARC.

A Mediator is a hybrid of several component types that is given special consideration in this section due to the unique issues Mediators face when attempting to interoperate with DMARC.

3.1.1. Message Submission Agents

An MSA accepts messages submitted by a Message User Agent (MUA) and enforces the policies of the hosting ADministrative Management Domain (ADMD) and the requirements of Internet standards.

MSAs are split into two sub-components:

MSA interoperability issues with DMARC begin when an aMSA accepts a message where the RFC5322.From header field contains a domain that is outside of the ADMD of the MSA. The ADMD will almost certainly not be capable of sending email that yields Authenticated Identifiers aligned with the domain found in the RFC5322.From header field. Examples of this issue include "forward-to-friend" functionality commonly found on news/article websites or "send-as" functionality present on some MUAs.

When an hMSA takes responsibility for transit of a message containing a domain in the RFC5322.From header field that is outside of the hMSA's ADMD, the hMSA faces DMARC interoperability issues if the domain publishes a DMARC policy of "quarantine" or "reject". These issues are marked by the inherent difficulty of establishing alignment with the domain present in a message's RFC5322.From header field. Examples of this issue include:

3.1.2. Message Transfer Agents

MTAs relay a message until the message reaches a destination MDA.

3.1.2.1. Message Encoding

An MTA may modify the message encoding, for instance by converting 8-bit MIME sections to quoted-printable 7-bit sections. This modification is outside the scope of DKIM canonicalization and will invalidate DKIM signatures that include message content.

An MTA could also re-encode the message without changing the encoding type, receiving a MIME-encoded message and producing a semantically and syntactically equivalent MIME body that is not identical to the original. This is characteristic of systems that use some other message representation internally.

3.1.2.2. Header Standardization

An MTA may rewrite headers to bring them into compliance with existing RFCs. For example, some common MTAs will correct comprehensible but non-compliant date formats to compliant ones.

Header rewriting is outside the scope of DKIM canonicalization and will invalidate DKIM signatures. All downstream DMARC processing with be unable to utilize DKIM to yield Authenticated Identifiers due to header rewriting.

Providing solutions for issues relating to non RFC-compliant emails is outside the scope of this document.

3.1.2.3. Content Validation

An MTA may also implement security-motivated changes to the content of email messages, dropping or altering sections of messages, causing breakage of DKIM signatures

3.1.3. Message Delivery Agents

The MDA transfers a message from the MHS to a mailbox. Like the MSA, the MDA consists of two sub-components:

Both the hMDA and the rMDA can redirect a message to an alternative address. DMARC interoperability issues related to redirecting of messages are described in Section 3.2.

SIEVE [RFC5228] functionality often lives in the rMDA sub-component and can cause DMARC interoperability issues. The SIEVE 'addheader' and 'deleteheader' filtering actions can modify messages and invalidate DKIM signatures, removing DKIM-supplied Authenticated Identifiers as inputs to the DMARC mechanism. There are also SIEVE extensions that modify the body. SIEVE alterations may only become an issue when the email is reintroduced into the transport infrastructure.

3.2. Mediators

See [RFC5598] for a complete definition of Mediators.

Mediators forward messages through a re-posting process. Mediators share some functionality with basic MTA relaying, but have greater flexibility in both addressing and content modifications.

DMARC interoperability issues are common within the context of Mediators, which are often used precisely for their ability to modify messages.

The DMARC design does not cope with some Mediator functionality such as content modifications that invalidate DKIM signatures and RFC5321.MailFrom rewriting to support SPF authentication of resent mail when the new Recipient receives the message from the Mediator rather than the initial organization.

3.2.1. Alias

An Alias is a simple re-addressing facility that provides one or more new Internet Mail addresses, rather than a single, internal one. A message continues through the transfer service for delivery to one or more alternative addresses.

Aliases can be implemented by mailbox-level forwarding (e.g. through "dot-forwarding") or SIEVE-level forwarding (through the SIEVE 'redirect' action) or other methods. When an Alias preserves message content and does not make significant header changes, DKIM signatures may remain valid. However, Aliases often extend the delivery path outside of the scope covered by the originating ADMD's SPF record(s).

Examples of Aliasing include:

In most cases, the aMSA providing Alias services has no administrative relationship to the ADMD of the originator or the final recipient, so solutions to Alias-related DMARC failure should not assume such a relationship.

3.2.2. ReSenders

ReSenders "splice" a message's addressing information to connect the Author of the original message with the Recipient(s) of the new message. The new Recipient sees the message as being from the original Author, even if the Mediator adds commentary.

Without Authenticated Identifiers aligned with the Author's RFC5322.From header field domain, the new Recipient has no way to achieve a passing DMARC evaluation.

Examples of ReSenders include MUA-level forwarding by resending a message to a new recipient or by forwarding a message "inline" to a new recipient (this does not include forwarding a message "as an attachment"). An additional example comes in the form of calendaring software that allows a meeting attendee (not the meeting organizer) to modify the content of an invite generating new invitations that claim to be reissued from the meeting organizer.

3.2.3. Mailing Lists

A Mailing List receives messages as an explicit addressee and then reposts them to a list of subscribed members. The Mailing List performs a task that can be viewed as an elaboration of the ReSender actions.

Mailing Lists share the same DMARC interoperability issues as ReSenders [resenders], and very commonly modify headers or message content in ways that will cause DKIM to fail, including:

Any such modifications would invalidate a DKIM signature.

Header and content modifications are common for many mailing lists and are often central to present mailing list functionality and usage. Furthermore, MUAs have come to rely on mailing list message modifications to present messages to end users in expected ways.

3.2.3.1. Mailing List Operational Effects

Mailing Lists may also have the following DMARC interoperability issues:

3.2.4. Gateways

A Gateway performs the basic routing and transfer work of message relaying, but it also is permitted to modify content, structure, addressing, and/or other attributes as needed to send the message into a messaging environment that operates under different standards or potentially incompatible policies.

Gateways share the same DMARC interoperability issues as ReSenders [resenders].

Gateways may share also the same DMARC interoperability issues as MTAs [mta].

Receiver systems on the non-SMTP side of a protocol gateway may be unable to evaluate DKIM and SPF. If a message passes through a second protocol gateway back into the SMTP domain, the transformations commonly break the original DKIM signature(s).

Gateway-level forwarding can introduce DMARC interoperability issues if the Gateway is configured to rewrite the message into alternate recipient domains. For example, an acquisition may lead an acquiring company to decide to decommission the acquired company's domains by rewriting messages to use the domain of the acquiring company. Since the RFC5322.To header field is usually DKIM-signed, this kind of rewriting will invalidate such DKIM signatures.

3.2.5. Boundary Filters

To enforce security boundaries, organizations can subject messages to analysis for conformance with their safety policies. A filter might alter the content to render it safe, such as by removing or otherwise altering content deemed unacceptable.

Boundary Filters share the same DMARC interoperability issues as ReSenders.

Issues may arise with SPF and DKIM evaluation if performed after filter modifications.

Examples of Boundary Filters include:

3.3. Combinations

Indirect email flows can be combined. For example, a university student may subscribe to a mailing list (using his university email address) while this university email address is configured to forward all emails to a freemail or a post-education corporate account provider where a more permanent email address for this student exists.

Within an organization the message may pass through various MTAs [mta], each of which performs a different function (authentication, filtering, distribution, etc.)

4. Possible Mitigations of Interoperability Issues

Solutions to interoperability issues between DMARC and indirect email flows vary widely in their scope and implications. They range from improvements to underlying processors, such as proper handling of multiple DKIM signatures, to more radical changes to the messaging architecture. This section describes possible ways to address interoperability issues. Note that these particular mechanisms may not be considered "best practices" and may, in some cases, violate various conventions or expectations.

Receivers sometimes need to deliver email messages that do not conform to any standard or protocol, but are otherwise desired by end users. Mitigating the impact of DMARC on indirect email flows is especially important to receivers that operate services where ease of use and compatibility with existing email flows is a priority.

DMARC provides a mechanism (local policy) for receivers to make decisions about identity alignment acceptability based on information outside DMARC and communicate those decisions as "overrides" to the sender. This facility can be used to ease some interoperability issues, although care is needed to ensure that this does not create loopholes for abuse.

To further complicate the usage of mitigations, mitigation may not be desired if the email in question is of a certain category of high value or high risk (security-related) transactional messages (dealing with financial transactions or medical records, for example). In these cases, mitigating the impact of DMARC due to indirect email flows may not be desirable (counter-productive, or allowing for abuse).

As a final note, mail systems are diverse and widely deployed. Systems of various ages and capabilities are expected to preserve interoperability with the rest of the SMTP ecosystem. For instance, Qmail is still used, although the base code has not been updated since 1998. ezmlm, a once popular mailing list manager, is still deployed but has not been updated since 1997, although a new version, ezmlm-idx exists. Old versions of other open and closed source MTAs are still commonly in operation. When dealing with aging or unsupported systems, some solutions may be time-consuming and/or disruptive to implement.

4.1. Mitigations in Current Use

Because DMARC is already widely deployed, many operators already have mitigations in use. These mitigations vary in their effectiveness and side effects, but have the advantage that they are currently available.

4.1.1. Mitigations for Senders

4.1.1.1. Identifier Alignment

4.1.1.2. Message Modification

4.1.2. Mitigations for Receivers

4.1.2.1. Identifier Alignment

4.1.2.2. Policy Override

4.1.3. Mitigations for ReSenders

4.1.3.1. Changes to the RFC5322.From

Many ReSender issues can be avoided by using an RFC5322.From header field under the ReSender's control, instead of the initial RFC5322.From. This will correct identifier alignment issues and allow arbitrary message modification as long as the ReSender signs the message with an aligned domain signature. When ReSenders change the RFC5322.From, it is desirable to preserve the information about the original initiator of the message.

A first option is to use the Original-From [RFC5703] (or X-Original-From) header field for this purpose in various contexts (X- header fields name are discouraged by [RFC6648]). However, handling of Original-From (or X-Original-From) is not defined anywhere. It is not currently used consistently or displayed to the user, and in any situation where it is used, it is a new unauthenticated identifier available for exploitation unless included within the scope of the new DKIM signature(s).

Another option for ReSenders is to rewrite the RFC5322.From header field address to a locally controlled address which will be forwarded back to the original sender (subject to its own ReSender forwarding mitigations!).

4.1.3.2. Avoiding Message Modification

4.1.3.3. Mailing Lists

[RFC6377] provides some guidance on using DKIM with Mailing lists. The following mitigation techniques can be used to ease interoperability issues with DMARC and Mailing lists:

All these techniques may provide some specific challenges to MUAs and different operational usages for end users (like rewriting filters to sort emails in folders). There will be some time before all implications are understood and accommodated.

4.2. Proposed and In-Progress Mitigations

The following mitigations are based on Internet Drafts (I-Ds) which have not yet received broad consensus. They are described here to offer exploratory path for solutions. These solutions should not be used in a production environment. Because of the transient nature of I-Ds, specific citations are not included because a number of them will inevitably become obsolete and those which gain concensus in the community will become RFCs and should be discovered as such.

4.2.1. Getting More Radical: Requiring New Communication Paths Between MUAs

In practice a number of operators are using strict alignment mode in DMARC in order to avoid receiving new and innovative forms of unwanted and unauthentic email through systems purporting to be mailing list handlers. The receiving ADMD has no knowledge of which lists the user has subscribed to and which they have not. One avenue of exploration would be for the user to authorize mailing lists as proxies for authentication, at which point the receiving ADMD would be vesting some trust in the mailing list service. The creators of DKIM foresaw precisely this possibility at the time by not tightly binding any semantics to the RFC5322.From header field. Some experimental work has taken place in this area, as mentioned above. Additional work might examine a new communication path to the user to authorize some form of transitive trust.

5. IANA Considerations

This document contains no actions for IANA. [RFC Editor: Please delete this section prior to publication.]

6. Security Considerations

This document is an analysis of DMARC's impact on indirect email flows. It describes the possibility of accidental denial-of-service that can be created by rejections of messages by DMARC-aware Mail Receivers.

In Section 4.1.1.1, discusses the importance of appropriate DKIM key management vis a vis third party email senders.

In Section 4.1.3.3, warns that rewriting the RFC5322.From header field and changing the domain name should not be done with any domain.

7. Acknowledgments

Miles Fidelman, John Levine, David Crocker, Stephen J. Turnbull, Rolf E. Sonneveld, Tim Draegen and Franck Martin contributed to the IETF DMARC Working Group's wiki page listing all known interoperability issues with DMARC and indirect email flows.

Tim Draegen created the first draft of this document from these contributions and by hamfistedly mapping contributions into the language of [RFC5598].

8. References

8.1. Normative References

[RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996.
[RFC3463] Vaudreuil, G., "Enhanced Mail System Status Codes", RFC 3463, DOI 10.17487/RFC3463, January 2003.
[RFC5228] Guenther, P. and T. Showalter, "Sieve: An Email Filtering Language", RFC 5228, DOI 10.17487/RFC5228, January 2008.
[RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, DOI 10.17487/RFC5321, October 2008.
[RFC5322] Resnick, P., "Internet Message Format", RFC 5322, DOI 10.17487/RFC5322, October 2008.
[RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, DOI 10.17487/RFC5598, July 2009.
[RFC5703] Hansen, T. and C. Daboo, "Sieve Email Filtering: MIME Part Tests, Iteration, Extraction, Replacement, and Enclosure", RFC 5703, DOI 10.17487/RFC5703, October 2009.
[RFC6376] Crocker, D., Hansen, T. and M. Kucherawy, "DomainKeys Identified Mail (DKIM) Signatures", STD 76, RFC 6376, DOI 10.17487/RFC6376, September 2011.
[RFC6377] Kucherawy, M., "DomainKeys Identified Mail (DKIM) and Mailing Lists", BCP 167, RFC 6377, DOI 10.17487/RFC6377, September 2011.
[RFC6648] Saint-Andre, P., Crocker, D. and M. Nottingham, "Deprecating the "X-" Prefix and Similar Constructs in Application Protocols", BCP 178, RFC 6648, DOI 10.17487/RFC6648, June 2012.
[RFC7208] Kitterman, S., "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1", RFC 7208, DOI 10.17487/RFC7208, April 2014.
[RFC7372] Kucherawy, M., "Email Authentication Status Codes", RFC 7372, DOI 10.17487/RFC7372, September 2014.

8.2. Informative References

[RFC7489] Kucherawy, M. and E. Zwicky, "Domain-based Message Authentication, Reporting, and Conformance (DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015.
[RFC7601] Kucherawy, M., "Message Header Field for Indicating Message Authentication Status", RFC 7601, DOI 10.17487/RFC7601, August 2015.

Authors' Addresses

Franck Martin (editor) LinkedIn Mountain View, CA USA EMail: fmartin@linkedin.com
Eliot Lear (editor) Cisco Systems GmbH Richtistrasse 7 Wallisellen, ZH CH-8304 Switzerland Phone: +41 44 878 9200 EMail: lear@cisco.com
Tim Draegen (editor) dmarcian, inc. PO Box 1007 Brevard, NC 28712 USA EMail: tim@dmarcian.com
Elizabeth Zwicky (editor) Yahoo Sunnyvale, CA USA EMail: zwicky@yahoo-inc.com
Kurt Andersen (editor) LinkedIn 2029 Stierlin Court Mt. View, CA 94043 USA EMail: kandersen@linkedin.com