rfcdiff of draft-ietf-dmarc-psd-14.txt against draft-ietf-dmarc-psd-15.txt
(text common to both versions is shown once; where the versions differ,
the -15 text is shown and the -14 text follows in brackets as "[-14: ...]")

Network Working Group                                      S. Kitterman
Internet-Draft                                    fTLD Registry Services
Intended status: Experimental                           T. Wicinski, Ed.
Expires: December 16, 2021 [-14: November 27, 2021]
                                        June 14, 2021 [-14: May 26, 2021]

         Experimental DMARC Extension For Public Suffix Domains
            draft-ietf-dmarc-psd-15 [-14: draft-ietf-dmarc-psd-14]
Abstract

   Domain-based Message Authentication, Reporting, and Conformance
   (DMARC) permits a domain-controlling organization to express domain-
   level policies and preferences for message validation, disposition,
   and reporting, which a mail-receiving organization can use to improve
   mail handling.

   DMARC distinguishes the portion of a name that is a Public Suffix
   [... unchanged text skipped; diff resumes at page 1, line 44 ...]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 16, 2021.
   [-14: This Internet-Draft will expire on November 27, 2021.]
Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [... unchanged text skipped; diff resumes at page 2, line 27 ...]
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Example . . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Discussion  . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Terminology and Definitions . . . . . . . . . . . . . . . . .   5
     2.1.  Conventions Used in This Document . . . . . . . . . . . .   5
     2.2.  Public Suffix Domain (PSD)  . . . . . . . . . . . . . . .   6  [-14: 5]
     2.3.  Organizational Domain . . . . . . . . . . . . . . . . . .   6
     2.4.  Longest PSD . . . . . . . . . . . . . . . . . . . . . . .   6
     2.5.  Public Suffix Operator (PSO)  . . . . . . . . . . . . . .   6
     2.6.  PSO Controlled Domain Names . . . . . . . . . . . . . . .   6
     2.7.  Non-existent Domains  . . . . . . . . . . . . . . . . . .   6
   3.  PSD DMARC Updates to DMARC Requirements . . . . . . . . . . .   7  [-14: 6]
     3.1.  General Updates . . . . . . . . . . . . . . . . . . . . .   7
     3.2.  Changes in Section 6.3 "General Record Format"  . . . . .   7
     3.3.  Changes in Section 6.4 "Formal Definition"  . . . . . . .   7  [new in -15]
     3.4.  Changes in Section 6.5 "Domain Owner Actions" . . . . . .   8  [-14: 3.3, page 7]
     3.5.  Changes in Section 6.6.1 "Extract Author Domain"  . . . .   8  [-14: 3.4]
     3.6.  Changes in Section 6.6.3 "Policy Discovery" . . . . . . .   8  [-14: 3.5]
     3.7.  Changes in Section 7 "DMARC Feedback" . . . . . . . . . .   9  [-14: 3.6, page 8]
   4.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   9
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  10
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  10
     6.1.  Subdomain Policy Tag  . . . . . . . . . . . . . . . . . .  11  [-14: 10]
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  11
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  11
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  11
     7.3.  URIs  . . . . . . . . . . . . . . . . . . . . . . . . . .  12
   Appendix A.  PSD DMARC Privacy Concern Mitigation Experiment  . .  12
   Appendix B.  DMARC PSD Registry Examples  . . . . . . . . . . . .  13  [-14: 12]
     B.1.  DMARC PSD DNS Query Service . . . . . . . . . . . . . . .  13
     B.2.  DMARC Public Suffix Domain (PSD) Registry . . . . . . . .  13
     B.3.  DMARC PSD PSL Extension . . . . . . . . . . . . . . . . .  14  [-14: 13]
   Appendix C.  Implementations  . . . . . . . . . . . . . . . . . .  14
     C.1.  Authheaders Module  . . . . . . . . . . . . . . . . . . .  14
     C.2.  Zdkimfilter Module  . . . . . . . . . . . . . . . . . . .  14
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  15  [-14: 14]
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  15  [-14: 14]
1.  Introduction

   DMARC [RFC7489] provides a mechanism for publishing organizational
   policy information to email receivers.  DMARC allows policy to be
   specified for both individual domains and for organizational domains
   and their sub-domains within a single organization.

   To determine the organizational domain for a message under
   evaluation, and thus where to look for a policy statement, DMARC
   [... unchanged text skipped; diff resumes at page 7, line 46 (-14: page 7, line 41) ...]
   the "sp" tag' is updated to read 'Policy applies to the domain
   queried and to subdomains, unless subdomain policy is explicitly
   described using the "sp" or "np" tags.'

   sp:  The sentence 'If absent, the policy specified by the "p" tag
      MUST be applied for subdomains' is updated to read 'If both the
      "sp" tag is absent and the "np" tag is either absent or not
      applicable, the policy specified by the "p" tag MUST be applied
      for subdomains.'
3.3.  Changes in Section 6.4 "Formal Definition"
   [section added in -15; in -14, 3.3 was 'Changes in Section 6.5
   "Domain Owner Actions"', which is 3.4 below]

   The ABNF for DMARC shall be updated to include a new definition,
   "dmarc-nprequest", which is defined as:

      dmarc-nprequest = "np" *WSP "=" *WSP
                        ( "none" / "quarantine" / "reject" )

   The "dmarc-record" definition is also updated to include the
   following:

      [dmarc-sep dmarc-nprequest]

3.4.  Changes in Section 6.5 "Domain Owner Actions"  [-14: 3.3]
   In addition to the DMARC domain owner actions, PSOs that require use
   of DMARC and participate in PSD DMARC ought to make that information
   available to receivers.  This document is an experimental mechanism
   for doing so.  See the [this document] experiment description
   (Appendix A).
3.5.  Changes in Section 6.6.1 "Extract Author Domain"  [-14: 3.4]

   Experience with DMARC has shown that some implementations short-
   circuit messages, bypassing DMARC policy application, when the domain
   name extracted by the receiver (from the RFC5322.From) is on the
   public suffix list used by the receiver.  This negates the capability
   being created by this specification.  Therefore, the following
   paragraph is appended to Section 6.6.1 of DMARC:

      Note that domain names that appear on a public suffix list are not
      exempt from DMARC policy application and reporting.
3.6.  Changes in Section 6.6.3 "Policy Discovery"  [-14: 3.5]

   A new step between step 3 and 4 is added:

   3A.  If the set is now empty and the longest PSD (Section 2.4) of the
      Organizational Domain is one that the receiver has determined is
      acceptable for PSD DMARC (discussed in the [this document]
      experiment description (Appendix A)), the Mail Receiver MUST query
      the DNS for a DMARC TXT record at the DNS domain matching the
      [this document] longest PSD (Section 2.4) in place of the
      RFC5322.From domain in the message (if different).  A possibly
   [... unchanged text skipped; diff resumes at page 9, line 11 (-14: page 8, line 43) ...]
   longest PSD (Section 2.4).  The receiver would check to see if that
   PSD is listed in the DMARC PSD Registry, and if so, perform the
   policy lookup at "_dmarc.compute.cloudcompany.com.example".

   Note: Because the PSD policy query comes after the Organizational
   Domain policy query, PSD policy is not used for Organizational
   domains that have published a DMARC policy.  Specifically, this is
   not a mechanism to provide feedback addresses (RUA/RUF) when an
   Organizational Domain has declined to do so.
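The record-format change (the "np" tag and its "dmarc-nprequest" ABNF) and the policy-discovery change (step 3A) above, worked through together as an added example; this is not code from the draft or from the implementations it lists in Appendix C. It replaces DNS, the public suffix list and the DMARC PSD Registry with constructed in-memory tables so that it runs offline; every domain name and record in those tables is constructed. Two points are assumptions about the draft text not reproduced on this page: the longest PSD is computed as the Organizational Domain with its leftmost label removed (the draft's Section 2.4 definition), and the subdomain precedence applied is np (non-existent subdomains only), then sp, then p, following the draft's np definition and the updated sp sentence in Section 3.2. The RFC 7489 step-6 fallback (treating a record with an invalid "p" as p=none when "rua" is present) is omitted.

```python
"""DMARC policy discovery with the PSD DMARC additions (np tag, step 3A).

Added example; DNS, the PSL and the DMARC PSD Registry are replaced by the
constructed tables below so the code runs offline.
"""
import re

# --- Constructed stand-ins for the public suffix list, the DMARC PSD Registry,
#     DNS TXT data and "existing" names (Section 2.7: a name is non-existent when
#     it has no A, AAAA or MX data; here that means "not in EXISTING_NAMES").
PUBLIC_SUFFIX_LIST = {"example", "compute.cloudcompany.com.example"}
PSD_DMARC_REGISTRY = {"compute.cloudcompany.com.example"}
DNS_TXT = {
    # The PSO's record: np covers non-existent subdomains, sp existing ones.
    "_dmarc.compute.cloudcompany.com.example":
        "v=DMARC1; p=reject; np=reject; sp=quarantine; "
        "rua=mailto:psd-reports@cloudcompany.com.example",
    # An Organizational Domain under that PSD with its own record (no np tag).
    "_dmarc.bank.compute.cloudcompany.com.example":
        "v=DMARC1; p=quarantine; sp=none",
}
EXISTING_NAMES = {
    "bank.compute.cloudcompany.com.example",
    "www.bank.compute.cloudcompany.com.example",
    "tenant.compute.cloudcompany.com.example",
}

NP_VALUES = {"none", "quarantine", "reject"}  # dmarc-nprequest alternatives
_TAG_RE = re.compile(r"^\s*([A-Za-z0-9]+)\s*=\s*(.*?)\s*$")


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a tag dict.

    Returns None unless the record starts with v=DMARC1 and carries a "p" tag
    (discarded per steps 2/4 of policy discovery). A malformed "np" value is
    treated as "not applicable", i.e. the tag is dropped (an assumption here).
    """
    pairs = []
    for field in txt.split(";"):
        if not field.strip():
            continue
        m = _TAG_RE.match(field)
        if not m:
            return None
        pairs.append((m.group(1).lower(), m.group(2)))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    tags = dict(pairs)
    if "p" not in tags:
        return None
    if "np" in tags and tags["np"].lower() not in NP_VALUES:
        del tags["np"]
    return tags


def organizational_domain(domain):
    """Organizational Domain: the longest PSL match plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIX_LIST:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower().rstrip(".")


def longest_psd(org_domain):
    """Section 2.4 (assumed): the Organizational Domain with one label removed."""
    return org_domain.split(".", 1)[1] if "." in org_domain else org_domain


def lookup_dmarc(name):
    """Stand-in for a DNS TXT query at _dmarc.<name>; returns a possibly empty list."""
    txt = DNS_TXT.get("_dmarc." + name)
    return [txt] if txt else []


def discover_policy(from_domain):
    """RFC 7489 6.6.3 policy discovery with step 3A; (record_domain, tags) or None."""
    from_domain = from_domain.lower().rstrip(".")
    org = organizational_domain(from_domain)
    psd = longest_psd(org)
    # Step 1: the RFC5322.From domain itself (PSL names are NOT exempt, Section 3.5).
    candidates = [(from_domain, r) for r in lookup_dmarc(from_domain)]
    # Step 3: the Organizational Domain, if different.
    if not candidates and org != from_domain:
        candidates = [(org, r) for r in lookup_dmarc(org)]
    # Step 3A: the longest PSD, only if the receiver accepts it for PSD DMARC.
    if not candidates and psd != from_domain and psd in PSD_DMARC_REGISTRY:
        candidates = [(psd, r) for r in lookup_dmarc(psd)]
    # Steps 2/4/5: drop non-DMARC1 records; exactly one valid record must remain.
    valid = []
    for domain, record in candidates:
        tags = parse_dmarc_record(record)
        if tags is not None:
            valid.append((domain, tags))
    return valid[0] if len(valid) == 1 else None


def is_nonexistent(domain):
    """Section 2.7 stand-in: no A/AAAA/MX data for the name."""
    return domain.lower().rstrip(".") not in EXISTING_NAMES


def applicable_policy(from_domain):
    """(policy, record_domain) for the message, or None if DMARC does not apply."""
    found = discover_policy(from_domain)
    if found is None:
        return None
    record_domain, tags = found
    if from_domain.lower().rstrip(".") == record_domain:
        return tags["p"].lower(), record_domain
    # Subdomain of the record's domain: np (non-existent only), then sp, then p.
    if "np" in tags and is_nonexistent(from_domain):
        return tags["np"].lower(), record_domain
    if "sp" in tags:
        return tags["sp"].lower(), record_domain
    return tags["p"].lower(), record_domain


if __name__ == "__main__":
    for name in ("www.bank.compute.cloudcompany.com.example",
                 "ghost.bank.compute.cloudcompany.com.example",
                 "nosuch.tenant.compute.cloudcompany.com.example",
                 "tenant.compute.cloudcompany.com.example",
                 "host.other.example"):
        print(name, "->", applicable_policy(name))
```

The two "ghost"/"nosuch" cases show the note above in action: a non-existent subdomain of bank.compute.cloudcompany.com.example gets that Organizational Domain's own sp=none, never the PSO's np=reject, because the Organizational Domain published a record and step 3A is only reached when steps 1 and 3 return nothing; a non-existent subdomain of tenant.compute.cloudcompany.com.example, which has no record, falls through to the PSD record and gets np=reject, while the existing name tenant.compute.cloudcompany.com.example gets sp=quarantine from the same record.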
3.7.  Changes in Section 7 "DMARC Feedback"  [-14: 3.6]

   If this experiment is successful, this paragraph is added to this
   section.

      Operational note for PSD DMARC: For PSOs, feedback for non-existent
      domains is desirable and useful, just as it is for org-level DMARC
      operators.  See Section 4 of [this document] for discussion of
      Privacy Considerations for PSD DMARC.
4.  Privacy Considerations

   [... remainder of the document unchanged ...]

End of changes: 14 change blocks; 19 lines changed or deleted, 32 lines changed or added.
This diff was produced by rfcdiff 1.48 (http://tools.ietf.org/tools/rfcdiff/).