draft-ietf-dmarc-arc-protocol-18.txt   draft-ietf-dmarc-arc-protocol-19.txt

DMARC Working Group                                         K. Andersen
Internet-Draft                                                 LinkedIn
Intended status: Experimental                              B. Long, Ed.
[draft-18] Expires: April 5, 2019                                Google
[draft-19] Expires: May 9, 2019                                  Google
                                                          S. Blank, Ed.
                                                               Valimail
                                                      M. Kucherawy, Ed.
                                                                    TDP
[draft-18]                                              October 2, 2018
[draft-19]                                             November 5, 2018

              Authenticated Received Chain (ARC) Protocol
[draft-18]          draft-ietf-dmarc-arc-protocol-18
[draft-19]          draft-ietf-dmarc-arc-protocol-19

Abstract

   The Authenticated Received Chain (ARC) protocol provides an
   authenticated "chain of custody" for a message, allowing each entity
   that handles the message to see what entities handled it before, and
   to see what the message's authentication assessment was at each step
   in the handling.

   ARC allows Internet Mail Handlers to attach assertions of message
skipping to change at page 2, line 4

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

[draft-18] This Internet-Draft will expire on April 5, 2019.
[draft-19] This Internet-Draft will expire on May 9, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
skipping to change at page 4, line 10

     12.5.  Mailman 3.x patch . . . . . . . . . . . . . . . . . . .  29
     12.6.  Copernica/MailerQ web-based validation  . . . . . . . .  30
     12.7.  Rspamd  . . . . . . . . . . . . . . . . . . . . . . . .  30
     12.8.  PERL MAIL::DKIM module  . . . . . . . . . . . . . . . .  31
     12.9.  PERL Mail::Milter::Authentication module  . . . . . . .  31
     12.10. Sympa List Manager  . . . . . . . . . . . . . . . . . .  31
     12.11. Oracle Messaging Server . . . . . . . . . . . . . . . .  32
     12.12. MessageSystems Momentum and PowerMTA platforms  . . . .  32
     12.13. Exim  . . . . . . . . . . . . . . . . . . . . . . . . .  32
     12.14. Halon MTA . . . . . . . . . . . . . . . . . . . . . . .  32
[draft-19] 12.15. IIJ . . . . . . . . . . . . . . . . . . . . . . .  33
   13.  References  . . . . . . . . . . . . . . . . . . . . . . . .  33
     13.1.  Normative References  . . . . . . . . . . . . . . . . .  33
     13.2.  Informative References  . . . . . . . . . . . . . . . .  34
     13.3.  URIs  . . . . . . . . . . . . . . . . . . . . . . . . .  35
   Appendix A.  Appendix A - Design Requirements . . . . . . . . . .  36
     A.1.  Primary Design Criteria . . . . . . . . . . . . . . . . .  36
     A.2.  Out of Scope  . . . . . . . . . . . . . . . . . . . . . .  36
   Appendix B.  Appendix B - Example Usage . . . . . . . . . . . . .  36
[draft-18] Appendix C.  Acknowledgements  . . . . . . . . . . . . .  36
[draft-19] Appendix C.  Acknowledgements  . . . . . . . . . . . . .  38
[draft-18] Appendix D.  Comments and Feedback . . . . . . . . . . .  37
[draft-19] Appendix D.  Comments and Feedback . . . . . . . . . . .  38
[draft-18] Authors' Addresses . . . . . . . . . . . . . . . . . . .  37
[draft-19] Authors' Addresses . . . . . . . . . . . . . . . . . . .  39

1.  Introduction

   The utility of widely deployed email authentication technologies such
   as Sender Policy Framework (SPF) [RFC7208] and DomainKeys Identified
   Mail (DKIM) [RFC6376] is impacted by the processing of Internet Mail
   by intermediate handlers.  This impact is thoroughly documented in
   the defining documents for SPF and DKIM and further discussed in
   [RFC6377] and [RFC7960].
skipping to change at page 24, line 23

      Status: active

10.2.  Email Authentication Methods Registry Update

   This draft adds several new items to the Email Authentication Methods
   registry, most recently defined in [I-D-7601bis]:

   o  Method: arc
      Definition: this document
      ptype: smtp
[draft-18] Property: client-ip
[draft-19] Property: remote-ip
      Value: IP address of originating SMTP connection
      Status: active
      Version: 1

   o  Method: arc
      Definition: this document
      ptype: header
      Property: oldest-pass
      Value: The instance id of the oldest validating AMS, or 0 if they
      all pass (see Section 5.2)
skipping to change at page 33, line 10

   Organization: Halon
   Status of Operation: Operational as of May 2018
   Coverage: Full spec implemented as of [ARC-DRAFT-14]
   Licensing: Commercial, trial version available for download
   Contact Info: https://halon.io
   Implementation notes:

   o  GPL'd library with ARC capabilities:
      https://github.com/halon/libdkimpp

[draft-19 only]
12.15.  IIJ

   Organization: Internet Initiative Japan (IIJ)
   Status of Operation: Operational as of October 2018
   Coverage: Full spec implemented as of this document
   Licensing: Internal
   Contact Info: https://www.iij.ad.jp/en/
   Implementation notes:

   o  Internal MTA implementation validated during the ARC interop
      exercise in mid-October 2018
[end draft-19 only]
13.  References

13.1.  Normative References

[draft-18 only: these two entries appear under Informative References
in draft-19]
   [draft-levine-eaiauth]
              Levine, J., "E-mail Authentication for Internationalized
              Mail", August 2018, <https://tools.ietf.org/html/
              draft-levine-appsarea-eaiauth-03>.

   [I-D-7601bis]
              Kucherawy, M., "Message Header Field for Indicating
              Message Authentication Status", February 2018,
              <https://datatracker.ietf.org/doc/
              draft-ietf-dmarc-rfc7601bis/>.
[end draft-18 only]

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              <https://www.rfc-editor.org/info/rfc5234>.
[draft-18] skipping to change at page 34, line 37
[draft-19] skipping to change at page 35, line 12

              (I-D-13)", n.d., <https://tools.ietf.org/html/
              draft-ietf-dmarc-arc-protocol-13>.

   [ARC-DRAFT-14]
              Andersen, K., "Authenticated Received Chain (ARC) Protocol
              (I-D-14)", n.d., <https://tools.ietf.org/html/
              draft-ietf-dmarc-arc-protocol-14>.

   [ARC-MULTI]
[draft-18]    Andersen, K., "Using Multiple Signing Algorithms with
              ARC", January 2018, <https://tools.ietf.org/html/
              draft-ietf-dmarc-arc-multi-01>.
[draft-19]    Andersen, K., "Using Multiple Signing Algorithms with
              ARC", June 2018, <https://tools.ietf.org/html/
              draft-ietf-dmarc-arc-multi-02>.

   [ARC-TEST] Blank, S., "ARC Test Suite", January 2017,
              <https://github.com/Valimail/arc_test_suite>.

   [ARC-USAGE]
              Jones, S., Adams, T., Rae-Grant, J., and K. Andersen,
              "Recommended Usage of the ARC Headers", April 2018,
              <https://tools.ietf.org/html/
              draft-ietf-dmarc-arc-usage-05>.

[draft-19 only]
   [draft-levine-eaiauth]
              Levine, J., "E-mail Authentication for Internationalized
              Mail", August 2018, <https://tools.ietf.org/html/
              draft-levine-appsarea-eaiauth-03>.
[end draft-19 only]

   [ENHANCED-STATUS]
              "IANA SMTP Enhanced Status Codes", n.d.,
              <http://www.iana.org/assignments/smtp-enhanced-status-
              codes/smtp-enhanced-status-codes.xhtml>.

[draft-19 only]
   [I-D-7601bis]
              Kucherawy, M., "Message Header Field for Indicating
              Message Authentication Status", February 2018,
              <https://datatracker.ietf.org/doc/
              draft-ietf-dmarc-rfc7601bis/>.
[end draft-19 only]

   [RFC7489]  Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based
              Message Authentication, Reporting, and Conformance
              (DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015,
              <https://www.rfc-editor.org/info/rfc7489>.

   [RFC7942]  Sheffer, Y. and A. Farrel, "Improving Awareness of Running
              Code: The Implementation Status Section", BCP 205,
              RFC 7942, DOI 10.17487/RFC7942, July 2016,
              <https://www.rfc-editor.org/info/rfc7942>.
[draft-18] skipping to change at page 35, line 50
[draft-19] skipping to change at page 36, line 11

   [1] mailto:arc-discuss@dmarc.org
   [2] mailto:arc-discuss@dmarc.org
   [3] https://github.com/Valimail/arc_test_suite
   [4] mailto:arc-discuss@dmarc.org
   [5] mailto:openarc-users@openarc.org
[draft-18] [6] https://trac.ietf.org/trac/dmarc/ticket/17
[draft-18] [7] mailto:dmarc@ietf.org
[draft-18] [8] mailto:arc-discuss@dmarc.org
[draft-18] [9] mailto:arc-interop@dmarc.org
[draft-18] [10] https://arc-spec.org
[draft-19] [6] mailto:dmarc@ietf.org
[draft-19] [7] mailto:arc-discuss@dmarc.org
[draft-19] [8] mailto:arc-interop@dmarc.org
[draft-19] [9] https://arc-spec.org
Appendix A.  Appendix A - Design Requirements

   The specification of the ARC framework is driven by the following
   high-level goals, security considerations, and practical operational
   requirements.

A.1.  Primary Design Criteria

   o  Provide a verifiable "chain of custody" for email messages;

[draft-18] skipping to change at page 36, line 39
[draft-19] skipping to change at page 36, line 47

      Authentication-Results across trust boundaries.

A.2.  Out of Scope

   ARC is not a trust framework.  Users of the ARC header fields are
   cautioned against making unsubstantiated conclusions when
   encountering a "broken" ARC sequence.

Appendix B.  Appendix B - Example Usage
[draft-18]
   [[ TODO: There have been several small changes to the spec that have
   invalidated all the old examples.  Those old examples have been
   removed to prevent confusion.  New examples will be forthcoming
   shortly (early October, 2018) as existing software comes up to date
   with the spec and can independently generate and validate the
   examples.  Issue 17 [6] ]]

   <removed for now to reduce confusion>

[draft-19]
   The following message is an example of one which has passed through
   several intermediary handlers, some of which have modified the
   message and others which have not:

   Return-Path: <jqd@d1.example>
Received: from example.org (example.org [208.69.40.157])
by gmail.example with ESMTP id d200mr22663000ykb.93.1421363207
for <fmartin@example.com>; Thu, 14 Jan 2015 15:02:40 -0800 (PST)
Received: from segv.d1.example (segv.d1.example [72.52.75.15])
by lists.example.org (8.14.5/8.14.5) with ESMTP id t0EKaNU9010123
for <arc@example.org>; Thu, 14 Jan 2015 15:01:30 -0800 (PST)
(envelope-from jqd@d1.example)
Received: from [10.10.10.131] (w-x-y-z.dsl.static.isp.com [w.x.y.z])
(authenticated bits=0)
by segv.d1.example with ESMTP id t0FN4a8O084569;
Thu, 14 Jan 2015 15:00:01 -0800 (PST)
(envelope-from jqd@d1.example)
Received: from mail-ob0-f188.google.example (mail-ob0-f188.google.example
[208.69.40.157]) by clochette.example.org with ESMTP id
d200mr22663000ykb.93.1421363268
for <fmartin@example.org>; Thu, 14 Jan 2015 15:03:15 -0800 (PST)
ARC-Seal: i=3; a=rsa-sha256; cv=pass; d=clochette.example.org; s=
clochette; t=12345; b=CU87XzXlNlk5X/yW4l73UvPUcP9ivwYWxyBWcVrRs7
+HPx3K05nJhny2fvymbReAmOA9GTH/y+k9kEc59hAKVg==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=
clochette.example.org; h=message-id:date:from:to:subject; s=
clochette; t=12345; bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZY
LQ=; b=o71vwyLsK+Wm4cOSlirXoRwzEvi0vqIjd/2/GkYFYlSd/GGfKzkAgPqxf
K7ccBMP7Zjb/mpeggswHjEMS8x5NQ==
ARC-Authentication-Results: i=3; clochette.example.org; spf=fail
smtp.from=jqd@d1.example; dkim=fail (512-bit key)
header.i=@d1.example; dmarc=fail; arc=pass (as.2.gmail.example=pass,
ams.2.gmail.example=pass, as.1.lists.example.org=pass,
ams.1.lists.example.org=fail (message has been altered))
Authentication-Results: clochette.example.org; spf=fail
smtp.from=jqd@d1.example; dkim=fail (512-bit key)
header.i=@d1.example; dmarc=fail; arc=pass (as.2.gmail.example=pass,
ams.2.gmail.example=pass, as.1.lists.example.org=pass,
ams.1.lists.example.org=fail (message has been altered))
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=gmail.example; s=20120806; t=
12345; b=Zpukh/kJL4Q7Kv391FKwTepgS56dgHIcdhhJZjsalhqkFIQQAJ4T9BE
8jjLXWpRNuh81yqnT1/jHn086RwezGw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=
gmail.example; h=message-id:date:from:to:subject; s=20120806; t=
12345; bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZYLQ=; b=CVoG44
cVZvoSs2mMig2wwqPaJ4OZS5XGMCegWqQs1wvRZJS894tJM0xO1RJLgCPsBOxdA5
9WSqI9s9DfyKDfWg==
ARC-Authentication-Results: i=2; gmail.example; spf=fail
smtp.from=jqd@d1.example; dkim=fail (512-bit key)
header.i=@example.org; dmarc=fail; arc=pass (as.1.lists.example.org=pass,
ams.1.lists.example.org=pass)
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=dk-lists;
t=12345; b=TlCCKzgk3TrAa+G77gYYO8Fxk4q/Ml0biqduZJeOYh6+0zhwQ8u/
lHxLi21pxu347isLSuNtvIagIvAQna9a5A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
lists.example.org; h=message-id:date:from:to:subject; s=
dk-lists; t=12345; bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZYL
Q=; b=DsoD3n3hiwlrN1ma8IZQFgZx8EDO7Wah3hUjIEsYKuShRKYB4LwGUiKD5Y
yHgcIwGHhSc/4+ewYqHMWDnuFxiQ==
ARC-Authentication-Results: i=1; lists.example.org; spf=pass smtp.mfrom=jqd@d1.example;
dkim=pass (512-bit key) header.i=@d1.example;
dmarc=pass
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=d1.example; h=
message-id:date:from:to:subject; s=origin2015; bh=bIxxaeIQvmOBdT
AitYfSNFgzPP4=; b=qKjd5fYibKXWWIcMKCgRYuo1vJ2fD+IAQPjX+uamXIGY2Q
0HjQ+Lq3/yHzG3JHJp6780/nKQPOWt2UDJQrJkEA==
Message-ID: <54B84785.1060301@d1.example>
Date: Thu, 14 Jan 2015 15:00:01 -0800
From: John Q Doe <jqd@d1.example>
To: arc@dmarc.example
Subject: [List 2] Example 1
Hey gang,
This is a test message.
--J.
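As an added illustration of the example above (written for this page; not code from the draft or from any implementation listed in Section 12), the following Python groups the message's ARC header fields by instance and applies the structural rules the draft states for chain validation: instances contiguous from 1, exactly one ARC-Seal, ARC-Message-Signature and ARC-Authentication-Results per instance, cv=none only at i=1 and cv=pass above it. The header sample is constructed from the Appendix B message with the signature values shortened; verifying the AS/AMS signatures against the signers' DNS keys, which a real validator must also do, is not attempted here.

```python
import re
# Constructed sample: the ARC header set from the draft's Appendix B message
# (instances 3..1, newest first), folded as in that message, with the base64
# signature values shortened because this check does not verify signatures.
SAMPLE = """\
ARC-Seal: i=3; a=rsa-sha256; cv=pass; d=clochette.example.org; s=
 clochette; t=12345; b=CU87XzXl
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=
 clochette.example.org; h=message-id:date:from:to:subject; s=
 clochette; t=12345; bh=KWSe46TZ; b=o71vwyLs
ARC-Authentication-Results: i=3; clochette.example.org; spf=fail
 smtp.from=jqd@d1.example; dkim=fail; dmarc=fail; arc=pass
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=gmail.example; s=20120806; t=
 12345; b=Zpukh/kJ
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=gmail.example; h=message-id:date:from:to:subject; s=20120806; t=12345; bh=KWSe46TZ; b=CVoG44cV
ARC-Authentication-Results: i=2; gmail.example; spf=fail; dkim=fail; dmarc=fail; arc=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=dk-lists; t=12345; b=TlCCKzgk
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.org; h=message-id:date:from:to:subject; s=dk-lists; t=12345; bh=KWSe46TZ; b=DsoD3n3h
ARC-Authentication-Results: i=1; lists.example.org; spf=pass; dkim=pass; dmarc=pass
"""

ARC_FIELDS = {"arc-seal": "AS", "arc-message-signature": "AMS",
              "arc-authentication-results": "AAR"}

def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    return re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()

def parse_arc_sets(raw):
    """Group ARC fields by instance as {i: {"AS": [tags], "AMS": [...], "AAR": [...]}}; every occurrence is kept so duplicates can be rejected."""
    sets = {}
    for line in unfold(raw):
        name, _, value = line.partition(":")
        kind = ARC_FIELDS.get(name.strip().lower())
        if not kind:
            continue
        tags = {}
        for part in value.split(";"):  # tag=value list; for AAR only i= is used here
            k, eq, v = part.strip().partition("=")
            if eq and " " not in k:
                tags[k] = v.strip()
        inst = int(tags["i"]) if tags.get("i", "").isdigit() else 0
        sets.setdefault(inst, {}).setdefault(kind, []).append(tags)
    return sets

def check_chain(sets, max_instances=50):
    """Structural chain validation status: 'none' (no ARC sets), 'fail' (malformed
    structure or wrong cv values) or 'pass'.  Signature verification against the
    signers' DNS keys is the further step a real validator performs; 50 is the
    chain length limit the ARC spec sets."""
    if not sets:
        return "none", "no ARC header fields"
    n = len(sets)
    if n > max_instances:
        return "fail", "more than %d ARC sets" % max_instances
    if sorted(sets) != list(range(1, n + 1)):
        return "fail", "instance ids not contiguous from 1: %s" % sorted(sets)
    for i in range(1, n + 1):
        for kind in ("AS", "AMS", "AAR"):
            if len(sets[i].get(kind, [])) != 1:
                return "fail", "instance %d must have exactly one %s" % (i, kind)
        cv, want = sets[i]["AS"][0].get("cv"), "none" if i == 1 else "pass"
        if cv != want:
            return "fail", "instance %d has cv=%s, expected cv=%s" % (i, cv, want)
    return "pass", "%d well-formed ARC sets" % n
```

Running check_chain on the sample returns ('pass', '3 well-formed ARC sets'); removing an instance, duplicating one, or changing any cv value makes it return 'fail' together with the reason.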
Appendix C.  Acknowledgements

   This draft originated with the work of OAR-Dev Group.

[draft-18]
   The authors thank all of the OAR-Dev group for the ongoing help and
   thought-provoking discussions from all the participants, especially:
   Alex Brotman, Brandon Long, Dave Crocker, Elizabeth Zwicky, Franck
   Martin, Greg Colburn, J. Trent Adams, John Rae-Grant, Mike Hammer,
   Mike Jones, Steve Jones, Terry Zink, Tim Draegen, Gene Shuman, Scott
   Kitterman, Bron Gondwana.

[draft-19]
   The authors thank all of the OAR-Dev and the subsequent DMARC-WG
   group for the ongoing help and thought-provoking discussions from all
   the participants, especially: Alex Brotman, Brandon Long, Dave
   Crocker, Elizabeth Zwicky, Franck Martin, Greg Colburn, J. Trent
   Adams, John Rae-Grant, Mike Hammer, Mike Jones, Steve Jones, Terry
   Zink, Tim Draegen, Gene Shuman, Scott Kitterman, Bron Gondwana.

   Grateful appreciation is extended to the people who provided feedback
   through the discuss mailing list.

Appendix D.  Comments and Feedback

[draft-18]
   Please address all comments, discussions, and questions to
   dmarc@ietf.org [7].  Earlier discussions can be found at
   arc-discuss@dmarc.org [8].  Interop planning discussions can be found
   at arc-interop@dmarc.org [9].

   Some introductory material for less technical people can be found at
   https://arc-spec.org [10].

[draft-19]
   Please address all comments, discussions, and questions to
   dmarc@ietf.org [6].  Earlier discussions can be found at
   arc-discuss@dmarc.org [7].  Interop planning discussions can be found
   at arc-interop@dmarc.org [8].

   Some introductory material for less technical people can be found at
   https://arc-spec.org [9].
Authors' Addresses

   Kurt Andersen
   LinkedIn
   1000 West Maude Ave
   Sunnyvale, California 94085
   USA

   Email: kurta@linkedin.com

End of changes.  21 change blocks.
44 lines changed or deleted, 123 lines changed or added

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/