draft-ietf-dmarc-arc-protocol-21.txt   draft-ietf-dmarc-arc-protocol-22.txt 
DMARC Working Group K. Andersen DMARC Working Group K. Andersen
Internet-Draft LinkedIn Internet-Draft LinkedIn
Intended status: Experimental B. Long, Ed. Intended status: Experimental B. Long, Ed.
Expires: May 11, 2019 Google Expires: June 15, 2019 Google
S. Blank, Ed. S. Blank, Ed.
Valimail Valimail
M. Kucherawy, Ed. M. Kucherawy, Ed.
TDP TDP
November 7, 2018 December 12, 2018
Authenticated Received Chain (ARC) Protocol Authenticated Received Chain (ARC) Protocol
draft-ietf-dmarc-arc-protocol-21 draft-ietf-dmarc-arc-protocol-22
Abstract Abstract
The Authenticated Received Chain (ARC) protocol provides an The Authenticated Received Chain (ARC) protocol provides an
authenticated "chain of custody" for a message, allowing each entity authenticated "chain of custody" for a message, allowing each entity
that handles the message to see what entities handled it before, and that handles the message to see what entities handled it before, and
to see what the message's authentication assessment was at each step to see what the message's authentication assessment was at each step
in the handling. in the handling.
ARC allows Internet Mail Handlers to attach assertions of message ARC allows Internet Mail Handlers to attach assertions of message
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 11, 2019. This Internet-Draft will expire on June 15, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 21, line 36 skipping to change at page 21, line 36
EXAMPLE: EXAMPLE:
<policy_evaluated> <policy_evaluated>
<disposition>none</disposition> <disposition>none</disposition>
<dkim>fail</dkim> <dkim>fail</dkim>
<spf>fail</spf> <spf>fail</spf>
<reason> <reason>
<type>local_policy</type> <type>local_policy</type>
<comment>arc=pass as[2].d=d2.example as[2].s=s2 <comment>arc=pass as[2].d=d2.example as[2].s=s2
as[1].d=d1.example as[1].s=s3 as[1].d=d1.example as[1].s=s3
remote-ip[1]=10.10.10.13</comment> remote-ip[1]=2001:DB8::1A</comment>
</reason> </reason>
</policy_evaluated> </policy_evaluated>
In the above example DMARC XML reporting fragment, data relating to In the above example DMARC XML reporting fragment, data relating to
specific validated ARC Sets are enumerated using array syntax (eg, specific validated ARC Sets are enumerated using array syntax (eg,
"as[2]" means AS header field with instance value of 2). d2.example "as[2]" means AS header field with instance value of 2). d2.example
is the Sealing domain for ARC Set #2 (i=2) and d1.example is the is the Sealing domain for ARC Set #2 (i=2) and d1.example is the
Sealing domain for ARC Set #1 (i=1). Sealing domain for ARC Set #1 (i=1).
Depending on the reporting practices of intermediate message Depending on the reporting practices of intermediate message
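Review bot: the new remote-ip[1]=2001:DB8::1A in the <comment> is an improvement (2001:DB8::/32 is the documentation prefix; 10.10.10.13 was an RFC 1918 address), but the paragraph explaining the fragment still decodes only as[2] and as[1]. Add one sentence stating that remote-ip[1] is the smtp.remote-ip property reported in the ARC Set #1 AAR, i.e. the address of the connection on which the first sealer received the message, which is why that hop, and not a later one, is worth surfacing in a DMARC report. The comment is free text, so the colons of an IPv6 literal are harmless here; say so, because the same value inside an Authentication-Results pvalue is a different matter.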
skipping to change at page 22, line 20 skipping to change at page 22, line 20
Such information is also included in existing non-ARC related header Such information is also included in existing non-ARC related header
fields such as the "Received" header fields. fields such as the "Received" header fields.
9. Security Considerations 9. Security Considerations
The Security Considerations of [RFC6376] and [I-D-7601bis] apply The Security Considerations of [RFC6376] and [I-D-7601bis] apply
directly to this specification. directly to this specification.
As with other domain authentication technologies (such as SPF, DKIM, As with other domain authentication technologies (such as SPF, DKIM,
and DMARC), ARC makes no claims about the semantic content of and DMARC), ARC makes no claims about the semantic content of
messages. messages. A received message with an ARC chain provides evidence (at
instance N) that: The sealing domain (ARC-Seal d=) processed a
message with this body, determined the reported ARC-Authentication-
Results, and the ARC chain 1..N-1.
9.1. Increased Header Field Size 9.1. Increased Header Field Size
Inclusion of Authenticated Received Chains into messages may cause Inclusion of Authenticated Received Chains into messages may cause
issues for older or constrained MTAs due to increased total header issues for older or constrained MTAs due to increased total header
field size. Large header field blocks, in general, may cause field size. Large header field blocks, in general, may cause
failures to deliver or other outage scenarios for such MTAs. ARC failures to deliver or other outage scenarios for such MTAs. ARC
itself would not cause problems. itself would not cause problems.
9.2. DNS Operations 9.2. DNS Operations
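Review bot: the sentence added to section 9 is grammatically ambiguous and overstates what a chain proves. "determined the reported ARC-Authentication-Results, and the ARC chain 1..N-1" reads as if the sealer determined the earlier sets; the claim also holds only for an instance N whose ARC-Seal and ARC-Message-Signature validate, and the AAR content is the sealer's assertion rather than something the verifier has confirmed. Both qualifiers matter to a DMARC evaluator deciding whether to trust the chain. Suggested wording: "For each instance N whose ARC-Seal and ARC-Message-Signature validate, a received message provides evidence that the sealing domain (ARC-Seal d=) handled a message with this body and these signed header fields, that it asserted the ARC-Authentication-Results it reports at instance N, and that ARC Sets 1..N-1 were present as sealed." In the unchanged 9.1, the opening says ARC "may cause issues" and the closing says "ARC itself would not cause problems"; the second sentence contradicts the first and should state what is meant, for example that the three ARC header fields a hop adds are small relative to the header blocks that trigger such failures.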
skipping to change at page 24, line 21 skipping to change at page 24, line 21
Code: "none", "pass", "fail" Code: "none", "pass", "fail"
Specification: this document 2.2 Specification: this document 2.2
Status: active Status: active
10.2. Email Authentication Methods Registry Update 10.2. Email Authentication Methods Registry Update
This draft adds several new items to the Email Authentication Methods This draft adds several new items to the Email Authentication Methods
registry, most recently defined in [I-D-7601bis]: registry, most recently defined in [I-D-7601bis]:
o Method: arc o Method: arc
Definition: this document Definition: this document section 6
ptype: smtp ptype: smtp
Property: remote-ip Property: remote-ip
Value: IP address of originating SMTP connection Value: IP address (v4 or v6) of originating SMTP connection
Status: active Status: active
Version: 1 Version: 1
o Method: arc o Method: arc
Definition: this document Definition: this document section 6
ptype: header ptype: header
Property: oldest-pass Property: oldest-pass
Value: The instance id of the oldest validating AMS, or 0 if they Value: The instance id of the oldest validating AMS, or 0 if they
all pass (see Section 5.2) all pass (see Section 5.2)
Status: active Status: active
Version: 1 Version: 1
o Method: dkim
Definition: [I-D-7601bis]
ptype: header
Property: s
Value: value of signature "s" tag
Status: active
Version: 1
10.3. Definitions of the ARC header fields 10.3. Definitions of the ARC header fields
This specification adds three new header fields to the "Permanent This specification adds three new header fields to the "Permanent
Message Header Field Registry", as follows: Message Header Field Registry", as follows:
o Header field name: ARC-Seal o Header field name: ARC-Seal
Applicable protocol: mail Applicable protocol: mail
Status: Experimental Status: Experimental
Author/Change controller: IETF Author/Change controller: IETF
Specification document(s): this document Specification document(s): this document
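Review bot: three points on the registry block. (1) The new "Method: dkim / Property: s" entry lists [I-D-7601bis] as its Definition; if that document already registers header.s there is nothing for this draft to add, and if it does not, the Definition should be this document, since the DMARC report fragment on the previous page (as[2].s=s2) is the consumer of the selector. State which it is. (2) "Value: IP address (v4 or v6)" for arc/smtp/remote-ip is the right scope, but confirm that the pvalue grammar in [I-D-7601bis] admits a bare IPv6 literal: an RFC 2045 token cannot contain ":", so producers may have to emit the address as a quoted-string, and an Authentication-Results example with an IPv6 value would settle it. (3) oldest-pass says "see Section 5.2" in its Value while its Definition now points at section 6; check that both references are intended.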
skipping to change at page 37, line 10 skipping to change at page 37, line 10
message and others which have not: message and others which have not:
Return-Path: <jqd@d1.example> Return-Path: <jqd@d1.example>
Received: from example.org (example.org [208.69.40.157]) Received: from example.org (example.org [208.69.40.157])
by gmail.example with ESMTP id d200mr22663000ykb.93.1421363207 by gmail.example with ESMTP id d200mr22663000ykb.93.1421363207
for <fmartin@example.com>; Thu, 14 Jan 2015 15:02:40 -0800 (PST) for <fmartin@example.com>; Thu, 14 Jan 2015 15:02:40 -0800 (PST)
Received: from segv.d1.example (segv.d1.example [72.52.75.15]) Received: from segv.d1.example (segv.d1.example [72.52.75.15])
by lists.example.org (8.14.5/8.14.5) with ESMTP id t0EKaNU9010123 by lists.example.org (8.14.5/8.14.5) with ESMTP id t0EKaNU9010123
for <arc@example.org>; Thu, 14 Jan 2015 15:01:30 -0800 (PST) for <arc@example.org>; Thu, 14 Jan 2015 15:01:30 -0800 (PST)
(envelope-from jqd@d1.example) (envelope-from jqd@d1.example)
Received: from [10.10.10.131] (w-x-y-z.dsl.static.isp.com [w.x.y.z]) Received: from [2001:DB8::1A] (w-x-y-z.dsl.static.isp.example [w.x.y.z])
(authenticated bits=0) (authenticated bits=0)
by segv.d1.example with ESMTP id t0FN4a8O084569; by segv.d1.example with ESMTP id t0FN4a8O084569;
Thu, 14 Jan 2015 15:00:01 -0800 (PST) Thu, 14 Jan 2015 15:00:01 -0800 (PST)
(envelope-from jqd@d1.example) (envelope-from jqd@d1.example)
Received: from mail-ob0-f188.google.example (mail-ob0-f188.google.example Received: from mail-ob0-f188.google.example
[208.69.40.157]) by clochette.example.org with ESMTP id (mail-ob0-f188.google.example [208.69.40.157]) by
d200mr22663000ykb.93.1421363268 clochette.example.org with ESMTP id d200mr22663000ykb.93.1421363268
for <fmartin@example.org>; Thu, 14 Jan 2015 15:03:15 -0800 (PST) for <fmartin@example.org>; Thu, 14 Jan 2015 15:03:15 -0800 (PST)
ARC-Seal: i=3; a=rsa-sha256; cv=pass; d=clochette.example.org; s= ARC-Seal: i=3; a=rsa-sha256; cv=pass; d=clochette.example.org; s=
clochette; t=12345; b=CU87XzXlNlk5X/yW4l73UvPUcP9ivwYWxyBWcVrRs7 clochette; t=12345; b=CU87XzXlNlk5X/yW4l73UvPUcP9ivwYWxyBWcVrRs7
+HPx3K05nJhny2fvymbReAmOA9GTH/y+k9kEc59hAKVg== +HPx3K05nJhny2fvymbReAmOA9GTH/y+k9kEc59hAKVg==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d= ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=
clochette.example.org; h=message-id:date:from:to:subject; s= clochette.example.org; h=message-id:date:from:to:subject; s=
clochette; t=12345; bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZY clochette; t=12345; bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZY
LQ=; b=o71vwyLsK+Wm4cOSlirXoRwzEvi0vqIjd/2/GkYFYlSd/GGfKzkAgPqxf LQ=; b=o71vwyLsK+Wm4cOSlirXoRwzEvi0vqIjd/2/GkYFYlSd/GGfKzkAgPqxf
K7ccBMP7Zjb/mpeggswHjEMS8x5NQ== K7ccBMP7Zjb/mpeggswHjEMS8x5NQ==
ARC-Authentication-Results: i=3; clochette.example.org; spf=fail ARC-Authentication-Results: i=3; clochette.example.org; spf=fail
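Review bot: replacing [10.10.10.131] with [2001:DB8::1A] and isp.com with isp.example in the third Received line is right, and it now matches remote-ip[1]=2001:DB8::1A in the DMARC report fragment earlier in the diff. The other Received lines still carry 208.69.40.157 and 72.52.75.15, which are routable addresses rather than RFC 5737 documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), and 208.69.40.157 is attributed both to example.org (first Received line) and to mail-ob0-f188.google.example (fourth), which makes the hop trace inconsistent; use a distinct documentation address per hop. The fourth Received line (by clochette.example.org, 15:03:15, the i=3 sealer) also sits below the first (by gmail.example, 15:02:40, the i=2 sealer); Received lines are prepended, so the newest hop belongs at the top.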
skipping to change at page 37, line 47 skipping to change at page 37, line 47
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=gmail.example; s=20120806; t= ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=gmail.example; s=20120806; t=
12345; b=Zpukh/kJL4Q7Kv391FKwTepgS56dgHIcdhhJZjsalhqkFIQQAJ4T9BE 12345; b=Zpukh/kJL4Q7Kv391FKwTepgS56dgHIcdhhJZjsalhqkFIQQAJ4T9BE
8jjLXWpRNuh81yqnT1/jHn086RwezGw== 8jjLXWpRNuh81yqnT1/jHn086RwezGw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d= ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=
gmail.example; h=message-id:date:from:to:subject; s=20120806; t= gmail.example; h=message-id:date:from:to:subject; s=20120806; t=
12345; bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZYLQ=; b=CVoG44 12345; bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZYLQ=; b=CVoG44
cVZvoSs2mMig2wwqPaJ4OZS5XGMCegWqQs1wvRZJS894tJM0xO1RJLgCPsBOxdA5 cVZvoSs2mMig2wwqPaJ4OZS5XGMCegWqQs1wvRZJS894tJM0xO1RJLgCPsBOxdA5
9WSqI9s9DfyKDfWg== 9WSqI9s9DfyKDfWg==
ARC-Authentication-Results: i=2; gmail.example; spf=fail ARC-Authentication-Results: i=2; gmail.example; spf=fail
smtp.from=jqd@d1.example; dkim=fail (512-bit key) smtp.from=jqd@d1.example; dkim=fail (512-bit key)
header.i=@example.org; dmarc=fail; arc=pass (as.1.lists.example.org=pass, header.i=@example.org; dmarc=fail; arc=pass
ams.1.lists.example.org=pass) (as.1.lists.example.org=pass, ams.1.lists.example.org=pass)
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=dk-lists; ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=dk-lists;
t=12345; b=TlCCKzgk3TrAa+G77gYYO8Fxk4q/Ml0biqduZJeOYh6+0zhwQ8u/ t=12345; b=TlCCKzgk3TrAa+G77gYYO8Fxk4q/Ml0biqduZJeOYh6+0zhwQ8u/
lHxLi21pxu347isLSuNtvIagIvAQna9a5A== lHxLi21pxu347isLSuNtvIagIvAQna9a5A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
lists.example.org; h=message-id:date:from:to:subject; s= lists.example.org; h=message-id:date:from:to:subject; s=
dk-lists; t=12345; bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZYL dk-lists; t=12345; bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZYL
Q=; b=DsoD3n3hiwlrN1ma8IZQFgZx8EDO7Wah3hUjIEsYKuShRKYB4LwGUiKD5Y Q=; b=DsoD3n3hiwlrN1ma8IZQFgZx8EDO7Wah3hUjIEsYKuShRKYB4LwGUiKD5Y
yHgcIwGHhSc/4+ewYqHMWDnuFxiQ== yHgcIwGHhSc/4+ewYqHMWDnuFxiQ==
ARC-Authentication-Results: i=1; lists.example.org; spf=pass smtp.mfrom=jqd@d1.example; ARC-Authentication-Results: i=1; lists.example.org; spf=pass
dkim=pass (512-bit key) header.i=@d1.example; smtp.mfrom=jqd@d1.example; dkim=pass (512-bit key)
dmarc=pass header.i=@d1.example; dmarc=pass
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=d1.example; h= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=d1.example; h=
message-id:date:from:to:subject; s=origin2015; bh=bIxxaeIQvmOBdT message-id:date:from:to:subject; s=origin2015; bh=bIxxaeIQvmOBdT
AitYfSNFgzPP4=; b=qKjd5fYibKXWWIcMKCgRYuo1vJ2fD+IAQPjX+uamXIGY2Q AitYfSNFgzPP4=; b=qKjd5fYibKXWWIcMKCgRYuo1vJ2fD+IAQPjX+uamXIGY2Q
0HjQ+Lq3/yHzG3JHJp6780/nKQPOWt2UDJQrJkEA== 0HjQ+Lq3/yHzG3JHJp6780/nKQPOWt2UDJQrJkEA==
Message-ID: <54B84785.1060301@d1.example> Message-ID: <54B84785.1060301@d1.example>
Date: Thu, 14 Jan 2015 15:00:01 -0800 Date: Thu, 14 Jan 2015 15:00:01 -0800
From: John Q Doe <jqd@d1.example> From: John Q Doe <jqd@d1.example>
To: arc@dmarc.example To: arc@dmarc.example
Subject: [List 2] Example 1 Subject: [List 2] Example 1
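Review bot: the re-wrap of the i=2 and i=1 AAR lines is fine, but the lines it touches have inconsistencies worth fixing in the same pass. The i=1 AAR reports SPF with smtp.mfrom and the i=2 AAR with smtp.from; [I-D-7601bis] registers smtp.mailfrom for SPF, so both should use that. The arc=pass comment uses as.1.lists.example.org=pass / ams.1.lists.example.org=pass while the DMARC report fragment uses as[1].d=... / as[1].s=...; pick one notation or state that the parenthesised text is free-form. The i=2 AAR records dkim=fail header.i=@example.org, but the only DKIM-Signature in the message is d=d1.example (which i=1 reports as header.i=@d1.example), so a failure is reported for a signature that is not present. Finally, that DKIM-Signature uses a=rsa-sha1 and the AARs note a 512-bit key; RFC 8301 removed rsa-sha1 and requires keys of at least 1024 bits, so rsa-sha256 with a 1024-bit or larger key, as the ARC fields here already use, would keep the example valid.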
 End of changes. 14 change blocks. 
26 lines changed or deleted 21 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
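The chain bookkeeping that the example message and the DMARC report fragment above rely on, as an added example that is not part of the draft or of any ARC implementation: it parses ARC Sets i=1 and i=2 from the example message (the two-hop chain the report fragment describes), performs the instance and cv= checks a validator does before any DNS lookup or signature check, renders the as[N].d=/as[N].s= comment from the report fragment, and computes the registered oldest-pass value from per-instance AMS outcomes. Signature verification is out of scope (the .example domains publish no keys). The cv= rules, the suffix assumption in oldest_pass, and the omission of remote-ip[1] (the sample AARs carry no smtp.remote-ip property) are my assumptions, not text from the draft.

```python
# Added example (not the draft's code): key-free ARC chain checks, no DNS, no signature checks.
import re
from collections import defaultdict

# Constructed sample: ARC Sets i=1 and i=2 of the draft's example message, folded as on the page.
SAMPLE_HEADERS = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=gmail.example; s=20120806; t=
 12345; b=Zpukh/kJL4Q7Kv391FKwTepgS56dgHIcdhhJZjsalhqkFIQQAJ4T9BE
 8jjLXWpRNuh81yqnT1/jHn086RwezGw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=
 gmail.example; h=message-id:date:from:to:subject; s=20120806; t=
 12345; bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZYLQ=; b=CVoG44
 cVZvoSs2mMig2wwqPaJ4OZS5XGMCegWqQs1wvRZJS894tJM0xO1RJLgCPsBOxdA5
 9WSqI9s9DfyKDfWg==
ARC-Authentication-Results: i=2; gmail.example; spf=fail
 smtp.from=jqd@d1.example; dkim=fail (512-bit key)
 header.i=@example.org; dmarc=fail; arc=pass
 (as.1.lists.example.org=pass, ams.1.lists.example.org=pass)
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=dk-lists;
 t=12345; b=TlCCKzgk3TrAa+G77gYYO8Fxk4q/Ml0biqduZJeOYh6+0zhwQ8u/
 lHxLi21pxu347isLSuNtvIagIvAQna9a5A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
 lists.example.org; h=message-id:date:from:to:subject; s=
 dk-lists; t=12345; bh=KWSe46TZKCcDbH4klJPo+tjk5LWJnVRlP5pvjXFZYL
 Q=; b=DsoD3n3hiwlrN1ma8IZQFgZx8EDO7Wah3hUjIEsYKuShRKYB4LwGUiKD5Y
 yHgcIwGHhSc/4+ewYqHMWDnuFxiQ==
ARC-Authentication-Results: i=1; lists.example.org; spf=pass
 smtp.mfrom=jqd@d1.example; dkim=pass (512-bit key)
 header.i=@d1.example; dmarc=pass
"""

ARC_FIELDS = {"arc-seal": "AS", "arc-message-signature": "AMS", "arc-authentication-results": "AAR"}

def unfold(block):
    # RFC 5322 unfolding: a line starting with WSP continues the previous line.
    return re.sub(r"\r?\n[ \t]+", " ", block).splitlines()

def parse_tags(value):
    # tag=value list of an AS/AMS; whitespace inside a value is only folding noise.
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def parse_arc_sets(headers):
    """{i: {"AS": tags, "AMS": tags, "AAR": {"authserv-id": ..., "results": ...}}}"""
    sets = defaultdict(dict)
    for line in unfold(headers):
        name, _, value = line.partition(":")
        kind = ARC_FIELDS.get(name.strip().lower())
        if kind is None:
            continue
        first, _, rest = value.strip().partition(";")
        m = re.fullmatch(r"i\s*=\s*(\d+)", first.strip())
        if not m or kind in sets[int(m.group(1))]:
            raise ValueError("missing i= tag or duplicate field: " + line)
        i = int(m.group(1))
        if kind == "AAR":
            authserv, _, results = rest.strip().partition(";")
            sets[i][kind] = {"authserv-id": authserv.strip(), "results": results.strip()}
        else:
            sets[i][kind] = parse_tags(value)
    return dict(sets)

def validate_chain_structure(sets):
    """Key-free chain validation: "none", "pass" or "fail". My reading of the draft: instances
    exactly 1..N, one AS/AMS/AAR each, i=1 seal cv=none, later seals cv=pass, anything else fails."""
    if not sets:
        return "none"
    n = max(sets)
    if set(sets) != set(range(1, n + 1)):
        return "fail"
    for i in range(1, n + 1):
        if set(sets[i]) != {"AS", "AMS", "AAR"}:
            return "fail"
        if sets[i]["AS"].get("cv") != ("none" if i == 1 else "pass"):
            return "fail"
    return "pass"

def dmarc_report_comment(sets):
    # <comment> of the draft's DMARC XML fragment: newest set first, AS d= and s= per set.
    # remote-ip[1] is omitted because the sample AARs carry no smtp.remote-ip property.
    parts = ["arc=" + validate_chain_structure(sets)]
    for i in sorted(sets, reverse=True):
        as_ = sets[i].get("AS", {})
        parts.append("as[%d].d=%s as[%d].s=%s" % (i, as_.get("d", ""), i, as_.get("s", "")))
    return " ".join(parts)

def oldest_pass(ams_results):
    """oldest-pass as the draft registers it: oldest validating AMS instance, 0 if all validate.
    Assumes (my reading) validating AMSs form a suffix k..N: a change after hop k breaks older ones."""
    n = max(ams_results)
    if not ams_results[n]:
        raise ValueError("newest AMS does not validate; the chain cannot pass")
    k = n
    while k > 1 and ams_results[k - 1]:
        k -= 1
    return 0 if k == 1 else k
```

parse_arc_sets(SAMPLE_HEADERS) yields the two sets; validate_chain_structure returns "pass" for them and "fail" as soon as the i=2 seal is changed to cv=none or instance 1 is removed, which is the cheap pre-check a receiver can run before spending DNS queries on the seals.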