draft-ietf-dmarc-arc-protocol-22.txt   draft-ietf-dmarc-arc-protocol-23.txt 
DMARC Working Group K. Andersen DMARC Working Group K. Andersen
Internet-Draft LinkedIn Internet-Draft LinkedIn
Intended status: Experimental B. Long, Ed. Intended status: Experimental B. Long, Ed.
Expires: June 15, 2019 Google Expires: June 21, 2019 Google
S. Blank, Ed. S. Blank, Ed.
Valimail Valimail
M. Kucherawy, Ed. M. Kucherawy, Ed.
TDP TDP
December 12, 2018 December 18, 2018
Authenticated Received Chain (ARC) Protocol Authenticated Received Chain (ARC) Protocol
draft-ietf-dmarc-arc-protocol-22 draft-ietf-dmarc-arc-protocol-23
Abstract Abstract
The Authenticated Received Chain (ARC) protocol provides an The Authenticated Received Chain (ARC) protocol provides an
authenticated "chain of custody" for a message, allowing each entity authenticated "chain of custody" for a message, allowing each entity
that handles the message to see what entities handled it before, and that handles the message to see what entities handled it before, and
to see what the message's authentication assessment was at each step to see what the message's authentication assessment was at each step
in the handling. in the handling.
ARC allows Internet Mail Handlers to attach assertions of message ARC allows Internet Mail Handlers to attach assertions of message
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 15, 2019. This Internet-Draft will expire on June 21, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 5 skipping to change at page 4, line 5
12. Implementation Status . . . . . . . . . . . . . . . . . . . . 27 12. Implementation Status . . . . . . . . . . . . . . . . . . . . 27
12.1. GMail test reflector and incoming validation . . . . . . 28 12.1. GMail test reflector and incoming validation . . . . . . 28
12.2. AOL test reflector and internal tagging . . . . . . . . 28 12.2. AOL test reflector and internal tagging . . . . . . . . 28
12.3. dkimpy . . . . . . . . . . . . . . . . . . . . . . . . . 29 12.3. dkimpy . . . . . . . . . . . . . . . . . . . . . . . . . 29
12.4. OpenARC . . . . . . . . . . . . . . . . . . . . . . . . 29 12.4. OpenARC . . . . . . . . . . . . . . . . . . . . . . . . 29
12.5. Mailman 3.x patch . . . . . . . . . . . . . . . . . . . 29 12.5. Mailman 3.x patch . . . . . . . . . . . . . . . . . . . 29
12.6. Copernica/MailerQ web-based validation . . . . . . . . . 30 12.6. Copernica/MailerQ web-based validation . . . . . . . . . 30
12.7. Rspamd . . . . . . . . . . . . . . . . . . . . . . . . . 30 12.7. Rspamd . . . . . . . . . . . . . . . . . . . . . . . . . 30
12.8. PERL MAIL::DKIM module . . . . . . . . . . . . . . . . . 31 12.8. PERL MAIL::DKIM module . . . . . . . . . . . . . . . . . 31
12.9. PERL Mail::Milter::Authentication module . . . . . . . . 31 12.9. PERL Mail::Milter::Authentication module . . . . . . . . 31
12.10. Sympa List Manager . . . . . . . . . . . . . . . . . . . 31 12.10. Sympa List Manager . . . . . . . . . . . . . . . . . . . 32
12.11. Oracle Messaging Server . . . . . . . . . . . . . . . . 32 12.11. Oracle Messaging Server . . . . . . . . . . . . . . . . 32
12.12. MessageSystems Momentum and PowerMTA platforms . . . . . 32 12.12. MessageSystems Momentum and PowerMTA platforms . . . . . 32
12.13. Exim . . . . . . . . . . . . . . . . . . . . . . . . . . 32 12.13. Exim . . . . . . . . . . . . . . . . . . . . . . . . . . 33
12.14. Halon MTA . . . . . . . . . . . . . . . . . . . . . . . 32 12.14. Halon MTA . . . . . . . . . . . . . . . . . . . . . . . 33
12.15. IIJ . . . . . . . . . . . . . . . . . . . . . . . . . . 33 12.15. IIJ . . . . . . . . . . . . . . . . . . . . . . . . . . 33
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 33 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 33
13.1. Normative References . . . . . . . . . . . . . . . . . . 33 13.1. Normative References . . . . . . . . . . . . . . . . . . 33
13.2. Informative References . . . . . . . . . . . . . . . . . 34 13.2. Informative References . . . . . . . . . . . . . . . . . 35
13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 35 13.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Appendix A. Design Requirements . . . . . . . . . . . . . . . . 36 Appendix A. Design Requirements . . . . . . . . . . . . . . . . 36
A.1. Primary Design Criteria . . . . . . . . . . . . . . . . . 36 A.1. Primary Design Criteria . . . . . . . . . . . . . . . . . 36
A.2. Out of Scope . . . . . . . . . . . . . . . . . . . . . . 36 A.2. Out of Scope . . . . . . . . . . . . . . . . . . . . . . 37
Appendix B. Example Usage . . . . . . . . . . . . . . . . . . . 36 Appendix B. Example Usage . . . . . . . . . . . . . . . . . . . 37
Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 38 Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 39
Appendix D. Comments and Feedback . . . . . . . . . . . . . . . 38 Appendix D. Comments and Feedback . . . . . . . . . . . . . . . 39
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39
1. Introduction 1. Introduction
The utility of widely deployed email authentication technologies such The utility of widely deployed email authentication technologies such
as Sender Policy Framework (SPF) [RFC7208] and DomainKeys Identified as Sender Policy Framework (SPF) [RFC7208] and DomainKeys Identified
Mail (DKIM) [RFC6376] is impacted by the processing of Internet Mail Mail (DKIM) [RFC6376] is impacted by the processing of Internet Mail
by intermediate handlers. This impact is thoroughly documented in by intermediate handlers. This impact is thoroughly documented in
the defining documents for SPF and DKIM and further discussed in the defining documents for SPF and DKIM and further discussed in
[RFC6377] and [RFC7960]. [RFC6377] and [RFC7960].
skipping to change at page 22, line 20 skipping to change at page 22, line 20
Such information is also included in existing non-ARC related header Such information is also included in existing non-ARC related header
fields such as the "Received" header fields. fields such as the "Received" header fields.
9. Security Considerations 9. Security Considerations
The Security Considerations of [RFC6376] and [I-D-7601bis] apply The Security Considerations of [RFC6376] and [I-D-7601bis] apply
directly to this specification. directly to this specification.
As with other domain authentication technologies (such as SPF, DKIM, As with other domain authentication technologies (such as SPF, DKIM,
and DMARC), ARC makes no claims about the semantic content of and DMARC), ARC makes no claims about the semantic content of
messages. A received message with an ARC chain provides evidence (at messages.
instance N) that: The sealing domain (ARC-Seal d=) processed a A received message with an ARC chain provides evidence (at instance
message with this body, determined the reported ARC-Authentication- N) that: The sealing domain (ARC-Seal d=) processed a message with
Results, and the ARC chain 1..N-1. this body, determined the authentication assessment reported in the
ARC-Authentication-Results, and the ARC chain 1..N-1 (with the
validation status as reported in the cv field).
9.1. Increased Header Field Size 9.1. Increased Header Field Size
Inclusion of Authenticated Received Chains into messages may cause Inclusion of Authenticated Received Chains into messages may cause
issues for older or constrained MTAs due to increased total header issues for older or constrained MTAs due to increased total header
field size. Large header field blocks, in general, may cause field size. Large header field blocks, in general, may cause
failures to deliver or other outage scenarios for such MTAs. ARC failures to deliver or other outage scenarios for such MTAs. ARC
itself would not cause problems. itself would not cause problems.
9.2. DNS Operations 9.2. DNS Operations
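Review bot: the closing sentence of 9.1, "ARC itself would not cause problems.", reads as contradicting the two sentences before it, which say that adding Authenticated Received Chains can push older or constrained MTAs past their header-size limits and cause delivery failures; suggest making the intended distinction explicit, e.g. "The failures are caused by the MTA's limit on total header field size, not by the ARC semantics themselves." In the new 9 text the run-on "provides evidence (at instance N) that: The sealing domain ..." would be clearer as a three-item list: the sealing domain (ARC-Seal d=) processed a message with this body; it determined the assessment reported in ARC-Authentication-Results; and it validated the ARC chain 1..N-1 with the status given in the cv field. The parenthetical about cv is a useful addition since it is the only place the section says what the chain status evidence is.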
skipping to change at page 28, line 25 skipping to change at page 28, line 25
For a few of the implementations, later status information was For a few of the implementations, later status information was
available as of August 2018. available as of August 2018.
12.1. GMail test reflector and incoming validation 12.1. GMail test reflector and incoming validation
Organization: Google Organization: Google
Description: Internal production implementation with both debug Description: Internal production implementation with both debug
analysis and validating + sealing pass-through function analysis and validating + sealing pass-through function
Status of Operation: Production - Incoming Validation Status of Operation: Production - Incoming Validation
Coverage: Full spec implemented as of [ARC-DRAFT-14] Coverage: Full spec implemented as of this document
Licensing: Proprietary - Internal only Licensing: Internal only
Implementation Notes: Implementation Notes:
o Full functionality was demonstrated during the interop testing on o Full functionality was demonstrated during the interop testing on
2018-03-17. 2018-03-17 and 2018-10-12. All traffic going into GSuite, Google
Groups, or GMail mailboxes will have ARC validation and sealing.
Contact Info: arc-discuss@dmarc.org [1] Contact Info: arc-discuss@dmarc.org [1]
12.2. AOL test reflector and internal tagging 12.2. AOL test reflector and internal tagging
Organization: AOL Organization: AOL
Description: Internal prototype implementation with both debug Description: Internal prototype implementation with both debug
analysis and validating + sealing pass-through function analysis and validating + sealing pass-through function
Status of Operation: Beta Status of Operation: Beta
Coverage: ARC Chain validity status checking is operational, but only Coverage: ARC Chain validity status checking is operational, but only
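Review bot: "Coverage: Full spec implemented as of this document" in 12.1 is a self-reference that goes stale the moment the next revision is published; suggest keeping the draft number (the -22 text cited [ARC-DRAFT-14]) or naming the interop date, as the new implementation note already does with 2018-03-17 and 2018-10-12. The Licensing change from "Proprietary - Internal only" to "Internal only" makes 12.1 inconsistent with 12.2, which still says "Proprietary - Internal only". The product names "GMail" and "GSuite" here differ from "Gmail" used later in 12.9; pick one spelling.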
skipping to change at page 29, line 4 skipping to change at page 29, line 5
conforms to [ARC-DRAFT-05] conforms to [ARC-DRAFT-05]
Licensing: Proprietary - Internal only Licensing: Proprietary - Internal only
Implementation Notes: Implementation Notes:
o 2017-07-15: Full functionality verified during the interop o 2017-07-15: Full functionality verified during the interop
testing. testing.
o 2018-06: Partially retired but still accessible by special request o 2018-06: Partially retired but still accessible by special request
due to the in process evolution of the AOL mail infrastructure to due to the in process evolution of the AOL mail infrastructure to
the integrated OATH environment. The implementation was based on the integrated OATH environment. The implementation was based on
the Apache James DKIM code base and may be contributed back to the Apache James DKIM code base.
that project in the future.
o 2018-10: No longer available due to infrastucture changes at AOL/
Yahoo!/Oath.
Contact Info: arc-discuss@dmarc.org [2] Contact Info: arc-discuss@dmarc.org [2]
12.3. dkimpy 12.3. dkimpy
Organization: dkimpy developers/Scott Kitterman Organization: dkimpy developers/Scott Kitterman
Description: Python DKIM package Description: Python DKIM package
Status of Operation: Production Status of Operation: Production
Coverage: Coverage: Full spec implemented as of this document
o 2017-07-15: The internal test suite is incomplete, but the command o 2017-07-15: The internal test suite is incomplete, but the command
line developmental version of validator was demonstrated to line developmental version of validator was demonstrated to
interoperate with the Google and AOL implementations during the interoperate with the Google and AOL implementations during the
interop on 2017-07-15 and the released version passes the tests in interop on 2017-07-15 and the released version passes the tests in
[ARC-TEST] arc_test_suite [3] with both python and python3. [ARC-TEST] arc_test_suite [3] with both python and python3.
o 2018-10: Re-validated in the interop
Licensing: Open/Other (same as dkimpy package = BCD version 2) Licensing: Open/Other (same as dkimpy package = BCD version 2)
Contact Info: https://launchpad.net/dkimpy Contact Info: https://launchpad.net/dkimpy
12.4. OpenARC 12.4. OpenARC
Organization: TDP/Murray Kucherawy Organization: TDP/Murray Kucherawy
Description: Implementation of milter functionality related to the Description: Implementation of milter functionality related to the
OpenDKIM and OpenDMARC packages OpenDKIM and OpenDMARC packages
Status of Operation: Beta Status of Operation: Beta
Coverage: Built to support [ARC-DRAFT-14] Coverage: Built to support this document
Licensing: Open/Other (same as OpenDKIM and OpenDMARC packages) Licensing: Open/Other (same as OpenDKIM and OpenDMARC packages)
Implementation Notes: Implementation Notes:
o Known issues have been resolved with release X o 2018-10: Validated with one bug discovered during interop
o 2018-11: Known issues have been resolved with release 1.0.0-Beta2
Contact Info: arc-discuss@dmarc.org [4], openarc-users@openarc.org Contact Info: arc-discuss@dmarc.org [4], openarc-users@openarc.org
[5] [5]
12.5. Mailman 3.x patch 12.5. Mailman 3.x patch
Organization: Mailman development team Organization: Mailman development team
Description: Integrated ARC capabilities within the Mailman 3.2 Description: Integrated ARC capabilities within the Mailman 3.2
package package
Status of Operation: Patch submitted Status of Operation: Patch submitted
Coverage: Based on OpenARC Coverage: Based on OpenARC
Licensing: Same as mailman package - GPL Licensing: Same as mailman package - GPL
Implementation Notes: Implementation Notes:
o Appears to work properly in at least one beta deployment, but o Appears to work properly in at least one beta deployment, but
waiting on acceptance of the pull request into the mainline of waiting on acceptance of the pull request into the mainline of
mailman development mailman development
o Discussions continuing with Mailman team to get this integrated
Contact Info: https://www.gnu.org/software/mailman/contact.html Contact Info: https://www.gnu.org/software/mailman/contact.html
12.6. Copernica/MailerQ web-based validation 12.6. Copernica/MailerQ web-based validation
Organization: Copernica Organization: Copernica
Description: Web-based validation of ARC-signed messages Description: Web-based validation of ARC-signed messages
Status of Operation: Beta Status of Operation: Beta
Coverage: Built to support [ARC-DRAFT-05] Coverage: Built to support [ARC-DRAFT-05]
Licensing: On-line usage only Licensing: On-line usage only
Implementation Notes: Implementation Notes:
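Review bot: the dkimpy entry in 12.3 now sets "Coverage: Full spec implemented as of this document" but leaves the dated bullets (2017-07-15, 2018-10) hanging under Coverage with no "Implementation Notes:" label, unlike every other entry; suggest adding the label before the bullets. In 12.3 "Licensing: Open/Other (same as dkimpy package = BCD version 2)" looks like a typo for the license name; please confirm what was intended. In 12.2 "infrastucture" should be "infrastructure" and "in process evolution" should be "in-process evolution". In 12.4 the 2018-11 bullet resolves the "release X" placeholder from -22, which is good, but the Status of Operation line still says Beta while the resolving release is named 1.0.0-Beta2; that is consistent, so no change needed there.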
skipping to change at page 30, line 31 skipping to change at page 30, line 37
o Requires full message content to be pasted into a web form found o Requires full message content to be pasted into a web form found
at http://arc.mailerq.com/ (warning - https is not supported). at http://arc.mailerq.com/ (warning - https is not supported).
o An additional instance of an ARC signature can be added if one is o An additional instance of an ARC signature can be added if one is
willing to paste a private key into an unsecured web form. willing to paste a private key into an unsecured web form.
o 2017-07-15: Testing shows that results match the other o 2017-07-15: Testing shows that results match the other
implementations listed in this section. implementations listed in this section.
o 2018-10: not tested during interop
Contact Info: https://www.copernica.com/ Contact Info: https://www.copernica.com/
12.7. Rspamd 12.7. Rspamd
Organization: Rspamd community Organization: Rspamd community
Description: ARC signing and verification module Description: ARC signing and verification module
Status of Operation: Production, though deployment usage is unknown Status of Operation: Production, though deployment usage is unknown
Coverage: Built to support [ARC-DRAFT-14] Coverage: Built to support [ARC-DRAFT-14]
Licensing: Open source Licensing: Open source
Implementation Notes: Implementation Notes:
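Review bot: the second bullet of 12.6 says a private key can be pasted into a web form that the first bullet describes as http-only; since the entry is listed as a working implementation, suggest stating plainly that only disposable test keys should be used with this service, so a reader does not take the entry as an endorsement of submitting production signing keys over an unencrypted form. The new "2018-10: not tested during interop" bullet should be capitalized ("Not tested") to match the other bullets.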
skipping to change at page 30, line 43 skipping to change at page 31, line 4
12.7. Rspamd 12.7. Rspamd
Organization: Rspamd community Organization: Rspamd community
Description: ARC signing and verification module Description: ARC signing and verification module
Status of Operation: Production, though deployment usage is unknown Status of Operation: Production, though deployment usage is unknown
Coverage: Built to support [ARC-DRAFT-14] Coverage: Built to support [ARC-DRAFT-14]
Licensing: Open source Licensing: Open source
Implementation Notes: Implementation Notes:
o 2017-06-12: Released with version 1.6.0 o 2017-06-12: Released with version 1.6.0
o 2017-07-15: Testing during the interop showed that the validation o 2017-07-15: Testing during the interop showed that the validation
functionality interoperated with the Google, AOL, dkimpy and functionality interoperated with the Google, AOL, dkimpy and
MailerQ implementations MailerQ implementations
o 2018-10: Re-validated during the interop
Contact Info: https://rspamd.com/doc/modules/arc.html and Contact Info: https://rspamd.com/doc/modules/arc.html and
https://github.com/vstakhov/rspamd https://github.com/vstakhov/rspamd
12.8. PERL MAIL::DKIM module 12.8. PERL MAIL::DKIM module
Organization: FastMail Organization: FastMail
Description: Email domain authentication (sign and/or verify) module, Description: Email domain authentication (sign and/or verify) module,
previously included SPF / DKIM / DMARC, now has ARC added previously included SPF / DKIM / DMARC, now has ARC added
Status of Operation: Production, deployment usage unknown Status of Operation: Production, deployment usage unknown
Coverage: Built to support [ARC-DRAFT-10] Coverage: Built to support [ARC-DRAFT-10]
Licensing: Open Source Licensing: Open Source
Implementation Notes: Implementation Notes:
o 2017-12-15: v0.50 released with full test set passing for ARC o 2017-12-15: v0.50 released with full test set passing for ARC
o 2018-10: Revalidated during the interop and used for the creation
of the Appendix B example
Contact Info: http://search.cpan.org/~mbradshaw/Mail-DKIM-0.50/ Contact Info: http://search.cpan.org/~mbradshaw/Mail-DKIM-0.50/
12.9. PERL Mail::Milter::Authentication module 12.9. PERL Mail::Milter::Authentication module
Organization: FastMail Organization: FastMail
Description: Email domain authentication milter, uses MAIL::DKIM (see Description: Email domain authentication milter, uses MAIL::DKIM (see
above) above)
Status of Operation: Initial validation completed during IETF99 Status of Operation: Initial validation completed during IETF99
hackathon with some follow-on work during the week hackathon with some follow-on work during the week
Coverage: Built to support [ARC-DRAFT-14] Coverage: Built to support [ARC-DRAFT-14]
Licensing: Open Source Licensing: Open Source
Implementation Notes: Implementation Notes:
o 2017-07-15: Validation functionality which interoperates with o 2017-07-15: Validation functionality which interoperates with
Gmail, AOL, dkimpy was demonstrated; later in the week of IETF99, Gmail, AOL, dkimpy was demonstrated; later in the week of IETF99,
the signing functionality was reported to be working the signing functionality was reported to be working
o 2017-07-20: ARC functionality has not yet been pushed back to the o 2017-07-20: ARC functionality has not yet been pushed back to the
github repo but should be showing up soon github repo but should be showing up soon
o 2018-10: Revalidated during the interop
Contact Info: https://github.com/fastmail/authentication_milter Contact Info: https://github.com/fastmail/authentication_milter
12.10. Sympa List Manager 12.10. Sympa List Manager
Organization: Sympa Dev Community Organization: Sympa Dev Community
Description: Work in progress Description: Beta released Status of Operation: Beta released
Status of Operation: Work in progress Coverage: Built to support this document, based on Mail::DKIM module
Coverage: unknown
Licensing: open source Licensing: open source
Implementation Notes: Implementation Notes:
o 2018-01-05: Tracked as https://github.com/sympa-community/sympa/ o 2018-01-05: Tracked as https://github.com/sympa-community/sympa/
issues/153 issues/153
o 2018-12-08: Sympa 6.2.37 beta 3 incorporates ARC support,
scheduled for stable release 6.2.38 on 2018-12-21
Contact Info: https://github.com/sympa-community Contact Info: https://github.com/sympa-community
12.11. Oracle Messaging Server 12.11. Oracle Messaging Server
Organization: Oracle Organization: Oracle
Description: Description:
Status of Operation: Initial development work during IETF99 Status of Operation: Initial development work during IETF99
hackathon. Framework code is complete, crypto functionality requires hackathon. Framework code is complete, crypto functionality requires
integration with libsodium integration with libsodium
Coverage: Work in progress Coverage: Work in progress
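Review bot: in 12.10 the new "Description: Beta released" is a status, not a description (the -22 "Description: Work in progress" had the same problem), and it duplicates the "Status of Operation: Beta released" field that follows it on the same line; suggest a one-line description such as "ARC sealing and validation in the Sympa list manager, based on Mail::DKIM", which the Coverage line already supports. In 12.11 the Description field is empty. In 12.8 the Contact Info URL pins Mail-DKIM-0.50, so it will point at an old release once later versions ship; the module's generic CPAN page or repository would age better.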
skipping to change at page 32, line 31 skipping to change at page 32, line 47
12.12. MessageSystems Momentum and PowerMTA platforms 12.12. MessageSystems Momentum and PowerMTA platforms
Organization: MessageSystems/SparkPost Organization: MessageSystems/SparkPost
Description: OpenARC integration into the LUA-enabled Momentum Description: OpenARC integration into the LUA-enabled Momentum
processing space processing space
Status of Operation: Beta Status of Operation: Beta
Coverage: Same as OpenARC Coverage: Same as OpenARC
Licensing: Unknown Licensing: Unknown
Implementation Notes: Implementation Notes:
o Initial deployments for validation expected in mid-2018. o 2018-10: Beta version in private evaluation, not tested during
interop.
Contact Info: TBD Contact Info: TBD
12.13. Exim 12.13. Exim
Organization: Exim developers Organization: Exim developers
Status of Operation: Operational; requires specific enabling for Status of Operation: Operational; requires specific enabling for
compile. compile.
Coverage: Full spec implemented as of [ARC-DRAFT-13] Coverage: Full spec implemented as of [ARC-DRAFT-13]
Licensing: GPL Licensing: GPL
Contact Info: exim-users@exim.org Contact Info: exim-users@exim.org
Implementation notes: Implementation notes:
o Implemented as of Exim 4.91 o Implemented as of Exim 4.91
12.14. Halon MTA 12.14. Halon MTA
Organization: Halon Organization: Halon
Status of Operation: Operational as of May 2018 Status of Operation: Operational as of May 2018
Coverage: Full spec implemented as of [ARC-DRAFT-14] Coverage: Full spec implemented as of this document Licensing:
Licensing: Commercial, trial version available for download Commercial, trial version available for download
Contact Info: https://halon.io Contact Info: https://halon.io
Implementation notes: Implementation notes:
o GPL'd library with ARC capabilities: https://github.com/halon/ o GPL'd library with ARC capabilities: https://github.com/halon/
libdkimpp libdkimpp
o 2018-10: Validated during interop
12.15. IIJ 12.15. IIJ
Organization: Internet Initiative Japan (IIJ) Status of Operation: Organization: Internet Initiative Japan (IIJ) Status of Operation:
Operational as of October 2018 Operational as of October 2018
Coverage: Full spec implemented as of this document Coverage: Full spec implemented as of this document
Licensing: Internal Licensing: Internal
Contact Info: https://www.iij.ad.jp/en/ Contact Info: https://www.iij.ad.jp/en/
Implementation notes: Implementation notes:
o Internal MTA implementation validated during the ARC interop o 2018-10: Internal MTA implementation validated during the ARC
exercise in mid-October 2018 interop
13. References 13. References
13.1. Normative References 13.1. Normative References
[draft-levine-eaiauth] [draft-levine-eaiauth]
Levine, J., "E-mail Authentication for Internationalized Levine, J., "E-mail Authentication for Internationalized
Mail", August 2018, <https://tools.ietf.org/html/ Mail", August 2018, <https://tools.ietf.org/html/
draft-levine-appsarea-eaiauth-03>. draft-levine-appsarea-eaiauth-03>.
 End of changes. 28 change blocks. 
34 lines changed or deleted 58 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/