summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7960.txt
blob: 339eb2f253a82ae50bf6558c1c6dbb3d003f248c (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
Internet Engineering Task Force (IETF)                    F. Martin, Ed.
Request for Comments: 7960                                      LinkedIn
Category: Informational                                     E. Lear, Ed.
ISSN: 2070-1721                                       Cisco Systems GmbH
                                                         T. Draegen, Ed.
                                                          dmarcian, inc.
                                                          E. Zwicky, Ed.
                                                                   Yahoo
                                                        K. Andersen, Ed.
                                                                LinkedIn
                                                          September 2016


  Interoperability Issues between Domain-based Message Authentication,
      Reporting, and Conformance (DMARC) and Indirect Email Flows

Abstract

   Domain-based Message Authentication, Reporting, and Conformance
   (DMARC) introduces a mechanism for expressing domain-level policies
   and preferences for email message validation, disposition, and
   reporting.  However, the DMARC mechanism enables potentially
   disruptive interoperability issues when messages do not flow directly
   from the author's administrative domain to the final Recipients.
   Collectively, these email flows are referred to as "indirect email
   flows".  This document describes these interoperability issues and
   presents possible methods for addressing them.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7960.








Martin, et al.                Informational                     [Page 1]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ....................................................3
      1.1. Document Conventions .......................................4
   2. Causes of Interoperability Issues ...............................4
      2.1. Identifier Alignment .......................................4
           2.1.1. DKIM Identifier(s) ..................................5
           2.1.2. SPF Identifier(s) ...................................6
           2.1.3. Multiple RFC5322.From Addresses .....................6
      2.2. Message Forwarding .........................................6
      2.3. Message Modification .......................................7
   3. Internet Mail Architecture, DMARC, and Indirect Email Flows .....8
      3.1. Message Handling System ....................................8
           3.1.1. Message Submission Agents ...........................8
           3.1.2. Message Transfer Agents .............................9
                  3.1.2.1. Message Encoding ...........................9
                  3.1.2.2. Header Standardization ....................10
                  3.1.2.3. Content Validation ........................10
           3.1.3. Message Delivery Agents ............................10
      3.2. Mediators .................................................11
           3.2.1. Alias ..............................................11
           3.2.2. ReSenders ..........................................12
           3.2.3. Mailing Lists ......................................12
                  3.2.3.1. Mailing List Operational Effects ..........13
           3.2.4. Gateways ...........................................13
           3.2.5. Boundary Filters ...................................14
      3.3. Combinations ..............................................15
   4. Possible Mitigations of Interoperability Issues ................15
      4.1. Mitigations in Current Use ................................16
           4.1.1. Mitigations for Senders ............................16
                  4.1.1.1. Identifier Alignment ......................16
                  4.1.1.2. Message Modification ......................17
           4.1.2. Mitigations for Receivers ..........................17



Martin, et al.                Informational                     [Page 2]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


                  4.1.2.1. Identifier Alignment ......................17
                  4.1.2.2. Policy Override ...........................17
           4.1.3. Mitigations for ReSenders ..........................18
                  4.1.3.1. Changes to the RFC5322.From ...............18
                  4.1.3.2. Avoiding Message Modification .............18
                  4.1.3.3. Mailing Lists .............................18
      4.2. Proposed and In-Progress Mitigations ......................20
           4.2.1. Getting More Radical: Requiring New
                  Communication Paths between MUAs ...................21
   5. Security Considerations ........................................21
   6. References .....................................................22
      6.1. Normative References ......................................22
      6.2. Informative References ....................................23
   Appendix A.  Example SPF Bounce ...................................24
     A.1.  Initial Message ...........................................24
     A.2.  Notification Message ......................................25
   Acknowledgments ...................................................26
   Authors' Addresses ................................................27

1.  Introduction

   DMARC [RFC7489] introduces a mechanism for expressing domain-level
   policies and preferences for message validation, disposition, and
   reporting.  The DMARC mechanism, especially when employed with
   restrictive policies, encounters several different types of
   interoperability issues due to third-party message sourcing, message
   transformation, or rerouting.  In particular, DMARC with restrictive
   policies causes problems for many Mailing Lists.

   At the time of writing this document, the DMARC base specification
   has been published as Informational RFC 7489 [RFC7489] and has seen
   significant deployment within the email community.

   Cases in which email does not flow directly from the author's
   administrative domain to the recipient's domain(s) are collectively
   referred to in this document as "indirect email flows".  Due to
   existing and increasing adoption of DMARC, the impact of DMARC-based
   email rejection policies on indirect email flows can be significant
   for a select subset of general email traffic.

   Several known causes of interoperability issues are presented,
   followed by a description of components within the Internet Mail
   Architecture [RFC5598] where interoperability issues can arise.

   Finally, known and possible methods for addressing interoperability
   issues are presented.  There are often multiple ways to address any
   given interoperability issue.  While this document strives to be
   comprehensive in its review, it should not be treated as complete.



Martin, et al.                Informational                     [Page 3]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


   Note that some practices that are in use at the time of this document
   may or may not be "best practices", especially as future standards
   evolve.

1.1.  Document Conventions

   The notation used in this document for structured fields is taken
   from [RFC5598], Section 1.3.

   The term "notification message" ([RFC5321], Section 4.5.5) is used to
   refer to a message with a null RFC5321.MailFrom.

   The terms "Organizational Domain" and "Authenticated Identifiers" are
   specified in DMARC ([RFC7489], Section 3).

   All words that begin with capital letters take their formal meanings
   from these references.

2.  Causes of Interoperability Issues

   Interoperability issues between DMARC and indirect email flows arise
   when conformance to the DMARC specification leads a receiving
   implementation to apply DMARC-based policy restrictions to messages
   that are both compliant with the architecture as specified in
   [RFC5598] and viewed as legitimate by the intended Recipient.

   Note that domains that assert a "p=none" policy and email messages
   that pass standard DMARC validation do not have any interoperability
   issues.

   Email messages that do not conform to IETF email specifications but
   are considered legitimate by the intended Recipients are not
   discussed in this document.

   The rest of this section describes several conceptual causes of
   interoperability issues.

2.1.  Identifier Alignment

   Note to operators and administrators: The identifiers that are used
   by the Sender Policy Framework (SPF) are technical components of the
   transport process for SMTP.  They may or may not, as described below,
   bear a meaningful relationship to the content or source of the
   message itself.  This "relationship by proximity" can be a point of
   confusion for non-technical end users, either recipients or senders.






Martin, et al.                Informational                     [Page 4]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


   DMARC relies on DomainKeys Identified Mail (DKIM) [RFC6376] and SPF
   [RFC7208] to perform message source validation.  The DMARC [RFC7489]
   specification refers to source domains that are validated by DKIM or
   SPF as "Authenticated Identifiers".  To be used by DMARC, an
   "Authenticated Identifier" must also be related to the domain found
   in the message's RFC5322.From header field [RFC5322].  This
   relationship between an Authenticated Identifier's domain and the
   domain of the RFC5322.From is referred to as "Identifier Alignment".

   DMARC allows for Identifier Alignment to be determined in two
   different modes: strict and relaxed.  Strict mode requires an exact
   match between the domain of any of the Authenticated Identifiers and
   the message's RFC5322.From header field [RFC5322].  Relaxed mode
   allows for Identifier Alignment if Authenticated Identifiers and the
   message's RFC5322.From header field [RFC5322] share the same
   Organizational Domain.  In general, DMARC interoperability issues are
   the same for both strict and relaxed alignment, but strict alignment
   constrains the possible solutions because of the more rigorous
   matching requirement.  Some of the mitigations described in this
   document only work with the relaxed mode of Identifier Alignment.

2.1.1.  DKIM Identifier(s)

   DKIM provides a cryptographic means for one or more domain
   identifiers to be associated with a particular message.  As a
   standalone technology, DKIM identifiers are not required to be
   related to the source of the message's content.  However, for a DKIM
   identifier to align in DMARC, the signing domain of a valid signature
   must be part of the same Organizational Domain as the domain in the
   RFC5322.From header field [RFC5322].

   In addition, DKIM allows for the possibility of multiple valid
   signatures.  These multiple signatures may be from the same or
   different domains; there are no restrictions within the DKIM
   specification.  The DMARC mechanism will process Authenticated
   Identifiers that are based on DKIM signatures until an aligned
   Authenticated Identifier is found (if any).  However, operational
   experience has shown that some implementations have difficulty
   processing multiple signatures.  Implementations that cannot process
   multiple DKIM signatures may incorrectly flag messages as "not
   passing" (DMARC alignment) and erroneously apply DMARC-based policy
   to otherwise conforming messages.









Martin, et al.                Informational                     [Page 5]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


2.1.2.  SPF Identifier(s)

   The SPF specification [RFC7208] defines two Authenticated Identifiers
   for each message.  These identifiers derive from:

   a.  the RFC5321.MailFrom [RFC5321] domain, and

   b.  the RFC5321.HELO/.EHLO SMTP domain.

   In the SPF specification, the RFC7208.MAILFROM [RFC7208] value is
   defined to be based on RFC5321.MailFrom unless that value is absent
   (as in the case of notification messages), in which case, the second
   (RFC5321.HELO/.EHLO) identifier value is used.  This "fallback"
   definition has occasionally been misunderstood by operators of MTA
   systems since notification messages are often an "automatic" feature
   of MTA software.  Some MTA software does not provide the ability to
   apply a DKIM signature to such notification messages.

   See Appendix A for an example treatment of this scenario.

   For the purposes of DMARC validation/alignment, the hybrid
   RFC7208.MAILFROM [RFC7208] identifier's domain is used if and only if
   it is aligned with the RFC5322.From [RFC5322] domain.  The alignment
   of the validated domain is determined based on the DMARC record's
   "strict" or "relaxed" designation as described above for the DKIM
   identifiers and in [RFC7489].

2.1.3.  Multiple RFC5322.From Addresses

   [RFC5322] permits only one From header field, but it may contain
   multiple mailboxes.  Since this is an extremely rare usage, DMARC
   specifies that the handling of this situation is implementation
   dependent.

   Because the presence of multiple domains can be used by an attacker
   (an attacker could add their domain to the RFC5322.From field,
   provide arbitrary new content, and sign the message), the DMARC
   specification recommends that the strictest policy be applied to such
   messages (Section 6.6.1 of [RFC7489]).

2.2.  Message Forwarding

   Section 3 describes forwarding behavior as it relates to the
   components of the Internet Mail Architecture.

   All forwarding operations involve the retransmission of email.  As
   discussed above, in order for SPF to yield an Authenticated
   Identifier that is pertinent to DMARC, the domain of the



Martin, et al.                Informational                     [Page 6]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


   RFC7208.MAILFROM must be in alignment with the RFC5322.From header
   field.  Forwarding introduces specific issues to the availability of
   SPF-based Authenticated Identifiers:

   o  If the RFC5321.MailFrom is present and the forwarder maintains the
      original RFC5321.MailFrom, SPF validation will fail unless the
      forwarder is an authorized part of the originator's email sending
      infrastructure.  If the forwarder replaces the RFC5321.MailFrom
      with its own domain, SPF might pass, but Identifier Alignment with
      the RFC5322.From header field will fail.

   o  If the RFC5321.MailFrom is empty (as in the case of Delivery
      Status Notifications), the RFC5321.HELO/.EHLO domain of the
      forwarder will likely be in a different Organizational Domain than
      the original RFC5322.From header field's domain.  SPF may pass,
      but Identifier Alignment with the RFC5322.From header field will
      fail.

   In both cases, SPF cannot yield relevant Authenticated Identifiers,
   and DKIM must be relied upon to produce results that are relevant to
   DMARC.

2.3.  Message Modification

   Modification of email content invalidates most DKIM signatures, and
   many message-forwarding systems modify email content.  Mailing List
   processors are a common example of such systems, but other forwarding
   systems also make modifications.

   Although DKIM provides a length flag so that content can be appended
   without invalidating the signature, in practice, particularly with
   MIME-encoded [RFC2045] messages, a Mailing List processor will do
   more than simply append content (see Section 5.3 of [RFC5598] for
   details).  Furthermore, the length flag is seldom used due to
   security issues (see Section 8.2 of [RFC6376] for additional security
   considerations).  Therefore, this method is only mentioned here for
   completeness.

   DKIM describes two canonicalizations for use when preparing the
   header and body for DKIM processing: simple and relaxed.  The latter
   is designed to accommodate trivial modifications to whitespace and
   folding that, at least in the header case, generally have no semantic
   significance.  However, the relaxed canonicalization is more
   computationally intensive and may not have been preferred in the
   early deployment of DKIM, leaving some deployments using the less
   forgiving "simple" canonicalization.  While the prevalence is
   unknown, there are some DKIM verifiers that have problems evaluating
   relaxed canonicalization correctly.



Martin, et al.                Informational                     [Page 7]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


3.  Internet Mail Architecture, DMARC, and Indirect Email Flows

   This section describes components within the Internet Mail
   Architecture [RFC5598] where interoperability issues between DMARC
   and indirect email flows can be found.

3.1.  Message Handling System

   Section 4 of [RFC5598] describes six basic components that make up
   the Message Handling System (MHS):

   o  Message

   o  Message User Agent (MUA)

   o  Message Submission Agent (MSA)

   o  Message Transfer Agent (MTA)

   o  Message Delivery Agent (MDA)

   o  Message Store (MS)

   Of these components, MSA, MTA, and MDA are discussed in relation to
   interoperability with DMARC.

   Section 5 of [RFC5598] also defines a Mediator as a hybrid of several
   component types.  A Mediator is given special consideration in this
   section due to the unique issues they face when attempting to
   interoperate with DMARC.

3.1.1.  Message Submission Agents

   An MSA accepts messages submitted by a Message User Agent (MUA) and
   enforces the policies of the hosting ADministrative Management Domain
   (ADMD) and the requirements of Internet standards.

   MSAs are split into two sub-components:

   o  Author-focused MSA functions (aMSA)

   o  MHS-focused MSA functions (hMSA)

   MSA interoperability issues with DMARC begin when an aMSA accepts a
   message where the RFC5322.From header field contains a domain that is
   outside of the ADMD of the MSA.  This situation manifests in one of
   several ways, such as when someone uses a mail service with their own
   domain but has failed to properly configure an SPF record or when an



Martin, et al.                Informational                     [Page 8]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


   MUA attempts to transmit mail as someone else.  Examples of the
   latter situation include "forward-to-friend" functionality commonly
   found on news/article websites or "send-as" functionality present on
   some MUAs.

   When an hMSA takes responsibility for transit of a message containing
   a domain in the RFC5322.From header field that is outside of the
   hMSA's ADMD, the hMSA faces DMARC interoperability issues if the
   domain publishes a DMARC policy of "quarantine" or "reject".  These
   issues are marked by the inherent difficulty of establishing
   alignment with the domain present in a message's RFC5322.From header
   field.  Examples of this issue include:

   o  Partially open relays - a residential ISP that allows its
      customers to relay non-local domains through its infrastructure.

   o  Embedded devices - cable/DSL modems, firewalls, wireless access
      points, and printers that send email using hardcoded domains.

   o  Devices that send mail on behalf of a user - scanners, security
      cameras, and alarms that send mail as their owner or a device
      user.

   o  Email service providers - ESPs that service customers who are
      using domains that publish a DMARC "reject" policy.

   o  Calendaring software - an invited member of an event modifies the
      event, causing the calendaring software to emit an update that
      claims to come from the creator of the event.

3.1.2.  Message Transfer Agents

   MTAs relay a message until the message reaches a destination MDA.
   Some common message-handling strategies break the integrity of DKIM
   signatures.  A restrictive DMARC policy along with a broken DKIM
   signature causes latent interoperability problems to become overt
   problems.

3.1.2.1.  Message Encoding

   An MTA may modify the message encoding, for instance, by converting
   8-bit MIME sections to quoted-printable 7-bit sections.  This
   modification is outside the scope of DKIM canonicalization and will
   invalidate DKIM signatures that include message content.







Martin, et al.                Informational                     [Page 9]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


   An MTA could also re-encode the message without changing the encoding
   type: receiving a MIME-encoded message and producing a semantically
   and semiotically equivalent MIME body that is not identical to the
   original.  This is characteristic of systems that use some other
   message representation internally.

3.1.2.2.  Header Standardization

   An MTA may rewrite headers to bring them into compliance with
   existing RFCs.  For example, some common MTAs will correct
   comprehensible but non-compliant date formats to compliant ones.

   Header rewriting is outside the scope of DKIM canonicalization and
   will invalidate DKIM signatures.  All downstream DMARC processing
   with be unable to utilize DKIM to yield Authenticated Identifiers due
   to header rewriting.

   Providing solutions for issues relating to non-RFC-compliant emails
   is outside the scope of this document.

3.1.2.3.  Content Validation

   An MTA may also implement security-motivated changes to the content
   of email messages, dropping or altering sections of messages, causing
   breakage of DKIM signatures.

3.1.3.  Message Delivery Agents

   The MDA transfers a message from the MHS to a mailbox.  Like the MSA,
   the MDA consists of two sub-components:

   o  MHS-focused MDA functions (hMDA)

   o  Recipient-focused MDA functions (rMDA)

   Both the hMDA and the rMDA can redirect a message to an alternative
   address.  DMARC interoperability issues related to redirecting of
   messages are described in Section 3.2.

   Sieve [RFC5228] functionality often lives in the rMDA sub-component
   and can cause DMARC interoperability issues.  The Sieve 'addheader'
   and 'deleteheader' filtering actions can modify messages and
   invalidate DKIM signatures, removing DKIM-supplied Authenticated
   Identifiers as inputs to the DMARC mechanism.  There are also Sieve
   extensions [RFC5703] that modify the body.  Sieve alterations may
   only become an issue when the email is reintroduced into the
   transport infrastructure.




Martin, et al.                Informational                    [Page 10]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


3.2.  Mediators

   Mediators [RFC5598] forward messages through a re-posting process.
   Mediators share some functionality with basic MTA relaying but have
   greater flexibility in both addressing and content modifications.

   DMARC interoperability issues are common within the context of
   Mediators, which are often used precisely for their ability to modify
   messages.

   The DMARC design does not cope with some Mediator functionality such
   as content modifications that invalidate DKIM signatures and
   RFC5321.MailFrom rewriting to support SPF authentication of re-sent
   mail when the new Recipient receives the message from the Mediator
   rather than the initial organization.

3.2.1.  Alias

   An Alias is a simple re-addressing facility that provides one or more
   new Internet Mail addresses, rather than a single, internal one.  A
   message continues through the transfer service for delivery to one or
   more alternative addresses.

   Aliases can be implemented by mailbox-level forwarding (e.g., through
   "dot-forwarding"), Sieve-level forwarding (through the Sieve
   "redirect" action), or other methods.  When an Alias preserves
   message content and does not make significant header changes, DKIM
   signatures may remain valid.  However, Aliases often extend the
   delivery path outside of the scope covered by the originating ADMD's
   SPF record(s).

   Examples of Aliasing include:

   o  Forwarding email between free email (freemail) providers to try
      different interfaces while maintaining an original email address;

   o  Consolidating many email addresses into a single account to
      centralize processing; and

   o  Services that provide "activity-based", "role-based", "vanity", or
      "temporary" email addresses such as universities and professional
      associations.  For instance, professional or alumni institutions
      may offer their members an Alias for the duration of their
      membership but may not want to deal with the long-term storage of
      emails.






Martin, et al.                Informational                    [Page 11]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


   In most cases, the aMSA providing Alias services has no
   administrative relationship to the ADMD of the originator or the
   Final Recipient, so solutions to Alias-related DMARC failure should
   not assume such a relationship.

3.2.2.  ReSenders

   ReSenders "splice" a message's addressing information to connect the
   Author of the original message with the Recipient(s) of the new
   message.  The new Recipient sees the message as being from the
   original Author, even if the Mediator adds commentary.

   Without Authenticated Identifiers aligned with the Author's
   RFC5322.From header field domain, the new Recipient has no way to
   achieve a passing DMARC evaluation.

   Examples of ReSenders include MUA-level forwarding by resending a
   message to a new Recipient or by forwarding a message "inline" to a
   new Recipient (this does not include forwarding a message "as an
   attachment").  An additional example comes in the form of calendaring
   software that allows a meeting attendee (not the meeting organizer)
   to modify the content of an invite generating new invitations that
   claim to be reissued from the meeting organizer.

3.2.3.  Mailing Lists

   A Mailing List receives messages as an explicit addressee and then
   reposts them to a list of subscribed members.  The Mailing List
   performs a task that can be viewed as an elaboration of the ReSender
   actions.

   Mailing Lists share the same DMARC interoperability issues as
   ReSenders (Section 3.2.2) and very commonly modify headers or message
   content in ways that will cause DKIM to fail, including:

   o  prepending the RFC5322.Subject header field with a tag, to allow
      the Recipient to easily identify the Mailing List within a subject
      line listing;

   o  adding a footer to the email body to contain administrative
      instructions;

   o  removing some MIME-parts from the email or converting the message
      to text only;

   o  encrypting the body with the Recipient's key using PGP (Pretty
      Good Privacy) or S/MIME;




Martin, et al.                Informational                    [Page 12]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


   o  enforcing community standards by rewriting banned words; and

   o  allowing moderators to add arbitrary commentary to messages
      (discussed in [RFC6377]).

   Any such modifications would invalidate a DKIM signature.

   Header and content modifications are common for many Mailing Lists
   and are often central to present Mailing List functionality and
   usage.  Furthermore, MUAs have come to rely on Mailing List message
   modifications to present messages to end users in expected ways.

3.2.3.1.  Mailing List Operational Effects

   Mailing Lists may also have the following DMARC interoperability
   issues:

   o  Subscribed members may not receive email from members that post
      using domains that publish a DMARC "p=reject" policy.

   o  Mailing Lists may interpret DMARC-related email rejections as an
      inability to deliver email to the Recipients that are checking and
      enforcing DMARC policy.  This processing may cause subscribers
      that are checking and enforcing DMARC policy to be inadvertently
      suspended or removed from the Mailing List.

3.2.4.  Gateways

   A Gateway performs the basic routing and transfer work of message
   relaying, but it is also permitted to modify content, structure,
   addressing, and/or other attributes as needed to send the message
   into a messaging environment that operates under different standards
   or potentially incompatible policies.

   Gateways share the same DMARC interoperability issues as ReSenders
   (Section 3.2.2).

   Gateways may also share the same DMARC interoperability issues as
   MTAs (Section 3.1.2).

   Receiver systems on the non-SMTP side of a protocol Gateway may be
   unable to evaluate DKIM and SPF.  If a message passes through a
   second protocol Gateway back into the SMTP domain, the
   transformations commonly break the original DKIM signature(s).

   Gateway-level forwarding can introduce DMARC interoperability issues
   if the Gateway is configured to rewrite the message into alternate
   receiving domains.  For example, an acquisition may lead an acquiring



Martin, et al.                Informational                    [Page 13]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


   company to decide to decommission the acquired company's domains by
   rewriting messages to use the domain of the acquiring company.  Since
   the RFC5322.To header field is usually DKIM-signed, this kind of
   rewriting will invalidate such DKIM signatures.

3.2.5.  Boundary Filters

   To enforce security boundaries, organizations can subject messages to
   analysis for conformance with their safety policies.  A filter might
   alter the content to render it safe, such as by removing or otherwise
   altering content deemed unacceptable.

   Boundary Filters share the same DMARC interoperability issues as
   ReSenders.

   Issues may arise with SPF and DKIM evaluation if performed after
   filter modifications.

   Examples of Boundary Filters include:

   o  Malware scanning: To protect readers and its reputation, an MTA
      that transfers a message may remove content believed to be harmful
      from messages, reformulate content to canonical formats in order
      to make them more trustworthy or easier to scan, and/or add text
      in the body to indicate the message has been scanned.  Any such
      modifications would invalidate a DKIM signature.

   o  Spam filtering: To protect its reputation and assist other MTAs,
      an MTA may modify a message to indicate its decision that the
      message is likely to be unwanted and/or add text in the body to
      indicate that such filtering has been done.

   o  Other text additions: An MTA may add an organizational disclaimer
      or advertisement, for instance.

   o  URL alteration: Some systems will rewrite or alter embedded URLs
      as a way to control the potential threat from malware.

   o  Secondary MX services: The secondary MX for an organization may be
      external to the normal mail processing for the organization, and
      it may queue and forward to the primary when it becomes available.
      This will not invalidate DKIM but will prevent the primary from
      validating SPF normally.  In this case, however, it is
      inappropriate for a primary MX server to perform an SPF check
      against its own secondaries.  Rather, the secondary MX should
      perform this function and employ some trusted mechanism to
      communicate the results of the SPF, DKIM, and DMARC evaluation(s)
      to the primary MX server.



Martin, et al.                Informational                    [Page 14]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


3.3.  Combinations

   Indirect email flows can be combined.  For example, a university
   student may subscribe to a Mailing List (using his university email
   address) while this university email address is configured to forward
   all emails to a freemail or a post-education corporate account
   provider where a more permanent email address for this student
   exists.

   Within an organization, the message may pass through various MTAs
   (Section 3.1.2), each of which performs a different function
   (authentication, filtering, distribution, etc.).

4.  Possible Mitigations of Interoperability Issues

   Solutions to interoperability issues between DMARC and indirect email
   flows vary widely in their scope and implications.  They range from
   improvements to underlying processing, such as proper handling of
   multiple DKIM signatures, to more radical changes to the messaging
   architecture.  This section describes possible ways to address
   interoperability issues.  Note that these particular mechanisms may
   not be considered "best practices" and may, in some cases, violate
   various conventions or expectations.

   Receivers sometimes need to deliver email messages that do not
   conform to any standard or protocol, but are otherwise desired by end
   users.  Mitigating the impact of DMARC on indirect email flows is
   especially important to receivers that operate services where ease of
   use and compatibility with existing email flows is a priority.

   DMARC provides a mechanism (local policy) for receivers to make
   decisions about identity alignment acceptability based on information
   outside DMARC and communicate those decisions as "overrides" to the
   sender.  This facility can be used to ease some interoperability
   issues, although care is needed to ensure that this does not create
   loopholes for abuse.

   To further complicate the usage of mitigations, mitigation may not be
   desired if the email in question is of a certain category of high
   value or high risk (security-related) transactional messages (dealing
   with financial transactions or medical records, for example).  In
   these cases, mitigating the impact of DMARC due to indirect email
   flows may not be desirable (counterproductive or allowing for abuse).

   As a final note, mail systems are diverse and widely deployed.
   Systems of various ages and capabilities are expected to preserve
   interoperability with the rest of the SMTP ecosystem.  For instance,
   Qmail is still used, although the base code has not been updated



Martin, et al.                Informational                    [Page 15]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


   since 1998. ezmlm, a once popular MLM, is still deployed but has not
   been updated since 1997, although a new version (ezmlm-idx) exists.
   Old versions of other open- and closed-source MTAs are still commonly
   in operation.  When dealing with aging or unsupported systems, some
   solutions may be time-consuming and/or disruptive to implement.

4.1.  Mitigations in Current Use

   Because DMARC is already widely deployed, many operators already have
   mitigations in use.  These mitigations vary in their effectiveness
   and side effects but have the advantage that they are currently
   available.

4.1.1.  Mitigations for Senders

4.1.1.1.  Identifier Alignment

   o  MTAs handling multiple domains may choose to change
      RFC5321.MailFrom to align with RFC5322.From to improve SPF
      usability for DMARC.

   o  MTAs handling multiple domains may also choose to align
      RFC5321.HELO/.EHLO to RFC5322.From, particularly when sending
      notification messages.  Dynamically adjusting the
      RFC5321.HELO/.EHLO based on the RFC5322.From may not be possible
      for some MTA software.

   o  MTAs may choose to DKIM-sign notification messages with an aligned
      domain to allow a DKIM-based DMARC pass.

   o  MTAs sending email on behalf of multiple domains may require
      Domain Owners to provide DKIM keys to use DKIM to avoid SPF
      validation issues, given the requirement for DMARC alignment with
      the RFC5322.From header field.  Managing DKIM keys with a third
      party has security risks that should be carefully managed (see
      also [RFC6376], Section 8).  Methods involving CNAMEs and/or
      subdomains may alleviate some risks.

   o  Senders who are sending on behalf of users in other administrative
      domains may choose to use an RFC5322.From under the sender's
      control.  The new From can be either a forwarding address in a
      domain controlled by the Sender or a placeholder address, with the
      original user's address in an RFC5322.Reply-to header field.
      However, performing this modification may cause the Recipient's
      MUA to deviate from customary behavior.






Martin, et al.                Informational                    [Page 16]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


   o  When implementing "forward-to-friend" functionality, one approach
      to avoid DMARC failures is to pass a well-formed message to the
      user's MUA so that it may fill in an appropriate identity and
      submit through its own MSA.

   o  Senders can use domains with distinct DMARC policies for email
      sent directly and email known to use indirect mail flows.
      However, for most well-known brands, all active domains are likely
      to be targeted equally by abusers.

4.1.1.2.  Message Modification

   o  Senders can maximize survivability of DKIM signatures by limiting
      the header fields they sign and using relaxed canonicalization.
      Using the DKIM length tag to allow appended signatures is
      discouraged due to the security risk created by allowing arbitrary
      content to be appended to legitimate email.

   o  Senders can also maximize survivability by starting with RFC-
      compliant headers and common body formats.

   o  In order to minimize transport-based conversions, Senders can
      convert messages to a lowest denominator MIME content-transfer
      encoding such as quoted-printable or base64 before signing
      ([RFC6376], Section 5.3).

4.1.2.  Mitigations for Receivers

4.1.2.1.  Identifier Alignment

   o  Receivers should update DKIM handling libraries to ensure that
      they process all valid DKIM signatures and check each signature
      for alignment.

4.1.2.2.  Policy Override

   o  Receivers can amalgamate data from their user base to create lists
      of forwarders and use such lists to inform DMARC local policy
      overrides.  This process may be easier for large receivers where
      data and resources to create such lists are more readily available
      than at smaller sites, where there are fewer accounts that receive
      forwarded mail and other resources may be scarce.









Martin, et al.                Informational                    [Page 17]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


4.1.3.  Mitigations for ReSenders

4.1.3.1.  Changes to the RFC5322.From

   Many ReSender issues can be avoided by using an RFC5322.From header
   field under the ReSender's control, instead of the initial
   RFC5322.From.  This will correct Identifier Alignment issues and
   allow arbitrary message modification as long as the ReSender signs
   the message with an aligned domain signature.  When ReSenders change
   the RFC5322.From, it is desirable to preserve the information about
   the original initiator of the message.

   A first option is to use the Original-From [RFC5703] (or X-Original-
   From) header field for this purpose in various contexts (X- header
   field names are discouraged by [RFC6648]).  However, handling of
   Original-From (or X-Original-From) is not defined anywhere.  It is
   not currently used consistently or displayed to the user, and in any
   situation where it is used, it is a new unauthenticated identifier
   available for exploitation unless included within the scope of the
   new DKIM signature(s).

   Another option for ReSenders is to rewrite the RFC5322.From header
   field address to a locally controlled address that will be forwarded
   back to the original sender (subject to its own ReSender forwarding
   mitigations).

4.1.3.2.  Avoiding Message Modification

   o  Forwarders can choose to add email header fields instead of
      modifying existing headers or bodies, for instance, to indicate a
      message may be spam.

   o  Forwarders can minimize the circumstances in which they choose to
      fix messages, preferring to preserve non-compliant headers to
      creating DKIM failures.

   o  Forwarders can choose to reject messages with suspect or harmful
      content instead of modifying them.

4.1.3.3.  Mailing Lists

   [RFC6377] provides some guidance on using DKIM with Mailing lists.
   The following mitigation techniques can be used to ease
   interoperability issues with DMARC and Mailing lists:

   o  Configuring the Mailing List Manager (MLM) to alter the
      RFC5322.From header field to use the domain of the MLM is a
      mitigation policy that is now present in several different Mailing



Martin, et al.                Informational                    [Page 18]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


      List software distributions.  Since most list subscribers prefer
      to know the identity of the Author of the original message,
      typically this information may be provided in the display name
      part of the RFC5322.From header field.  This display name needs to
      be carefully crafted so as to not collide with the original
      display name of the Author, nor contain something that looks like
      an email address or domain name.  These modifications may to some
      extent defeat the purpose of DMARC itself.  It may make it
      difficult to ensure that users of all email clients can easily
      reply to the Author, the list, or all using the email client
      features provided for that purpose.  Use of the RFC5322.Reply-To
      header field can alleviate this problem depending on whether the
      Mailing List is configured to reply-to-list, reply-to-author, or
      reply-to-fixed-address; however, it is important to note that this
      header field can take multiple email addresses.  When altering the
      RFC5322.From, there are three possibilities:

      1.  change it to put the Mailing List email address,

      2.  change it to a locally defined address that will be forwarded
          back to the original sender, or

      3.  "break" the address by modifying the domain to a non-existent
          domain (such as by adding a suffix like ".invalid").

      The latter modification may create issues because it is an invalid
      domain name, and some MTAs may pay particular attention to the
      validity of email addresses in RFC5322.From and the reputation of
      the domains present there.

   o  Configuring the MLM to "wrap" the message in a MIME message/rfc822
      part and to send as the Mailing List email address.  Many email
      clients (as of the publication of this document), especially
      mobile clients, have difficulty reading such messages, and this is
      not expected to change soon.

   o  Configuring the MLM to not modify the message so that the DKIM
      signature remains valid.  Some Mailing Lists are set up this way
      and require few additional changes to ensure the DKIM signature is
      preserved.  Moving lists that currently modify mail to a policy
      like this may be too much of a change for the members of such
      lists.

   o  Rejecting posts or membership requests from domains with a DMARC
      policy other than "p=none".  However, members or potential members
      of such Mailing Lists may complain of unfair exclusion.





Martin, et al.                Informational                    [Page 19]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


   o  To alleviate unsubscribes to the Mailing List due to the messages
      bouncing because of DMARC, the MLM needs to not act on
      notification messages due to message authentication issues.
      [RFC3463] specifies Enhanced Mail System Status Codes, which help
      differentiate between various failure conditions.  Correctly
      interpreting Extended SMTP error messages is useful in this case.
      In particular, extended status codes for SPF and DKIM causes are
      defined in [RFC7372], and DMARC-related failure indications are
      discussed in DMARC ([RFC7489], Section 10.3).

   All these techniques may provide some specific challenges to MUAs and
   different operational usages for end users (like rewriting filters to
   sort emails in folders).  There will be some time before all
   implications are understood and accommodated.

4.2.  Proposed and In-Progress Mitigations

   The following mitigations are based on Internet-Drafts (I-Ds) that
   are still in process.  They are described here to offer an
   exploratory path for solutions.  These solutions should not be used
   in a production environment.  Because of the transient nature of
   I-Ds, specific citations are not included because a number of them
   will inevitably become obsolete, and those that gain consensus in the
   community will become RFCs and should be discovered as such.

   o  Third-party authorization schemes provide ways to extend
      Identifier Alignment under control of the Domain Owner.

   o  Ways to canonicalize messages that transit Mailing Lists so that
      their alterations can be isolated from the original signed
      content.

   o  Mechanisms to record message transformations applied at each hop
      so they can be reversed and the original signed content recovered.

   o  "Conditional" DKIM signatures, whereby the Author domain indicates
      its signature is only good if accompanied by a signature from an
      expected downstream relay.

   o  Mechanisms to extend Authentication-Results [RFC7601] to multiple
      hops, creating a provable chain of custody as well as a view of
      message authentication results at each handling step.









Martin, et al.                Informational                    [Page 20]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


4.2.1.  Getting More Radical: Requiring New Communication Paths between
        MUAs

   In practice, a number of operators are using strict alignment mode in
   DMARC in order to avoid receiving new and innovative forms of
   unwanted and unauthentic email through systems purporting to be
   Mailing List handlers.  The receiving ADMD has no knowledge of which
   lists the user has subscribed to and which they have not.  One avenue
   of exploration would be for the user to authorize Mailing Lists as
   proxies for authentication, at which point the receiving ADMD would
   be vesting some trust in the Mailing List service.  The creators of
   DKIM foresaw precisely this possibility at the time by not tightly
   binding any semantics to the RFC5322.From header field.  Some
   experimental work has taken place in this area, as mentioned above.
   Additional work might examine a new communication path to the user to
   authorize some form of transitive trust.

5.  Security Considerations

   This document is an analysis of DMARC's impact on indirect email
   flows.  It describes the possibility of accidental denial of service
   that can be created by rejections of messages by DMARC-aware mail
   receivers.

   Section 4.1.1.1 discusses the importance of appropriate DKIM key
   management vis-a-vis third-party email senders.

   Section 4.1.3.3 warns that rewriting the RFC5322.From header field to
   create an artificial domain name should not be done with any domain.






















Martin, et al.                Informational                    [Page 21]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


6.  References

6.1.  Normative References

   [RFC2045]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part One: Format of Internet Message
              Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996,
              <http://www.rfc-editor.org/info/rfc2045>.

   [RFC3463]  Vaudreuil, G., "Enhanced Mail System Status Codes",
              RFC 3463, DOI 10.17487/RFC3463, January 2003,
              <http://www.rfc-editor.org/info/rfc3463>.

   [RFC5228]  Guenther, P., Ed. and T. Showalter, Ed., "Sieve: An Email
              Filtering Language", RFC 5228, DOI 10.17487/RFC5228,
              January 2008, <http://www.rfc-editor.org/info/rfc5228>.

   [RFC5321]  Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
              DOI 10.17487/RFC5321, October 2008,
              <http://www.rfc-editor.org/info/rfc5321>.

   [RFC5322]  Resnick, P., Ed., "Internet Message Format", RFC 5322,
              DOI 10.17487/RFC5322, October 2008,
              <http://www.rfc-editor.org/info/rfc5322>.

   [RFC5598]  Crocker, D., "Internet Mail Architecture", RFC 5598,
              DOI 10.17487/RFC5598, July 2009,
              <http://www.rfc-editor.org/info/rfc5598>.

   [RFC5703]  Hansen, T. and C. Daboo, "Sieve Email Filtering: MIME Part
              Tests, Iteration, Extraction, Replacement, and Enclosure",
              RFC 5703, DOI 10.17487/RFC5703, October 2009,
              <http://www.rfc-editor.org/info/rfc5703>.

   [RFC6376]  Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
              "DomainKeys Identified Mail (DKIM) Signatures", STD 76,
              RFC 6376, DOI 10.17487/RFC6376, September 2011,
              <http://www.rfc-editor.org/info/rfc6376>.

   [RFC6377]  Kucherawy, M., "DomainKeys Identified Mail (DKIM) and
              Mailing Lists", BCP 167, RFC 6377, DOI 10.17487/RFC6377,
              September 2011, <http://www.rfc-editor.org/info/rfc6377>.

   [RFC6648]  Saint-Andre, P., Crocker, D., and M. Nottingham,
              "Deprecating the "X-" Prefix and Similar Constructs in
              Application Protocols", BCP 178, RFC 6648,
              DOI 10.17487/RFC6648, June 2012,
              <http://www.rfc-editor.org/info/rfc6648>.



Martin, et al.                Informational                    [Page 22]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


   [RFC7208]  Kitterman, S., "Sender Policy Framework (SPF) for
              Authorizing Use of Domains in Email, Version 1", RFC 7208,
              DOI 10.17487/RFC7208, April 2014,
              <http://www.rfc-editor.org/info/rfc7208>.

   [RFC7372]  Kucherawy, M., "Email Authentication Status Codes",
              RFC 7372, DOI 10.17487/RFC7372, September 2014,
              <http://www.rfc-editor.org/info/rfc7372>.

6.2.  Informative References

   [RFC7489]  Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based
              Message Authentication, Reporting, and Conformance
              (DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015,
              <http://www.rfc-editor.org/info/rfc7489>.

   [RFC7601]  Kucherawy, M., "Message Header Field for Indicating
              Message Authentication Status", RFC 7601,
              DOI 10.17487/RFC7601, August 2015,
              <http://www.rfc-editor.org/info/rfc7601>.































Martin, et al.                Informational                    [Page 23]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


Appendix A.  Example SPF Bounce

   This example illustrates a notification message "bounce".

A.1.  Initial Message

   Here is the message as it exits the Origin MTA (segv.d1.example):

 Return-Path: <jqd@d1.example>
 Received: from [10.10.10.131] (w-x-y-z.dsl.static.isp.com [w.x.y.z])
     (authenticated bits=0)
     by segv.d1.example with ESMTP id t0FN4a8O084569;
     Thu, 14 Jan 2015 15:00:01 -0800 (PST)
 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=d1.example;
     s=20130426; t=1421363082;
     bh=EoJqaaRvhrngQxmQ3VnRIIMRBgecuKf1pdkxtfGyWaU=;
     h=Message-ID:Date:From:MIME-Version:To:CC:Subject:Content-Type:
      Content-Transfer-Encoding;
     b=HxsvPubDE+R96v9dM9Y7V3dJUXvajd6rvF5ec5BPe/vpVBRJnD4I2weEIyYijrvQw
      bv9uUA1t94kMN0Q+haFo6hiQPnkuDxku5+oxyZWOqtNH7CTMgcBWWTp4QD4Gd3TRJl
      gotsX4RkbNcUhlfnoQ0p+CywWjieI8aR6eof6WDQ=
 Message-ID: <54B84785.1060301@d1.example>
 Date: Thu, 14 Jan 2015 15:00:01 -0800
 From: John Q Doe <jqd@d1.example>
 To: no-recipient@dmarc.org
 Subject: Example 1

 Hey gang,
 This is a test message.
 --J.





















Martin, et al.                Informational                    [Page 24]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


A.2.  Notification Message

   When dmarc.org rejects the message without a DKIM signature, it
   specifies the RFC5321.HELO/.EHLO domain as dmarc.org.local, which has
   no SPF record. dmarc.org has a reject policy in place for such non-
   passing cases.  Since there is no DKIM signature on the notification
   message, the failed SPF lookup results in a dmarc=fail, and
   d1.example could be expected to discard the notification message
   itself:

 Return-Path: <>
 Received: from dmarc.org.local (mail.dmarc.org. [192.0.2.1])
    by mx.d1.example with ESMTPS id Lkm25302jJR5
    for <jqd@d1.example>
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Thu, 14 Jan 2015 15:00:24 -0800 (PST)
 Authentication-Results: mx.d1.example;
    spf=none (d1.example: dmarc.org.local does not designate
    permitted sender hosts) smtp.mail=;
    dmarc=fail (p=REJECT dis=NONE) header.from=dmarc.org
 MIME-Version: 1.0
 Received: from segv.d1.example (segv.d1.example [198.51.100.1])
  by 192.0.2.2 with SMTP id u67mr102828634qge33; Thu,
  14 Jan 2015 15:00:24 -0800 (PST)
 From: Mail Delivery Subsystem <mailer-daemon@dmarc.org>
 To: jqd@d1.example
 Subject: Delivery Status Notification (Failure)
 Message-ID: <001a11c16e6a9ead220528df294a@dmarc.org>
 Date: Thu, 14 Jan 2016 23:00:24 +0000
 Content-Type: text/plain; charset=UTF-8

 This is an automatically generated Delivery Status Notification

 Delivery to the following recipient failed permanently:

      no-recipient@dmarc.org

 Technical details of permanent failure:
 Your message was rejected by the server for the recipient domain
   dmarc.org by mail.dmarc.org [192.0.2.1].

 The error that the other server returned was:
 550 5.1.1 <no-recipient@dmarc.org>... User unknown

 ----- Original message -----
 Return-Path: <jqd@d1.example>
 Received: from [203.252.0.131] (131-0-252-203-dsl.static.example.com
     [203.252.0.131]) (authenticated bits=0)



Martin, et al.                Informational                    [Page 25]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


     by segv.d1.example with ESMTP id t0FN4a8O084569;
     Thu, 14 Jan 2015 15:00:01 -0800 (PST)
     (envelope-from jqd@d1.example)
 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=d1.example;
     s=20130426; t=1421363082;
     bh=EoJqaaRvhrngQxmQ3VnRIIMRBgecuKf1pdkxtfGyWaU=;
     h=Message-ID:Date:From:MIME-Version:To:CC:Subject:Content-Type:
      Content-Transfer-Encoding;
     b=HxsvPubDE+R96v9dM9Y7V3dJUXvajd6rvF5ec5BPe/vpVBRJnD4I2weEIyYijrvQw
      bv9uUA1t94kMN0Q+haFo6hiQPnkuDxku5+oxyZWOqtNH7CTMgcBWWTp4QD4Gd3TRJl
      gotsX4RkbNcUhlfnoQ0p+CywWjieI8aR6eof6WDQ=
 Message-ID: <54B84785.1060301@d1.example>
 Date: Thu, 14 Jan 2015 15:00:01 -0800
 From: John Q Doe <jqd@d1.example>
 To: no-recipient@dmarc.org
 Subject: Example 1

 Hey gang,
 This is a test message.
 --J.

Acknowledgments

   Miles Fidelman, John Levine, David Crocker, Stephen J. Turnbull, Rolf
   E. Sonneveld, Tim Draegen, and Franck Martin contributed to the IETF
   DMARC Working Group's wiki page listing all known interoperability
   issues with DMARC and indirect email flows.

   Tim Draegen created the first draft of this document from these
   contributions and by ham-fistedly mapping contributions into the
   language of [RFC5598].




















Martin, et al.                Informational                    [Page 26]
^L
RFC 7960           DMARC Indirect Email Interop Issues    September 2016


Authors' Addresses

   Franck Martin (editor)
   LinkedIn
   Mountain View, CA
   United States of America

   Email: fmartin@linkedin.com


   Eliot Lear (editor)
   Cisco Systems GmbH
   Richtistrasse 7
   Wallisellen, ZH  CH-8304
   Switzerland

   Phone: +41 44 878 9200
   Email: lear@cisco.com


   Tim Draegen (editor)
   dmarcian, inc.
   PO Box 1007
   Brevard, NC  28712
   United States of America

   Email: tim@dmarcian.com


   Elizabeth Zwicky (editor)
   Yahoo
   Sunnyvale, CA
   United States of America

   Email: zwicky@yahoo-inc.com


   Kurt Andersen (editor)
   LinkedIn
   2029 Stierlin Court
   Mountain View, CA  94043
   United States of America

   Email: kandersen@linkedin.com







Martin, et al.                Informational                    [Page 27]
^L