RFC draft-brotman-dkim-aggregate-reporting-01 DKIM-AGGREGATE-REPORTING August 2024
Brotman Expires 7 February 2025 [Page]
Workgroup:
Network Working Group
RFC:
draft-brotman-dkim-aggregate-reporting-01
Published:
Intended Status:
Standards Track
Expires:
Author:
A. Brotman
Comcast, Inc

Aggregate Reports for DKIM Signers

Abstract

This document introduces a mechanism enabling DKIM-signing domain owners to solicit aggregate reports from email receivers. Presented in an XML format, these reports possess adaptable elements conducive for integration with current and future drafts and standards like DMARCbis. They capture the evaluation outcomes of DKIM signatures, such as 'pass' or 'fail', alongside other potential data attributes. Receivers can relay these aggregate reports to destinations designated by the DKIM-signing domain holder, contingent upon their support capabilities.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 February 2025.

Table of Contents

1. Introduction

With a growing emphasis on email security, the industry is rapidly adopting message authentication mechanisms such as DKIM and SPF. While many initiatives, including DMARC, aim to enhance message validation through their reporting features, they often fall short in meeting the diverse needs of all stakeholders in the email delivery process. Moreover, these mechanisms aren't always effective in identifying certain abuses, like DKIM replay.

A notable challenge arises with marketing and transactional messages, which often contain multiple valid DKIM signatures. While DMARC reports can provide information to the 5322.From Domain holder, some DKIM signers may not receive a copy of that information. This gap in information could result in a lack of understanding when there is an issue with authentication.

2. Glossary

3. Enhanced Awareness For Validation Outcome

Visibility into DKIM signatures responsible for message authentication can be fairly important to system operators, perhaps more so when the signatures do not align with the 5322.From Domain. Allowing receivers to inform signers about potential validation errors could aid in resolving those issues, and allow for better authentication for the given message stream.

4. Decoding DKIM Reports: Insights and Implications

The essence of DKIM aggregate reports is to furnish Signing Domain Owners with a thorough understanding of the following:

OR

5. Configuring DKIM Aggregate Reporting: A Guide to DNS Records

Email security necessitates clear and accurate configuration. As domains employ authentication mechanisms, they must follow technical specifications, as well as best common practices. Domain owners may choose to use their own resources for this, or utilize a third-party to assist them with various parts of the process or on-going operations.

5.1. Delegation of sending to Third-Parties:

To delegate DKIM signing to a third party, the domain owner must publish specific DNS TXT or CNAME records associated with the DKIM keys used by the third-party sender.

Example: delegatedselector._domainkey.example.org TXT v=DKIM1;k=rsa;p=<data>

_dmarc.example.org TXT v=DMARC1;rua=mailto:reports@example.org

Here, delegatedselector is the selector. As per DMARCbis, example.org will receive DMARC aggregate reports at reports@example.org.

5.2. Receiving DKIM Aggregate Reports:

For the third party DKIM signer to access DKIM aggregate reports, an additional DNS TXT record is required.

Example: _report.delegatedselector._domainkey.example.org TXT
v=RDKIM;tgt=mailto:reports@thirdparty.example

Additionally, to prevent unsolicited reports and denial of service against third party receiving endpoints, report senders MUST check for the existence of a DNS record:

Example: example.org._report._domainkey.thirdparty.example

This ensures that the third party can retrieve the reports via email without receiving unsolicited reports.

5.3. Third-Party Signature Considerations:

Third-party senders might use additional signatures under their own domains to gather feedback about email quality. A typical setup:

selector._domainkey.thirdparty.example TXT v=DKIM1;k=rsa;p=<data>

For the DKIM aggregate reports: _report.selector._domainkey.thirdparty.example TXT
v=RDKIM;tgt=mailto:reports@thirdparty.example

5.4. Feedback Suppression and Visibility:

Sending domain (5322.From) owners might sometimes prefer to suppress feedback, minimizing any potential exposure of sensitive report data or to hide their malicious intent from the signer. To maintain transparency and ensure that all parties (the domain owner and the third-party sender) have adequate visibility, report senders SHOULD transmit reports to all the specified reporting addresses.

6. DNS Entry Format

There are a number of methods by which a domain can declare the intention to receive reports:

v: This MUST be "RDKIM". If this is absent, the record is invalid.

tgt: The location(s) for reports. Methods can be requested as mailto. Be mindful that more than one can be requested but not all receivers will support all varieties. Each mechanism has more detail below. If a mistake in the record is found by the receiver, the entirety of the record should be ignored.

rfr: This is a pointer to another domain to use their data. May be used in conjunction with a tgt attribute. This should take the format of the FQDN, i.e., "v=RDKIM;rfr:_report.selector._domainkey.foo.com".

6.1. Example DNS Entries for DKIM-based Reporting

  • Basic Reporting

_report.selector1._domainkey.example.org TXT
"v=RDKIM;tgt=mailto:reporting@example.org"

  • Delegated Reporting (with referral record)

_report.selector1._domainkey.example.org TXT
"v=RDKIM;tgt=mailto:reporting@other.org"

example.org._report._domainkey.other.org TXT
"v=RDKIM"

  • Two destinations

_report.selector1._domainkey.example.org TXT
"v=RDKIM;tgt=mailto:reporting@example.org,mailto:reporting@elsewhere.com"

example.org._report._domainkey.elsewhere.com TXT
"v=RDKIM"

  • Only a referral

_report.selector1._domainkey.example.org TXT
"v=RDKIM;rfr:_report._selector1.domainkey.other.org"

_report.selector1._domainkey.other.org TXT
"v=RDKIM;tgt=mailto:reporting@elsewhere.com"

example.org._report._domainkey.elsewhere.com TXT
"v=RDKIM"

7. Dual (Or More) Signed Messages

When a message has multiple signatures which verify, the reporter SHOULD send reports to all signatories who have requested reports. In the case where two (or more) signatures have the same destination tgt, this should still generate as many reports as there are valid signatures.

NOTE, this needs to be expanded.

8. Feedback Mechanisms

8.1. mailto

Similar to DMARC reports, data is aggregated and sent to the site daily.

9. Report Format

This format will be an XML file.

NOTE: There's no true reason to keep this as XML, JSON is an option.

A sample file:

<?xml version="1.0" encoding="UTF-8"?>
<feedback xmlns="urn:ietf:params:xml:ns:dkimaggreport-1.0">
    <report_metadata>
        <org_name>Reporter Company</org_name>
        <email>contact@receiver.net</email>
        <extra_contact_info>dest_domain: foo.net</extra_contact_info>
        <report_id>GUID_HERE</report_id>
        <date_range>
            <begin>151061515</begin>
            <end>151071241</end>
        </date_range>
    </report_metadata>
    <signature>
        <domain>example.org</domain>
        <selector>delegatedselector</selector>
    </signature>
    <record>
        <row>
            <source_ip>10.123.23.12</source_ip>
            <spf_domain>botnet.example</spf_domain>
            <spf_result>pass</spf_result>
            <spf_alignment>fail</spf_alignment>
            <dkim_passed>123</dkim_passed>
            <dkim_failed>1</dkim_failed>
            <dkim_alignment>true</dkim_alignment>
            <from_domain>example.org</from_domain>
            <extensions>
              <extension def="https://site.com/ext_def">
                ...
              </extension>
            </extensions>
        </row>
        <identifiers>
            <sample_msg_id>uuid@bounces.example.org</sample_msg_id>
        </identifiers>
    </record>
    <extensions>
      <extension def="https://site.com/ext2_def">
        ...
      </extension>
    </extensions>
</feedback>

9.1. Report Declaration

9.1.1. Published Policy

The domain is the domain from the d= in the original message signature, and the selector is from the s=.

The time period for the report should be a single UTC day, and noted in the report body by the epoch timestamps with start and end.

9.2. Row Data

Each row should contain information so that the recipient can understand more about how their signature is being used, whether pass or fail.

source_ip: The Internet Address responsible for delivery of the message.

spf_domain: The domain used during SPF evaluation, whether the HELO string or the Return-Path. Review [RFC7208].

spf_result: Must be one of pass/fail/error.

spf_alignment: Acceptable values are true/false.

dkim_passed: The number of messages in this row for which DKIM evaluation succeeded.

dkim_failed: The number of messages for which this DKIM signature could not be properly evaluated.

dkim_alignment: Per the DKIM RFC, was the DKIM signature properly aligned with Sending Domain. Values are true/false.

from_domain: The 5322.From sending Domain.

9.3. Report Metadata

The subject of the report should contain a few key components:

  • Selector - The value from the s= being reported
  • Domain - The value from the d= being reported
  • Date - format is YYYYMMDD
  • GUID

Format MUST be:

Subject: <selector>:<domain>; <date>; <guid>

The GUID MUST be in a header for the report, called DKIM-Aggregate-Report-GUID.

9.4. Extensions

The report format allows for the possibility of extensions. The extensions can be included within a row, or within the record. The absence of these sections MUST NOT result in a processing error. The party including the extension should include a URL to a definition of some sort. This would aid report receivers in understanding how to best interpret the data.

10. Security Considerations

10.1. Report Abuse

NOTE, needs to be more fully considered. If we allow for an open target for real-time reporting, how does a report receiver ensure the sender is reputable?

  • Report receivers need to deduplicate reports if multiple signing domains with feedback enabled is employed
  • Report receivers should use DMARC logic to authenticate the reporter when deciding whether to trust the reports. For example, allow-list the RFC5322.From address of trusted reporters only if the reports are sent with DKIM domain-aligned authenticated identifier
  • Report senders should include a sample message-id
  • Report receivers should look for a sample message-id to authenticate the report as being associated with a message it has sent recently

11. Contributors

12. Notes

13. References

  1. RFC5322: "Internet Message Format". IETF.

  2. RFC6376: "DomainKeys Identified Mail (DKIM) Signatures". IETF.

  3. RFC7489: "Domain-based Message Authentication, Reporting, and Conformance (DMARC)". IETF.

  4. RFC7208: "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email". IETF.

14. Normative References

[RFC7208]
Kitterman, S., "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1", RFC 7208, DOI 10.17487/RFC7208, , <https://www.rfc-editor.org/info/rfc7208>.

Author's Address

Alex Brotman
Comcast, Inc