Internet-Draft | DMARCbis | November 2020 |
Levine | Expires 24 May 2021 | [Page] |
This document specifies a new tree walk algorithm to find a DMARC Fallback Domain.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 24 May 2021.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
DMARC allows domains to publish DNS records describing their preference for recipients of mail purporting to be them. The policy record is found in two possible places: the domain in the RFC5322.From[RFC5322] header, or failing that, an ancestor of that domain. In the previous version of DMARC the second domain is called the Organizational Domain, as described below in Section 3. This document describes a new algorithm to find a Fallback Domain.¶
If a DMARC check uses a Fallback Domain, that domain is used in the same way that a Legacy Organizational Domain is used in [RFC7489].¶
The Fallback Domain is found using a tree walk.¶
Call the RFC5322.From domain the Current domain.¶
Delete the leftmost (low-order) label from the Current domain. If there are no labels left, stop. Otherwise call the new shorter domain the new Current domain.¶
Prepend _dmarc. to the Current domain and check for a valid DMARC policy record at that name in the DNS. If one exists, stop.¶
Otherwise, return to step 2 and repeat until four potential Fallback Domain names have been checked.¶
For example, if the RFC5322.From domain is sales.examp1e.com, the sequence of names to check would be:¶
_dmarc.sales.examp1e.com _dmarc.examp1e.com _dmarc.com¶
If the RFC5322.From domain is sales.east.widgets.bigcorp.com.example, the sequence of names would be:¶
_dmarc.sales.east.widgets.bigcorp.com.example _dmarc.east.widgets.bigcorp.com.example _dmarc.widgets.bigcorp.com.example _dmarc.widgets.bigcorp.com.example _dmarc.bigcorp.com.example¶
If the process in the previous section terminates after checking the RFC5322.From name and four potential Fallbak Domain names without finding a valid DMARC policy record, synthesize a policy record for the RFC5322.From domain containing:¶
v=DMARC1; p=reject;¶
The four label limit is intended to mitigate DNS attacks on mail systems using RFC5322.From addresses with very long labels that would otherwise cause very long tree walks. This avoids the possibility of maliciously avoiding DMARC checks by using very long names. Note that if the RFC5322.From name does not exist in the DNS, DMARC checks will always fail since there can be no SPF or DKIM records to validate the name.¶
The legacy Organizational Domain is determined using the following algorithm:¶
Acquire a "public suffix" list, i.e., a list of DNS domain names reserved for registrations. Some country Top-Level Domains (TLDs) make specific registration requirements, e.g., the United Kingdom places company registrations under ".co.uk"; other TLDs such as ".com" appear in the IANA registry of top-level DNS domains. A public suffix list is the union of all of these.¶
Break the subject DNS domain name into a set of "n" ordered labels. Number these labels from right to left; e.g., for "example.com", "com" would be label 1 and "example" would be label 2.¶
Search the public suffix list for the name that matches the largest number of labels found in the subject DNS domain. Let that number be "x".¶
Construct a new DNS domain name using the name that matched from the public suffix list and prefixing to it the "x+1"th label from the subject domain. This new name is the Organizational Domain.¶
Thus, since "com" is an IANA-registered TLD, a subject domain of "a.b.c.d.example.com" would have an Organizational Domain of "example.com".¶
Since the methods of finding the Fallback and Legacy Organization Domains are different, they will not always find the same policy record.¶
If there is a policy record at the Legacy Organizational domain, and not at any other intermediate name above the RFC5322.From domain, the two methods will yield the same result, so long as there are no more than four labels betwen the Legacy Organizational Domain and the Fallback Domain.¶
If there are policy records at intermediate names, those records will take precedence over the Legacy Organizational domain. This allows organizations to delegate DMARC policy authority on more finely than the Legacy Organizational domain does.¶
If there is no policy record at the the Legacy Organizational domain, but there is one at a name higher in the name tree, the result is similar to that in I-D.draft-ietf-dmarc-psd-08.¶
The use of the Default Fallback domain means that any system that sends mail using a RFC5322.From domain more than five labels long must publish a DMARC policy record or its mail will all fail DMARC checks. In practice, we have rarely seen valid mail domains that long; but if it's an issue, changing the limit from 5 labels to 7 or 10 would still deter DNS attacks.¶
The Fallback Domain method is deterministic and will always find the same record, while the Legacy Organizational method depends on the contents of the public suffix list that it uses.¶