DMARC Fallback Domains
draft-levine-dmarcwalk-00

Document Type Active Internet-Draft (individual)
Author John Levine 
Last updated 2020-11-20
Stream (None)
Intended RFC status (None)
Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG state I-D Exists
Responsible AD (None)
Send notices to (None)
Network Working Group                                          J. Levine
Internet-Draft                                             Standcore LLC
Intended status: Standards Track                        20 November 2020
Expires: 24 May 2021

                         DMARC Fallback Domains
                       draft-levine-dmarcwalk-00

Abstract

   This document specifies a new tree walk algorithm to find a DMARC
   Fallback Domain.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 24 May 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Levine                     Expires 24 May 2021                  [Page 1]
Internet-Draft                  DMARCbis                   November 2020

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Fallback Domain . . . . . . . . . . . . . . . . . . . . . . .   2
     2.1.  Default Fallback Domain . . . . . . . . . . . . . . . . .   3
   3.  Legacy Organizational Domain  . . . . . . . . . . . . . . . .   3
   4.  Differences between Fallback and Legacy Organizational
           Domains . . . . . . . . . . . . . . . . . . . . . . . . .   4
   5.  Informative References  . . . . . . . . . . . . . . . . . . .   4
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   DMARC allows domains to publish DNS records describing how they would
   like recipients to treat mail purporting to be from them.  The policy
   record is looked up in two possible places: the domain in the
   RFC5322.From [RFC5322] header, or failing that, an ancestor of that
   domain.  In the previous version of DMARC the second domain is called
   the Organizational Domain, as described below in Section 3.  This
   document describes a new algorithm to find a Fallback Domain.

   If a DMARC check uses a Fallback Domain, that domain is used in the
   same way that a Legacy Organizational Domain is used in [RFC7489].

2.  Fallback Domain

   The Fallback Domain is found using a tree walk.

   1.  Call the RFC5322.From domain the Current domain.

   2.  Delete the leftmost (low-order) label from the Current domain.
       If there are no labels left, stop.  Otherwise call the new
       shorter domain the new Current domain.

   3.  Prepend _dmarc. to the Current domain and check for a valid DMARC
       policy record at that name in the DNS.  If one exists, stop.

   4.  Otherwise, return to step 2 and repeat until four potential
       Fallback Domain names have been checked.

   For example, if the RFC5322.From domain is sales.examp1e.com, the
   sequence of names to check would be:

   _dmarc.sales.examp1e.com
   _dmarc.examp1e.com
   _dmarc.com


   If the RFC5322.From domain is sales.east.widgets.bigcorp.com.example,
   the sequence of names would be:

   _dmarc.sales.east.widgets.bigcorp.com.example
   _dmarc.east.widgets.bigcorp.com.example
   _dmarc.widgets.bigcorp.com.example
   _dmarc.bigcorp.com.example
   _dmarc.com.example

2.1.  Default Fallback Domain

   If the process in the previous section terminates after checking the
   RFC5322.From name and four potential Fallback Domain names without
   finding a valid DMARC policy record, synthesize a policy record for
   the RFC5322.From domain containing:

   v=DMARC1; p=reject;
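
   The following Python is an added worked example, not code from the
   draft or its author.  It implements the tree walk of Section 2 (From
   domain first, then at most four ancestors obtained by stripping the
   leftmost label) and the synthesized default of Section 2.1, run
   against a constructed in-memory TXT table instead of live DNS.  The
   validity test (a record counts as a DMARC policy only if it begins
   with v=DMARC1 and carries a p= tag), the FAKE_DNS contents and the
   function names are assumptions made for the example.

```python
"""Added example: DMARC Fallback Domain tree walk (draft Sections 2 and 2.1).

Not part of the draft.  DNS is replaced by a constructed dict so the
walk runs offline; a real implementation would issue TXT queries.
"""

MAX_FALLBACK_CHECKS = 4          # four potential Fallback Domain names (step 4)
DEFAULT_POLICY = "v=DMARC1; p=reject;"   # synthesized record of Section 2.1

# Constructed TXT records keyed by owner name (assumed data, not real DNS).
FAKE_DNS = {
    "_dmarc.examp1e.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@examp1e.com",
    "_dmarc.bigcorp.com.example": "v=DMARC1; p=none",
    "_dmarc.widgets.bigcorp.com.example": "v=spf1 -all",   # TXT, but not DMARC
}


def parse_dmarc(txt):
    """Split 'tag=value;' pairs into a dict; None if not a valid DMARC record.

    Assumption: 'valid' means the record starts with v=DMARC1 and has a p= tag.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if not txt.strip().startswith("v=DMARC1") or "p" not in tags:
        return None
    return tags


def candidate_names(from_domain, limit=MAX_FALLBACK_CHECKS):
    """Names to query, in order: _dmarc.<From domain>, then up to `limit`
    ancestors produced by deleting the leftmost label (Section 2, steps 1-4)."""
    labels = from_domain.lower().rstrip(".").split(".")
    names = ["_dmarc." + ".".join(labels)]
    for i in range(1, len(labels)):          # stops when no labels remain
        if len(names) - 1 == limit:          # four Fallback names already checked
            break
        names.append("_dmarc." + ".".join(labels[i:]))
    return names


def find_policy(from_domain, dns=FAKE_DNS, limit=MAX_FALLBACK_CHECKS):
    """Return (name where the policy was found, parsed tags, synthesized?).

    Walks the candidate names and stops at the first valid DMARC record.
    If none is found after the From name and `limit` fallbacks, the
    Section 2.1 default 'v=DMARC1; p=reject;' is synthesized for the
    From domain itself.
    """
    for name in candidate_names(from_domain, limit):
        txt = dns.get(name)
        tags = parse_dmarc(txt) if txt is not None else None
        if tags is not None:
            return name, tags, False
    synthesized_name = "_dmarc." + from_domain.lower().rstrip(".")
    return synthesized_name, parse_dmarc(DEFAULT_POLICY), True


if __name__ == "__main__":
    for domain in ("sales.examp1e.com",
                   "mail.sales.east.widgets.bigcorp.com.example",
                   "a.b.c.d.e.f.g.h.example"):
        print(domain, "->", find_policy(domain))
```

   The bounded walk is what makes the Section 2.1 mitigation concrete:
   however many labels a crafted RFC5322.From domain has, the evaluator
   issues at most five queries (the From name plus four fallbacks) and
   then falls back to p=reject rather than continuing up the tree.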

   The four label limit is intended to mitigate DNS attacks on mail
   systems using RFC5322.From addresses with very long labels that would
   otherwise cause very long tree walks.  This avoids the possibility of
   maliciously avoiding DMARC checks by using very long names.  Note