Network Working Group A. Brotman Internet-Draft Comcast, Inc Intended status: Standards Track 6 August 2024 Expires: 7 February 2025 Aggregate Reports for DKIM Signers draft-brotman-dkim-aggregate-reporting-01 Abstract This document introduces a mechanism enabling DKIM-signing domain owners to solicit aggregate reports from email receivers. Presented in an XML format, these reports possess adaptable elements conducive for integration with current and future drafts and standards like DMARCbis. They capture the evaluation outcomes of DKIM signatures, such as 'pass' or 'fail', alongside other potential data attributes. Receivers can relay these aggregate reports to destinations designated by the DKIM-signing domain holder, contingent upon their support capabilities. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 7 February 2025. Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components Brotman Expires 7 February 2025 [Page 1] RFC draft-brotman-dkim-aDKIM-AGGREGATE-REPORTING August 2024 extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Enhanced Awareness For Validation Outcome . . . . . . . . . . 3 4. Decoding DKIM Reports: Insights and Implications . . . . . . 4 5. Configuring DKIM Aggregate Reporting: A Guide to DNS Records . . . . . . . . . . . . . . . . . . . . . . . . . 4 5.1. Delegation of sending to Third-Parties: . . . . . . . . . 4 5.2. Receiving DKIM Aggregate Reports: . . . . . . . . . . . . 5 5.3. Third-Party Signature Considerations: . . . . . . . . . . 5 5.4. Feedback Suppression and Visibility: . . . . . . . . . . 5 6. DNS Entry Format . . . . . . . . . . . . . . . . . . . . . . 6 6.1. Example DNS Entries for DKIM-based Reporting . . . . . . 6 7. Dual (Or More) Signed Messages . . . . . . . . . . . . . . . 7 8. Feedback Mechanisms . . . . . . . . . . . . . . . . . . . . . 7 8.1. mailto . . . . . . . . . . . . . . . . . . . . . . . . . 7 9. Report Format . . . . . . . . . . . . . . . . . . . . . . . . 7 9.1. Report Declaration . . . . . . . . . . . . . . . . . . . 8 9.1.1. Published Policy . . . . . . . . . . . . . . . . . . 9 9.2. Row Data . . . . . . . . . . . . . . . . . . . . . . . . 9 9.3. Report Metadata . . . . . . . . . . . . . . . . . . . . . 9 9.4. Extensions . . . . . . . . . . . . . . . . . . . . . . . 10 10. Security Considerations . . . . . . . . . . . . . . . . . . . 10 10.1. Report Abuse . . . . . . . . . . . . . . . . . . . . . . 10 11. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 10 12. Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 14. Normative References . . . . . . . . . . . . . . . . . . . . 11 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction With a growing emphasis on email security, the industry is rapidly adopting message authentication mechanisms such as DKIM and SPF. While many initiatives, including DMARC, aim to enhance message validation through their reporting features, they often fall short in meeting the diverse needs of all stakeholders in the email delivery process. Moreover, these mechanisms aren't always effective in identifying certain abuses, like DKIM replay. A notable challenge arises with marketing and transactional messages, which often contain multiple valid DKIM signatures. While DMARC reports can provide information to the 5322.From Domain holder, some Brotman Expires 7 February 2025 [Page 2] RFC draft-brotman-dkim-aDKIM-AGGREGATE-REPORTING August 2024 DKIM signers may not receive a copy of that information. This gap in information could result in a lack of understanding when there is an issue with authentication. 2. Glossary * DKIM (DomainKeys Identified Mail): An email authentication method utiilizing a cryptographic signature. * DMARC (Domain-based Message Authentication, Reporting & Conformance): An email authentication mechanism that uses SPF and DKIM to verify the use of the domain in an email's visible From: header. * SPF (Sender Policy Framework): An email authentication method using an IP-based configuration. * Replay Attack: A malicious technique where an attacker intercepts and retransmits a valid data transmission, often to impersonate another user or entity. * Selector: A string used by the DKIM system to help identify the DKIM public key information. * GUID (Globally Unique Identifier): A unique reference number used as an identifier in software. * DNS (Domain Name System): A system for converting human-friendly domain names into IP addresses. * 5322.From domain: The domain present in the "From:" field of an email, as defined in RFC 5322. * Aggregate Report: Summarized feedback about messages purported to come from a specific domain during a specified period. 3. Enhanced Awareness For Validation Outcome Visibility into DKIM signatures responsible for message authentication can be fairly important to system operators, perhaps more so when the signatures do not align with the 5322.From Domain. Allowing receivers to inform signers about potential validation errors could aid in resolving those issues, and allow for better authentication for the given message stream. Brotman Expires 7 February 2025 [Page 3] RFC draft-brotman-dkim-aDKIM-AGGREGATE-REPORTING August 2024 4. Decoding DKIM Reports: Insights and Implications The essence of DKIM aggregate reports is to furnish Signing Domain Owners with a thorough understanding of the following: * Authentication Results: The outcomes from various verification checks provide an indication of how receivers evaluate the messages. It's crucial for signing domain owners to comprehend the frequency of their successful authentications and pinpoint potential areas for improvement. * Trust in Original Senders: Before applying signatures to future messages, signing domain owners need to evaluate the credibility and reliability of the submission entity. If issues or inconsistencies arise in reports, it might signal that the original sender's practices aren't aligned with the signing domain owner's standards, leading to reconsideration of the signing relationship. OR * Evaluation of Submitting Entity: Allowing the signing entity to understand if the signer would like to continue to sign on behalf of the submitter. If the submitter has questionable practices, the signing may not wish to continue signing on behalf of that submitter. * Indications of DKIM Replay: DKIM replay involves the malicious reuse of a previously signed email by unauthorized entities. By identifying signs like SPF zone misalignment or unexpected volume discrepancies, signing domain owners can address potential threats and maintain the integrity of their emails. 5. Configuring DKIM Aggregate Reporting: A Guide to DNS Records Email security necessitates clear and accurate configuration. As domains employ authentication mechanisms, they must follow technical specifications, as well as best common practices. Domain owners may choose to use their own resources for this, or utilize a third-party to assist them with various parts of the process or on-going operations. 5.1. Delegation of sending to Third-Parties: To delegate DKIM signing to a third party, the domain owner must publish specific DNS TXT or CNAME records associated with the DKIM keys used by the third-party sender. Brotman Expires 7 February 2025 [Page 4] RFC draft-brotman-dkim-aDKIM-AGGREGATE-REPORTING August 2024 Example: delegatedselector._domainkey.example.org TXT v=DKIM1;k=rsa;p= _dmarc.example.org TXT v=DMARC1;rua=mailto:reports@example.org Here, delegatedselector is the selector. As per DMARCbis, example.org will receive DMARC aggregate reports at reports@example.org. 5.2. Receiving DKIM Aggregate Reports: For the third party DKIM signer to access DKIM aggregate reports, an additional DNS TXT record is required. Example: _report.delegatedselector._domainkey.example.org TXT v=RDKIM;tgt=mailto:reports@thirdparty.example Additionally, to prevent unsolicited reports and denial of service against third party receiving endpoints, report senders MUST check for the existence of a DNS record: Example: example.org._report._domainkey.thirdparty.example This ensures that the third party can retrieve the reports via email without receiving unsolicited reports. 5.3. Third-Party Signature Considerations: Third-party senders might use additional signatures under their own domains to gather feedback about email quality. A typical setup: selector._domainkey.thirdparty.example TXT v=DKIM1;k=rsa;p= For the DKIM aggregate reports: _report.selector._domainkey.thirdparty.example TXT v=RDKIM;tgt=mailto:reports@thirdparty.example 5.4. Feedback Suppression and Visibility: Sending domain (5322.From) owners might sometimes prefer to suppress feedback, minimizing any potential exposure of sensitive report data or to hide their malicious intent from the signer. To maintain transparency and ensure that all parties (the domain owner and the third-party sender) have adequate visibility, report senders SHOULD transmit reports to all the specified reporting addresses. Brotman Expires 7 February 2025 [Page 5] RFC draft-brotman-dkim-aDKIM-AGGREGATE-REPORTING August 2024 6. DNS Entry Format There are a number of methods by which a domain can declare the intention to receive reports: v: This MUST be "RDKIM". If this is absent, the record is invalid. tgt: The location(s) for reports. Methods can be requested as mailto. Be mindful that more than one can be requested but not all receivers will support all varieties. Each mechanism has more detail below. If a mistake in the record is found by the receiver, the entirety of the record should be ignored. rfr: This is a pointer to another domain to use their data. May be used in conjunction with a tgt attribute. This should take the format of the FQDN, i.e., "v=RDKIM;rfr:_report.selector._domainkey.foo.com". 6.1. Example DNS Entries for DKIM-based Reporting * Basic Reporting _report.selector1._domainkey.example.org TXT "v=RDKIM;tgt=mailto:reporting@example.org" (mailto:reporting@example.org") * Delegated Reporting (with referral record) _report.selector1._domainkey.example.org TXT "v=RDKIM;tgt=mailto:reporting@other.org" (mailto:reporting@other.org") example.org._report._domainkey.other.org TXT "v=RDKIM" * Two destinations _report.selector1._domainkey.example.org TXT "v=RDKIM;tgt=mailto:reporting@example.org,mailto:reporting@elsewhere. com" (mailto:reporting@example.org,mailto:reporting@elsewhere.com") example.org._report._domainkey.elsewhere.com TXT "v=RDKIM" * Only a referral _report.selector1._domainkey.example.org TXT "v=RDKIM;rfr:_report._selector1.domainkey.other.org" Brotman Expires 7 February 2025 [Page 6] RFC draft-brotman-dkim-aDKIM-AGGREGATE-REPORTING August 2024 _report.selector1._domainkey.other.org TXT "v=RDKIM;tgt=mailto:reporting@elsewhere.com" (mailto:reporting@elsewhere.com") example.org._report._domainkey.elsewhere.com TXT "v=RDKIM" 7. Dual (Or More) Signed Messages When a message has multiple signatures which verify, the reporter SHOULD send reports to all signatories who have requested reports. In the case where two (or more) signatures have the same destination tgt, this should still generate as many reports as there are valid signatures. NOTE, this needs to be expanded. 8. Feedback Mechanisms 8.1. mailto Similar to DMARC reports, data is aggregated and sent to the site daily. 9. Report Format This format will be an XML file. NOTE: There's no true reason to keep this as XML, JSON is an option. A sample file: Brotman Expires 7 February 2025 [Page 7] RFC draft-brotman-dkim-aDKIM-AGGREGATE-REPORTING August 2024 Reporter Company contact@receiver.net dest_domain: foo.net GUID_HERE 151061515 151071241 example.org delegatedselector 10.123.23.12 botnet.example pass fail 123 1 true example.org ... uuid@bounces.example.org ... 9.1. Report Declaration Brotman Expires 7 February 2025 [Page 8] RFC draft-brotman-dkim-aDKIM-AGGREGATE-REPORTING August 2024 9.1.1. Published Policy The domain is the domain from the d= in the original message signature, and the selector is from the s=. The time period for the report should be a single UTC day, and noted in the report body by the epoch timestamps with start and end. 9.2. Row Data Each row should contain information so that the recipient can understand more about how their signature is being used, whether pass or fail. source_ip: The Internet Address responsible for delivery of the message. spf_domain: The domain used during SPF evaluation, whether the HELO string or the Return-Path. Review [RFC7208]. spf_result: Must be one of pass/fail/error. spf_alignment: Acceptable values are true/false. dkim_passed: The number of messages in this row for which DKIM evaluation succeeded. dkim_failed: The number of messages for which this DKIM signature could not be properly evaluated. dkim_alignment: Per the DKIM RFC, was the DKIM signature properly aligned with Sending Domain. Values are true/false. from_domain: The 5322.From sending Domain. 9.3. Report Metadata The subject of the report should contain a few key components: * Selector - The value from the s= being reported * Domain - The value from the d= being reported * Date - format is YYYYMMDD * GUID Format MUST be: Subject: :; ; Brotman Expires 7 February 2025 [Page 9] RFC draft-brotman-dkim-aDKIM-AGGREGATE-REPORTING August 2024 The GUID MUST be in a header for the report, called DKIM-Aggregate- Report-GUID. 9.4. Extensions The report format allows for the possibility of extensions. The extensions can be included within a row, or within the record. The absence of these sections MUST NOT result in a processing error. The party including the extension should include a URL to a definition of some sort. This would aid report receivers in understanding how to best interpret the data. 10. Security Considerations 10.1. Report Abuse NOTE, needs to be more fully considered. If we allow for an open target for real-time reporting, how does a report receiver ensure the sender is reputable? * Report receivers need to deduplicate reports if multiple signing domains with feedback enabled is employed * Report receivers should use DMARC logic to authenticate the reporter when deciding whether to trust the reports. For example, allow-list the RFC5322.From address of trusted reporters only if the reports are sent with DKIM domain-aligned authenticated identifier * Report senders should include a sample message-id * Report receivers should look for a sample message-id to authenticate the report as being associated with a message it has sent recently 11. Contributors 12. Notes 13. References 1. *RFC5322*: "Internet Message Format". IETF. 2. *RFC6376*: "DomainKeys Identified Mail (DKIM) Signatures". IETF. 3. *RFC7489*: "Domain-based Message Authentication, Reporting, and Conformance (DMARC)". IETF. 4. *RFC7208*: "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email". IETF. Brotman Expires 7 February 2025 [Page 10] RFC draft-brotman-dkim-aDKIM-AGGREGATE-REPORTING August 2024 14. Normative References [RFC7208] Kitterman, S., "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1", RFC 7208, DOI 10.17487/RFC7208, April 2014, . Author's Address Alex Brotman Comcast, Inc Email: alex_brotman@comcast.com Brotman Expires 7 February 2025 [Page 11]