Aggregate Reports for DKIM Signers

Introduction With a growing emphasis on email security, the industry is rapidly adopting message authentication mechanisms such as DKIM and SPF. While many initiatives, including DMARC, aim to enhance message validation through their reporting features, they often fall short in meeting the diverse needs of all stakeholders in the email delivery process. Moreover, these mechanisms aren't always effective in identifying certain abuses, like DKIM replay. A notable challenge arises with marketing and transactional messages, which often contain multiple valid DKIM signatures. While DMARC reports can provide information to the 5322.From Domain holder, some DKIM signers may not receive a copy of that information. This gap in information could result in a lack of understanding when there is an issue with authentication.

Glossary

DKIM (DomainKeys Identified Mail): An email authentication method utiilizing a cryptographic signature.
DMARC (Domain-based Message Authentication, Reporting & Conformance): An email authentication mechanism that uses SPF and DKIM to verify the use of the domain in an email's visible From: header.
SPF (Sender Policy Framework): An email authentication method using an IP-based configuration.
Replay Attack: A malicious technique where an attacker intercepts and retransmits a valid data transmission, often to impersonate another user or entity.
Selector: A string used by the DKIM system to help identify the DKIM public key information.
GUID (Globally Unique Identifier): A unique reference number used as an identifier in software.
DNS (Domain Name System): A system for converting human-friendly domain names into IP addresses.
5322.From domain: The domain present in the "From:" field of an email, as defined in RFC 5322.
Aggregate Report: Summarized feedback about messages purported to come from a specific domain during a specified period.

Enhanced Awareness For Validation Outcome Visibility into DKIM signatures responsible for message authentication can be fairly important to system operators, perhaps more so when the signatures do not align with the 5322.From Domain. Allowing receivers to inform signers about potential validation errors could aid in resolving those issues, and allow for better authentication for the given message stream.

Decoding DKIM Reports: Insights and Implications The essence of DKIM aggregate reports is to furnish Signing Domain Owners with a thorough understanding of the following:

Authentication Results: The outcomes from various verification checks provide an indication of how receivers evaluate the messages. It's crucial for signing domain owners to comprehend the frequency of their successful authentications and pinpoint potential areas for improvement.
Trust in Original Senders: Before applying signatures to future messages, signing domain owners need to evaluate the credibility and reliability of the submission entity. If issues or inconsistencies arise in reports, it might signal that the original sender's practices aren't aligned with the signing domain owner's standards, leading to reconsideration of the signing relationship.

Evaluation of Submitting Entity: Allowing the signing entity to understand if the signer would like to continue to sign on behalf of the submitter. If the submitter has questionable practices, the signing may not wish to continue signing on behalf of that submitter.
Indications of DKIM Replay: DKIM replay involves the malicious reuse of a previously signed email by unauthorized entities. By identifying signs like SPF zone misalignment or unexpected volume discrepancies, signing domain owners can address potential threats and maintain the integrity of their emails.

Configuring DKIM Aggregate Reporting: A Guide to DNS Records Email security necessitates clear and accurate configuration. As domains employ authentication mechanisms, they must follow technical specifications, as well as best common practices. Domain owners may choose to use their own resources for this, or utilize a third-party to assist them with various parts of the process or on-going operations.

Delegation of sending to Third-Parties: To delegate DKIM signing to a third party, the domain owner must publish specific DNS TXT or CNAME records associated with the DKIM keys used by the third-party sender. Example: delegatedselector._domainkey.example.org TXT v=DKIM1;k=rsa;p=<data> _dmarc.example.org TXT v=DMARC1;rua=mailto:reports@example.org Here, delegatedselector is the selector. As per DMARCbis, example.org will receive DMARC aggregate reports at reports@example.org.

Receiving DKIM Aggregate Reports: For the third party DKIM signer to access DKIM aggregate reports, an additional DNS TXT record is required. Example: _report.delegatedselector._domainkey.example.org TXT
v=RDKIM;tgt=mailto:reports@thirdparty.example Additionally, to prevent unsolicited reports and denial of service against third party receiving endpoints, report senders MUST check for the existence of a DNS record: Example: example.org._report._domainkey.thirdparty.example This ensures that the third party can retrieve the reports via email without receiving unsolicited reports.

Third-Party Signature Considerations: Third-party senders might use additional signatures under their own domains to gather feedback about email quality. A typical setup: selector._domainkey.thirdparty.example TXT v=DKIM1;k=rsa;p=<data> For the DKIM aggregate reports: _report.selector._domainkey.thirdparty.example TXT
v=RDKIM;tgt=mailto:reports@thirdparty.example

Feedback Suppression and Visibility: Sending domain (5322.From) owners might sometimes prefer to suppress feedback, minimizing any potential exposure of sensitive report data or to hide their malicious intent from the signer. To maintain transparency and ensure that all parties (the domain owner and the third-party sender) have adequate visibility, report senders SHOULD transmit reports to all the specified reporting addresses.

DNS Entry Format There are a number of methods by which a domain can declare the intention to receive reports: v: This MUST be "RDKIM". If this is absent, the record is invalid. tgt: The location(s) for reports. Methods can be requested as mailto. Be mindful that more than one can be requested but not all receivers will support all varieties. Each mechanism has more detail below. If a mistake in the record is found by the receiver, the entirety of the record should be ignored. rfr: This is a pointer to another domain to use their data. May be used in conjunction with a tgt attribute. This should take the format of the FQDN, i.e., "v=RDKIM;rfr:_report.selector._domainkey.foo.com".

Example DNS Entries for DKIM-based Reporting

Basic Reporting

_report.selector1._domainkey.example.org TXT
"v=RDKIM;tgt=mailto:reporting@example.org"

Delegated Reporting (with referral record)

_report.selector1._domainkey.example.org TXT
"v=RDKIM;tgt=mailto:reporting@other.org" example.org._report._domainkey.other.org TXT
"v=RDKIM"

Two destinations

_report.selector1._domainkey.example.org TXT
"v=RDKIM;tgt=mailto:reporting@example.org,mailto:reporting@elsewhere.com" example.org._report._domainkey.elsewhere.com TXT
"v=RDKIM"

Only a referral

_report.selector1._domainkey.example.org TXT
"v=RDKIM;rfr:_report._selector1.domainkey.other.org" _report.selector1._domainkey.other.org TXT
"v=RDKIM;tgt=mailto:reporting@elsewhere.com" example.org._report._domainkey.elsewhere.com TXT
"v=RDKIM"

Dual (Or More) Signed Messages When a message has multiple signatures which verify, the reporter SHOULD send reports to all signatories who have requested reports. In the case where two (or more) signatures have the same destination tgt, this should still generate as many reports as there are valid signatures. NOTE, this needs to be expanded.

Feedback Mechanisms

mailto Similar to DMARC reports, data is aggregated and sent to the site daily.

Report Format This format will be an XML file. NOTE: There's no true reason to keep this as XML, JSON is an option. A sample file: <?xml version="1.0" encoding="UTF-8"?> <feedback xmlns="urn:ietf:params:xml:ns:dkimaggreport-1.0"> <report_metadata> <org_name>Reporter Company</org_name> <email>contact@receiver.net</email> <extra_contact_info>dest_domain: foo.net</extra_contact_info> <report_id>GUID_HERE</report_id> <date_range> <begin>151061515</begin> <end>151071241</end> </date_range> </report_metadata> <signature> <domain>example.org</domain> <selector>delegatedselector</selector> </signature> <record> <row> <source_ip>10.123.23.12</source_ip> <spf_domain>botnet.example</spf_domain> <spf_result>pass</spf_result> <spf_alignment>fail</spf_alignment> <dkim_passed>123</dkim_passed> <dkim_failed>1</dkim_failed> <dkim_alignment>true</dkim_alignment> <from_domain>example.org</from_domain> <extensions> <extension def="https://site.com/ext_def"> ... </extension> </extensions> </row> <identifiers> <sample_msg_id>uuid@bounces.example.org</sample_msg_id> </identifiers> </record> <extensions> <extension def="https://site.com/ext2_def"> ... </extension> </extensions> </feedback>

Report Declaration

Published Policy The domain is the domain from the d= in the original message signature, and the selector is from the s=. The time period for the report should be a single UTC day, and noted in the report body by the epoch timestamps with start and end.

Row Data Each row should contain information so that the recipient can understand more about how their signature is being used, whether pass or fail. source_ip: The Internet Address responsible for delivery of the message. spf_domain: The domain used during SPF evaluation, whether the HELO string or the Return-Path. Review . spf_result: Must be one of pass/fail/error. spf_alignment: Acceptable values are true/false. dkim_passed: The number of messages in this row for which DKIM evaluation succeeded. dkim_failed: The number of messages for which this DKIM signature could not be properly evaluated. dkim_alignment: Per the DKIM RFC, was the DKIM signature properly aligned with Sending Domain. Values are true/false. from_domain: The 5322.From sending Domain.

Report Metadata The subject of the report should contain a few key components:

Selector - The value from the s= being reported
Domain - The value from the d= being reported
Date - format is YYYYMMDD
GUID

Format MUST be: Subject: <selector>:<domain>; <date>; <guid> The GUID MUST be in a header for the report, called DKIM-Aggregate-Report-GUID.

Extensions The report format allows for the possibility of extensions. The extensions can be included within a row, or within the record. The absence of these sections MUST NOT result in a processing error. The party including the extension should include a URL to a definition of some sort. This would aid report receivers in understanding how to best interpret the data.

Security Considerations

Report Abuse NOTE, needs to be more fully considered. If we allow for an open target for real-time reporting, how does a report receiver ensure the sender is reputable?

Report receivers need to deduplicate reports if multiple signing domains with feedback enabled is employed
Report receivers should use DMARC logic to authenticate the reporter when deciding whether to trust the reports. For example, allow-list the RFC5322.From address of trusted reporters only if the reports are sent with DKIM domain-aligned authenticated identifier
Report senders should include a sample message-id
Report receivers should look for a sample message-id to authenticate the report as being associated with a message it has sent recently

Contributors

Notes

References

RFC5322: "Internet Message Format". IETF.
RFC6376: "DomainKeys Identified Mail (DKIM) Signatures". IETF.
RFC7489: "Domain-based Message Authentication, Reporting, and Conformance (DMARC)". IETF.
RFC7208: "Sender Policy Framework (SPF) for Authorizing Use of Domains in Email". IETF.