1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
|
<pre>Network Working Group M. Kucherawy
Request for Comments: 5451 Sendmail, Inc.
Category: Standards Track April 2009
<span class="h1">Message Header Field for Indicating Message Authentication Status</span>
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract
This memo defines a new header field for use with electronic mail
messages to indicate the results of message authentication efforts.
Any receiver-side software, such as mail filters or Mail User Agents
(MUAs), may use this message header field to relay that information
in a convenient way to users or to make sorting and filtering
decisions.
<span class="grey">Kucherawy Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-1.1">1.1</a>. Purpose . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-1.2">1.2</a>. Trust Boundary . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-1.3">1.3</a>. Processing Scope . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-1.4">1.4</a>. Requirements . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-1.5">1.5</a>. Definitions . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-1.5.1">1.5.1</a>. General . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-1.5.2">1.5.2</a>. Security . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-1.5.3">1.5.3</a>. Email Architecture . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-1.6">1.6</a>. Trust Environment . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-2">2</a>. Definition and Format of the Header Field . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-2.1">2.1</a>. General Description . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-2.2">2.2</a>. Formal Definition . . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-2.3">2.3</a>. Authentication Identifier Field . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-2.4">2.4</a>. Result Values . . . . . . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-2.4.1">2.4.1</a>. DKIM and DomainKeys Results . . . . . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-2.4.2">2.4.2</a>. SPF and Sender-ID Results . . . . . . . . . . . . . . <a href="#page-13">13</a>
<a href="#section-2.4.3">2.4.3</a>. "iprev" Results . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-2.4.4">2.4.4</a>. SMTP AUTH Results . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-2.4.5">2.4.5</a>. Extension Result Codes . . . . . . . . . . . . . . . . <a href="#page-15">15</a>
<a href="#section-2.5">2.5</a>. Authentication Methods . . . . . . . . . . . . . . . . . . <a href="#page-15">15</a>
<a href="#section-2.5.1">2.5.1</a>. Definition of Initial Methods . . . . . . . . . . . . <a href="#page-16">16</a>
<a href="#section-2.5.2">2.5.2</a>. Extension Methods . . . . . . . . . . . . . . . . . . <a href="#page-16">16</a>
<a href="#section-3">3</a>. The "iprev" Authentication Method . . . . . . . . . . . . . . <a href="#page-17">17</a>
<a href="#section-4">4</a>. Adding the Header Field to A Message . . . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-4.1">4.1</a>. Header Field Position and Interpretation . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-4.2">4.2</a>. Local Policy Enforcement . . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-5">5</a>. Removing the Header Field . . . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-6">6</a>. IANA Considerations . . . . . . . . . . . . . . . . . . . . . <a href="#page-22">22</a>
<a href="#section-6.1">6.1</a>. The Authentication-Results Header Field . . . . . . . . . <a href="#page-22">22</a>
<a href="#section-6.2">6.2</a>. Email Authentication Method Name Registry . . . . . . . . <a href="#page-22">22</a>
<a href="#section-6.3">6.3</a>. Email Authentication Result Name Registry . . . . . . . . <a href="#page-24">24</a>
<a href="#section-7">7</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-26">26</a>
<a href="#section-7.1">7.1</a>. Forged Header Fields . . . . . . . . . . . . . . . . . . . <a href="#page-26">26</a>
<a href="#section-7.2">7.2</a>. Misleading Results . . . . . . . . . . . . . . . . . . . . <a href="#page-27">27</a>
<a href="#section-7.3">7.3</a>. Header Field Position . . . . . . . . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#section-7.4">7.4</a>. Reverse IP Query Denial-of-Service Attacks . . . . . . . . <a href="#page-28">28</a>
<a href="#section-7.5">7.5</a>. Mitigation of Backscatter . . . . . . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#section-7.6">7.6</a>. Internal MTA Lists . . . . . . . . . . . . . . . . . . . . <a href="#page-28">28</a>
<a href="#section-7.7">7.7</a>. Attacks against Authentication Methods . . . . . . . . . . <a href="#page-28">28</a>
<a href="#section-7.8">7.8</a>. Intentionally Malformed Header Fields . . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-7.9">7.9</a>. Compromised Internal Hosts . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-7.10">7.10</a>. Encapsulated Instances . . . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<a href="#section-7.11">7.11</a>. Reverse Mapping . . . . . . . . . . . . . . . . . . . . . <a href="#page-29">29</a>
<span class="grey">Kucherawy Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<a href="#section-8">8</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-30">30</a>
<a href="#section-8.1">8.1</a>. Normative References . . . . . . . . . . . . . . . . . . . <a href="#page-30">30</a>
<a href="#section-8.2">8.2</a>. Informative References . . . . . . . . . . . . . . . . . . <a href="#page-30">30</a>
<a href="#appendix-A">Appendix A</a>. Legacy MUAs . . . . . . . . . . . . . . . . . . . . . <a href="#page-32">32</a>
<a href="#appendix-B">Appendix B</a>. Authentication-Results Examples . . . . . . . . . . . <a href="#page-33">33</a>
<a href="#appendix-B.1">B.1</a>. Trivial Case; Header Field Not Present . . . . . . . . . . <a href="#page-33">33</a>
B.2. Nearly Trivial Case; Service Provided, But No
Authentication Done . . . . . . . . . . . . . . . . . . . <a href="#page-34">34</a>
<a href="#appendix-B.3">B.3</a>. Service Provided, Authentication Done . . . . . . . . . . <a href="#page-35">35</a>
B.4. Service Provided, Several Authentications Done, Single
MTA . . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-36">36</a>
B.5. Service Provided, Several Authentications Done,
Different MTAs . . . . . . . . . . . . . . . . . . . . . . <a href="#page-37">37</a>
<a href="#appendix-B.6">B.6</a>. Service Provided, Multi-Tiered Authentication Done . . . . <a href="#page-39">39</a>
<a href="#appendix-C">Appendix C</a>. Operational Considerations about Message
Authentication . . . . . . . . . . . . . . . . . . . <a href="#page-41">41</a>
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-43">43</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
This memo defines a new header field for electronic mail messages
that presents the results of a message authentication effort in a
machine-readable format. The intent is to create a place to collect
such data when message authentication mechanisms are in use so that a
Mail User Agent (MUA) and downstream filters can make filtering
decisions and/or provide a recommendation to the user as to the
validity of the message's origin and possibly the integrity of its
content.
End users are not expected to be direct consumers of this header
field. This header field is intended for consumption by programs
that will then use or render such data in a human-usable form.
This memo defines both the format of this new header field and
discusses the implications of its presence or absence. However, it
does not discuss how the data contained in the header field should be
used (i.e. what filtering decisions are appropriate, or how an MUA
might render these results) as these are local policy and/or user
interface design questions that are not appropriate for this memo.
At the time of publication of this memo, [<a href="#ref-AUTH" title=""SMTP Service Extension for Authentication"">AUTH</a>], [<a href="#ref-DKIM" title=""DomainKeys Identified Mail (DKIM) Signatures"">DKIM</a>],
[<a href="#ref-DOMAINKEYS" title=""Domain-Based Email Authentication Using Public Keys Advertised in the DNS (DomainKeys)"">DOMAINKEYS</a>], [<a href="#ref-SENDERID" title=""Sender ID: Authenticating E-Mail"">SENDERID</a>], and [<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>] are published DNS domain-level
email authentication methods in common use. This proposal is not
intended to be restricted to domain-based authentication, but this
has proven to be a good starting point for implementations. As
various methods emerge, it is necessary to prepare for their
appearance and encourage convergence in the area of interfacing
verifiers to filters and MUAs.
<span class="grey">Kucherawy Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
Although [<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>] defined a header field called Received-SPF and
[<a href="#ref-DOMAINKEYS" title=""Domain-Based Email Authentication Using Public Keys Advertised in the DNS (DomainKeys)"">DOMAINKEYS</a>] defined one called DomainKey-Status for this purpose,
those header fields are specific to the conveyance of their
respective results only and thus are insufficient to satisfy the
requirements enumerated below.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Purpose</span>
The header field defined in this memo is expected to serve several
purposes:
1. Convey the results of various message authentication checks being
applied by upstream filters and Mail Transfer Agents (MTAs) to
MUAs and downstream filters within the same "trust domain", as
such agents may wish to render those results to end users or use
that data to apply more or less stringent content checks based on
authentication results;
2. Provide a common location within a message for this data;
3. Create an extensible framework for reporting new authentication
methods as they emerge.
In particular, the mere presence of this header field should not be
construed as meaning that its data is valid, but rather that it is
asserting validity based on one or more authentication schemes
somewhere upstream. For an MUA or downstream filter to treat the
assertions as actually valid, there must be an assessment of the
trust relationship between such agents and the validating MTA.
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. Trust Boundary</span>
This document makes several references to the "trust boundary" of an
administrative management domain (ADMD). Given the diversity among
existing mail environments, a precise definition of this term isn't
possible.
Simply put, a transfer from the creator of the header field to the
consumer must occur within a context of trust that the creator's
information is correct. How this trust is obtained is outside the
scope of this document. It is entirely a local matter.
Thus, this document defines a "trust boundary" as the delineation
between "external" and "internal" entities; "external" here includes
all hosts that do not deliberately provide some kind of messaging
service for the receiving ADMD's users, and "internal" includes those
hosts that do. By this definition, the hosts within a "trust
boundary" may lie entirely within a receiving ADMD's direct control,
<span class="grey">Kucherawy Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
or they can include hosts managed by another ADMD (such as an ISP or
commercial filtering service) but that also provide services for the
former.
<span class="h3"><a class="selflink" id="section-1.3" href="#section-1.3">1.3</a>. Processing Scope</span>
This proposal is intended to address the needs of authenticating
messages or properties of messages during their actual transport. It
is not meant to address the security of messages that might be
encapsulated within other messages, such as a message/rfc822 [<a href="#ref-MIME" title=""Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies"">MIME</a>]
part within a message.
<span class="h3"><a class="selflink" id="section-1.4" href="#section-1.4">1.4</a>. Requirements</span>
This memo establishes no new requirements on existing protocols or
servers.
In particular, this memo establishes no requirement on MTAs to reject
or filter arriving messages that do not pass authentication checks.
The data conveyed by the defined header field's contents are for the
information of MUAs and filters and should be used at their
discretion.
<span class="h3"><a class="selflink" id="section-1.5" href="#section-1.5">1.5</a>. Definitions</span>
This section defines various terms used throughout this document.
<span class="h4"><a class="selflink" id="section-1.5.1" href="#section-1.5.1">1.5.1</a>. General</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="#ref-KEYWORDS" title=""Key words for use in RFCs to Indicate Requirement Levels"">KEYWORDS</a>].
<span class="h4"><a class="selflink" id="section-1.5.2" href="#section-1.5.2">1.5.2</a>. Security</span>
[<a id="ref-SECURITY">SECURITY</a>] discusses authentication and authorization and the
conflation of the two concepts. The use of those terms within the
context of recent message-security work has given rise to slightly
different definitions, and this document reflects those current
usages, as follows:
o "Authorization" is the establishment of permission to use a
resource or represent an identity. In this context, authorization
indicates that a message from a particular ADMD arrived via a
route the ADMD has explicitly approved.
<span class="grey">Kucherawy Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
o "Authentication" is the assertion of validity of a piece of data
about a message (such as the sender's identity) or the message in
its entirety.
As examples: [<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>] and [<a href="#ref-SENDERID" title=""Sender ID: Authenticating E-Mail"">SENDERID</a>] are authorization mechanisms in
that they express a result that shows whether or not the ADMD that
apparently sent the message has explicitly authorized the connecting
[<a href="#ref-SMTP" title=""Simple Mail Transfer Protocol"">SMTP</a>] client to relay messages on its behalf but do not actually
validate any property of the message itself. By contrast, [<a href="#ref-DKIM" title=""DomainKeys Identified Mail (DKIM) Signatures"">DKIM</a>] is
agnostic as to the routing of a message but uses cryptographic
signatures to authenticate agents claiming responsibility for the
message (which implies authorization) and ensure it was not modified
in transit. Since the signatures are not tied to SMTP connections,
they can be added by either the ADMD of origin, intermediate ADMDs
(such as a mailing list server), or both.
Rather than create a separate header field for each class of
solution, this proposal groups them both into a single header field.
<span class="h4"><a class="selflink" id="section-1.5.3" href="#section-1.5.3">1.5.3</a>. Email Architecture</span>
o A "border MTA" is an MTA that acts as a gateway between the
general Internet and the users within an organizational boundary.
(See also <a href="#section-1.2">Section 1.2</a>.)
o A "delivery MTA" (or Mail Delivery Agent or MDA) is an MTA that
actually enacts delivery of a message to a user's inbox or other
final delivery.
o An "intermediate MTA" is an MTA that handles messages after a
border MTA and before a delivery MTA.
<span class="grey">Kucherawy Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
The following diagram illustrates the flow of mail among these
defined components:
+-----+ +-----+ +------------+
| MUA |-->| MSA |-->| Border MTA |
+-----+ +-----+ +------------+
|
|
V
+----------+
| Internet |
+----------+
|
|
V
+-----+ +-----+ +------------------+ +------------+
| MUA |<--| MDA |<--| Intermediate MTA |<--| Border MTA |
+-----+ +-----+ +------------------+ +------------+
Generally, it is assumed that the work of applying message
authentication schemes takes place at a border MTA or a delivery MTA.
This specification is written with that assumption in mind. However,
there are some sites at which the entire mail infrastructure consists
of a single host. In such cases, such terms as "border MTA" and
"delivery MTA" may well apply to the same machine or even the very
same agent. It is also possible that some message authentication
tests could take place on an intermediate MTA. Although this
document doesn't specifically describe such cases, they are not meant
to be excluded from this specification.
See [<a href="#ref-EMAIL-ARCH" title=""Internet Mail Architecture"">EMAIL-ARCH</a>] for further discussion on general email system
architecture, and <a href="#appendix-C">Appendix C</a> of this memo for discussion about the
common aspects of email authentication in current environments.
<span class="h3"><a class="selflink" id="section-1.6" href="#section-1.6">1.6</a>. Trust Environment</span>
This new header field permits one or more message validation
mechanisms to communicate its output to one or more separate
assessment mechanisms. These mechanisms operate within a unified
trust boundary that defines an Administrative Management Domain
(ADMD). An ADMD contains one or more entities that perform
validation and generate the header field, and one or more that
consume it for some type of assessment. The field contains no
integrity or validation mechanism of its own, so its presence must be
trusted implicitly. Hence, use of the header field depends upon
ensuring that mail entering the ADMD has instances of the header
field claiming to be valid within its boundaries removed, so that
occurrences of such header fields can be used safely by consumers.
<span class="grey">Kucherawy Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
The "authserv-id" token defined in <a href="#section-2.2">Section 2.2</a> can be used to label
an entire ADMD or a specific validation engine within an ADMD.
Although the labeling scheme is left as an operational choice, some
guidance for selecting a token is provided within this proposal.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Definition and Format of the Header Field</span>
This section gives a general overview of the format of the header
field being defined, and then provides more formal specification.
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. General Description</span>
The new header field being defined here is called "Authentication-
Results". It is a Structured Header Field as defined in [<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>] and
thus all of the related definitions in that document apply.
This new header field SHOULD be added at the top of the message as it
transits MTAs that do authentication checks so some idea of how far
away the checks were done can be inferred. It therefore should be
treated as a Trace Field as defined in [<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>], and thus all of the
related definitions in that document apply.
The value of the header field (after removing [<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>] comments)
consists of an authentication identifier, an optional version, and
then a series of "method=result" statements indicating which
authentication method(s) were applied and their respective results,
and then, for each applied method, an optional "reason" string plus
optional "property=value" statements indicating which message
properties were evaluated to reach that conclusion.
The header field MAY appear more than once in a single message, or
more than one result MAY be represented in a single header field, or
a combination of these MAY be applied.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Formal Definition</span>
Formally, the header field is specified as follows using [<a href="#ref-ABNF" title=""Augmented BNF for Syntax Specifications: ABNF"">ABNF</a>]:
authres-header = "Authentication-Results:" [CFWS] authserv-id
[ CFWS version ]
( [CFWS] ";" [CFWS] "none" / 1*resinfo ) [CFWS] CRLF
; the special case of "none" is used to indicate that no
; message authentication is performed
authserv-id = dot-atom
; see below for a description of this element
<span class="grey">Kucherawy Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
version = 1*DIGIT [CFWS]
; indicates which version of this specification is in use;
; this specification is version "1"; the absence of a
; version implies this version of the specification
resinfo = [CFWS] ";" methodspec [ CFWS reasonspec ]
*( CFWS propspec )
methodspec = [CFWS] method [CFWS] "=" [CFWS] result
; indicates which authentication method was evaluated
reasonspec = "reason" [CFWS] "=" [CFWS] value
; a free-form comment on the reason the given result
; was returned
propspec = ptype [CFWS] "." [CFWS] property [CFWS] "=" pvalue
; an indication of which properties of the message
; were evaluated by the authentication scheme being
; applied to yield the reported result and would be
; useful to reveal to end users as authenticated
method = dot-atom [ [CFWS] "/" [CFWS] version ]
; a method indicates which method's result is
; represented by "result", and is one of the methods
; explicitly defined as valid in this document
; or is an extension method as defined below
result = dot-atom
; indicates the results of the attempt to authenticate
; the message; see below for details
ptype = "smtp" / "header" / "body" / "policy"
; indicates whether the property being evaluated was
; a parameter to an [<a href="#ref-SMTP" title=""Simple Mail Transfer Protocol"">SMTP</a>] command, or was a value taken
; from a message header field, or was some property of
; the message body, or some other property evaluated by
; the receiving MTA
property = dot-atom
; if "ptype" is "smtp", this indicates which [<a href="#ref-SMTP" title=""Simple Mail Transfer Protocol"">SMTP</a>]
; command provided the value that was evaluated by the
; authentication scheme being applied; if "ptype" is
; "header", this indicates from which header field the
; value being evaluated was extracted; if "ptype" is
; "body", this indicates the offset into the body at which
; content of interest was detected; if "ptype" is "policy"
; then this indicates the name of the policy that caused
; this header field to be added (see below)
<span class="grey">Kucherawy Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
pvalue = [CFWS] ( value / [ [ local-part ] "@" ] domain-name )
[CFWS]
; the value extracted from the message property defined
; by the "ptype.property" construction; if the value
; identifies something intended to be an e-mail identity,
; then it MUST use the right hand portion of this ABNF
; definition
The "local-part" is as defined in <a href="#section-3.4.1">Section 3.4.1</a>, and "dot-atom" is
defined in <a href="#section-3.2.3">Section 3.2.3</a>, of [<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>].
The "value" is as defined in Section 5.1 of [<a href="#ref-MIME" title=""Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies"">MIME</a>].
The "domain-name" is as defined in Section 3.5 of [<a href="#ref-DKIM" title=""DomainKeys Identified Mail (DKIM) Signatures"">DKIM</a>].
The "dot-atom" used in a "result" above is further constrained by the
necessity of being enumerated in <a href="#section-2.4">Section 2.4</a> or an amendment to it.
See <a href="#section-2.3">Section 2.3</a> for a description of the "authserv-id" element.
The list of commands eligible for use with the "smtp" ptype can be
found in [<a href="#ref-SMTP" title=""Simple Mail Transfer Protocol"">SMTP</a>] and subsequent amendments.
"CFWS" is as defined in Section 3.2.2 of [<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>].
The "propspec" may be omitted if, for example, the method was unable
to extract any properties to do its evaluation yet has a result to
report.
The "ptype" and "property" values used by each authentication method
should be defined in the specification for that method (or its
amendments).
The "ptype" and "property" are case-insensitive.
A "ptype" value of "policy" indicates a policy decision about the
message not specific to a property of the message that could be
extracted. For example, if a method would normally report a
"ptype.property" of "header.From" and no From: header field was
present, the method can use "policy" to indicate that no conclusion
about the authenticity of the message could be reached.
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Authentication Identifier Field</span>
Every Authentication-Results header field has an authentication
identifier field ("authserv-id" above). This is similar in syntax to
a fully-qualified domain name.
<span class="grey">Kucherawy Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
The authentication identifier field provides a unique identifier that
refers to the authenticating service within a given ADMD. The
uniqueness of the identifier MUST be guaranteed by the ADMD that
generates it and must pertain to exactly that one ADMD. This
identifier is intended to be machine-readable and not necessarily
meaningful to users. MUAs or downstream filters SHOULD use this
identifier to determine whether or not the data contained in an
Authentication-Results header field should be used.
For simplicity and scalability, the authentication identifier SHOULD
be a common token used throughout the ADMD, such as the DNS domain
name used by or within that ADMD.
For tracing and debugging purposes, the authentication identifier MAY
instead be the hostname of the MTA performing the authentication
check whose result is being reported. This is also useful for
another purpose, as described in <a href="#section-4">Section 4</a>. Moreover, some
implementations have considered appending a delimiter such as "/" and
following it with useful transport tracing data such as the [<a href="#ref-SMTP" title=""Simple Mail Transfer Protocol"">SMTP</a>]
queue ID or a timestamp.
It should be noted, however, that using a local, relative identifier
like a single hostname, rather than a hierarchical and globally
unique ADMD identifier like a DNS domain name, makes configuration
more difficult for large sites. The hierarchical identifier permits
aggregating related, trusted systems together under a single, parent
identifier, which in turn permits assessing the trust relationship
with a single reference. The alternative is a flat namespace
requiring individually listing each trusted system. Since consumers
must use the identifier to determine whether to use the contents of
the header field:
o Changes to the identifier impose a large, centralized
administrative burden.
o Ongoing administrative changes require constantly updating this
centralized table, making it difficult to ensure that an MUA or
downstream filter will have access to accurate information for
assessing the usability of the header field's content. In
particular, consumers of the header field will need to know not
only the current identifier(s) in use, but previous ones as well
to account for delivery latency or later re-assessment of the
header field's contents.
Examples of valid authentication identifiers are "example.com",
"mail.example.org", "ms1.newyork.example.com", and "example-auth".
<span class="grey">Kucherawy Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h3"><a class="selflink" id="section-2.4" href="#section-2.4">2.4</a>. Result Values</span>
Each individual authentication method returns one of a set of
specific result values. The subsections below define these results
for the authentication methods specifically supported by this memo,
and verifiers SHOULD use these values as described below. New
methods not specified in this document intended to be supported by
the header field defined in this memo MUST include a similar result
table either in its defining memo or in a supplementary one.
<span class="h4"><a class="selflink" id="section-2.4.1" href="#section-2.4.1">2.4.1</a>. DKIM and DomainKeys Results</span>
The result values used by [<a href="#ref-DKIM" title=""DomainKeys Identified Mail (DKIM) Signatures"">DKIM</a>] and [<a href="#ref-DOMAINKEYS" title=""Domain-Based Email Authentication Using Public Keys Advertised in the DNS (DomainKeys)"">DOMAINKEYS</a>] are as follows:
none: The message was not signed.
pass: The message was signed, the signature or signatures were
acceptable to the verifier, and the signature(s) passed
verification tests.
fail: The message was signed and the signature or signatures were
acceptable to the verifier, but they failed the verification
test(s).
policy: The message was signed but the signature or signatures were
not acceptable to the verifier.
neutral: The message was signed but the signature or signatures
contained syntax errors or were not otherwise able to be
processed. This result SHOULD also be used for other failures not
covered elsewhere in this list.
temperror: The message could not be verified due to some error that
is likely transient in nature, such as a temporary inability to
retrieve a public key. A later attempt may produce a final
result.
permerror: The message could not be verified due to some error that
is unrecoverable, such as a required header field being absent. A
later attempt is unlikely to produce a final result.
A signature is "acceptable to the verifier" if it passes local policy
checks (or there are no specific local policy checks). For example,
a verifier might require that the signature(s) on the message be
added using the DNS domain present in the From: header field of the
message, thus making third-party signatures unacceptable.
<span class="grey">Kucherawy Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
[<a id="ref-DKIM">DKIM</a>] advises that if a message fails verification, it should be
treated as an unsigned message. A report of "fail" here permits the
receiver of the report to decide how to handle the failure. A report
of "neutral" or "none" preempts that choice, ensuring the message
will be treated as if it had not been signed.
<span class="h4"><a class="selflink" id="section-2.4.2" href="#section-2.4.2">2.4.2</a>. SPF and Sender-ID Results</span>
The result values are used by [<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>] and [<a href="#ref-SENDERID" title=""Sender ID: Authenticating E-Mail"">SENDERID</a>] as follows:
none: No policy records were published at the sender's DNS domain.
neutral: The sender's ADMD has asserted that it cannot or does not
want to assert whether or not the sending IP address is authorized
to send mail using the sender's DNS domain.
pass: The client is authorized by the sender's ADMD to inject or
relay mail on behalf of the sender's DNS domain.
policy: The client is authorized to inject or relay mail on behalf
of the sender's DNS domain according to the authentication
method's algorithm, but local policy dictates that the result is
unacceptable.
hardfail: This client is explicitly not authorized to inject or
relay mail using the sender's DNS domain.
softfail: The sender's ADMD believes the client was not authorized
to inject or relay mail using the sender's DNS domain, but is
unwilling to make a strong assertion to that effect.
temperror: The message could not be verified due to some error that
is likely transient in nature, such as a temporary inability to
retrieve a policy record from DNS. A later attempt may produce a
final result.
permerror: The message could not be verified due to some error that
is unrecoverable, such as a required header field being absent or
a syntax error in a retrieved DNS TXT record. A later attempt is
unlikely to produce a final result.
The distinction between and interpretation of "none" and "neutral"
under these methods is discussed further in [<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>].
The "policy" result would be returned if, for example, [<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>] returned
as "pass" result, but a local policy check matches the sending DNS
domain to one found in an explicit list of unacceptable DNS domains
(e.g., spammers).
<span class="grey">Kucherawy Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
If the retrieved sender policies used to evaluate [<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>] and
[<a href="#ref-SENDERID" title=""Sender ID: Authenticating E-Mail"">SENDERID</a>] do not contain explicit provisions for authenticating the
local-part (see Section 3.4.1 of [<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>]) of an address, the "pvalue"
reported along with results for these mechanisms SHOULD NOT include
the local-part.
<span class="h4"><a class="selflink" id="section-2.4.3" href="#section-2.4.3">2.4.3</a>. "iprev" Results</span>
The result values are used by the "iprev" method, defined in
<a href="#section-3">Section 3</a>, are as follows:
pass: The DNS evaluation succeeded, i.e., the "reverse" and
"forward" lookup results were returned and were in agreement.
fail: The DNS evaluation failed. In particular, the "reverse" and
"forward" lookups each produced results but they were not in
agreement, or the "forward" query completed but produced no
result, e.g., a DNS RCODE of 3, commonly known as NXDOMAIN, or an
RCODE of 0 (NOERROR) in a reply containing no answers, was
returned.
temperror: The DNS evaluation could not be completed due to some
error that is likely transient in nature, such as a temporary DNS
error, e.g., a DNS RCODE of 2, commonly known as SERVFAIL, or
other error condition resulted. A later attempt may produce a
final result.
permerror: The DNS evaluation could not be completed because no PTR
data are published for the connecting IP address, e.g., a DNS
RCODE of 3, commonly known as NXDOMAIN, or an RCODE of 0 (NOERROR)
in a reply containing no answers, was returned. This prevented
completion of the evaluation.
There is no "none" for this method since any TCP connection
delivering email has an IP address associated with it, so some kind
of evaluation will always be possible.
For discussion of the format of DNS replies, see [<a href="#ref-DNS" title=""Domain names - implementation and specification"">DNS</a>].
<span class="h4"><a class="selflink" id="section-2.4.4" href="#section-2.4.4">2.4.4</a>. SMTP AUTH Results</span>
The result values are used by the [<a href="#ref-AUTH" title=""SMTP Service Extension for Authentication"">AUTH</a>] method are as follows:
none: SMTP authentication was not attempted.
pass: The SMTP client had authenticated to the server reporting the
result using the protocol described in [<a href="#ref-AUTH" title=""SMTP Service Extension for Authentication"">AUTH</a>].
<span class="grey">Kucherawy Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
fail: The SMTP client had attempted to authenticate to the server
using the protocol described in [<a href="#ref-AUTH" title=""SMTP Service Extension for Authentication"">AUTH</a>] but was not successful, yet
continued to send the message about which a result is being
reported.
temperror: The SMTP client attempted to authenticate using the
protocol described in [<a href="#ref-AUTH" title=""SMTP Service Extension for Authentication"">AUTH</a>] but was not able to complete the
attempt due to some error which is likely transient in nature,
such as a temporary Lightweight Directory Access Protocol (LDAP)
lookup error. A later attempt may produce a final result.
permerror: The SMTP client attempted to authenticate using the
protocol described in [<a href="#ref-AUTH" title=""SMTP Service Extension for Authentication"">AUTH</a>] but was not able to complete the
attempt due to some error that is likely not transient in nature,
such as a permanent LDAP lookup error. A later attempt is not
likely produce a final result.
Note that an agent making use of the data provided by this header
field SHOULD consider "fail" and "temperror" to be the synonymous in
terms of message authentication, i.e., the client did not
authenticate.
<span class="h4"><a class="selflink" id="section-2.4.5" href="#section-2.4.5">2.4.5</a>. Extension Result Codes</span>
Additional result codes (extension results) might be defined in the
future by later revisions or extensions to this specification.
Extension results beginning with "x-" will never be defined as
standard fields; such names are reserved for experimental use.
Result codes not beginning with "x-" MUST be registered with the
Internet Assigned Numbers Authority (IANA) and published in an RFC.
See <a href="#section-6">Section 6</a> for further details.
Implementations reporting new result codes MUST use the "x-" prefix
until such time as the new method is registered by IANA.
Extension results MUST only be used within ADMDs that have explicitly
consented to use them. These results and the parameters associated
with them are not documented in RFCs. Therefore, they are subject to
change at any time and not suitable for production use. Any MTA, MUA
or downstream filter intended for production use SHOULD ignore or
delete any Authentication-Results header field that includes an
extension result.
<span class="h3"><a class="selflink" id="section-2.5" href="#section-2.5">2.5</a>. Authentication Methods</span>
This section defines the supported authentication methods and
discusses the proper means for applying experimental and other
extension methods.
<span class="grey">Kucherawy Standards Track [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h4"><a class="selflink" id="section-2.5.1" href="#section-2.5.1">2.5.1</a>. Definition of Initial Methods</span>
As they are currently existing specifications for message
authentication, it is appropriate to define an authentication method
identifier for each of [<a href="#ref-AUTH" title=""SMTP Service Extension for Authentication"">AUTH</a>], [<a href="#ref-DKIM" title=""DomainKeys Identified Mail (DKIM) Signatures"">DKIM</a>], [<a href="#ref-DOMAINKEYS" title=""Domain-Based Email Authentication Using Public Keys Advertised in the DNS (DomainKeys)"">DOMAINKEYS</a>], [<a href="#ref-SENDERID" title=""Sender ID: Authenticating E-Mail"">SENDERID</a>], and
[<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>]. Therefore, the authentication method identifiers "auth",
"dkim", "domainkeys", "sender-id", and "spf", respectively are hereby
defined for MTAs applying those specifications for email message
authentication.
Furthermore, method "iprev" is defined in <a href="#section-3">Section 3</a>.
See <a href="#section-6">Section 6</a> for details.
<span class="h4"><a class="selflink" id="section-2.5.2" href="#section-2.5.2">2.5.2</a>. Extension Methods</span>
Additional authentication method identifiers (extension methods) may
be defined in the future by later revisions or extensions to this
specification. Extension methods beginning with "x-" will never be
defined as standard fields; such names are reserved for experimental
use. Method identifiers not beginning with "x-" MUST be registered
with the Internet Assigned Numbers Authority (IANA) and published in
an RFC. See <a href="#section-6">Section 6</a> for further details.
Extension methods may be defined for the following reasons:
1. To allow additional information from new authentication systems
to be communicated to MUAs or downstream filters. The names of
such identifiers should reflect the name of the method being
defined, but should not be needlessly long.
2. To allow the creation of "sub-identifiers" that indicate
different levels of authentication and differentiate between
their relative strengths, e.g., "auth1-weak" and "auth1-strong".
Implementations of new methods MUST use the "x-" prefix until such
time as the new method is registered by IANA.
Authentication method implementors are encouraged to provide adequate
information, via [<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>] comments if necessary, to allow an MUA
developer to understand or relay ancillary details of authentication
results. For example, if it might be of interest to relay what data
was used to perform an evaluation, such information could be relayed
as a comment in the header field, such as:
Authentication-Results: example.com;
foo=pass bar.baz=blob (2 of 3 tests OK)
<span class="grey">Kucherawy Standards Track [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
Experimental method identifiers MUST only be used within ADMDs that
have explicitly consented to use them. These method identifiers and
the parameters associated with them are not documented in RFCs.
Therefore, they are subject to change at any time and not suitable
for production use. Any MTA, MUA, or downstream filter intended for
production use SHOULD ignore or delete any Authentication-Results
header field that includes an experimental method identifier.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. The "iprev" Authentication Method</span>
This section defines an additional authentication method called
"iprev".
In general, "iprev" is an attempt to verify that a client appears to
be valid based on some DNS queries. Upon receiving a session
initiation of some kind from a client, the IP address of the client
peer is queried for matching names (i.e., a number-to-name
translation, also known as a "reverse lookup" or a "PTR" record
query). Once that result is acquired, a lookup of each of the names
(i.e., a name-to-number translation, or an "A" or "AAAA" record
query) thus retrieved is done. The response to this second check
should result in at least one mapping back to the client's IP
address.
More algorithmically: if the client peer's IP address is I, the list
of names to which I maps (after a "PTR" query) is the set N, and the
union of IP addresses to which each member of N maps (after
corresponding "A" and "AAAA" queries) is L, then this test is
successful if I is an element of L.
The response to a PTR query could contain multiple names. To prevent
heavy DNS loads, agents performing these queries MUST be implemented
such that the number of names evaluated by generation of
corresponding A or AAAA queries is finite, though it MAY be
configurable by an administrator. As an example, Section 5.5 of
[<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>] chose a limit of 10 for its implementation of this algorithm.
[<a id="ref-DNS-IP6">DNS-IP6</a>] discusses the query formats for the IPv6 case.
A successful test using this algorithm constitutes a result of "pass"
since the ADMD in which the client's PTR claims it belongs has
confirmed that claim by including corresponding data in its DNS
domain. A failure to match constitutes a "fail". There is no case
in which a "neutral" result can be returned. The remaining
"temperror" and "permerror" cases refer, respectively, to temporary
and permanent DNS query errors.
<span class="grey">Kucherawy Standards Track [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
There is some contention regarding the wisdom and reliability of this
test. For example, in some regions it can be difficult for this test
ever to pass because the practice of arranging to match the forward
and reverse DNS is infrequently observed. Therefore, the actual
implementation details of how a verifier performs an "iprev" test are
not specified here. The verifier MAY report a successful or failed
"iprev" test at its discretion having done some kind of check of the
validity of the connection's identity using DNS. It is incumbent
upon an agent making use of the reported "iprev" result to understand
what exactly that particular verifier is attempting to report.
Extensive discussion of reverse DNS mapping and its implications can
be found in [<a href="#ref-DNSOP-REVERSE" title=""Considerations for the use of DNS Reverse Mapping"">DNSOP-REVERSE</a>]. In particular, it recommends that
applications avoid using this test as a means of authentication or
security. Its presence in this memo is not an endorsement, but is
merely acknowledgement that the method remains common and provides
the means to relay the results of that test.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Adding the Header Field to A Message</span>
This specification makes no attempt to evaluate the relative
strengths of various message authentication methods that may become
available. As such, the order of the presented authentication
methods and results MUST NOT be used either to imply or infer the
importance or strength of any given method over another. Instead,
the MUA or downstream filter consuming this header field must
interpret the result of each method based on its own knowledge of
what that method evaluates.
Each "method" MUST refer to an authentication method declared in the
IANA registry, or an extension method as defined in <a href="#section-2.5.2">Section 2.5.2</a>,
and each "result" MUST refer to a result code declared in the IANA
registry, or an extension result code as defined in <a href="#section-2.4.5">Section 2.4.5</a>.
See <a href="#section-6">Section 6</a> for further information about the registered methods
and result codes.
An MTA compliant with this specification MUST add this header field
(after performing one or more message authentication tests) to
indicate which MTA or ADMD performed the test, which test got applied
and what the result was. If an MTA applies more than one such test,
it MUST add this header field either once per test, or once
indicating all of the results. An MTA MUST NOT add a result to an
existing header field.
An MTA MAY add this header field containing only the authentication
identifier portion to indicate explicitly that no message
authentication schemes were applied prior to delivery of this
message.
<span class="grey">Kucherawy Standards Track [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
An MTA adding this header field must take steps to identify it as
legitimate to the MUAs or downstream filters that will ultimately
consume its content. One required process to do so is described in
<a href="#section-5">Section 5</a>. Further measures may be required in some environments.
Some possible solutions are enumerated in <a href="#section-7.1">Section 7.1</a>. This memo
does not mandate any specific solution to this issue as each
environment has its own facilities and limitations.
For MTAs that add this header field, adding header fields in order
(at the top), per Section 3.6 of [<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>], is particularly important.
Moreover, this header field SHOULD be inserted above any other trace
header fields such MTAs might prepend. This allows easy detection of
header fields that can be trusted.
End users making direct use of this header field may inadvertently
trust information that has not been properly vetted. If, for
example, a basic [<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>] result were to be relayed that claims an
authenticated addr-spec, the local-part of that addr-spec has
actually not been authenticated. Thus, an MTA adding this header
field SHOULD NOT include any data that has not been authenticated by
the method(s) being applied. Moreover, MUAs SHOULD NOT render to
users such information if it is presented by a method known not to
authenticate it.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Header Field Position and Interpretation</span>
In order to ensure non-ambiguous results and avoid the impact of
false header fields, MUAs and downstream filters SHOULD NOT interpret
this header field unless specifically instructed to do so by the user
or administrator. That is, this interpretation should not be "on by
default". Naturally then, users or administrators should not
activate such a feature unless they are certain the header field will
be added by the border MTA that accepts the mail that is ultimately
read by the MUA, and instances of the header field appearing to be
from within the ADMD but actually added by foreign MTAs will be
removed before delivery.
Furthermore, MUAs and downstream filters SHOULD NOT interpret this
header field unless the authentication identifier it bears appears to
be one used within its own ADMD as configured by the user or
administrator.
MUAs and downstream filters MUST ignore any result reported using a
"result" not specified in the result code registry, or a "ptype" not
listed in the corresponding registry for such values as defined in
<a href="#section-6">Section 6</a>. Moreover, such agents MUST ignore a result indicated for
any "method" they do not specifically support.
<span class="grey">Kucherawy Standards Track [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
An MUA SHOULD NOT reveal these results to end users unless the
results are accompanied by, at a minimum, some associated reputation
data about the authenticated origin identifiers within the message.
For example, an attacker could register examp1e.com (note the digit
"one") and send signed mail to intended victims; a verifier would
detect that the signature was valid and report a "pass" even though
it's clear the DNS domain name was intended to mislead. See
<a href="#section-7.2">Section 7.2</a> for further discussion.
As stated in <a href="#section-2.1">Section 2.1</a>, this header field SHOULD be treated as
though it were a trace header field as defined in Section 3.6.7 of
[<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>], and hence MUST NOT be reordered and MUST be prepended to the
message, so that there is generally some indication upon delivery of
where in the chain of handling MTAs the message authentication was
done.
MUAs SHOULD ignore instances of this header field discovered within
message/rfc822 [<a href="#ref-MIME" title=""Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies"">MIME</a>] attachments.
Further discussion of this can be found in <a href="#section-7">Section 7</a> below.
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Local Policy Enforcement</span>
If a site's local policy is to consider a non-recoverable failure
result (e.g., "fail" for DKIM, "hardfail" for SPF) for any particular
authentication method as justification to reject the message
completely, the border MTA SHOULD issue an [<a href="#ref-SMTP" title=""Simple Mail Transfer Protocol"">SMTP</a>] rejection response
to the message rather than adding this header field with the failure
result and allowing it to proceed toward delivery. This is more
desirable than allowing the message to reach an internal host's MTA
or spam filter, thus possibly generating a local rejection such as a
[<a href="#ref-DSN" title=""An Extensible Message Format for Delivery Status Notifications"">DSN</a>] to a forged originator.
The same MAY also be done for local policy decisions overriding the
results of the authentication methods (e.g., the "policy" result
codes described in <a href="#section-2.4">Section 2.4</a>).
Such rejections at the SMTP protocol level are not possible if local
policy is enforced at the MUA and not the MTA. Unfortunately, this
may be a common scenario.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Removing the Header Field</span>
For security reasons, any MTA conforming to this specification MUST
delete any discovered instance of this header field that claims to
have been added within its trust boundary and that did not come from
another trusted MTA. For example, an MTA (border or otherwise) for
example.com receiving a message MUST delete any instance of this
<span class="grey">Kucherawy Standards Track [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
header field bearing an authentication identifier indicating the
header field was added within example.com prior to adding its own
header fields. This may mean each MTA will have to be equipped with
a list of internal MTAs known to be compliant (and hence
trustworthy).
For simplicity and maximum security, a border MTA MAY remove all
instances of this header field on mail crossing into its trust
boundary. However, this may conflict with the desire to access
authentication results performed by trusted external service
providers. It may also invalidate signed messages whose signatures
cover external instances of this header field. A more robust border
MTA could allow a specific list of authenticating MTAs whose
information should be let in, removing all others.
As stated in <a href="#section-1.2">Section 1.2</a>, a formal definition of "trust boundary" is
deliberately not made here. It is entirely possible that a border
MTA for example.com might explicitly trust authentication results
asserted by upstream host example.net even though they exist in
completely disjoint administrative boundaries. In that case, the
border MTA MAY elect not to delete those results; moreover, the
upstream host doing some authentication work could apply a signing
technology such as [<a href="#ref-DKIM" title=""DomainKeys Identified Mail (DKIM) Signatures"">DKIM</a>] on its own results to assure downstream
hosts of their authenticity. An example of this is provided in
<a href="#appendix-B">Appendix B</a>.
Similarly, in the case of messages signed using [<a href="#ref-DKIM" title=""DomainKeys Identified Mail (DKIM) Signatures"">DKIM</a>] or other
message signing methods that sign header fields, this may invalidate
one or more signatures on the message if they covered the header
field to be removed at the time of signing. This behavior can be
desirable since there's little value in validating the signature on a
message with forged headers. However, signing agents MAY therefore
elect to omit these header fields from signing to avoid this
situation.
An MTA SHOULD remove any instance of this header field bearing a
version (express or implied) that it does not support. However, an
MTA MUST remove such a header if the [<a href="#ref-SMTP" title=""Simple Mail Transfer Protocol"">SMTP</a>] connection relaying the
message is not from a trusted internal MTA.
<span class="grey">Kucherawy Standards Track [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. IANA Considerations</span>
IANA has registered a new header field and created two new tables as
described below.
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. The Authentication-Results Header Field</span>
Per [<a href="#ref-IANA-HEADERS" title=""Registration Procedures for Message Header Fields"">IANA-HEADERS</a>], the "Authentication-Results" header field has
been added to the IANA Permanent Message Header Field Registry. The
following is the registration template:
Header field name: Authentication-Results
Applicable protocol: mail ([<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>])
Status: Standard
Author/Change controller: IETF
Specification document(s): <a href="./rfc5451">RFC 5451</a>
Related information:
Requesting review of any proposed changes and additions to
this field is recommended.
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Email Authentication Method Name Registry</span>
Names of message authentication methods supported by this
specification must be registered with IANA, with the exception of
experimental names as described in <a href="#section-2.5.2">Section 2.5.2</a>.
New entries are assigned only for values that have been documented in
a published RFC that has had IETF Review, per [<a href="#ref-IANA-CONSIDERATIONS" title="">IANA-CONSIDERATIONS</a>].
Each method must register a name, the specification that defines it,
one or more "ptype" values appropriate for use with that method,
which "property" value(s) should be reported by that method, and a
description of the "value" to be used with each.
<span class="grey">Kucherawy Standards Track [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
The initial set of entries in this registry is as follows:
+------------+----------+--------+----------------+--------------------+
| Method | Defined | ptype | property | value |
+------------+----------+--------+----------------+--------------------+
| auth | <a href="./rfc4954">RFC4954</a> | smtp | auth | AUTH parameter of |
| | | | | the SMTP MAIL |
| | | | | command |
+------------+----------+--------+----------------+--------------------+
| dkim | <a href="./rfc4871">RFC4871</a> | header | d | value of |
| | | | | signature "d" tag |
| | | +----------------+--------------------+
| | | | i | value of |
| | | | | signature "i" tag |
+------------+----------+--------+----------------+--------------------+
| domainkeys | <a href="./rfc4870">RFC4870</a> | header | d | value of |
| | | | | signature "d" tag |
| | | +----------------+--------------------+
| | | | from | value of From |
| | | | | header field after |
| | | | | removing comments |
| | | | | and local-part if |
| | | | | not authenticated |
| | | +----------------+--------------------+
| | | | sender | value of Sender |
| | | | | header field after |
| | | | | removing comments |
| | | | | and local-part if |
| | | | | not authenticated |
+------------+----------+--------+----------------+--------------------+
| iprev | this | policy | iprev | client IP address |
| | document | | | |
+------------+----------+--------+----------------+--------------------+
| sender-id | <a href="./rfc4406">RFC4406</a> | header | name of header | value of header |
| | | | field used by | field used by PRA |
| | | | the Purported | after removing |
| | | | Responsible | comments and parts |
| | | | Address (PRA) | not authenticated |
+------------+----------+--------+----------------+--------------------+
| spf | <a href="./rfc4408">RFC4408</a> | smtp | mailfrom | envelope sender |
| | | | | after removing |
| | | | | parts not |
| | | | | authenticated |
| | +--------+----------------+--------------------+
| | | smtp | helo | HELO/EHLO value |
+------------+----------+--------+----------------+--------------------+
<span class="grey">Kucherawy Standards Track [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h3"><a class="selflink" id="section-6.3" href="#section-6.3">6.3</a>. Email Authentication Result Name Registry</span>
Names of message authentication result codes supported by this
specification must be registered with IANA, with the exception of
experimental codes as described in <a href="#section-2.4.5">Section 2.4.5</a>.
New entries are assigned only for result codes that have been
documented in a published RFC that has had IETF Review, per
[<a href="#ref-IANA-CONSIDERATIONS" title="">IANA-CONSIDERATIONS</a>]. Each code must register a name, the document
that establishes the registration, the authentication method(s) that
uses it, and either a definition of the semantics of its use or a
reference to the place where those semantics are defined.
The initial set of entries in this registry is as follows:
+-----------+----------+----------------+------------------------------+
| Code | Defined | Auth Method(s) | Meaning |
+-----------+----------+----------------+------------------------------+
| none | this | dkim | <a href="#section-2.4.1">section 2.4.1</a> |
| | document | domainkeys | |
| | +----------------+------------------------------+
| | | spf | <a href="#section-2.4.2">section 2.4.2</a> |
| | | sender-id | |
| | +----------------+------------------------------+
| | | auth | <a href="#section-2.4.4">section 2.4.4</a> |
+-----------+----------+----------------+------------------------------+
| pass | this | dkim | <a href="#section-2.4.1">section 2.4.1</a> |
| | document | domainkeys | |
| | +----------------+------------------------------+
| | | spf | <a href="#section-2.4.2">section 2.4.2</a> |
| | | sender-id | |
| | +----------------+------------------------------+
| | | iprev | <a href="#section-2.4.3">section 2.4.3</a> |
| | +----------------+------------------------------+
| | | auth | <a href="#section-2.4.4">section 2.4.4</a> |
+-----------+----------+----------------+------------------------------+
| fail | this | dkim | <a href="#section-2.4.1">section 2.4.1</a> |
| | document | domainkeys | |
| | +----------------+------------------------------+
| | | iprev | <a href="#section-2.4.3">section 2.4.3</a> |
| | +----------------+------------------------------+
| | | auth | <a href="#section-2.4.4">section 2.4.4</a> |
+-----------+----------+----------------+------------------------------+
<span class="grey">Kucherawy Standards Track [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
| policy | this | dkim | <a href="#section-2.4.1">section 2.4.1</a> |
| | document | domainkeys | |
| | +----------------+------------------------------+
| | | spf | <a href="#section-2.4.2">section 2.4.2</a> |
| | | sender-id | |
+-----------+----------+----------------+------------------------------+
| neutral | this | dkim | <a href="#section-2.4.1">section 2.4.1</a> |
| | document | domainkeys | |
| | +----------------+------------------------------+
| | | spf | <a href="#section-2.4.2">section 2.4.2</a> |
| | | sender-id | |
+-----------+----------+----------------+------------------------------+
| temperror | this | dkim | <a href="#section-2.4.1">section 2.4.1</a> |
| | document | domainkeys | |
| | +----------------+------------------------------+
| | | spf | <a href="#section-2.4.2">section 2.4.2</a> |
| | | sender-id | |
| | +----------------+------------------------------+
| | | iprev | <a href="#section-2.4.3">section 2.4.3</a> |
| | +----------------+------------------------------+
| | | auth | <a href="#section-2.4.4">section 2.4.4</a> |
+-----------+----------+----------------+------------------------------+
| permerror | this | dkim | <a href="#section-2.4.1">section 2.4.1</a> |
| | document | domainkeys | |
| | +----------------+------------------------------+
| | | spf | <a href="#section-2.4.2">section 2.4.2</a> |
| | | sender-id | |
| | +----------------+------------------------------+
| | | iprev | <a href="#section-2.4.3">section 2.4.3</a> |
| | +----------------+------------------------------+
| | | auth | <a href="#section-2.4.4">section 2.4.4</a> |
+-----------+----------+----------------+------------------------------+
| hardfail | this | spf | <a href="#section-2.4.2">section 2.4.2</a> |
| | document | sender-id | |
+-----------+----------+----------------+------------------------------+
| softfail | this | spf | <a href="#section-2.4.2">section 2.4.2</a> |
| | document | sender-id | |
+-----------+----------+----------------+------------------------------+
<span class="grey">Kucherawy Standards Track [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Security Considerations</span>
The following security considerations apply when adding or processing
the "Authentication-Results" header field:
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. Forged Header Fields</span>
An MUA or filter that accesses a mailbox whose mail is handled by a
non-conformant MTA, and understands Authentication-Results header
fields, could potentially make false conclusions based on forged
header fields. A malicious user or agent could forge a header field
using the DNS domain of a receiving ADMD as the authserv-id token in
the value of the header field, and with the rest of the value claim
that the message was properly authenticated. The non-conformant MTA
would fail to strip the forged header field, and the MUA could
inappropriately trust it.
It is for this reason an MUA should not have processing of the
"Authentication-Results" header field enabled by default; instead it
should be ignored, at least for the purposes of enacting filtering
decisions, unless specifically enabled by the user or administrator
after verifying that the border MTA is compliant. It is acceptable
to have an MUA aware of this specification, but have an explicit list
of hostnames whose "Authentication-Results" header fields are
trustworthy; however, this list should initially be empty.
Proposed alternate solutions to this problem are nascent:
1. Possibly the simplest is a digital signature protecting the
header field, such as using [<a href="#ref-DKIM" title=""DomainKeys Identified Mail (DKIM) Signatures"">DKIM</a>], that can be verified by an
MUA by using a posted public key. Although one of the main
purposes of this memo is to relieve the burden of doing message
authentication work at the MUA, this only requires that the MUA
learn a single authentication scheme even if a number of them are
in use at the border MTA. Note that [<a href="#ref-DKIM" title=""DomainKeys Identified Mail (DKIM) Signatures"">DKIM</a>] requires that the
From header field be signed, although in this application, the
signing agent (a trusted MTA) likely cannot authenticate that
value, so the fact that it is signed should be ignored.
2. Another would be a means to interrogate the MTA that added the
header field to see if it is actually providing any message
authentication services and saw the message in question, but this
isn't especially palatable given the work required to craft and
implement such a scheme.
3. Yet another might be a method to interrogate the internal MTAs
that apparently handled the message (based on Received: header
<span class="grey">Kucherawy Standards Track [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
fields) to determine whether any of them conform to <a href="#section-5">Section 5</a> of
this memo. This, too, has potentially high barriers-to-entry.
4. Extensions to [<a href="#ref-IMAP" title=""INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1"">IMAP</a>], [<a href="#ref-SMTP" title=""Simple Mail Transfer Protocol"">SMTP</a>], and [<a href="#ref-POP3" title=""Post Office Protocol - Version 3"">POP3</a>] could be defined to
allow an MUA or filtering agent to acquire the "authserv-id" in
use within an ADMD, thus allowing it to identify which
Authentication-Results header fields it can trust.
5. On the presumption that internal MTAs are fully compliant with
Section 3.6 of [<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>], and the compliant internal MTAs are using
their own host names or the ADMD's DNS domain name as the
"authserv-id" token, the header field proposed here should always
appear above a Received: header added by a trusted MTA. This can
be used as a test for header field validity.
Support for some of these is planned for future work.
In any case, a mechanism needs to exist for an MUA or filter to
verify that the host that appears to have added the header field (a)
actually did so, and (b) is legitimately adding that header field for
this delivery. Given the variety of messaging environments deployed
today, consensus appears to be that specifying a particular mechanism
for doing so is not appropriate for this memo.
Mitigation of the forged header field attack can also be accomplished
by moving the authentication results data into meta-data associated
with the message. In particular, an [<a href="#ref-SMTP" title=""Simple Mail Transfer Protocol"">SMTP</a>] extension could be
established which is used to communicate authentication results from
the border MTA to intermediate and delivery MTAs; the latter of these
could arrange to store the authentication results as meta-data
retrieved and rendered along with the message by an [<a href="#ref-IMAP" title=""INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1"">IMAP</a>] client
aware of a similar extension in that protocol. The delivery MTA
would be told to trust data via this extension only from MTAs it
trusts, and border MTAs would not accept data via this extension from
any source. There is no vector in such an arrangement for forgery of
authentication data by an outside agent.
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. Misleading Results</span>
Until some form of service for querying the reputation of a sending
agent is widely deployed, the existence of this header field
indicating a "pass" does not render the message trustworthy. It is
possible for an arriving piece of spam or other undesirable mail to
pass checks by several of the methods enumerated above (e.g., a piece
of spam signed using [<a href="#ref-DKIM" title=""DomainKeys Identified Mail (DKIM) Signatures"">DKIM</a>] by the originator of the spam, which
might be a spammer or a compromised system). In particular, this
issue is not resolved by forged header field removal discussed above.
<span class="grey">Kucherawy Standards Track [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
Hence, MUAs and downstream filters must take some care with use of
this header even after possibly malicious headers are scrubbed.
<span class="h3"><a class="selflink" id="section-7.3" href="#section-7.3">7.3</a>. Header Field Position</span>
Despite the requirements of [<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>], header fields can sometimes be
reordered enroute by intermediate MTAs. The goal of requiring header
field addition only at the top of a message is an acknowledgement
that some MTAs do reorder header fields, but most do not. Thus, in
the general case, there will be some indication of which MTAs (if
any) handled the message after the addition of the header field
defined here.
<span class="h3"><a class="selflink" id="section-7.4" href="#section-7.4">7.4</a>. Reverse IP Query Denial-of-Service Attacks</span>
Section 5.5 of [<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>] describes a DNS-based denial-of-service attack
for verifiers that attempt DNS-based identity verification of
arriving client connections. A verifier wishing to do this check and
report this information SHOULD take care not to go to unbounded
lengths to resolve "A" and "PTR" queries. MUAs or other filters
making use of an "iprev" result specified by this memo SHOULD be
aware of the algorithm used by the verifier reporting the result and
thus be aware of its limitations.
<span class="h3"><a class="selflink" id="section-7.5" href="#section-7.5">7.5</a>. Mitigation of Backscatter</span>
Failing to follow the instructions of <a href="#section-4.2">Section 4.2</a> can result in a
denial-of-service attack caused by the generation of [<a href="#ref-DSN" title=""An Extensible Message Format for Delivery Status Notifications"">DSN</a>] messages
(or equivalent) to addresses that did not send the messages being
rejected.
<span class="h3"><a class="selflink" id="section-7.6" href="#section-7.6">7.6</a>. Internal MTA Lists</span>
<a href="#section-5">Section 5</a> describes a procedure for scrubbing headers that may
contain forged authentication results about a message. A compliant
installation will have to include, at each MTA, a list of other MTAs
known to be compliant and trustworthy. Failing to keep this list
current as internal infrastructure changes may expose an ADMD to
attack.
<span class="h3"><a class="selflink" id="section-7.7" href="#section-7.7">7.7</a>. Attacks against Authentication Methods</span>
If an attack becomes known against an authentication method, clearly
then the agent verifying that method can be fooled into thinking an
inauthentic message is authentic, and thus the value of this header
field can be misleading. It follows that any attack against the
authentication methods supported by this document (and later
amendments to it) is also a security consideration here.
<span class="grey">Kucherawy Standards Track [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h3"><a class="selflink" id="section-7.8" href="#section-7.8">7.8</a>. Intentionally Malformed Header Fields</span>
It is possible for an attacker to add an Authentication-Results
header field that is extraordinarily large or otherwise malformed in
an attempt to discover or exploit weaknesses in header field parsing
code. Implementors must thoroughly verify all such header fields
received from MTAs and be robust against intentionally as well as
unintentionally malformed header fields.
<span class="h3"><a class="selflink" id="section-7.9" href="#section-7.9">7.9</a>. Compromised Internal Hosts</span>
An internal MUA or MTA that has been compromised could generate mail
with a forged From header field and a forged Authentication-Results
header field that endorses it. Although it is clearly a larger
concern to have compromised internal machines than it is to prove the
value of this header field, this risk can be mitigated by arranging
that internal MTAs will remove this header field if it claims to have
been added by a trusted border MTA (as described above), yet the
[<a href="#ref-SMTP" title=""Simple Mail Transfer Protocol"">SMTP</a>] connection is not coming from an internal machine known to be
running an authorized MTA. However, in such a configuration,
legitimate MTAs will have to add this header field when legitimate
internal-only messages are generated. This is also covered in
<a href="#section-5">Section 5</a>.
<span class="h3"><a class="selflink" id="section-7.10" href="#section-7.10">7.10</a>. Encapsulated Instances</span>
[<a id="ref-MIME">MIME</a>] messages may contain attachments of type "message/rfc822",
which contain other [<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>] messages. Such an encapsulated message
may also contain an Authentication-Results header field. Although
the processing of these is outside of the intended scope of this
document (see <a href="#section-1.3">Section 1.3</a>), some early guidance to MUA developers is
appropriate here.
Since MTAs are unlikely to strip Authentication-Results header fields
after mailbox delivery, MUAs are advised in <a href="#section-4.1">Section 4.1</a> to ignore
such instances within [<a href="#ref-MIME" title=""Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies"">MIME</a>] attachments. Moreover, when extracting
a message digest to separate mail store messages or other media, such
header fields should be removed so that they will never be
interpreted improperly by MUAs that might later consume them.
<span class="h3"><a class="selflink" id="section-7.11" href="#section-7.11">7.11</a>. Reverse Mapping</span>
Although <a href="#section-3">Section 3</a> of this memo includes explicit support for the
"iprev" method, its value as an authentication mechanism is limited.
Implementors of both this proposal and agents that use the data it
relays are encouraged to become familiar with the issues raised by
[<a href="#ref-DNSOP-REVERSE" title=""Considerations for the use of DNS Reverse Mapping"">DNSOP-REVERSE</a>] when deciding whether or not to include support for
"iprev".
<span class="grey">Kucherawy Standards Track [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. References</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Normative References</span>
[<a id="ref-ABNF">ABNF</a>] Crocker, D. and P. Overell, "Augmented BNF for
Syntax Specifications: ABNF", STD 68,
<a href="./rfc5234">RFC 5234</a>, January 2008.
[<a id="ref-IANA-HEADERS">IANA-HEADERS</a>] Klyne, G., Nottingham, M., and J. Mogul,
"Registration Procedures for Message Header
Fields", <a href="https://www.rfc-editor.org/bcp/bcp90">BCP 90</a>, <a href="./rfc3864">RFC 3864</a>, September 2004.
[<a id="ref-KEYWORDS">KEYWORDS</a>] Bradner, S., "Key words for use in RFCs to
Indicate Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>,
<a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-MAIL">MAIL</a>] Resnick, P., Ed., "Internet Message Format",
<a href="./rfc5322">RFC 5322</a>, October 2008.
[<a id="ref-MIME">MIME</a>] Freed, N. and N. Borenstein, "Multipurpose
Internet Mail Extensions (MIME) Part One:
Format of Internet Message Bodies", <a href="./rfc2045">RFC 2045</a>,
November 1996.
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Informative References</span>
[<a id="ref-AUTH">AUTH</a>] Siemborski, R. and A. Melnikov, "SMTP Service
Extension for Authentication", <a href="./rfc4954">RFC 4954</a>,
July 2007.
[<a id="ref-DKIM">DKIM</a>] Allman, E., Callas, J., Delany, M., Libbey,
M., Fenton, J., and M. Thomas, "DomainKeys
Identified Mail (DKIM) Signatures", <a href="./rfc4871">RFC 4871</a>,
May 2007.
[<a id="ref-DNS">DNS</a>] Mockapetris, P., "Domain names -
implementation and specification", STD 13,
<a href="./rfc1035">RFC 1035</a>, November 1987.
[<a id="ref-DNS-IP6">DNS-IP6</a>] Thomson, S., Huitema, C., Ksinant, V., and M.
Souissi, "DNS Extensions to Support IP Version
6", <a href="./rfc3596">RFC 3596</a>, October 2003.
[<a id="ref-DNSOP-REVERSE">DNSOP-REVERSE</a>] Senie, D. and A. Sullivan, "Considerations for
the use of DNS Reverse Mapping", Work
in Progress, March 2008.
<span class="grey">Kucherawy Standards Track [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
[<a id="ref-DOMAINKEYS">DOMAINKEYS</a>] Delany, M., "Domain-Based Email Authentication
Using Public Keys Advertised in the DNS
(DomainKeys)", <a href="./rfc4870">RFC 4870</a>, May 2007.
[<a id="ref-DSN">DSN</a>] Moore, K. and G. Vaudreuil, "An Extensible
Message Format for Delivery Status
Notifications", <a href="./rfc3464">RFC 3464</a>, January 2003.
[<a id="ref-EMAIL-ARCH">EMAIL-ARCH</a>] Crocker, D., <a style="text-decoration: none" href='https://www.google.com/search?sitesearch=datatracker.ietf.org%2Fdoc%2Fhtml%2F&q=inurl:draft-+%22Internet+Mail+Architecture%22'>"Internet Mail Architecture"</a>,
Work in Progress, October 2008.
[<a id="ref-IANA-CONSIDERATIONS">IANA-CONSIDERATIONS</a>] Narten, T. and H. Alvestrand, "Guidelines for
Writing an IANA Considerations Section in
RFCs", <a href="https://www.rfc-editor.org/bcp/bcp26">BCP 26</a>, <a href="./rfc5226">RFC 5226</a>, May 2008.
[<a id="ref-IMAP">IMAP</a>] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL
- VERSION 4rev1", <a href="./rfc3501">RFC 3501</a>, March 2003.
[<a id="ref-POP3">POP3</a>] Myers, J. and M. Rose, "Post Office Protocol -
Version 3", STD 53, <a href="./rfc1939">RFC 1939</a>, May 1996.
[<a id="ref-SECURITY">SECURITY</a>] Rescorla, E. and B. Korver, "Guidelines for
Writing RFC Text on Security Considerations",
<a href="https://www.rfc-editor.org/bcp/bcp72">BCP 72</a>, <a href="./rfc3552">RFC 3552</a>, July 2003.
[<a id="ref-SENDERID">SENDERID</a>] Lyon, J. and M. Wong, "Sender ID:
Authenticating E-Mail", <a href="./rfc4406">RFC 4406</a>, April 2006.
[<a id="ref-SMTP">SMTP</a>] Klensin, J., "Simple Mail Transfer Protocol",
<a href="./rfc5321">RFC 5321</a>, October 2008.
[<a id="ref-SPF">SPF</a>] Wong, M. and W. Schlitt, "Sender Policy
Framework (SPF) for Authorizing Use of Domains
in E-Mail, Version 1", <a href="./rfc4408">RFC 4408</a>, April 2006.
<span class="grey">Kucherawy Standards Track [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Legacy MUAs</span>
Implementors of this proposal should be aware that many MUAs are
unlikely to be retrofitted to support the new header field and its
semantics. In the interests of convenience and quicker adoption, a
delivery MTA might want to consider adding things that are processed
by existing MUAs in addition to the Authentication-Results header
field. One suggestion is to include a Priority header field, on
messages that don't already have such a header field, containing a
value that reflects the strength of the authentication that was
accomplished, e.g., "low" for weak or no authentication, "normal" or
"high" for good or strong authentication.
Some modern MUAs can already filter based on the content of this
header field. However, there is keen interest in having MUAs make
some kind of graphical representation of this header field's meaning
to end users. Until this capability is added, other interim means of
conveying authentication results may be necessary while this proposal
and its successors are adopted.
<span class="grey">Kucherawy Standards Track [Page 32]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-33" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h2"><a class="selflink" id="appendix-B" href="#appendix-B">Appendix B</a>. Authentication-Results Examples</span>
This section presents some examples of the use of this header field
to indicate authentication results.
<span class="h3"><a class="selflink" id="appendix-B.1" href="#appendix-B.1">B.1</a>. Trivial Case; Header Field Not Present</span>
The trivial case:
Received: from mail-router.example.com
(mail-router.example.com [192.0.2.1])
by server.example.org (8.11.6/8.11.6)
with ESMTP id g1G0r1kA003489;
Fri, Feb 15 2002 17:19:07 -0800
From: sender@example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org
Message-Id: <12345.abc@example.com>
Subject: here's a sample
Hello! Goodbye!
Example 1: Trivial case
The "Authentication-Results" header field is completely absent. The
MUA may make no conclusion about the validity of the message. This
could be the case because the message authentication services were
not available at the time of delivery, or no service is provided, or
the MTA is not in compliance with this specification.
<span class="grey">Kucherawy Standards Track [Page 33]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-34" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h3"><a class="selflink" id="appendix-B.2" href="#appendix-B.2">B.2</a>. Nearly Trivial Case; Service Provided, But No Authentication Done</span>
A message that was delivered by an MTA that conforms to this
specification but provides no actual message authentication service:
Authentication-Results: example.org; none
Received: from mail-router.example.com
(mail-router.example.com [192.0.2.1])
by server.example.org (8.11.6/8.11.6)
with ESMTP id g1G0r1kA003489;
Fri, Feb 15 2002 17:19:07 -0800
From: sender@example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.org
Message-Id: <12345.abc@example.com>
Subject: here's a sample
Hello! Goodbye!
Example 2: Header present but no authentication done
The "Authentication-Results" header field is present, showing that
the delivering MTA conforms to this specification. It used its DNS
domain name as the authserv-id. The presence of "none" (and the
absence of any method and result tokens) indicates that no message
authentication was done.
<span class="grey">Kucherawy Standards Track [Page 34]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-35" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h3"><a class="selflink" id="appendix-B.3" href="#appendix-B.3">B.3</a>. Service Provided, Authentication Done</span>
A message that was delivered by an MTA that conforms to this
specification and applied some message authentication:
Authentication-Results: example.com;
spf=pass smtp.mailfrom=example.net
Received: from dialup-1-2-3-4.example.net
(dialup-1-2-3-4.example.net [192.0.2.200])
by mail-router.example.com (8.11.6/8.11.6)
with ESMTP id g1G0r1kA003489;
Fri, Feb 15 2002 17:19:07 -0800
From: sender@example.net
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.com
Message-Id: <12345.abc@example.net>
Subject: here's a sample
Hello! Goodbye!
Example 3: Header reporting results
The "Authentication-Results" header field is present, indicating that
the border MTA conforms to this specification. The authserv-id is
once again the DNS domain name. Furthermore, the message was
authenticated by that MTA via the method specified in [<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>]. Note
that since that method cannot authenticate the local-part, it has
been omitted from the result's value. The MUA could extract and
relay this extra information if desired.
<span class="grey">Kucherawy Standards Track [Page 35]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-36" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h3"><a class="selflink" id="appendix-B.4" href="#appendix-B.4">B.4</a>. Service Provided, Several Authentications Done, Single MTA</span>
A message that was relayed inbound via a single MTA that conforms to
this specification and applied three different message authentication
checks:
Authentication-Results: example.com;
auth=pass (cram-md5) smtp.auth=sender@example.com;
spf=pass smtp.mailfrom=example.com
Authentication-Results: example.com;
sender-id=pass header.from=example.com
Received: from dialup-1-2-3-4.example.net (8.11.6/8.11.6)
(dialup-1-2-3-4.example.net [192.0.2.200])
by mail-router.example.com (8.11.6/8.11.6)
with ESMTP id g1G0r1kA003489;
Fri, Feb 15 2002 17:19:07 -0800
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.net
From: sender@example.com
Message-Id: <12345.abc@example.com>
Subject: here's a sample
Hello! Goodbye!
Example 4: Headers reporting results from one MTA
The "Authentication-Results" header field is present, indicating the
delivering MTA conforms to this specification. Once again, the
receiving DNS domain name is used as the authserv-id. Furthermore,
the sender authenticated herself/himself to the MTA via a method
specified in [<a href="#ref-AUTH" title=""SMTP Service Extension for Authentication"">AUTH</a>], and both [<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>] and [<a href="#ref-SENDERID" title=""Sender ID: Authenticating E-Mail"">SENDERID</a>] checks were done
and passed. The MUA could extract and relay this extra information
if desired.
Two "Authentication-Results" header fields are not required since the
same host did all of the checking. The authenticating agent could
have consolidated all the results into one header field.
This example illustrates a scenario in which a remote user on a
dialup connection (example.net) sends mail to a border MTA
(example.com) using SMTP authentication to prove identity. The
dialup provider has been explicitly authorized to relay mail as
"example.com" resulting in passes by the SPF and SenderID checks.
<span class="grey">Kucherawy Standards Track [Page 36]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-37" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h3"><a class="selflink" id="appendix-B.5" href="#appendix-B.5">B.5</a>. Service Provided, Several Authentications Done, Different MTAs</span>
A message that was relayed inbound by two different MTAs that conform
to this specification and applied multiple message authentication
checks:
Authentication-Results: example.com;
sender-id=hardfail header.from=example.com;
dkim=pass (good signature) header.i=sender@example.com
Received: from mail-router.example.com
(mail-router.example.com [192.0.2.1])
by auth-checker.example.com (8.11.6/8.11.6)
with ESMTP id i7PK0sH7021929;
Fri, Feb 15 2002 17:19:22 -0800
Authentication-Results: example.com;
auth=pass (cram-md5) smtp.auth=sender@example.com;
spf=hardfail smtp.mailfrom=example.com
Received: from dialup-1-2-3-4.example.net
(dialup-1-2-3-4.example.net [192.0.2.200])
by mail-router.example.com (8.11.6/8.11.6)
with ESMTP id g1G0r1kA003489;
Fri, Feb 15 2002 17:19:07 -0800
DKIM-Signature: v=1; a=rsa-sha256; s=gatsby; d=example.com;
i=sender@example.com; t=1188964191; c=simple/simple;
h=From:Date:To:Message-Id:Subject;
bh=sEuZGD/pSr7ANysbY3jtdaQ3Xv9xPQtS0m70;
b=EToRSuvUfQVP3Bkz ... rTB0t0gYnBVCM=
From: sender@example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: receiver@example.com
Message-Id: <12345.abc@example.com>
Subject: here's a sample
Hello! Goodbye!
Example 5: Headers reporting results from multiple MTAs
The "Authentication-Results" header field is present, indicating
conformance to this specification. Once again, the authserv-id used
is the recipient's DNS domain name. The header field is present
twice because two different MTAs in the chain of delivery did
authentication tests. The first, "mail-router.example.com" reports
that [<a href="#ref-AUTH" title=""SMTP Service Extension for Authentication"">AUTH</a>] and [<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>] were both used, and [<a href="#ref-AUTH" title=""SMTP Service Extension for Authentication"">AUTH</a>] passed but [<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>]
failed. In the [<a href="#ref-AUTH" title=""SMTP Service Extension for Authentication"">AUTH</a>] case, additional data is provided in the
comment field, which the MUA can choose to render if desired.
<span class="grey">Kucherawy Standards Track [Page 37]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-38" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
The second MTA, "auth-checker.example.com", reports that it did a
[<a href="#ref-SENDERID" title=""Sender ID: Authenticating E-Mail"">SENDERID</a>] test (which failed) and a [<a href="#ref-DKIM" title=""DomainKeys Identified Mail (DKIM) Signatures"">DKIM</a>] test (which passed).
Again, additional data about one of the tests is provided as a
comment, which the MUA may choose to render.
Since different hosts did the two sets of authentication checks, the
header fields cannot be consolidated in this example.
This example illustrates more typical transmission of mail into
"example.com" from a user on a dialup connection "example.net". The
user appears to be legitimate as he/she had a valid password allowing
authentication at the border MTA using [<a href="#ref-AUTH" title=""SMTP Service Extension for Authentication"">AUTH</a>]. The [<a href="#ref-SPF" title=""Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1"">SPF</a>] and
[<a href="#ref-SENDERID" title=""Sender ID: Authenticating E-Mail"">SENDERID</a>] tests failed since "example.com" has not granted
"example.net" authority to relay mail on its behalf. However, the
[<a href="#ref-DKIM" title=""DomainKeys Identified Mail (DKIM) Signatures"">DKIM</a>] test passed because the sending user had a private key
matching one of "example.com"'s published public keys and used it to
sign the message.
<span class="grey">Kucherawy Standards Track [Page 38]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-39" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h3"><a class="selflink" id="appendix-B.6" href="#appendix-B.6">B.6</a>. Service Provided, Multi-Tiered Authentication Done</span>
A message that had authentication done at various stages, one of
which was outside the receiving ADMD:
Authentication-Results: example.com;
dkim=pass (good signature) header.i=@mail-router.example.net;
dkim=fail (bad signature) header.i=@newyork.example.com
Received: from mail-router.example.net
(mail-router.example.net [192.0.2.250])
by chicago.example.com (8.11.6/8.11.6)
for <recipient@chicago.example.com>
with ESMTP id i7PK0sH7021929;
Fri, Feb 15 2002 17:19:22 -0800
DKIM-Signature: v=1; a=rsa-sha256; s=furble;
d=mail-router.example.net; t=1188964198; c=relaxed/simple;
h=From:Date:To:Message-Id:Subject:Authentication-Results;
bh=ftA9J6GtX8OpwUECzHnCkRzKw1uk6FNiLfJl5Nmv49E=;
b=oINEO8hgn/gnunsg ... 9n9ODSNFSDij3=
Authentication-Results: example.net;
dkim=pass (good signature) header.i=@newyork.example.com
Received: from smtp.newyork.example.com
(smtp.newyork.example.com [192.0.2.220])
by mail-router.example.net (8.11.6/8.11.6)
with ESMTP id g1G0r1kA003489;
Fri, Feb 15 2002 17:19:07 -0800
DKIM-Signature: v=1; a=rsa-sha256; s=gatsby; d=newyork.example.com;
t=1188964191; c=simple/simple;
h=From:Date:To:Message-Id:Subject;
bh=sEu28nfs9fuZGD/pSr7ANysbY3jtdaQ3Xv9xPQtS0m7=;
b=EToRSuvUfQVP3Bkz ... rTB0t0gYnBVCM=
From: sender@newyork.example.com
Date: Fri, Feb 15 2002 16:54:30 -0800
To: meetings@example.net
Message-Id: <12345.abc@newyork.example.com>
Subject: here's a sample
Example 6: Headers reporting results from multiple MTAs in different
ADMDs
In this example we see multi-tiered authentication with an extended
trust boundary.
The message was sent from someone at example.com's New York office
(newyork.example.com) to a mailing list managed at an intermediary.
The message was signed at the origin using [<a href="#ref-DKIM" title=""DomainKeys Identified Mail (DKIM) Signatures"">DKIM</a>].
<span class="grey">Kucherawy Standards Track [Page 39]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-40" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
The message was sent to a mailing list service provider called
example.net, which is used by example.com. There,
meetings@example.net is expanded to a long list of recipients, one of
that is at the Chicago office. In this example, we will assume that
the trust boundary for chicago.example.com includes the mailing list
server at example.net.
The mailing list server there first authenticated the message and
affixed an Authentication-Results header field indicating such using
its DNS domain name for the authserv-id. It then altered the message
by affixing some footer text to the body, including some
administrivia such as unsubscription instructions. Finally, the
mailing list server affixes a second [<a href="#ref-DKIM" title=""DomainKeys Identified Mail (DKIM) Signatures"">DKIM</a>] signature and begins
distribution of the message.
The border MTA for chicago.example.com explicitly trusts results from
mail-router.example.net so that header field is not removed. It
performs evaluation of both signatures and determines that the first
(most recent) is a "pass" but, because of the aforementioned
modifications, the second is a "fail". However, the first signature
included the Authentication-Results header added at mail-
router.example.net that validated the second signature. Thus,
indirectly, it can be determined that the authentications claimed by
both signatures are indeed valid.
<span class="grey">Kucherawy Standards Track [Page 40]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-41" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
<span class="h2"><a class="selflink" id="appendix-C" href="#appendix-C">Appendix C</a>. Operational Considerations about Message Authentication</span>
This proposal is predicated on the idea that authentication (and
presumably in the future, reputation) work is typically done by
border MTAs rather than MUAs or intermediate MTAs; the latter merely
make use of the results determined by the former. Certainly this is
not mandatory for participation in electronic mail or message
authentication, but the work of this proposal and its deployment to
date is based on that model. The assumption satisfies several common
ADMD requirements:
1. Service operators prefer to resolve the handling of problem
messages as close to the border of the ADMD as possible. This
enables, for example, rejections of messages at the SMTP level
rather than generating a DSN internally. Thus, doing any of the
authentication or reputation work exclusively at the MUA or
intermediate MTA renders this desire unattainable.
2. Border MTAs are more likely to have direct access to external
sources of authentication or reputation information since modern
MUAs are more likely to be heavily firewalled. Thus, some MUAs
might not even be able to complete the task of performing
authentication or reputation evaluations without complex proxy
configurations or similar burdens.
3. MUAs rely upon the upstream MTAs within their trust boundaries to
make correct (as much as that is possible) evaluations about the
message's envelope, header and content. Thus, MUAs don't need to
know how to do the work that upstream MTAs do; they only need the
results of that work.
4. Evaluations about the quality of a message, from simple token
matching (e.g., a list of preferred DNS domains) to cryptanalysis
(e.g., public/private key work), are at least a little bit
expensive and thus should be minimized. To that end, performing
those tests at the border MTA is far preferred to doing that work
at each MUA that handles a message. If an ADMD's environment
adheres to common messaging protocols, a reputation query or an
authentication check performed by a border MTA would return the
same result as the same query performed by an MUA. By contrast,
in an environment where the MUA does the work, a message arriving
for multiple recipients would thus cause authentication or
reputation evaluation to be done more than once for the same
message (i.e., at each MUA) causing needless amplification of
resource use and creating a possible denial-of-service attack
vector.
<span class="grey">Kucherawy Standards Track [Page 41]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-42" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
5. Minimizing change is good. As new authentication and reputation
methods emerge, the list of methods supported by this header
field would presumably be extended. If MUAs simply consume the
contents of this header field rather than actually attempting to
do authentication and/or reputation work, then MUAs only need to
learn to parse this header field once; emergence of new methods
requires only a configuration change at the MUAs and software
changes at the MTAs (which are presumably fewer in number). When
choosing to implement these functions in MTAs vs MUAs, the issues
of individual flexibility, infrastructure inertia and scale of
effort must be considered. It is typically easier to change a
single MUA than an MTA because the modification affects fewer
users and can be pursued with less care. However, changing many
MUAs is more effort than changing a smaller number of MTAs.
6. For decisions affecting message delivery and display, assessment
based on authentication and reputation is best performed close to
the time of message transit, as a message makes its journey
toward a user's inbox, not afterwards. DKIM keys and IP address
reputations, etc., can change over time or even become invalid,
and users can take a long time to read a message once delivered.
The value of this work thus degrades, perhaps quickly, once the
delivery process has completed. This seriously diminishes the
value of this work when done other than at MTAs.
Many operational choices are possible within an ADMD, including the
venue for performing authentication and/or reputation assessment.
The current specification does not dictate any of those choices.
Rather, it facilitates those cases in which information produced by
one stage of analysis needs to be transported with the message to the
next stage.
<span class="grey">Kucherawy Standards Track [Page 42]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-43" ></span>
<span class="grey"><a href="./rfc5451">RFC 5451</a> Authentication-Results Header Field April 2009</span>
Acknowledgements
The author wishes to acknowledge the following for their review and
constructive criticism of this proposal: Eric Allman, Mark Delany,
Victor Duchovni, Frank Ellermann, Jim Fenton, Philip Guenther, Tony
Hansen, Paul Hoffman, Scott Kitterman, Eliot Lear, John Levine, Miles
Libbey, Charles Lindsey, Alexey Melnikov, Douglas Otis, Juan Altmayer
Pizzorno, Michael Thomas, and Kazu Yamamoto.
Special thanks to Dave Crocker and S. Moonesamy for their logistical
support, and feedback on and contributions to the numerous proposed
edits throughout the lifetime of this work.
Author's Address
Murray S. Kucherawy
Sendmail, Inc.
6475 Christie Ave., Suite 350
Emeryville, CA 94608
US
Phone: +1 510 594 5400
EMail: msk+ietf@sendmail.com
Kucherawy Standards Track [Page 43]
</pre>
|
