RFC Errata
RFC 7489, "Domain-based Message Authentication, Reporting, and Conformance (DMARC)", March 2015
Note: This RFC has been updated by RFC 8553, RFC 8616
Source of RFC: INDEPENDENT
Errata ID: 5773
Status: Reported
Type: Technical
Publication Format(s): TEXT
Reported By: Freddie Leeman
Date Reported: 2019-07-03
Section Appendix C says:
<!-- The DMARC policy that applied to the messages in this report. -->
<xs:complexType name="PolicyPublishedType">
  <xs:all>
    <!-- The domain at which the DMARC record was found. -->
    <xs:element name="domain" type="xs:string"/>
    <!-- The DKIM alignment mode. -->
    <xs:element name="adkim" type="AlignmentType" minOccurs="0"/>
    <!-- The SPF alignment mode. -->
    <xs:element name="aspf" type="AlignmentType" minOccurs="0"/>
    <!-- The policy to apply to messages from the domain. -->
    <xs:element name="p" type="DispositionType"/>
    <!-- The policy to apply to messages from subdomains. -->
    <xs:element name="sp" type="DispositionType"/>
    <!-- The percent of messages to which policy applies. -->
    <xs:element name="pct" type="xs:integer"/>
    <!-- Failure reporting options in effect. -->
    <xs:element name="fo" type="xs:string"/>
  </xs:all>
</xs:complexType>
It should say:
<!-- The DMARC policy that applied to the messages in this report. -->
<xs:complexType name="PolicyPublishedType">
  <xs:all>
    <!-- The domain at which the DMARC record was found. -->
    <xs:element name="domain" type="xs:string"/>
    <!-- The DKIM alignment mode. -->
    <xs:element name="adkim" type="AlignmentType"/>
    <!-- The SPF alignment mode. -->
    <xs:element name="aspf" type="AlignmentType"/>
    <!-- The policy to apply to messages from the domain. -->
    <xs:element name="p" type="DispositionType"/>
    <!-- The policy to apply to messages from subdomains. -->
    <xs:element name="sp" type="DispositionType"/>
    <!-- The percent of messages to which policy applies. -->
    <xs:element name="pct" type="xs:integer"/>
    <!-- Failure reporting options. -->
    <xs:element name="fo" type="xs:string" />
  </xs:all>
</xs:complexType>
Notes:
The name "PolicyPublishedType" suggests that the elements within it represent the domain's published policy. But the comment from element "fo" describes itself as "Failure reporting options IN EFFECT".
A lot of organizations do not send failure (forensic) reports and do not publish the "fo" element in their aggregate reports (Google, Yahoo!, Zoho). This is reasonable since the description says "in effect". But the field also has a (default) minOccurs of 1 because minOccurs is not defined. So by omitting the element, the reports from these organizations are in violation of the guidelines.
Should an aggregate report have a mandatory "fo" element, even if the organization doesn't do failure (forensic) reporting? If so, then the comment "<!-- Failure reporting options in effect. -->" should be "<!-- Failure reporting options. -->". And if not, then the minOccurs="0" should be added to the "fo" element to allow it to be optional.
Even if DMARC policy options are OPTIONAL and not specified, the messages are processed by the receiver with the default values. This is also the case for adkim and aspf, which also have a minOccurs of 0.
So I would suggest the following:
The PolicyPublishedType describes the policy that is applied to the messages in the reports. Elements that are not defined by the domain's DMARC policy should be filled with the default values, as they would also be processed that way. So when adkim is not configured in the policy, the report should state value "r" as this is the default value. Same applies to aspf ("r"), sp (same as "p"), pct (100) and fo (0). Even if an organization doesn't send out failure reports it MUST mention the "fo" value from the domain's policy, or, when not specified, the default value of 0.
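The defaults proposed in the notes above, applied on the report-consuming side, as an added example that is not part of the erratum or of RFC 7489. The function name and the sample report are constructed for illustration; the element names `feedback` and `policy_published` are taken from the RFC 7489 Appendix C schema rather than from the excerpt quoted here.

```python
import xml.etree.ElementTree as ET

# Elements of PolicyPublishedType, in schema order.
FIELDS = ("domain", "adkim", "aspf", "p", "sp", "pct", "fo")
# Defaults listed in the erratum notes; "sp" instead inherits the value of "p".
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0"}

# Constructed sample report fragment that omits adkim, sp and fo.
SAMPLE = """<feedback>
  <policy_published>
    <domain>example.com</domain>
    <aspf>s</aspf>
    <p>quarantine</p>
    <pct>100</pct>
  </policy_published>
</feedback>"""


def _local(tag):
    """Strip an XML namespace prefix such as '{urn:...}' from a tag name."""
    return tag.rsplit("}", 1)[-1]


def normalize_policy_published(report_xml):
    """Return (policy, omitted): policy with defaults filled in, plus the
    names of the elements the report generator left out."""
    # Reports come from third parties: use a hardened parser in production.
    root = ET.fromstring(report_xml)
    node = next((e for e in root.iter() if _local(e.tag) == "policy_published"), None)
    if node is None:
        raise ValueError("no policy_published element in report")
    found = {}
    for child in node:
        name, text = _local(child.tag), (child.text or "").strip()
        if name in FIELDS and text:
            found[name] = text
    for name in ("domain", "p"):  # no default can stand in for these
        if name not in found:
            raise ValueError(f"policy_published lacks <{name}>")
    omitted = [f for f in FIELDS if f not in found]
    policy = {**DEFAULTS, **found}
    policy.setdefault("sp", policy["p"])
    return policy, omitted


if __name__ == "__main__":
    policy, omitted = normalize_policy_published(SAMPLE)
    print("effective policy:", policy)
    print("omitted by reporter:", omitted)
```

Keeping the `omitted` list separate lets a report processor accept reports that leave out "fo" while still recording which generators deviate from the schema.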