feat(dmarc): RFC 7489 alignment + combined DKIM+DMARC verifier (PR 3 of email-recovery stack) (dfinity#3878)

## Summary

PR 3 of the email-recovery stack (`docs/ongoing/email-recovery.md` §6).
Stacks on top of dfinity#3877 (DKIM verifier). Lands a hand-rolled DMARC
alignment check and reshapes the verifier API: `dkim::verify_dkim`
becomes a DKIM-only primitive, and the new `dmarc::verify_email` is the
public top-level entry point that produces the combined
`EmailVerificationStatus`.

**Note:** This PR targets `main` but includes PRs 1+2's commits as its
base. Review the DMARC-specific changes by looking at commits on top of
`ec371aae3` (PR 2's tip). Once PRs 1+2 merge, this PR's diff shrinks to
just the DMARC additions.

## What's in this PR

### `src/internet_identity/src/dmarc/`

- **`types.rs`** — `DmarcOutcome` (Aligned / Misaligned / NoRecord /
Malformed), `DmarcPolicy` (None / Quarantine / Reject), `AlignmentMode`
(Strict / Relaxed), `DmarcRecord`, plus the combined
`EmailVerificationStatus` that carries both DKIM diagnostics and the
DMARC outcome on success.
- **`parse.rs`** (RFC 7489 §6.3) — DMARC TXT record parser. Enforces
`v=DMARC1` must be first, `p=` must be one of {none, quarantine,
reject}, `pct=` 0..=100, rejects duplicate tags, ignores unknown /
reporting tags. 12 unit tests.
- **`from_header.rs`** (RFC 5322 / RFC 7489 §3.1.1) — single-mailbox
From-header parser. Accepts bare addr-spec, name-addr, and
quoted-display-name forms; rejects zero/multiple From: headers,
address-lists, group syntax. Tolerates comma/colon inside quoted display
names. 16 unit tests.
- **`alignment.rs`** — strict (exact match) + relaxed (exact match OR
label-aligned subdomain in either direction). Stricter than
RFC-compliant relaxed alignment because we deliberately don't consult
the PSL — design doc §6.4 documents the trust + asymmetric-failure-mode
reasoning. The dot anchor on the subdomain check prevents
`evilexample.com` from aliasing `example.com`. 8 unit tests.
- **`verify.rs`** — orchestration. DKIM first; on failure, surface the
DKIM reason verbatim. On DKIM pass, parse From and check DMARC
alignment. Accepted iff Aligned, OR NoRecord with `dkim_domain ==
from_domain`. 8 unit tests.
- **`test_vectors.rs`** — 5 end-to-end tests reusing PR 2's synthetic
.eml fixtures.

### `src/internet_identity/src/dkim/types.rs` (rename + new variants)

- Renamed `EmailVerificationStatus` → `DkimVerifyResult` (DKIM-only).
The combined verdict moved to `dmarc::EmailVerificationStatus` so it can
carry the `DmarcOutcome`.
- Added `MalformedFromHeader(String)`, `DmarcMalformed(String)`,
`DmarcMisaligned` to `VerificationFailReason`.

### `src/internet_identity/src/dkim/mod.rs`

- Re-exports `verify` as `verify_dkim` so downstream callers (the dmarc
layer) don't have to deal with both a `dkim::verify` and `dmarc::verify`
in scope at the same time.

## Test plan

- [x] `cargo check -p internet_identity --target wasm32-unknown-unknown`
— clean.
- [x] `cargo test -p internet_identity --bin internet_identity dmarc` —
49 tests pass (12 parse + 16 from_header + 8 alignment + 8 verify + 5
e2e).
- [x] `cargo test -p internet_identity --bin internet_identity` — 365
tests pass total (was 313 with PR 2; +49 dmarc + 3 small reshape
adjustments).
- [x] `cargo clippy -p internet_identity --bin internet_identity --tests
-- -D warnings` — clean.
- [x] `cargo fmt --check` — clean (modulo pre-existing unrelated diffs).

## PR Stack
| # | PR | Description | Status |
|---|---|---|---|
| 0 | [dfinity#3836](dfinity#3836) |
Design doc | Open |
| 1 | [dfinity#3838](dfinity#3838) |
DNSSEC verifier scaffold | Open |
| 2 | [dfinity#3877](dfinity#3877) |
DKIM verifier (RFC 6376) | Open |
| 3 | [dfinity#3878](dfinity#3878) |
DMARC alignment (RFC 7489) | Open |
| 4 | [dfinity#3879](dfinity#3879) |
DoH fallback | Open |
| 5+6 | [dfinity#3880](dfinity#3880)
| Setup flow (storage + smtp_request) | Open |
| 7 | [dfinity#3881](dfinity#3881) |
Recovery flow (delegation) | Open |
| 8 | [dfinity#3882](dfinity#3882) |
Frontend + feature flag | Open |
| 9 | [dfinity#3883](dfinity#3883) |
Deploy/upgrade scripts: dnssec_config + doh_config | Open |
| 10 | [dfinity#3884](dfinity#3884) |
Email-recovery UX overhaul | Open |

---------

Co-authored-by: Arshavir Ter-Gabrielyan <arshavir.ter.gabrielyan@dfinity.org>
Co-authored-by: Claude <noreply@anthropic.com>

Author: 3 people

src/internet_identity/src/dkim/mod.rs

@@ -37,8 +37,11 @@ mod verify;
 
 #[allow(unused_imports)]
 pub use types::{
-    Algorithm, BodyCanon, DkimCheck, DkimCheckName, DkimCheckStatus, EmailVerificationStatus,
-    HeaderCanon, VerificationFailReason,
+    Algorithm, BodyCanon, DkimCheck, DkimCheckName, DkimCheckStatus, DkimVerifyResult, HeaderCanon,
+    VerificationFailReason,
 };
+// Re-exported as `verify_dkim` so downstream callers (the dmarc layer)
+// don't have to deal with both a `dkim::verify` and `dmarc::verify`
+// in scope at the same time.
 #[allow(unused_imports)]
-pub use verify::verify;
+pub use verify::verify as verify_dkim;

src/internet_identity/src/dkim/test_vectors.rs

@@ -14,7 +14,7 @@
 //! public key) live in `test_vectors/dkim/`. See that directory's
 //! README for the regeneration procedure.
 
-use super::types::{EmailVerificationStatus, VerificationFailReason};
+use super::types::{DkimVerifyResult, VerificationFailReason};
 use super::verify::verify;
 use internet_identity_interface::internet_identity::types::smtp::{
     SmtpAddress, SmtpEnvelope, SmtpHeader, SmtpMessage, SmtpRequest,
@@ -177,7 +177,7 @@ fn verifies_synthetic_rsa_relaxed_relaxed() {
     let req = parse_eml(SYNTH_RSA_RELAXED_RELAXED);
     let result = verify(&req, SYNTH_RSA_TXT, frozen_now());
     match result {
-        EmailVerificationStatus::Verified { dkim_domain, .. } => {
+        DkimVerifyResult::Verified { dkim_domain, .. } => {
             assert_eq!(dkim_domain, "test.example.com");
         }
         other => panic!("expected Verified, got {:?}", other),
@@ -189,7 +189,7 @@ fn verifies_synthetic_rsa_relaxed_simple_body() {
     let req = parse_eml(SYNTH_RSA_RELAXED_SIMPLE);
     let result = verify(&req, SYNTH_RSA_TXT, frozen_now());
     match result {
-        EmailVerificationStatus::Verified { dkim_domain, .. } => {
+        DkimVerifyResult::Verified { dkim_domain, .. } => {
             assert_eq!(dkim_domain, "test.example.com");
         }
         other => panic!("expected Verified, got {:?}", other),
@@ -201,7 +201,7 @@ fn rejects_simple_simple_canonicalization() {
     let req = parse_eml(SYNTH_RSA_SIMPLE_SIMPLE);
     let result = verify(&req, SYNTH_RSA_TXT, frozen_now());
     match result {
-        EmailVerificationStatus::Unverified { reason, .. } => {
+        DkimVerifyResult::Unverified { reason, .. } => {
             assert_eq!(reason, VerificationFailReason::UnsupportedCanonicalization);
         }
         other => panic!(
@@ -223,7 +223,7 @@ fn rejects_flipped_body_byte() {
     message.body = ByteBuf::from(body);
     let result = verify(&req, SYNTH_RSA_TXT, frozen_now());
     match result {
-        EmailVerificationStatus::Unverified { reason, .. } => {
+        DkimVerifyResult::Unverified { reason, .. } => {
             assert_eq!(reason, VerificationFailReason::BodyHashMismatch);
         }
         other => panic!("expected BodyHashMismatch, got {:?}", other),
@@ -257,7 +257,7 @@ fn rejects_flipped_signature_byte() {
     assert!(
         matches!(
             result,
-            EmailVerificationStatus::Unverified {
+            DkimVerifyResult::Unverified {
                 reason: VerificationFailReason::SignatureInvalid
                     | VerificationFailReason::SignatureMalformed(_)
                     | VerificationFailReason::BodyHashMismatch,
@@ -279,7 +279,7 @@ fn rejects_wrong_public_key() {
     assert!(
         matches!(
             result,
-            EmailVerificationStatus::Unverified {
+            DkimVerifyResult::Unverified {
                 reason: VerificationFailReason::SignatureInvalid
                     | VerificationFailReason::DnsRecordMalformed(_),
                 ..
@@ -302,7 +302,7 @@ fn no_dkim_signature_header() {
     let result = verify(&req, SYNTH_RSA_TXT, frozen_now());
     assert!(matches!(
         result,
-        EmailVerificationStatus::Unverified {
+        DkimVerifyResult::Unverified {
             reason: VerificationFailReason::NoSignature,
             ..
         }

src/internet_identity/src/dkim/types.rs

@@ -1,7 +1,7 @@
 //! Type definitions for the DKIM verifier.
 //!
 //! Mirrors the result-shape design from `docs/ongoing/email-recovery.md`
-//! §6.6: a [`EmailVerificationStatus`] is the verifier's externally
+//! §6.6: a [`DkimVerifyResult`] is the verifier's externally
 //! visible verdict, carrying a per-step breakdown so the UI can show
 //! *why* a signature failed when one did.
 
@@ -110,19 +110,30 @@ pub enum VerificationFailReason {
     /// DNS record's `t=y` testing flag is set; the verifier treats every
     /// signature from such a record as inconclusive.
     TestingMode,
+    /// `From:` header missing, malformed, or carrying more than one
+    /// mailbox (RFC 7489 §3.1.1 requires exactly one). The string
+    /// carries a parser diagnostic.
+    MalformedFromHeader(String),
+    /// DMARC TXT record was supplied but couldn't be parsed.
+    DmarcMalformed(String),
+    /// DKIM signed `d=` doesn't align with the From-header domain
+    /// under the published `adkim=` mode (or, when no DMARC record
+    /// exists, doesn't equal it exactly).
+    DmarcMisaligned,
 }
 
-/// Overall verifier verdict.
+/// DKIM-only verdict, the result of [`super::verify::verify`].
 ///
 /// Per RFC 6376 §5.5 / design §5.5, an email may carry multiple
 /// `DKIM-Signature` headers (e.g. original sender + mailing list
-/// forwarder). The verifier accepts the email as soon as *any one*
-/// signature passes; it returns `Verified` together with the `d=` of the
-/// signature that won. If all signatures fail, it returns `Unverified`
-/// with a single best-fit reason and the per-check breakdown for every
-/// signature it tried.
+/// forwarder). The DKIM verifier accepts the email as soon as *any
+/// one* signature passes the cryptographic check.
+///
+/// The combined DKIM + DMARC verdict (what callers actually want) is
+/// [`crate::dmarc::EmailVerificationStatus`], returned by
+/// `dmarc::verify_email`.
 #[derive(Clone, Debug, Eq, PartialEq)]
-pub enum EmailVerificationStatus {
+pub enum DkimVerifyResult {
     /// At least one signature passed.
     Verified {
         /// The `d=` of the signature that verified.
@@ -141,8 +152,8 @@ pub enum EmailVerificationStatus {
     },
 }
 
-impl EmailVerificationStatus {
+impl DkimVerifyResult {
     pub fn is_verified(&self) -> bool {
-        matches!(self, EmailVerificationStatus::Verified { .. })
+        matches!(self, DkimVerifyResult::Verified { .. })
     }
 }

src/internet_identity/src/dkim/verify.rs

@@ -1,14 +1,14 @@
 //! DKIM verification entry point — orchestrates parsing, canonicalisation,
 //! body hash, and signature verification per RFC 6376 §6.1.
 //!
-//! Caller-facing API:
+//! Caller-facing API (re-exported as `crate::dkim::verify_dkim`):
 //!
 //! ```ignore
-//! pub fn verify(
+//! pub fn verify_dkim(
 //!     email: &SmtpRequest,
 //!     dkim_txt: &str,
 //!     now_secs: u64,
-//! ) -> EmailVerificationStatus
+//! ) -> DkimVerifyResult
 //! ```
 //!
 //! `dkim_txt` is the (already-trusted) content of the DKIM TXT record
@@ -37,7 +37,7 @@ use super::dns_record::parse_dkim_txt;
 use super::parse::{parse_dkim_signature, DkimSignature};
 use super::signature::{body_hash_sha256, verify_signature, VerifyOutcome};
 use super::types::{
-    DkimCheck, DkimCheckName, DkimCheckStatus, EmailVerificationStatus, HeaderCanon,
+    DkimCheck, DkimCheckName, DkimCheckStatus, DkimVerifyResult, HeaderCanon,
     VerificationFailReason,
 };
 use internet_identity_interface::internet_identity::types::smtp::{SmtpHeader, SmtpRequest};
@@ -47,7 +47,7 @@ const DKIM_SIGNATURE_HEADER: &str = "DKIM-Signature";
 /// Verify an `SmtpRequest` against an already-trusted DKIM TXT record.
 ///
 /// `now_secs` is Unix seconds — passed in so unit tests can pin time.
-pub fn verify(email: &SmtpRequest, dkim_txt: &str, now_secs: u64) -> EmailVerificationStatus {
+pub fn verify(email: &SmtpRequest, dkim_txt: &str, now_secs: u64) -> DkimVerifyResult {
     let message = match email.message.as_ref() {
         Some(m) => m,
         None => {
@@ -79,11 +79,15 @@ pub fn verify(email: &SmtpRequest, dkim_txt: &str, now_secs: u64) -> EmailVerifi
 
     for dkim_header in &dkim_headers {
         match try_verify_signature(email, message, dkim_header, dkim_txt, now_secs) {
-            Ok((dkim_domain, mut checks)) => {
-                all_checks.append(&mut checks);
-                return EmailVerificationStatus::Verified {
+            Ok((dkim_domain, checks)) => {
+                // Per `DkimVerifyResult::Verified.checks` ("checks for
+                // the winning signature"), surface only the successful
+                // attempt's per-step trail — not the accumulated trail
+                // of every failed signature before it. Callers (and the
+                // DMARC layer) reason about the winning signature only.
+                return DkimVerifyResult::Verified {
                     dkim_domain,
-                    checks: all_checks,
+                    checks,
                 };
             }
             Err((reason, mut checks)) => {
@@ -97,8 +101,8 @@ pub fn verify(email: &SmtpRequest, dkim_txt: &str, now_secs: u64) -> EmailVerifi
 }
 
 #[allow(non_snake_case)]
-fn Unverified(reason: VerificationFailReason, checks: Vec<DkimCheck>) -> EmailVerificationStatus {
-    EmailVerificationStatus::Unverified { reason, checks }
+fn Unverified(reason: VerificationFailReason, checks: Vec<DkimCheck>) -> DkimVerifyResult {
+    DkimVerifyResult::Unverified { reason, checks }
 }
 
 /// Try to verify one specific DKIM-Signature header. Returns the `d=`
@@ -622,7 +626,7 @@ mod tests {
         };
         let result = verify(&req, "v=DKIM1; p=YWJj", 1_700_000_000);
         match result {
-            EmailVerificationStatus::Unverified { reason, .. } => {
+            DkimVerifyResult::Unverified { reason, .. } => {
                 assert_eq!(reason, VerificationFailReason::NoSignature);
             }
             other => panic!("expected Unverified(NoSignature), got {:?}", other),
@@ -669,7 +673,7 @@ mod tests {
         };
         let result = verify(&req, "v=DKIM1; p=YWJj", 1_700_000_000);
         match result {
-            EmailVerificationStatus::Unverified { reason, .. } => {
+            DkimVerifyResult::Unverified { reason, .. } => {
                 assert_eq!(reason, VerificationFailReason::UnsupportedCanonicalization);
             }
             other => panic!(
@@ -717,7 +721,7 @@ mod tests {
         };
         let result = verify(&req, "v=DKIM1; p=YWJj", 1_700_000_000);
         match result {
-            EmailVerificationStatus::Unverified { reason, .. } => {
+            DkimVerifyResult::Unverified { reason, .. } => {
                 assert_eq!(reason, VerificationFailReason::SignatureExpired);
             }
             other => panic!("expected Unverified(SignatureExpired), got {:?}", other),
@@ -763,7 +767,7 @@ mod tests {
         };
         let result = verify(&req, "v=DKIM1; p=YWJj", 1_700_000_000);
         match result {
-            EmailVerificationStatus::Unverified { reason, .. } => {
+            DkimVerifyResult::Unverified { reason, .. } => {
                 assert_eq!(reason, VerificationFailReason::AuidMisaligned);
             }
             other => panic!("expected Unverified(AuidMisaligned), got {:?}", other),

src/internet_identity/src/dmarc/alignment.rs

@@ -0,0 +1,132 @@
+//! Domain alignment check for DMARC.
+//!
+//! Per design doc §6.3 we accept two cases:
+//!
+//! - **Strict** (`adkim=s`): the DKIM `d=` must equal the From-header
+//!   domain byte-for-byte after ASCII-lowercasing.
+//! - **Relaxed** (`adkim=r`): the two domains must equal *or* one must
+//!   be a strict subdomain of the other (label-aligned suffix).
+//!
+//! This is *stricter* than RFC-7489-compliant relaxed alignment, which
+//! uses the Public Suffix List to compute the "organizational domain"
+//! and accepts e.g. `gmail.com` ↔ `googlemail.com` if both are listed
+//! as the same org. We deliberately don't consult the PSL — design
+//! doc §6.4 documents the trust + asymmetric-failure-mode reasoning.
+//! In exchange we fail closed on multi-domain orgs (we reject
+//! `googlemail.com` + `From: gmail.com` mail), which is the safe
+//! direction for an account-recovery surface.
+//!
+//! Both inputs are expected to already be ASCII-lowercased.
+
+use super::types::AlignmentMode;
+
+/// Returns true iff the DKIM `d=` aligns with the From-header domain
+/// under `mode`.
+pub fn aligns(dkim_domain: &str, from_domain: &str, mode: AlignmentMode) -> bool {
+    if dkim_domain == from_domain {
+        return true;
+    }
+    if matches!(mode, AlignmentMode::Strict) {
+        return false;
+    }
+    is_subdomain_of(dkim_domain, from_domain) || is_subdomain_of(from_domain, dkim_domain)
+}
+
+/// Returns true iff `child` is a strict subdomain of `parent` — i.e.
+/// `child == "<labels>." + parent`. We anchor on the dot so a suffix
+/// match like `evilexample.com` ↔ `example.com` does **not** align.
+fn is_subdomain_of(child: &str, parent: &str) -> bool {
+    if child.len() <= parent.len() {
+        return false;
+    }
+    if !child.ends_with(parent) {
+        return false;
+    }
+    let dot_pos = child.len() - parent.len() - 1;
+    child.as_bytes()[dot_pos] == b'.'
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn strict_exact_match() {
+        assert!(aligns("example.com", "example.com", AlignmentMode::Strict));
+    }
+
+    #[test]
+    fn strict_subdomain_does_not_align() {
+        assert!(!aligns(
+            "mail.example.com",
+            "example.com",
+            AlignmentMode::Strict
+        ));
+        assert!(!aligns(
+            "example.com",
+            "mail.example.com",
+            AlignmentMode::Strict
+        ));
+    }
+
+    #[test]
+    fn relaxed_exact_match() {
+        assert!(aligns("example.com", "example.com", AlignmentMode::Relaxed));
+    }
+
+    #[test]
+    fn relaxed_dkim_subdomain_of_from() {
+        assert!(aligns(
+            "mail.example.com",
+            "example.com",
+            AlignmentMode::Relaxed
+        ));
+    }
+
+    #[test]
+    fn relaxed_from_subdomain_of_dkim() {
+        // The opposite direction (sending service signs as the
+        // registered domain on behalf of a sub-domain of itself) is
+        // valid per spec. We accept both directions in relaxed mode.
+        assert!(aligns(
+            "example.com",
+            "mail.example.com",
+            AlignmentMode::Relaxed
+        ));
+    }
+
+    #[test]
+    fn relaxed_evil_suffix_does_not_align() {
+        // The whole point of the dot anchor: a suffix match without a
+        // label boundary must NOT align.
+        assert!(!aligns(
+            "evilexample.com",
+            "example.com",
+            AlignmentMode::Relaxed
+        ));
+        assert!(!aligns(
+            "example.com",
+            "evilexample.com",
+            AlignmentMode::Relaxed
+        ));
+    }
+
+    #[test]
+    fn relaxed_unrelated_does_not_align() {
+        assert!(!aligns(
+            "gmail.com",
+            "googlemail.com",
+            AlignmentMode::Relaxed
+        ));
+        assert!(!aligns("example.com", "evil.com", AlignmentMode::Relaxed));
+    }
+
+    #[test]
+    fn relaxed_deep_subdomain_aligns() {
+        assert!(aligns(
+            "deep.nested.example.com",
+            "example.com",
+            AlignmentMode::Relaxed
+        ));
+    }
+}