3

With DMARC I can set the policy to reject mail. But isn't it the same I can do with -all from within an SPF record?

Same goes for quarantine and a softfail ~all.

Besides the reporting, where is the benefit of using DMARC on top of SPF?

Gordo2019

4 Answers

5

SPF only specifies which addresses are authorized to send mail for your domain. It is up to the recipient to decide what to do with that information.

DMARC allows you to indicate exactly what actions you would like recipients to take when the SPF check fails.

These are not redundant, but complementary.

Michael Hampton
  • [By RFC](https://tools.ietf.org/html/rfc7208#section-2.6.4), `-all` should mean to drop/discard the incoming email which matches it. The real difference is mainly what @EsaJokinen described (ie: envelope sender vs `From:` header). – shodanshok Feb 23 '19 at 21:26
  • @shodanshok You need to read section 8 of that RFC. – Michael Hampton Feb 23 '19 at 21:41
  • From 8.4: *A "fail" result is an explicit statement that the client is not authorized to use the domain in the given identity. Disposition of SPF fail messages is a matter of local policy.* So yes, an SMTP server can choose how to treat a matching fail (I used *should* for that reason, maybe it wasn't the best word...), but it gives a very clear warning that often results in a) a 550 error or b) a higher spam score (see appendix G). Its main drawback is that it only protects the envelope address; on the other hand, DMARC enables you to specify the policy for the `From:` header. – shodanshok Feb 23 '19 at 22:33
  • @shodanshok – **It is dangerous to block based on SPF failures.** There are far too many SPF records that are not properly configured. You should only block with DMARC (which triggers when neither SPF passes nor DKIM verifies with [alignment](https://en.wikipedia.org/wiki/DMARC#Alignment) to the From header domain). SPF failures can be used in a probabilistic anti-spam system like SpamAssassin, but only with a weak weight. – Adam Katz May 29 '20 at 14:32
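An added example (not code from this answer or its comments) showing the distinction drawn here: SPF evaluation produces a *result* (pass, fail, softfail, neutral), and what is done with that result is the receiving site's local policy. The record and IP addresses are constructed; no DNS is performed, so only the `ip4:`, `ip6:` and `all` mechanisms are handled and `include:`, `a` or `mx` are reported as unsupported. The `receiver_action` mapping is an assumed policy for illustration, not anything a standard prescribes.

```python
# Added example: offline evaluation of an SPF record against a connecting IP.
# Only the ip4:, ip6: and all mechanisms are supported; anything needing a
# DNS lookup (include:, a, mx, ...) is reported as "unsupported".
import ipaddress

# Qualifier prefix -> SPF result name (RFC 7208); no prefix means "+"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return the SPF result for client_ip under the given record text."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                        # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]     # -all -> fail, ~all -> softfail
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue                         # no match, try the next term
        return "unsupported"                 # include:/a/mx need DNS lookups
    return "neutral"                         # nothing matched and no "all"


def receiver_action(spf_result: str, block_on_fail: bool = False) -> str:
    """Disposition is the receiver's local policy (RFC 7208 section 8.4):
    the same "fail" can mean an SMTP reject at one site and only a spam
    score contribution at another. This mapping is a constructed example
    of such a policy, not a standard."""
    if spf_result == "fail" and block_on_fail:
        return "reject"
    if spf_result in ("fail", "softfail"):
        return "add-spam-score"
    return "accept"


if __name__ == "__main__":
    record = "v=spf1 ip4:192.0.2.0/24 -all"   # constructed record
    for ip in ("192.0.2.10", "198.51.100.7"):
        result = evaluate_spf(record, ip)
        print(ip, result, receiver_action(result), receiver_action(result, True))
```

Note that `-all` and `~all` only change the result name the record yields for an unlisted host; the receiving server decides whether a `fail` becomes a rejection or a score, which is exactly the gap DMARC's policy tag is meant to fill.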
4

With DMARC you can tell how the recipient should handle mail for both DKIM and SPF. It's also the only way to tell that DKIM is available and required, as DKIM in itself only applies to mail already signed with it.

SPF protects your domain from being used on the SMTP protocol level as the envelope sender, but the recipient only sees the headers, which SPF doesn't protect. The envelope sender might get recorded in the Return-Path header, but most users only ever see the From: and think the email is coming from that address. Only DKIM enforced with DMARC can protect the From header.

Because SPF+DMARC and DKIM+DMARC protect against different kinds of forgery, you should have them both. Also, your DMARC alignment can tell that the message can be unsigned with DKIM as long as the SPF passes, and that the SPF doesn't need to pass for DKIM-signed messages. This becomes handy when you have more than one use case for a single mail domain.

Esa Jokinen
  • I thought SPF is checking the header from. Didn't know it is checking the envelope from. Now it makes a little bit more sense, even if I haven't fully understood yet. Will read more. Thanks! – Gordo2019 Feb 24 '19 at 09:03
  • It's good to configure these all on both ends, at least as a practice. Then you'll see and learn in detail what really happens and what problems may arise from misconfiguration. – Esa Jokinen Feb 24 '19 at 09:13
  • I am just a web developer with a managed server. No IT guy. Unfortunately I can't do this on my server. DKIM hasn't spread much, sadly. – Gordo2019 Feb 24 '19 at 09:43
1

TL;DR SPF alone can't protect you against exact-domain email spoofing. DMARC is a must.

Here is a scenario that passes your SPF's -all protection.

Let's assume you have the a.com domain, and I own b.com. I set up a v=spf1 {myserversIP} -all TXT SPF record in b.com's DNS, and additionally install a mail server on the {myserversIP} host to send emails over SMTP. I use bounce@b.com as my envelope from address (which is the Return-Path header on the receiving side) and send an email to someone by putting From: you@a.com in the email's body. The MDA receives my email and performs the following pseudo actions:

  1. Extracts domain from Return-Path: bounce@b.com
  2. Performs DNS lookup of b.com's SPF record, and gets v=spf1 {myserversip} -all
  3. Verifies the sender's IP (aka my host's IP) against the SPF IPs
  4. Marks the email as authenticated and valid
  5. Congratulations. I have just sent an email pretending to be you

So how to prevent this situation? DMARC comes to the rescue. DMARC adds an important new mechanism: alignment. With DMARC enabled, the MDA basically performs the following pseudo actions after the 3rd step:

  1. Checks the From and Return-Path domains' alignment (b.com against a.com)
  2. Marks the email as unauthenticated as the alignment failed
  3. Congratulations. DMARC prevented email spoofing.

That's it. Hope my answer makes sense.

PS: I am a co-founder of an all-in-1 DMARC deployment system. Every day I am dealing with lots of customers to explain the importance of DMARC, and how it is the best industry standard nowadays to protect your domain against email spoofing and phishing.

Engineer
0

There are 2 from addresses in email: the envelope from address and the header from address. SPF has a security hole in that it only authenticates the envelope from address while leaving the header from address unauthenticated.

Therefore, one is still able to spoof the header from address if only SPF is deployed.

DMARC introduces identifier alignment (IA) to patch this security hole. Identifier alignment requires that the domain in the header from address "aligns" with that in the envelope from address.

DMARC's identifier alignment adds another layer of security to block attempts to spoof header from address in email.

For more info on identifier alignment, refer to: DMARC identifier alignment

shoorlyne
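An added example (not code from any of the answers) that walks through the bounce@b.com / you@a.com scenario from Engineer's answer, the identifier alignment that shoorlyne describes, and Esa Jokinen's point that DMARC passes when *either* an aligned SPF identifier or an aligned DKIM signature authenticates. It takes SPF and DKIM results that a verifier has already computed, parses a constructed DMARC record, and returns the DMARC result and the disposition the published policy asks for. The organizational domain is approximated by the last two labels; this is an assumption, since real verifiers use the Public Suffix List. All domain names are constructed.

```python
# Added example: DMARC identifier alignment and disposition, fed with SPF and
# DKIM results a verifier has already computed. The organizational domain is
# approximated by the last two labels (assumption; real verifiers consult the
# Public Suffix List). All domain names below are constructed.


def org_domain(domain: str) -> str:
    """Approximate organizational domain: 'bounce.a.com' -> 'a.com'."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into tags, filling the RFC 7489
    defaults: relaxed alignment for both identifiers, sp defaulting to p."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("sp", tags["p"])
    return tags


def aligned(identifier_domain, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    domain sharing the From: domain's organizational domain."""
    if not identifier_domain:
        return False
    ident, hdr = identifier_domain.lower(), from_domain.lower()
    return ident == hdr if mode == "s" else org_domain(ident) == org_domain(hdr)


def dmarc_evaluate(from_domain, mail_from_domain, spf_result,
                   dkim_domain, dkim_result, dmarc_record, record_domain=None):
    """Return (dmarc_result, disposition). DMARC passes when at least one
    authenticated identifier (SPF's MAIL FROM domain or DKIM's d= domain)
    aligns with the header From: domain; otherwise the published policy
    applies, using sp instead of p when the record was found at the
    organizational domain rather than at the From: domain itself."""
    tags = parse_dmarc(dmarc_record)
    spf_aligned = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    use_sp = record_domain is not None and record_domain.lower() != from_domain.lower()
    return "fail", tags["sp" if use_sp else "p"]


def spoof_scenario():
    """The answer's scenario: MAIL FROM bounce@b.com (SPF passes for b.com),
    header From you@a.com, and a.com publishes p=reject."""
    return dmarc_evaluate(
        from_domain="a.com", mail_from_domain="b.com", spf_result="pass",
        dkim_domain=None, dkim_result="none",
        dmarc_record="v=DMARC1; p=reject; rua=mailto:dmarc@a.com")


def legitimate_dkim_only():
    """Forwarded mail: SPF fails (the forwarder's IP is not in a.com's record)
    but the DKIM signature with d=a.com survives, so DMARC still passes."""
    return dmarc_evaluate(
        from_domain="a.com", mail_from_domain="forwarder.example", spf_result="fail",
        dkim_domain="a.com", dkim_result="pass",
        dmarc_record="v=DMARC1; p=reject")


if __name__ == "__main__":
    print("spoofed From: with valid SPF for b.com ->", spoof_scenario())
    print("forwarded, DKIM-only ->", legitimate_dkim_only())
```

The SPF pass for b.com is real and yet counts for nothing, because the identifier it authenticated (the MAIL FROM domain) does not align with the From: domain the user sees; the `aspf`/`adkim` tags decide whether a subdomain such as bounce.a.com is close enough, and `p`/`sp` decide what the receiver is asked to do on failure.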