
I want to understand the SPF/DKIM/DMARC Stack for authenticating e-mails.

I understand that SPF works on the SMTP `MAIL FROM` / envelope-from.

But even on Stack Overflow itself, I find contradictory information about whether DKIM works on the envelope-from or on the actual SMTP payload (the email itself, i.e. the header `From:`).

Gavin Jackson
Tobi

1 Answer

Short answer...

SPF validates the envelope against a sending IP address, DKIM validates a message payload, DMARC ties the two together and indicates a desired treatment when either fails.


Longer answer...

DKIM is applied to an authored message at the sending server, using private keys, and is then verified by a receiving server using public keys via DNS.

The DKIM spec allows signers to choose which header fields they sign, but the From: field must always be signed, along with a specified length (which may be zero) of the body, and so the signature may, at the author's whim, include the body and/or attachments at the end of the message payload.

DKIM is independent of SMTP routing in that it operates on the RFC 5322 message — i.e. the transported mail's header and body — not the SMTP envelope defined in RFC 5321. So the DKIM signature survives basic relaying across multiple MTAs.

DKIM allows the signer to convey which email content it considers legitimate, in a strict or relaxed fashion. In this way a signer can warrant some key content whilst allowing an element of trivial rewriting of whitespace and header wrapping. It does not directly prevent or disclose attempted abuse, but can be used forensically by a receiving server to validate content to the degree allowed by the signer.


SPF is published in DNS, and is tested by a receiving server.

The SPF spec allows a domain's DNS to warrant which sending IPs, and other mechanisms which resolve to IPs, are allowed / forbidden to be the sending source of emails for the domain. It is only tested against the SMTP envelope defined in RFC 5321, using either the MAIL FROM or HELO values.


DMARC is a policy published in DNS for a domain, and is verified by the receiving server.

It allows the sending domain to monitor abuse via reports from compliant receiving servers, and to indicate how any SPF or DKIM failures should be treated. Furthermore, it can be used to align the domains found in both SPF and DKIM, and is used to identify abuse when both SPF and DKIM pass but each uses a different domain.

Gavin Jackson
  • In the email's `DKIM-Signature:` header you specify the signing domain using the `d=` property. This value also determines where to find the public key in the DNS. You did not answer at all if this domain should/must correspond to the domain in the `From:` header or other parts of the email communication. – pabouk - Ukraine stay strong Nov 28 '19 at 09:57
  • @pabouk: the OP didn't ask that, but there's no connection between anything in the mail and `d=`. You can sign an outgoing mail using the private key for *any* domain, so long as you know the private key for that domain, and direct the recipient to the public key using `d=`. This is common - Google or MS might use their own private key for signing messages that come from "your own domain", for example. – EML Feb 11 '22 at 16:36
  • @EML I am really confused. The OP explicitly asked _if DKIM works on the envelope-from or the actual SMTP Payload/Email/Header-From._ At the time I wrote my comment I was learning about details of SPF, DKIM and DMARC. Now I can confirm that when you use DKIM+DMARC then the domain from the email header `From:` is being tested for either loose or strict alignment with the `d=` property of the `DKIM-Signature:` header. DKIM itself does not check that. See for example: https://mxtoolbox.com/dmarc/dkim/dkim-alignment – pabouk - Ukraine stay strong Feb 13 '22 at 20:46
  • Not sure that I understand your comment, but your confusion might be in your statement that 'the domain from the email header... is being tested'. The value of the `From:` field is not 'tested' in any way, except to *find out if it has changed since it was signed*. It can be *signed* with the private key of 'foo.com', for example, but might include the header `From: me@bar.com`. If someone intercepts the mail and changes this to `From: donald@duck.com` then the hash will change and DKIM should/will report a fail. – EML Feb 15 '22 at 12:35
  • @EML Certainly my English is awkward most of the time :) Anyway I strongly recommend you reading about DMARC alignment as it is really important part of the SPF/DKIM/DMARC trinity you are missing: https://en.wikipedia.org/wiki/DMARC#Alignment – pabouk - Ukraine stay strong Feb 15 '22 at 19:27
  • @pabouk: I'm not missing anything. You are describing *DMARC* alignment. DKIM, which you initially asked about, does *not* require alignment. If you want to use DMARC, you can simply publish a `p=none` policy, which is exactly what Google does: try sending a mail from gmail to gmail. – EML Feb 15 '22 at 20:17
  • @EML I am not the OP. The OP asked about all three: SPF, DKIM and DMARC. (not me :) I just noted that Gavin Jackson forgot to answer what OP asked about. – pabouk - Ukraine stay strong Feb 16 '22 at 08:23
  • @EML DKIM itself doesn't require alignment for email to be sent out, but need to be aligned for DMARC alignment. SPF use the mail from/return path directly, but it's different for DKIM. By reading the last 2 paragraphs of OP, I believe there's a misconception about DKIM and he/she might think that DKIM (work the same like SPF and) take the domain in either "Mail from"/"Header from". In fact, a DKIM can sign d=abc.com but send email out with "Header from" of xyz.com, but in this case it will fail the DMARC. Believe this is the part pabouk mentioned it didn't answer. Hope this is useful for all. – nlks Dec 07 '22 at 06:34
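The alignment step that the answer and the comment thread discuss, as an added Python example that is not part of the original post or comments: a receiver takes the identifiers that actually authenticated (the RFC 5321 `MAIL FROM`/HELO domain when SPF passed, and the `d=` domain of each DKIM signature that verified) and checks each against the RFC 5322 `From:` domain in strict or relaxed mode; DMARC passes if at least one is aligned. The organizational-domain helper here is a deliberate simplification (last two labels); a real verifier uses the Public Suffix List.

```python
"""Added example (not from the original post): DMARC identifier alignment."""
from dataclasses import dataclass, field
from typing import Optional


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two DNS labels (assumption;
    real verifiers consult the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, identifier: str, mode: str) -> bool:
    """Strict mode ('s') needs an exact domain match; relaxed mode ('r')
    only needs the same organizational domain."""
    a = header_from.lower().rstrip(".")
    b = identifier.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


@dataclass
class AuthResult:
    header_from: str                  # domain of the RFC 5322 From: header
    spf_domain: Optional[str]         # MAIL FROM / HELO domain, only if SPF passed
    dkim_domains: list = field(default_factory=list)  # d= of signatures that verified
    aspf: str = "r"                   # DMARC record tags; both default to relaxed
    adkim: str = "r"


def dmarc_pass(r: AuthResult) -> dict:
    """DMARC passes when SPF or DKIM both authenticated AND aligned with From:."""
    spf_ok = r.spf_domain is not None and aligned(r.header_from, r.spf_domain, r.aspf)
    dkim_ok = any(aligned(r.header_from, d, r.adkim) for d in r.dkim_domains)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    # Constructed case from the comments: the DKIM signature verifies with
    # d=abc.com and SPF passes for a third-party bounce domain, but the
    # message is From: xyz.com, so neither identifier aligns.
    print(dmarc_pass(AuthResult("xyz.com", "bounce.bulksender.example", ["abc.com"])))
    # Constructed case of a legitimate subdomain signer: relaxed alignment passes,
    # strict alignment (adkim=s) does not.
    print(dmarc_pass(AuthResult("example.com", None, ["mail.example.com"])))
    print(dmarc_pass(AuthResult("example.com", None, ["mail.example.com"], adkim="s")))
```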