
I'm trying to wrap my head around how DMARC works and how to treat the resulting emails.

From what I have understood, DMARC works on three key features:

  1. SPF verification
  2. DKIM verification
  3. Domain alignment.

But I'm not sure about when to consider DMARC to fail/pass.

For instance, if DKIM and domain alignment for DKIM are correct but SPF fails, is DMARC considered a pass or a fail?

Is DMARC considered a pass only when all three keys pass (SPF is good, DKIM is good and domain alignment for both SPF and DKIM is good)? Or is it only for either (SPF + domain alignment for SPF) OR (DKIM + domain alignment for DKIM)?

jonrsharpe
Cyril N.
  • In short, DMARC will pass if either SPF *OR* DKIM passes *AND* is aligned with the domain in the `Header.From` field. – Reinto Aug 07 '19 at 16:32

2 Answers


I'll answer myself here; RFC 7489 states the following:

6.6.2.  Determine Handling Policy

   To arrive at a policy for an individual message, Mail Receivers MUST
   perform the following actions or their semantic equivalents.
   Steps 2-4 MAY be done in parallel, whereas steps 5 and 6 require
   input from previous steps.

   The steps are as follows:

   1.  Extract the RFC5322.From domain from the message (as above).

   2.  Query the DNS for a DMARC policy record.  Continue if one is
       found, or terminate DMARC evaluation otherwise.  See
       Section 6.6.3 for details.

   3.  Perform DKIM signature verification checks.  A single email could
       contain multiple DKIM signatures.  The results of this step are
       passed to the remainder of the algorithm and MUST include the
       value of the "d=" tag from each checked DKIM signature.

   4.  Perform SPF validation checks.  The results of this step are
       passed to the remainder of the algorithm and MUST include the
       domain name used to complete the SPF check.

   5.  Conduct Identifier Alignment checks.  With authentication checks
       and policy discovery performed, the Mail Receiver checks to see
       if Authenticated Identifiers fall into alignment as described in
       Section 3.  If one or more of the Authenticated Identifiers align
       with the RFC5322.From domain, the message is considered to pass
       the DMARC mechanism check.  All other conditions (authentication
       failures, identifier mismatches) are considered to be DMARC
       mechanism check failures.

   6.  Apply policy.  Emails that fail the DMARC mechanism check are
       disposed of in accordance with the discovered DMARC policy of the
       Domain Owner.  See Section 6.3 for details.
Cyril N.


This is the formula for DMARC authentication:

DMARC auth pass = (SPF auth pass AND SPF identifier alignment) OR (DKIM auth pass AND DKIM identifier alignment)

Or, put differently:

DMARC auth failure = (SPF auth failure OR SPF identifier misalignment) AND (DKIM auth failure OR DKIM identifier misalignment)

This post covers this topic in detail: https://dmarcly.com/blog/how-to-implement-dmarc-dkim-spf-to-stop-email-spoofing-phishing-the-definitive-guide#dmarc-alignment-authentication-hardened

lgc_ustc
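The RFC 7489 steps quoted in the first answer (steps 3 to 6) and the pass/fail formula in the second answer, worked through as an added example that is not part of either answer. It assumes SPF and DKIM verification have already been performed by the receiver and takes their results (SPF result plus the domain it was checked against, DKIM result plus the `d=` tag of each signature) as plain inputs; `organizational_domain` is a two-label stand-in for a Public Suffix List lookup, `pct=` sampling is not modelled, and every domain and DMARC record below is constructed for the example.

```python
"""DMARC mechanism check (RFC 7489 section 6.6.2, steps 3-6).

Added example, not from the original Q&A. SPF/DKIM verification is assumed
to have been done already; only the alignment logic and policy choice are
shown. Sample domains and records are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def organizational_domain(domain: str) -> str:
    """Stand-in for the Organizational Domain (RFC 7489 section 3.2).

    ASSUMPTION: two trailing labels. A real receiver must use the Public
    Suffix List so that 'mail.example.co.uk' yields 'example.co.uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; adkim=s; aspf=r' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1).

    's' (strict): the authenticated domain must equal the From domain.
    'r' (relaxed, the default): both must share an Organizational Domain.
    """
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    from_domain: str                  # RFC5322.From domain (step 1)
    spf_result: str                   # 'pass', 'fail', 'softfail', 'none', ...
    spf_domain: str                   # domain SPF was evaluated against (step 4)
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (result, d=) per signature (step 3)


def evaluate_dmarc(res: AuthResults, record: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Step 5. Pass iff at least one Authenticated Identifier aligns:
    (SPF pass AND SPF domain aligned) OR (any DKIM pass AND its d= aligned).
    Returns the verdict plus a per-identifier trace for the reader."""
    aspf = record.get("aspf", "r")
    adkim = record.get("adkim", "r")
    trace: List[str] = []

    spf_ok = res.spf_result == "pass" and aligned(res.spf_domain, res.from_domain, aspf)
    trace.append(f"spf={res.spf_result} domain={res.spf_domain} aligned[{aspf}]={spf_ok}")

    dkim_ok = False
    for result, d in res.dkim:          # a message may carry several signatures
        ok = result == "pass" and aligned(d, res.from_domain, adkim)
        trace.append(f"dkim={result} d={d} aligned[{adkim}]={ok}")
        dkim_ok = dkim_ok or ok

    return spf_ok or dkim_ok, trace


def disposition(dmarc_pass: bool, from_domain: str, record: Dict[str, str]) -> str:
    """Step 6. Passing mail is delivered normally; failing mail gets p=,
    or sp= when the From domain is a subdomain and sp= is present."""
    if dmarc_pass:
        return "none"
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    if is_subdomain and "sp" in record:
        return record["sp"]
    return record.get("p", "none")


if __name__ == "__main__":
    relaxed = parse_dmarc_record("v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r")
    # The asker's case: DKIM passes and aligns, SPF fails -> DMARC passes.
    case = AuthResults("example.com", "fail", "example.com", [("pass", "example.com")])
    verdict, trace = evaluate_dmarc(case, relaxed)
    print(verdict, disposition(verdict, case.from_domain, relaxed), trace)
```

Two further cases worth running: a message where SPF passes for an ESP's own bounce domain and DKIM is signed with the ESP's `d=` fails DMARC even though both checks "passed", because neither identifier aligns with the From domain; and the same subdomain sender (`mail.example.com` vs a From of `example.com`) passes under `aspf=r` but fails under `aspf=s`.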