3

E-mail forwarding can break SPF, but it should not break DKIM. I want to make a DMARC policy that will evaluate to "pass" when either DKIM or SPF passes, and "fail" when neither DKIM or SPF passes. Is this possible? If so, how is this done?

I'm trying to wrap my head around the result of a DMARC policy evaluation where exactly one of SPF and DKIM fails and one succeeds. I've read RFC7489 and I've found these two quotes:

DMARC evaluation can only yield a "pass" result after one of the underlying authentication mechanisms passes for an aligned identifier.
Final disposition of a message is always a matter of local policy. An operator that wishes to favor DMARC policy over SPF policy, for example, will disregard the SPF policy, since enacting an SPF-determined rejection prevents evaluation of DKIM; DKIM might otherwise pass, satisfying the DMARC evaluation. There is a trade-off to doing so, namely acceptance and processing of the entire message body in exchange for the enhanced protection DMARC provides.

Emphasis mine.

From these quotes, it's not clear what should happen when DKIM succeeds and SPF fails; "the evaluation might pass" is not something I can base a decision on.

jornane
  • Regarding email forwarding breaking SPF: you might be interested in [ARC](http://arc-spec.org/) (Authenticated Received Chain), which is specifically devised to address that problem. – Adam Katz Oct 19 '17 at 18:59
  • I know about ARC, but it’s outside my control whether or not that’s used, that’s up to the person forwarding my mail. – jornane Dec 09 '17 at 23:49

2 Answers

3

From my understanding of the RFC this should be the default behaviour. If you have set the fo field in the DMARC record it will modify this.

Receivers are permitted to process the message as they see fit, and may reject a message on an SPF fail (with a reject mechanism "-"), but providing the standard is implemented in full and DKIM passes, with the default fo setting of 0, the message will pass authentication.

If the SPF record is set to softfail this should allow the DKIM to be processed and DMARC policies to supersede the SPF result in most cases.

EnviableOne
  • Could you elaborate on why a softfail SPF policy should allow DKIM to supersede SPF? – jornane Dec 09 '17 at 23:51
  • Softfail is the solution. – sitilge Jan 17 '18 at 23:31
  • Generally a hard SPF fail will result in an automatic drop and DKIM will not be assessed. As softfail is not a hardfail, this allows the processing to continue, but as it's not a pass, this will inform the DMARC policy assessment, so a DKIM pass and SPF fail would be recorded. – EnviableOne Feb 23 '18 at 10:00
  • This is incorrect. While `fo` field in DMARC instructs participating receivers to send forensic reports based on failed SPF and/or DKIM, it does _not_ affect the policy (`p`) itself. – Adam Katz Mar 15 '18 at 18:04
1

Only one aligned DKIM/SPF pass is necessary for DMARC to pass:

  • If DKIM verifies with alignment, DMARC passes – no policy is triggered (regardless of SPF)
  • If SPF passes with alignment, DMARC passes – no policy is triggered (regardless of DKIM)

DMARC passes when either SPF or DKIM is verified and aligned.
DMARC can neither explicitly require SPF, nor explicitly require DKIM, nor both.

An aligned DKIM signature implies the sending relay was authorized, so requiring both seems unnecessary. If you want to require always passing DKIM, either do not publish SPF or (preferably) tell SPF to disallow everything (e.g. v=spf1 ~all). If you want to require always passing SPF, either don't use DKIM or else make sure it is not aligned.

Email forwarding will break SPF (due to routing through other relays) and can also break DKIM (due to e.g. mailing list edits to the subject and body) unless you (and your recipients!) use Authenticated Received Chain (ARC).

Adam Katz
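To make the "one aligned pass is enough" rule from this answer concrete for the question's forwarding scenario (SPF fails at the forwarder, DKIM survives), here is a minimal DMARC evaluator. It is example code added for this page, not code from the RFC, the question or either answer; it simplifies the organizational-domain lookup to the last two labels (real evaluators use the Public Suffix List), and every domain and result in it is a constructed sample value.

```python
# Added example, not code from the question or either answer: a minimal DMARC
# evaluator in the spirit of RFC 7489 section 6.6.2. It shows that a single
# aligned pass (SPF *or* DKIM) is enough and that an unaligned pass counts for
# nothing. All domains and results below are constructed sample values.

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Assumption for this example only: real evaluators consult the Public
    Suffix List so that names such as example.co.uk are handled correctly.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1): strict ('s') needs an
    exact match, relaxed ('r') accepts the same organizational domain."""
    a, f = auth_domain.lower().strip("."), from_domain.lower().strip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf, dkim_sigs, adkim="r", aspf="r"):
    """Return ('pass' | 'fail', reason) for one message.

    from_domain: domain of the RFC5322.From header (the DMARC identifier).
    spf:         (result, domain) where domain is the one SPF checked, i.e.
                 MAIL FROM, or HELO when the envelope sender is empty.
    dkim_sigs:   list of (result, d=domain), one per DKIM-Signature header.
    adkim/aspf:  alignment modes from the DMARC record ('r' or 's').
    """
    spf_result, spf_domain = spf
    if spf_result == "pass" and aligned(spf_domain, from_domain, aspf):
        return "pass", "aligned SPF pass"
    for result, d in dkim_sigs:
        if result == "pass" and aligned(d, from_domain, adkim):
            return "pass", f"aligned DKIM pass (d={d})"
    # softfail, fail, neutral, none, temperror and permerror all end here:
    # DMARC only distinguishes "aligned pass" from everything else.
    return "fail", "no aligned SPF or DKIM pass"

if __name__ == "__main__":
    # Forwarded mail: the forwarder's IP fails SPF, the signature survives.
    print(dmarc_result("example.com", ("fail", "example.com"),
                       [("pass", "example.com")]))
    # Mailing list: body edited (DKIM broken), SPF passes for the list's
    # own bounce domain, which is not aligned with the From: domain.
    print(dmarc_result("example.com", ("pass", "lists.example.org"),
                       [("fail", "example.com")]))
```

Whether a receiver then rejects, quarantines or delivers a failing message is governed by the published `p=` policy and local policy, which this evaluator deliberately does not model.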