
I have SPF and DKIM. I'm planning on adding DMARC to tell receivers to expect SPF and/or DKIM. I've read that it's best to set DMARC up with both SPF and DKIM, but I don't understand exactly when having it for both would be better than having it just for DKIM. Is there some scenario where having DMARC for SPF and DKIM would classify emails better than just having DMARC for DKIM? How common is that scenario?

Qaz
    First thing that comes to mind is replay attacks and modifying headers not covered by DKIM. – AndrolGenhald Oct 10 '17 at 21:16
  • @AndrolGenhald: modifying headers is in theory covered by DKIM, i.e. the signature encompasses both the body and selected header fields. But it is usually shoddily implemented and thus open to spoofing. See [Breaking DKIM - on Purpose and by Chance](http://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html) for more details. But SPF definitely does not protect against modifying headers. – Steffen Ullrich Oct 11 '17 at 04:14
  • @SteffenUllrich I only have experience with OpenDKIM which Debian configures to oversign From by default. It sounds like if From isn't oversigned an attacker could append a From header that wouldn't be verified in the hopes that the victim's email client would display theirs instead of the original. SPF wouldn't directly protect against that, but it's another layer of protection that would prevent the attacker from sending the spoofed email from just any IP address, making it potentially much more difficult. – AndrolGenhald Oct 11 '17 at 13:05
  • @AndrolGenhald: Oversigning From is not enough. You should also oversign Subject, Content-Type, Content-Transfer-Encoding etc. See my research I've linked to for details. – Steffen Ullrich Oct 11 '17 at 14:39

1 Answer

I don't think there is a simple answer to your question. Both SPF and DKIM are on their own useful in fighting spam, but they miss the alignment between the claimed sender in the mail header and the SMTP envelope (SPF) or the signature (DKIM). Only DMARC provides this important alignment and adds on top a policy on how to deal with failures.

But, by allowing either DKIM or SPF to provide the necessary alignment for DMARC, it is sufficient to successfully spoof one of these. This means either to successfully misuse an overly broad SPF policy or to make use of the usually shoddily implemented DKIM signatures to change the content of the mail while keeping the signature intact. Thus, by requiring only one of SPF or DKIM to succeed, DMARC lets the attacker focus on the weaker problem.

Therefore, one recommendation could be to implement one mechanism properly and strictly and not implement the other one at all, this way taking the choice of the weaker target away from the attacker. In this case I would favor implementing DKIM, but implementing it properly: sign all relevant mail headers (there are many), oversign all of these to protect against header duplication, and also make sure that the signed mail is 7-bit clean. For more on this see Breaking DKIM - on Purpose and by Chance (disclaimer: this is my own research).

The advantage of implementing only DKIM is that one can focus the resources on doing this one thing right. Apart from that, it provides the stronger protection if properly implemented. But there is also a big disadvantage of not doing SPF: SPF is far more widely implemented than DKIM or DMARC, and thus the chance is higher that an anti-spam solution implements only SPF but not DMARC and/or DKIM. While the numbers vary a lot between different sources, in the mails I had access to about 40% were covered by SPF but only about 9% had a DKIM signature and about 6% a DMARC policy.

In summary: the best thing is probably to have both strong DKIM signatures and small and strict SPF policies. Doing this properly is not as simple as it might look. With a more limited set of resources it might thus be preferable to get one of these right (recommended: DKIM) and skip the other one completely, so that an attacker does not have the choice to pick the weaker problem.

Steffen Ullrich
  • From [my comment](https://security.stackexchange.com/questions/225714/do-we-need-spf-when-we-have-dkim?noredirect=1#comment461476_225714): So are you saying that clients that haven't implemented DKIM are the only reason to implement SPF, and there are no benefits for clients that support DKIM & DMARC? – SWdV Feb 11 '20 at 18:11
  • @SWdV: First, SPF is not implemented in mail clients but in mail servers, since it needs to know the sending server's IP address. Similarly, DKIM and DMARC checks are usually also implemented at mail servers, although DMARC in a client might also make use of the Received-SPF header added by the mail server. And the problem is not only the systems that check DKIM but that many domains don't even have a DKIM record, i.e. it is largely a sender-side problem. But if DKIM had been __properly__ implemented __everywhere__, there would be no real benefit to SPF. – Steffen Ullrich Feb 11 '20 at 18:36
  • OK thanks! I indeed meant MTAs. Replay is in theory still a problem though, right? Although the impact should be limited if you sign the Date header. – SWdV Feb 11 '20 at 18:48
  • @SWdV: Since it is sufficient that either DKIM or SPF succeeds, a failed SPF does not actually prevent spoofing, and most mail servers don't block hard on failed SPF. So __unmodified__ replay is not actually prevented by using SPF. It can actually be prevented by having an expiration on the DKIM signature, which is included in the standard, although only recommended and not required, so it is not used in most DKIM signatures I see. – Steffen Ullrich Feb 11 '20 at 20:16