DMARC is used to tell receivers of e-mail what to do if SPF or DKIM fails in mails sent from your domain. As far as I know this pretty much sums up DMARC; if this is not correct, please correct me.

My question: The situation is this: mydomain.org has DMARC policy none (p=none). The mailserver of somedomain.org has its own policy to reject all e-mails that fail the SPF check, so if the mailserver of somedomain.org receives an e-mail that fails the SPF check it would just reject it. But when an e-mail from mydomain.org is received at somedomain.org and fails the SPF check, will the mailserver reject the e-mail as per local policy, or take the DMARC policy and actually just deliver the e-mail?

In essence the question is: isn't a DMARC p=none policy even less safe than no DMARC at all?

Kind regards,

Wealot

2 Answers

TL;DR: A DMARC policy of none does not mean that the mail should be accepted. It only means that it should not be rejected/quarantined based on a failed DMARC check. It can still be rejected based on SPF Fail.


DMARC is used to tell receivers of e-mail what to do if SPF or DKIM fails in mails send from your domain.

DMARC does not define what happens if SPF or DKIM fail. It does not care about failed checks at all. It only cares about the successful and identifier-aligned checks (i.e. the domain from the check must match the From in the mail header). DMARC passes if at least one of the identifier-aligned DKIM signatures or SPF checks passes and fails otherwise. DMARC can define that the mail should be rejected or quarantined if the DMARC check fails.

A DMARC policy of "none" does not mean that the mail should be kept - it only says that no decision will be made based on the DMARC status. From RFC 7489 section 6.3:

none: The Domain Owner requests no specific action be taken regarding delivery of messages.

And the example in section B.2.1 says more clearly that p=none should not be treated as a "pass" but as "don't change existing behavior":

Receivers should not alter how they treat these messages because of this DMARC policy record ("p=none")

Thus p=none does not mean to accept the mail but that one should not reject/quarantine the mail and instead can rely on other policies. And SPF defines its own policy. A Fail means that the mail was not sent from a source IP which is allowed for sending. From RFC 4408 section 2.5.4:

2.5.4. Fail

A "Fail" result is an explicit statement that the client is not authorized to use the domain in the given identity. The checking software can choose to mark the mail based on this or to reject the mail outright.

Apart from that, MTAs are neither required to implement SPF nor DMARC, and they can implement SPF without implementing DMARC and thus reject a mail solely based on an SPF Fail.

Steffen Ullrich
  • I do not think you are correct. The RFC clearly states: A Mail Receiver implementing the DMARC mechanism SHOULD make a best-effort attempt to adhere to the Domain Owner's published DMARC policy when a message fails the DMARC test. That would mean that if the DMARC test (which consists of SPF, DKIM and From header checks) fails the receiver should do what the DMARC policy (p) says. So quarantine, reject or NONE. I think we're getting into a more terminology discussion about what "no specific action to be taken" means (as per RFC from DMARC) – Wealot Oct 25 '17 at 09:13
  • And I believe the From check is purely a check if the domain is a valid domain, I am not sure if there is an actual check if the sender of this mail is allowed to send from this domain (that is SPF) – Wealot Oct 25 '17 at 09:16
  • 1
    @Wealot: First, the receiver is not required to implement DMARC at all but can rely on SPF only. Based on this I read the spirit of DMARC `none` not as to override an existing SPF Fail to let the mail pass but to make no decision based on the DMARC status. DMARC does not define a positive policy, it only defines negative (quarantine, reject) and none (i.e. no decision). – Steffen Ullrich Oct 25 '17 at 09:17
  • @Wealot: *And I believe the From check is purely a check if the domain is a valid domain..* - the identity alignment check is the essential part of DMARC to detect sender spoofing. It is not only a check if the domain is valid but it also defines which SPF and DKIM checks are used in the decision, i.e. only the identity aligned ones. – Steffen Ullrich Oct 25 '17 at 09:19
  • Ok fair enough, I get your point. I think this is not made precisely clear in the RFC, although it does state that the receiver should:" ....disposed of in accordance with the discovered DMARC....." when DMARC gives a fail. It might end up being a decision of the receiver in the end.... – Wealot Oct 25 '17 at 09:21
  • About your last comment, yes you are absolutely right. But I still don't entirely understand how this contributes to anti spoofing. I can just write the from header as example.com just as the MAIL FROM. It would validate even if I am not allowed to send mails. But that's another discussion, I'll just believe you on your word that it is handy to have :D – Wealot Oct 25 '17 at 09:24
  • @Wealot: for detecting spoof of sender domain in mail from you have SPF. – Steffen Ullrich Oct 25 '17 at 09:27
  • Oooh ok nevermind I just did not make that connection. It is now very clear to me thank you – Wealot Oct 25 '17 at 09:27
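The evaluation order described in the answer and its comments, as an added worked example (not code from the original question, the answers, or any RFC): a receiving MTA first computes the DMARC result from the identifier-aligned SPF/DKIM passes, applies the domain owner's p= policy only when that policy is quarantine or reject, and otherwise falls through to its own local rules, here a hypothetical "reject on SPF fail" switch. The `Message` dataclass, the function names and the sample messages are all constructed for this illustration. The relaxed alignment check is a deliberate simplification: it treats an exact match or a parent/child domain relationship as aligned instead of comparing organizational domains via the public suffix list, which is what RFC 7489 actually requires.

```python
"""
Added example, not part of the original page: a small model of how a
receiver combines an SPF result, a DKIM result, the sender's DMARC
policy and its own local policy into a delivery decision.

Assumptions (constructed for this example):
  * the Message dataclass and all function names are hypothetical;
  * relaxed alignment is approximated as "same domain or one is a
    subdomain of the other" rather than organizational-domain matching.
"""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    """Authentication results a receiver holds for one message.

    header_from: domain of the RFC5322.From header (the DMARC identifier)
    spf_result:  SPF result ("pass", "fail", "none", ...)
    spf_domain:  domain the SPF check was done for (RFC5321.MailFrom / HELO)
    dkim_result: result of the DKIM signature check, None if unsigned
    dkim_domain: d= tag of that signature, None if unsigned
    """
    header_from: str
    spf_result: str
    spf_domain: str
    dkim_result: Optional[str] = None
    dkim_domain: Optional[str] = None


def aligned(identifier: str, header_from: str, mode: str = "r") -> bool:
    """Identifier alignment in the spirit of RFC 7489 section 3.1.

    mode "s" (strict): the domains must match exactly.
    mode "r" (relaxed): simplified here to exact match or a parent/child
    relationship on a label boundary; the RFC compares organizational
    domains, which needs the public suffix list.
    """
    a = identifier.lower().rstrip(".")
    b = header_from.lower().rstrip(".")
    if a == b:
        return True
    if mode == "s":
        return False
    return a.endswith("." + b) or b.endswith("." + a)


def dmarc_result(msg: Message, adkim: str = "r", aspf: str = "r") -> str:
    """DMARC passes only if at least one ALIGNED DKIM or SPF check passed.

    Failed checks are simply ignored; an unaligned pass counts for nothing.
    """
    dkim_ok = (msg.dkim_result == "pass"
               and msg.dkim_domain is not None
               and aligned(msg.dkim_domain, msg.header_from, adkim))
    spf_ok = (msg.spf_result == "pass"
              and aligned(msg.spf_domain, msg.header_from, aspf))
    return "pass" if (dkim_ok or spf_ok) else "fail"


def disposition(msg: Message, dmarc_policy: Optional[str],
                reject_on_spf_fail: bool) -> str:
    """Return "accept", "quarantine" or "reject" for one message.

    dmarc_policy: "none", "quarantine", "reject", or None when the
    From domain publishes no DMARC record at all.
    reject_on_spf_fail: the receiver's own, non-DMARC policy for SPF fail
    (hypothetical local setting).
    """
    # 1. A published quarantine/reject policy applies when DMARC fails.
    if dmarc_policy in ("quarantine", "reject") and dmarc_result(msg) == "fail":
        return dmarc_policy
    # 2. p=none (or no record) makes no DMARC-based decision, so the
    #    receiver falls through to whatever it would do anyway.
    if reject_on_spf_fail and msg.spf_result == "fail":
        return "reject"
    return "accept"


def question_scenario() -> str:
    """The scenario from the question (constructed sample message):
    mydomain.org publishes p=none, the mail fails SPF, and somedomain.org
    rejects on SPF fail regardless of DMARC."""
    msg = Message(header_from="mydomain.org", spf_result="fail",
                  spf_domain="mydomain.org")
    return disposition(msg, dmarc_policy="none", reject_on_spf_fail=True)


if __name__ == "__main__":
    print("question scenario:", question_scenario())
    # Spoofed From with an unaligned but passing SPF/DKIM domain: DMARC fails.
    spoof = Message(header_from="mydomain.org", spf_result="pass",
                    spf_domain="bulk-sender.example",
                    dkim_result="pass", dkim_domain="bulk-sender.example")
    print("unaligned pass, p=reject:", disposition(spoof, "reject", False))
```

Running the module prints the disposition for the question's scenario and for a spoof where MAIL FROM and the DKIM d= domain both pass but belong to someone else's domain: with p=none the first case is rejected by the local SPF rule alone, and in the second case the unaligned passes do not help the sender, which is the anti-spoofing point made in the last comments above.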
Mail servers should use what you put in your DMARC record. In your example, you are telling the mail server that you, as the domain owner, are happy for it to be ignored, but you are asserting that you have made that decision with the DMARC record.

Some mail servers could decide what to do, but I believe this would be against the spirit of DMARC.

With DMARC you would, if configured, also receive stats based on the results even with DMARC p=none.

schroeder
ISMSDEV