DKIM and SPF are mentioned as powerful mitigations for having your domain abused for phishing. But when I send a mail like this:

Return-Path: <me@mydomain.example.com>
From: Citibank security team <security@citi.com>
Reply-To: Noreply <noreply@citi.com>
Subject: Unauthorized attempt on your account
  • With Envelope From <me@mydomain.example.com>
  • With a valid DKIM signature for mydomain.example.com
  • Sent from a host that is authorized to send according to the SPF policy for mydomain.example.com

It is my understanding that the mail will be shown as if it actually was sent from Citibank. The mailserver logs may show something about an unaligned DKIM-signature, and a DMARC-report may be sent to Citibank eventually, but it doesn't at all prevent a scam-mail from being delivered.

Why does the specification check the From: address so loosely, while that is the only identifier a user would see directly in their mail client?

jornane
  • All these protocols are close to useless against phishing. If you can recognize a domain name, you are safe. If you can't, nothing based on DNS would ever protect you. – curiousguy Dec 16 '18 at 21:47

1 Answer

.. and a DMARC-report may be sent to Citibank eventually, but it doesn't at all prevent a scam-mail from being delivered.

citi.com has a DMARC record with an explicit reject policy:

$ dig txt _dmarc.citi.com
...
_dmarc.citi.com. ...  TXT     "v=DMARC1; p=reject; ...."

This means that if the receiving mail server implements DMARC it will reject the mail, since no aligned SPF or DKIM result will be found. If no such checks are done at the recipient's side, the mail will not be rejected.

Steffen Ullrich
  • Aha, I missed that DMARC checks alignment as well, it's not only `DKIM || SPF`. https://dmarcian.com/how-can-spfdkim-pass-and-yet-dmarc-fail/ – jornane Dec 06 '18 at 13:19
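The alignment step the answer refers to, worked through in code. This is an added example, not code from the original question or answer: it parses a DMARC TXT record, takes the RFC5322.From domain from the message, and checks whether the domain that passed SPF (the envelope-from / Return-Path domain) or the domain of a verified DKIM signature (its `d=` tag) is aligned with it. The message is the one from the question; the DMARC record is constructed from the visible part of citi.com's record (`p=reject`), and the SPF/DKIM results are supplied as already-verified inputs because real verification needs DNS and the mail transaction. `org_domain` approximates the organizational domain with the last two labels; RFC 7489 uses the Public Suffix List, which this example does not embed.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1), as an added example."""
from dataclasses import dataclass
import email

# Constructed from the question: aligned SPF and DKIM for the sender's own
# domain, but a From: header claiming citi.com.
SPOOFED_MESSAGE = """\
Return-Path: <me@mydomain.example.com>
From: Citibank security team <security@citi.com>
Reply-To: Noreply <noreply@citi.com>
Subject: Unauthorized attempt on your account

Please log in immediately.
"""

# Constructed from the visible part of citi.com's record; the real record
# carries further tags (rua=, etc.) that are elided in the answer.
CITI_DMARC = "v=DMARC1; p=reject"


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; adkim=s' into tags, applying RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")      # policy: none | quarantine | reject
    tags.setdefault("adkim", "r")     # DKIM alignment mode: r(elaxed) | s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment mode: r(elaxed) | s(trict)
    return tags


def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels (RFC 7489 uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict: exact match. Relaxed: same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResult:
    """Outcome of SPF and DKIM checks done earlier by the receiving MTA."""
    spf_pass: bool
    spf_domain: str    # envelope-from (MAIL FROM / Return-Path) domain
    dkim_pass: bool
    dkim_domain: str   # d= tag of a signature that verified


def rfc5322_from_domain(raw_message: str) -> str:
    """Domain of the From: header, the identifier the user actually sees."""
    msg = email.message_from_string(raw_message)
    _, addr = email.utils.parseaddr(msg["From"])
    return addr.rpartition("@")[2]


def dmarc_disposition(raw_message: str, auth: AuthResult, dmarc_txt: str) -> str:
    """Return 'pass' if an aligned SPF or DKIM pass exists, else the record's p= policy."""
    rec = parse_dmarc_record(dmarc_txt)
    from_dom = rfc5322_from_domain(raw_message)
    spf_aligned = auth.spf_pass and aligned(auth.spf_domain, from_dom, rec["aspf"])
    dkim_aligned = auth.dkim_pass and aligned(auth.dkim_domain, from_dom, rec["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass"
    return rec["p"]


if __name__ == "__main__":
    attacker = AuthResult(True, "mydomain.example.com", True, "mydomain.example.com")
    print(dmarc_disposition(SPOOFED_MESSAGE, attacker, CITI_DMARC))
```

The point the question missed is visible in `dmarc_disposition`: SPF and DKIM each pass on their own, but both passed for mydomain.example.com, and neither is aligned with citi.com from the From: header, so the verdict falls through to citi.com's `p=reject`. The same message with a DKIM signature whose `d=` is citi.com (or, under relaxed alignment, a subdomain of it) would pass.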