
I have spent a bit of time researching SPF, DKIM and DMARC mechanisms; however, if I understand correctly, these help the recipient to confirm whether the domain is legitimate but only if they have these mechanisms configured correctly and implemented.

In a scenario where the recipient does not have these particular mechanisms in place or misconfigured, could a spammer potentially use my email address to send the recipient spam?

So far it looks like your organization relies on the fact that you have configured SPF, DKIM and DMARC correctly as well as all recipients, to completely prevent your domain from being spoofed.

Or am I misunderstanding something here?

schroeder
Chaplin

2 Answers


SPF, DKIM and DMARC require both that these are set up by the legitimate sender and that these are verified by the recipient. In theory the combination of SPF+DMARC or DKIM+DMARC is sufficient at the sender side, where DKIM is the more robust regarding message forwarding. But if neither SPF nor DKIM is used by the sender and if no DMARC is set up by the sender and verified by the recipient (which implies verifying SPF/DKIM), then sender spoofing is possible.

Steffen Ullrich

these help the recipient to confirm whether the domain is legitimate but only if they have these mechanisms configured correctly and implemented.

No. It helps the recipient to know if the email you received was sent by an approved email server.

In a scenario where the recipient does not have these particular mechanisms in place or misconfigured, could a spammer potentially use my email address to send the recipient spam?

Absolutely. Email spoofing is perfectly possible as the core protocols do not have a mechanism for authentication. Although a spoofed email going to spam is another topic.

So far it looks like your organization relies on the fact that you have configured SPF, DKIM and DMARC correctly as well as all recipients, to completely prevent your domain from being spoofed.

Yes, both sides are important: the sender having set up SPF, DMARC, DKIM and the recipient checking them.

yeah_well
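Both answers make the same point: the sender publishes SPF/DKIM/DMARC, and only a recipient that actually evaluates them applies any policy. The following Python is an added example (not code from either answer, and not a production verifier) that shows the recipient-side DMARC decision: parse a DMARC TXT record, check whether the SPF-authenticated domain and the DKIM signing domain are aligned with the visible From domain, and derive the disposition. The DMARC record, domains and authentication results are all constructed for illustration; the organizational-domain function is simplified (no Public Suffix List) and the SPF/DKIM results are assumed to have been produced by earlier checks rather than computed here.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed DMARC record for the example sender; strict DKIM alignment,
# relaxed SPF alignment, reject policy. Not a real published record.
EXAMPLE_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, applying the RFC 7489
    defaults (relaxed alignment, p=none) for tags that are absent."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. A real verifier
    consults the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header (what the user sees)
    spf_result: str    # "pass" / "fail" / "none", evaluated on RFC5321.MailFrom
    spf_domain: str    # domain SPF was evaluated against
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the validated DKIM signature


def evaluate_dmarc(results: AuthResults, record: Optional[str]) -> dict:
    """Recipient-side DMARC evaluation. A message passes if SPF or DKIM
    passed *and* that identifier is aligned with the From domain.
    If the sender published no record, there is no policy to apply."""
    if record is None:
        return {"spf_aligned": False, "dkim_aligned": False,
                "dmarc": "none", "disposition": "none"}
    tags = parse_dmarc(record)
    spf_ok = results.spf_result == "pass" and aligned(
        results.from_domain, results.spf_domain, tags["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(
        results.from_domain, results.dkim_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else tags["p"]}


# Constructed scenarios (assumed SPF/DKIM outcomes, not computed here).
LEGIT = AuthResults("example.com", "pass", "bounce.example.com",
                    "pass", "example.com")
# Forged From with the sender's own infrastructure: SPF passes for the
# sender's MAIL FROM domain, but that domain is not aligned with From.
FORGED = AuthResults("example.com", "pass", "other-sender.test",
                     "none", "")
# Forwarded by a relay not in example.com's SPF record; DKIM survives.
FORWARDED = AuthResults("example.com", "fail", "example.com",
                        "pass", "example.com")

if __name__ == "__main__":
    for name, r in (("legit", LEGIT), ("forged", FORGED), ("forwarded", FORWARDED)):
        print(name, evaluate_dmarc(r, EXAMPLE_DMARC))
    print("no record published:", evaluate_dmarc(FORGED, None))
```

Run it and the forged case yields disposition "reject", but only because the recipient executed this evaluation against a record the sender published; with `record=None` (sender published nothing) or a recipient that never calls this code, the same forged message is simply delivered. The forwarded case shows why the first answer calls DKIM the more robust of the two: SPF fails at the relay, yet the aligned DKIM signature alone is enough for DMARC to pass.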