DMARC produces a "pass" result if and only if at least one of the SPF and DKIM checks passes. It has been noted that DKIM provides the stronger protection of the two (if implemented properly). But in order to require specifically DKIM passing under a DMARC policy, one needs to "disable" SPF (either by not publishing an SPF record or by publishing one that disallows everything).

I do not understand the reason for such a design of DMARC: there are two checks (SPF and DKIM), but there is no way for the policy to require that a particular one of the two passes. Doing so requires changing the other check itself.

What could be the reason for the DMARC specification to have no flags for specifically requiring either of SPF or DKIM to pass?
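The pass rule the question describes, as an added example that is not code from the original post: a small Python model of DMARC evaluation following RFC 7489 section 6.6.2, where a message passes if SPF passes with an aligned domain or a DKIM signature verifies with an aligned d= domain. It also shows that the record tags a receiver reads (adkim, aspf, p) only tune alignment and disposition; nothing in the record can demand one mechanism, so the only lever left is an SPF result that can never pass. The dataclass, function names and sample messages are constructed for this illustration, and the organizational-domain helper is deliberately naive (real receivers consult the public suffix list).

```python
"""Added illustration of DMARC pass/fail logic (not the original post's code)."""
from dataclasses import dataclass, field


@dataclass
class AuthResults:
    """Authentication results a receiver already holds for one message (constructed)."""
    header_from: str          # domain in the RFC5322.From header
    spf_result: str           # "pass", "fail", "none", ...
    spf_domain: str           # domain SPF was evaluated against (MAIL FROM or HELO)
    dkim_results: list = field(default_factory=list)  # list of (result, d= domain)


def organizational_domain(domain: str) -> str:
    """Naive organizational domain: last two labels. Real receivers use the PSL."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return domain.lower() == header_from.lower()
    return organizational_domain(domain) == organizational_domain(header_from)


def dmarc_evaluate(msg: AuthResults, adkim: str = "r", aspf: str = "r") -> str:
    """RFC 7489 6.6.2: pass if at least one aligned authenticator passes."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.spf_domain, msg.header_from, aspf)
    dkim_ok = any(
        result == "pass" and aligned(d_domain, msg.header_from, adkim)
        for result, d_domain in msg.dkim_results
    )
    return "pass" if spf_ok or dkim_ok else "fail"


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict; absent tags take RFC defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def disposition(msg: AuthResults, record_txt: str) -> tuple:
    """Return (dmarc result, action): the p= policy applies only on a DMARC fail."""
    tags = parse_dmarc_record(record_txt)
    result = dmarc_evaluate(msg, tags["adkim"], tags["aspf"])
    action = tags["p"] if result == "fail" else "accept"
    return result, action


if __name__ == "__main__":
    # Constructed sample: SPF passes via a bounce subdomain, DKIM signature fails.
    spf_only = AuthResults("example.com", "pass", "bounce.example.com", [("fail", "example.com")])
    print("SPF pass + DKIM fail, relaxed:", dmarc_evaluate(spf_only))          # pass
    print("SPF pass + DKIM fail, aspf=s:", dmarc_evaluate(spf_only, aspf="s"))  # fail
    # Only way to "require DKIM": publish an SPF record that never passes (v=spf1 -all),
    # modelled here as spf_result == "fail"; DKIM alone then carries the message.
    dkim_only = AuthResults("example.com", "fail", "example.com", [("pass", "example.com")])
    print("SPF disabled + DKIM pass:", disposition(dkim_only, "v=DMARC1; p=reject"))
```

Note that the second case fails only because strict SPF alignment rejects the bounce subdomain, not because the policy asked for DKIM; with an aligned MAIL FROM domain SPF alone would still carry the message.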

2 Answers

1

I did not find anything about this but I'm guessing that the arguments went the following way:

  1. Both SPF and DKIM might break (forwarding, message transformation).
  2. To increase robustness a domain should probably implement both anyway and hopefully only one will break then.
  3. There are ways these mechanisms can accidentally fail, but there is no way for an attacker to deliberately make them falsely succeed.
  4. Thus in the interest of robustness require only that at least one of these succeeds.

I very much doubt argument number 3 though. For a scenario where SPF might be tricked into returning Pass see this mailing list thread which actually contains a proposal to have something more strict than just SPF or DKIM. For ways to abuse DKIM by an attacker see this article (disclaimer: own research).

Steffen Ullrich
0

To ignore SPF you can set fo=d on your DMARC record and it will only report when DKIM fails. Setting the SPF record to softfail ~all is not a bad idea either.

EnviableOne