Why do I need DMARC on top of SPF and DKIM?

Question

If SPF is verifying against a set of IP records if the incoming email from a domain was sent from an authorized host piggybacking on the DNS and DKIM does touch the signature of the email and calculate another one based on DNS public key record and if signatures matches, the mail is flagged as authentic from the expected domain providing authenticity and integrity of the email, why do I need to implement DMARC as well?

Can you help me understand which additional risk I should consider or address with DMARC?

As far as I can see, the from header can't be spoofed and PASS by SPF and DKIM at the same time.

*"... the from header can't be spoofed and PASS by SPF and DKIM at the same time"* - The From header isn't even considered in case of SPF. Only the MAIL FROM information from the SMTP dialog is used, not the From field in the mail header. — Steffen Ullrich, Apr 23 '21 at 10:54
the point while domain can't be spoofed and SPF records are managed by domain owner, why adding DMARC as overhead while the email from fake_address@my_domain can't be sent to a legit_user@my_domain? — Asian Flavor, Apr 23 '21 at 11:42
@AsianFlavor: Again, SPF does not check the From field in the mail header, while DMARC does. Since checking the From field is expected to detect spoofing one need to have DMARC. — Steffen Ullrich, Apr 23 '21 at 14:18
@SteffenUllrich With SPF, the email can't originate from other mail server except the ones that I set so. Or do I miss something in SPF configuration? — Asian Flavor, Apr 23 '21 at 15:26
@AsianFlavor: Somebody can send an email from their own domain as SMTP MAIL FROM, with their own SPF record passing. But in the mail header they can use your domain in the From field. SPF does not protect against this, only DMARC does. In this case DMARC would fail since the domain of the mail header From and the domain where the SPF passes (SMTP MAIL FROM) do not align. — Steffen Ullrich, Apr 23 '21 at 15:35

Why do I need DMARC on top of SPF and DKIM?

0 Answers0