
I'm trying to understand how SPF and DKIM can be used to prevent email spoofing. One of the things I find confusing is that the SDID/AUID of a DKIM-signed message can be different from both the envelope From and the header From.

For example: Say I receive an email via mailer.com with an envelope From: foo@bar.com, a header From: baz@noreply.com, and the DKIM headers specifying an SDID (d= tag) of relay.com.

  1. bar.com has an SPF record including mailer.com, so mailer.com checks out
  2. relay.com has a DKIM record which verifies the signatures in the DKIM header, but...

How do I know relay.com can be trusted for emails from bar.com? Does bar.com need to include relay.com in their spf records?

Adam Katz
jay.lee

1 Answer

SPF and DKIM don't work together to prevent spoofing. They both only provide information which then can be used in DMARC to prevent (some kind of) sender spoofing.

Notably, SPF provides the information whether the claimed SMTP envelope sender is allowed to send from the specific IP address, based on a policy stored by the domain owner in the DNS. DKIM instead provides cryptographically protected information whether the mail was delivered over the mail server responsible for a specific domain.

If either SPF or DKIM is successful, and if the domain from these can be aligned with the domain given in the mail envelope From (which can be different from the SMTP envelope), then one can be mostly sure that the mail comes from the specific domain.

Note that this does not check a specific sender, only the domain. It thus does not by itself prevent spoofing of one mail account in a specific domain from another in the same domain - one can only hope (but not verify) that this is handled inside the domain already.

And there are also various other kinds of spoofing, or ways in which existing techniques can be bypassed - see Weak Links in Authentication Chains: A Large-scale Analysis of Email Sender Spoofing Attacks from USENIX Security 2021.

Steffen Ullrich
    To add some links: The key to why DMARC works where SPF & DKIM don't independently is [**alignment**](https://en.wikipedia.org/wiki/DMARC#Alignment) (tying the DKIM-Signature and the SMTP sender to the From header) and [**aggregate reports**](https://en.wikipedia.org/wiki/DMARC#Reports), both of which are necessary before getting to `p=reject` blocking. – Adam Katz Sep 15 '22 at 15:19
  • Thanks. Alignment seems to cover what I was asking about. The interplay of SPF, DKIM, and DMARC is confusing to say the least. – jay.lee Sep 20 '22 at 22:29
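The answer and Adam Katz's comment both come down to DMARC identifier alignment: an SPF pass counts only if the envelope-From domain aligns with the header-From domain, and a DKIM pass counts only if the d= domain (SDID) aligns with it. The following Python walkthrough is an added example, not code from the question, the answer, or any mail software; it evaluates the asker's exact scenario (envelope bar.com, header noreply.com, DKIM d=relay.com) and a repaired variant, under both relaxed and strict alignment. It assumes the SPF and DKIM results have already been computed elsewhere (no DNS is queried), and it approximates the organizational-domain lookup with a constructed three-entry suffix table instead of the real Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed mini public-suffix table. Assumption: real DMARC evaluators use the
# full Public Suffix List to find the organizational (registrable) domain.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def organizational_domain(domain: str) -> str:
    """Approximate the DMARC organizational domain: the registrable part of a name."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> dict:
    """Parse a 'v=DMARC1; p=...; adkim=...; aspf=...' TXT record into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    header_from: str               # domain of the RFC5322.From header (what the user sees)
    envelope_from: Optional[str]   # domain of the RFC5321.MailFrom (the SPF identity)
    spf_pass: bool                 # SPF result for envelope_from at the connecting IP
    dkim_d: Optional[str]          # d= tag (SDID) of a signature that verified
    dkim_pass: bool                # whether that signature verified


def dmarc_evaluate(results: AuthResults, dmarc_record: str) -> dict:
    """Combine pre-computed SPF/DKIM results with the From domain's DMARC record."""
    tags = parse_dmarc_record(dmarc_record)
    aspf = tags.get("aspf", "r")    # DMARC defaults both alignment modes to relaxed
    adkim = tags.get("adkim", "r")
    spf_aligned = (results.spf_pass and results.envelope_from is not None
                   and aligned(results.envelope_from, results.header_from, aspf))
    dkim_aligned = (results.dkim_pass and results.dkim_d is not None
                    and aligned(results.dkim_d, results.header_from, adkim))
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
        "policy": tags.get("p", "none"),
    }


# The asker's scenario: SPF passes for bar.com, DKIM verifies for relay.com,
# but the header From is noreply.com, so neither authenticated identifier aligns.
QUESTION_SCENARIO = AuthResults(
    header_from="noreply.com", envelope_from="bar.com", spf_pass=True,
    dkim_d="relay.com", dkim_pass=True)

NOREPLY_DMARC = "v=DMARC1; p=reject; adkim=r; aspf=r"   # constructed record for noreply.com


def question_scenario() -> dict:
    return dmarc_evaluate(QUESTION_SCENARIO, NOREPLY_DMARC)


def repaired_scenario(adkim: str) -> dict:
    """Same mail, but signed with d=mail.noreply.com: aligns only under relaxed mode."""
    fixed = AuthResults(header_from="noreply.com", envelope_from="bar.com", spf_pass=True,
                        dkim_d="mail.noreply.com", dkim_pass=True)
    return dmarc_evaluate(fixed, f"v=DMARC1; p=reject; adkim={adkim}; aspf=r")


if __name__ == "__main__":
    print("question scenario:", question_scenario())
    print("d=mail.noreply.com, adkim=r:", repaired_scenario("r"))
    print("d=mail.noreply.com, adkim=s:", repaired_scenario("s"))
```

So the answer to "does bar.com need to include relay.com in its SPF record?" is no: what matters is that some passing identifier aligns with noreply.com, the domain the recipient actually sees. relay.com would have to sign with a d= under noreply.com (which needs noreply.com to publish that selector's DKIM key), or mail would have to be sent with an envelope From under noreply.com from a host in noreply.com's SPF record.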