
Messages sent by my domain will always be DKIM-signed and any that are not should be immediately discarded by recipients. But strict SPF enforcement leads to problems where internal mail-forwarding rules and other sorts of implementation details cause spurious breakages. What is an appropriate constellation of SPF, DKIM, and DMARC records to cause receiving systems to treat DKIM failures as absolute "stop delivery, it's spam for sure", but SPF as just a hint?

Glyph

1 Answer


It's by design that DMARC passes if either DKIM or SPF is aligned, i.e. matching the From header. It's known that DKIM alignment survives forwarding, whereas SPF alignment doesn't: a service forwarding the mail should put the mail in another envelope, i.e. use a MAIL FROM (Return-Path) address of its own, which will break the alignment even though SPF passes on its own.

Regarding the configuration:

  • Sign every mail with DKIM, have the DKIM records in place and keep the DKIM signature aligned with the From header. There's no such thing as a hard/soft DKIM failure, as the DKIM test just compares the signature with the published public key from DNS.
  • If there's no signature, DKIM alone doesn't have any capability to tell whether there should be one or not. That's where you need DMARC: you can enforce DKIM by having p=reject in your DMARC policy.
  • Having the previous setup in place, SPF becomes less relevant for protecting the From header. It would be OK to have e.g. ~all to prevent hard failures on SPF, leaving your envelope domain partly unprotected. As DMARC requires SPF to pass and to be aligned, it will fail on SPF softfail, but it doesn't matter as long as it's aligned through DKIM.

If you want to be absolutely strict with DKIM, keep in mind that an aligned and passing SPF alone will make DMARC pass, too. If you want to make DMARC always fail without DKIM, you could use a different domain as an envelope sender and have a v=spf1 -all SPF policy to prevent using this domain as an envelope sender altogether. However, that's not a typical configuration and might look worse to some spam filters.

Esa Jokinen
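The DMARC decision rule the answer relies on (pass if either an aligned DKIM signature or an aligned SPF check passes; SPF softfail never counts), as an added example that is not part of the answer. The evaluator and all domain names are constructed for illustration; it simplifies organizational-domain lookup and reads no DNS.

```python
# Added example: a minimal DMARC evaluator per the rule in the answer.
# Assumptions: relaxed alignment by default, organizational domain = last two
# labels (real evaluation uses the Public Suffix List), domains are placeholders.

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_evaluate(from_domain, dkim_results, mail_from, spf_result, policy):
    """dkim_results: list of (d= domain, result) per signature.
    spf_result: 'pass', 'softfail', 'fail' or 'none'; only 'pass' counts.
    policy: dict from the DMARC record (p=, optional adkim=/aspf=).
    Returns (dmarc_pass, disposition)."""
    adkim, aspf = policy.get("adkim", "r"), policy.get("aspf", "r")
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim)
                  for d, res in dkim_results)
    # ~all yields softfail, which is not a pass, so it never helps DMARC.
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from, aspf)
    passed = dkim_ok or spf_ok
    return passed, ("none" if passed else policy["p"])

POLICY = {"p": "reject"}  # v=DMARC1; p=reject with default relaxed alignment

# Forwarded mail: the forwarder re-envelopes it, so SPF passes but does not
# align; the aligned DKIM signature survives and DMARC still passes.
forwarded = dmarc_evaluate("example.com", [("example.com", "pass")],
                           "lists.forwarder.net", "pass", POLICY)
# Unsigned spoof from an unlisted IP under ~all: softfail, no DKIM -> reject.
spoofed = dmarc_evaluate("example.com", [], "example.com", "softfail", POLICY)
# Unsigned mail from a listed IP: an aligned SPF pass alone is enough (the caveat).
spf_only = dmarc_evaluate("example.com", [], "example.com", "pass", POLICY)
# Separate envelope domain with the From domain on "v=spf1 -all": SPF can never
# be an aligned pass, so DMARC now stands or falls on DKIM alone.
strict = dmarc_evaluate("example.com", [], "bounce.example.net", "fail", POLICY)

if __name__ == "__main__":
    for name, (ok, disp) in [("forwarded", forwarded), ("spoofed", spoofed),
                             ("spf_only", spf_only), ("strict", strict)]:
        print(f"{name:10} dmarc_pass={ok!s:5} disposition={disp}")
```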
That's enlightening. We sign with DKIM, have DMARC with p=reject, and SPF `~all`. Which seems to lead to the situation where anyone can send an unsigned email purportedly FROM our domain. It soft-fails because of the `~all`, meaning that it is delivered based on the receiving server's policies for softfail. Microsoft 365 seems to be happy to deliver the spoofed mail as if from our domain: "Received-SPF: SoftFail (protection.outlook.com: domain of transitioning ourdomain.com discourages use of 192.125.1.17 as permitted sender." Nervous to try `-all` as I don't know what will break. – Mark Berry May 25 '21 at 02:36