
I set up SPF, DKIM and DMARC for my email server. I built my own mail server on my personal computer.

Then I disabled DKIM signing and sent an email to Gmail. Gmail showed SPF pass and DMARC pass and told me it was a normal/good email.

So my question is: can I somehow change my DMARC value in the DNS record so as to tell Gmail (and others) to reject or quarantine my email if no DKIM signature is provided?

Again, I know:

  • if the sender IP doesn't match, SPF fails
  • if a DKIM signature is provided but invalid, DKIM fails

I want:

  • if no DKIM signature is provided, DKIM fails or DMARC fails. (Either way, I want the receiver to mark that email as a bad/fake/spam one.)

The reason why I want this is because:

If my ISP impersonates me, it can send emails on my behalf, since it can pass the SPF check.

If a DKIM signature can be made a hard requirement, then my ISP can't do that, because only I have the DKIM private key. (Assuming the DNS record is not spoofed on the receiver side.)

Related: How to prevent ISP impersonating me to send email?

Rick
  • I don't believe that DMARC allows any other mode than "either SPF or DKIM must pass". As a historical note, [ADSP](https://tools.ietf.org/html/rfc5617#section-4.2.1) (Author Domain Signing Practices) provided this type of policy functionality, but it was **abandoned because of limited usage**. I am not aware of any current means of specifying the type of policy that you ask for. – Håkan Lindqvist Apr 26 '20 at 18:03
  • @HåkanLindqvist Thanks. I checked ADSP and set a DNS record for my domain. Let me check if Gmail would use that record when I send an email without DKIM signature. So basically, there's no way to protect me from that kind of threat? [How to prevent ISP impersonating me to send email?](https://security.stackexchange.com/questions/230570/how-to-prevent-isp-impersonating-me-to-send-email) – Rick Apr 27 '20 at 01:02
  • You said you have your own e-mail server, presumably with its own globally unique IP address. In that case, even though it's hosted by your ISP, it's hard for them to impersonate you. You can configure your SPF record so that mail must originate from your IP. Your provider would have to take away your IP address and send e-mail; a very conspicuous act to be sure. – Halfgaar Apr 27 '20 at 08:45
  • @Halfgaar Hmmmm, I don't think it would be difficult, or necessary, to take away my IP to do that. Instead, it might be very easy. Think about the easiest example: when sending emails, as a client, there can be multiple connections to a server. My ISP can simply forge some SMTP packets and send them to Gmail via a plain-text or TLS connection. This model is just like me opening 2 local terminals and sending email from the command line, without them affecting each other; neither would affect my normal internet traffic. – Rick Apr 27 '20 at 09:17
  • 1
    Actually yes, they could configure their routers to briefly divert SMTP traffic away to something with the same address. However, if that's the kind of attacks you're protecting against, you may want to look at e-mail encryption and signing with S/MIME or GPG/GPG. – Halfgaar Apr 27 '20 at 09:55

1 Answer


Set the SPF record to `v=spf1 ?all` and the DMARC record to `v=DMARC1;p=reject;`. That way the SPF check will always return NEUTRAL regardless of the sender IP, so the only emails that will pass the DMARC check and be delivered are the ones signed with a valid DKIM key, as a DMARC PASS requires either SPF or DKIM to pass.

Andrew Schulman
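To see why the answer's records change the outcome, here is an added example (not from the original question or answer) that models the DMARC decision of RFC 7489 section 6.6.2 and a deliberately tiny subset of SPF (only `ip4:` and the terminal `all`). It evaluates the same three messages, one unsigned message from the home server's IP, one DKIM-signed message from that IP, and one unsigned message from an unrelated host, against the asker's original IP-based SPF record and against the `?all` record from the answer. The domain name, IP addresses and the simplified alignment rule are assumptions made for this example.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, client_ip):
    """Evaluate a small subset of SPF (RFC 7208): the ip4: mechanism and the
    terminal 'all' with its qualifier. Returns 'pass', 'fail', 'softfail' or
    'neutral'. Real SPF also handles a:, mx:, include:, redirect= and more."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        term = term.lower()
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term (RFC 7208 section 4.7)


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(identifier, from_domain):
    """Relaxed identifier alignment, simplified for the example: same domain or
    one is a subdomain of the other. RFC 7489 compares organizational domains
    using the public-suffix list; that detail is omitted here (assumption)."""
    if identifier is None:
        return False
    identifier, from_domain = identifier.lower(), from_domain.lower()
    return (identifier == from_domain
            or identifier.endswith("." + from_domain)
            or from_domain.endswith("." + identifier))


def dmarc_disposition(dmarc_record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """RFC 7489 section 6.6.2: DMARC passes if there is an aligned SPF pass OR
    an aligned DKIM pass. Anything else (fail, softfail, neutral, or no
    signature at all) leads to the published p= policy."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return "pass"
    return parse_dmarc(dmarc_record).get("p", "none")


# Constructed scenario: the asker's domain, the home server's address and the
# address of some unrelated host. Both SPF records see the same three messages.
FROM_DOMAIN = "example.com"
MY_IP = "203.0.113.10"
OTHER_IP = "198.51.100.7"
DMARC = "v=DMARC1;p=reject;"
SPF_RECORDS = {
    "ip-based": "v=spf1 ip4:203.0.113.10 -all",  # what the asker started with
    "neutral":  "v=spf1 ?all",                   # what the answer proposes
}


def evaluate(spf_label, client_ip, dkim_signed):
    """Disposition of one message under one SPF record. An unsigned message has
    DKIM result 'none' and no signing domain; a signed one is assumed to verify
    against a selector under FROM_DOMAIN. The MAIL FROM domain is the asker's
    own domain in every case, because the threat is an ISP that can source
    traffic from the asker's IP while claiming to be the asker."""
    spf = spf_check(SPF_RECORDS[spf_label], client_ip)
    dkim_result, dkim_domain = ("pass", FROM_DOMAIN) if dkim_signed else ("none", None)
    return dmarc_disposition(DMARC, FROM_DOMAIN, spf, FROM_DOMAIN, dkim_result, dkim_domain)


if __name__ == "__main__":
    for label, record in SPF_RECORDS.items():
        print(f"SPF {record!r}")
        print("  unsigned, from my IP   :", evaluate(label, MY_IP, False))
        print("  signed,   from my IP   :", evaluate(label, MY_IP, True))
        print("  unsigned, from other IP:", evaluate(label, OTHER_IP, False))
```

With the IP-based record, the unsigned message from the asker's own IP gets an aligned SPF pass and therefore a DMARC pass, which is exactly the behaviour Gmail showed. With `?all` the SPF result is neutral for every sender, so only the DKIM-signed message passes and the unsigned one from the same IP falls through to `p=reject`. Two caveats: this only helps at receivers that actually evaluate DMARC, since a receiver that looks at SPF alone sees neutral rather than fail; and a neutral SPF result gives up the usual benefit of SPF, so DKIM signing on the server must be reliable or legitimate mail will be rejected too.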