
When setting up a DMARC policy for an organization, is it important at all to have SPF alignment?

I've gathered that:

  • Most email service providers support DKIM for a custom domain.
  • Not all email service providers support SPF for a custom domain. Typically these would have passing SPF records for their own domain, but this won't align with the from address.
  • With SPF it's easy to run into DNS lookup limits. With DKIM this isn't the case.
  • Some "Forwarded emails" such as via mailing lists often have failing SPF, but still passing DKIM. Others rewrite the From field completely to avoid DMARC issues.

Given the above, is there a good reason to have SPF alignment at all? Or is DKIM alignment + a DMARC policy always sufficient?

Note: I'm not suggesting not having an SPF policy at all for the custom domain. Just using the external service provider's domain for the Return-Path instead of the custom domain, and therefore not having SPF alignment.

So in this case we'd have:

From: someone@my-domain.net
Return-Path: something@service-provider.net (not aligned)
DKIM-Signature: d=my-domain.net (aligned)
Received from: IP belonging to service-provider.net, passing SPF for service-provider.net.
Ralf
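The DNS lookup limit mentioned in the question is concrete enough to check mechanically. The following is an added example, not code from the question or the answer: it walks an SPF record, follows include: and redirect= targets, and counts the terms that cost a DNS lookup against the limit of 10 from RFC 7208 section 4.6.4. The TXT records are a constructed in-memory table (the provider names are invented) so the script runs offline; a real checker would resolve them with DNS.

```python
"""Count the DNS lookups an SPF record costs (RFC 7208 section 4.6.4 limit of 10)."""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10

# Constructed TXT records for this example; the provider names are invented
# and do not correspond to any real service.
FAKE_TXT = {
    "my-domain.net": (
        "v=spf1 include:_spf.provider-a.example include:spf.provider-b.example "
        "a mx ip4:203.0.113.10 -all"
    ),
    "_spf.provider-a.example": (
        "v=spf1 include:_netblocks.provider-a.example "
        "include:_netblocks2.provider-a.example ~all"
    ),
    "_netblocks.provider-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks2.provider-a.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.provider-b.example": "v=spf1 redirect=_spf.provider-b.example",
    "_spf.provider-b.example": (
        "v=spf1 a mx include:_b1.provider-b.example include:_b2.provider-b.example "
        "include:_b3.provider-b.example ~all"
    ),
    "_b1.provider-b.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_b2.provider-b.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_b3.provider-b.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "tidy.example": "v=spf1 include:_spf.provider-a.example ip4:203.0.113.20 -all",
    "loop.example": "v=spf1 include:loop.example -all",
}


def count_spf_lookups(domain, txt=FAKE_TXT, _path=()):
    """Return how many DNS lookups evaluating domain's SPF record would cost.

    Every include:, a, mx, ptr and exists term and every redirect= modifier
    counts as one lookup; include/redirect targets are followed recursively.
    Each occurrence counts, because a resolver performs each lookup again.
    Simplification (assumption): a target with no record costs its one lookup
    and nothing further (a real evaluator returns permerror), and the separate
    per-mechanism limit on MX/PTR answers is not modelled.
    """
    if domain in _path:
        raise ValueError(f"include/redirect loop via {domain}")
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_spf_lookups(target, txt, _path + (domain,))
            continue
        mech = term.lstrip("+-~?")          # drop the qualifier
        name, _, arg = mech.partition(":")
        name = name.split("/", 1)[0]        # strip a CIDR suffix such as a/24
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_spf_lookups(arg, txt, _path + (domain,))
    return total


def spf_within_limit(domain, txt=FAKE_TXT):
    """True when the record stays within the 10-lookup limit."""
    return count_spf_lookups(domain, txt) <= MAX_LOOKUPS


def has_loop(domain, txt=FAKE_TXT):
    """True when the include/redirect chain refers back to itself."""
    try:
        count_spf_lookups(domain, txt)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for d in ("my-domain.net", "tidy.example"):
        print(f"{d}: {count_spf_lookups(d)} lookups, within limit: {spf_within_limit(d)}")
```

With the constructed table, my-domain.net costs 12 lookups (two top-level includes that expand to 2 and 6 nested lookups, plus a and mx), so receivers would return permerror for it even though every individual record looks reasonable; tidy.example costs 3.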

1 Answer


It's true that either DKIM or SPF alignment is sufficient with DMARC and that DKIM is more robust as it survives forwarding better. However, it's important to understand that despite working together and depending on each other, all three essentially protect different parts of the email authenticity:

  • SPF protects your domain used as the envelope sender
  • DKIM protects the contents (both signed headers and body) from tampering
  • DMARC (assisted with SPF, DKIM or both) protects your domain in the From header.

SPF is still useful:

  • If you don't have a restricting SPF policy, your domain can be abused as the envelope sender. It's pretty common to abuse different weaknesses from different domains within the same spam message: domains not protected with SPF are used for spoofing mail from domains protected by SPF alone.
  • SPF+DMARC alignment can be helpful with services not yet supporting DKIM that are still required to send email from your domain.
  • If you have SPF in place and already use DKIM+DMARC alignment, there's no reason to deliberately use unaligned domains as the envelope sender, unless there are restrictions from 3rd parties. Although not as common, occasionally DKIM fails, too, if the contents get modified, e.g. due to some misconfiguration. An additional SPF+DMARC alignment may help such a message survive.

Also, not every receiving MTA treats DMARC policies as described in the DMARC specification (non-standard, informational RFC 7489). Many, including Microsoft, do not respect p=reject as intended (per section 10.3), i.e. rejecting at the connection stage or silently discarding the mail, but use the results as part of a more complex spam scoring system. In such cases having both alignments may give your message a better reputation in their eyes.

Esa Jokinen
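To make the "either alignment is sufficient" rule and the three scenarios in this thread concrete, here is an added example (not code from the question or the answer) that performs the DMARC alignment step a receiver runs after SPF and DKIM have produced their results. The scenarios are constructed and use the domains from the question's header listing; the organizational-domain shortcut (last two labels) is an assumption for brevity, since real implementations use the Public Suffix List.

```python
from dataclasses import dataclass, field


def organizational_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.

    Simplification (assumption): keep the last two labels. Real DMARC
    implementations consult the Public Suffix List, so a domain such as
    example.co.uk is not handled correctly by this shortcut.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment per RFC 7489 section 3.1.

    mode "s" (strict): exact match. mode "r" (relaxed): same organizational domain.
    """
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    """What the receiver already knows before the DMARC step."""
    from_domain: str        # RFC5322.From domain (what DMARC protects)
    mail_from_domain: str   # RFC5321.MailFrom / Return-Path domain (SPF identifier)
    spf_result: str         # SPF result for mail_from_domain: pass / fail / none ...
    dkim_signatures: list = field(default_factory=list)  # (d= domain, result) per signature


def dmarc_evaluate(r: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if at least one authenticated identifier is aligned."""
    spf_aligned = r.spf_result == "pass" and aligned(r.mail_from_domain, r.from_domain, aspf)
    dkim_aligned = any(
        res == "pass" and aligned(d, r.from_domain, adkim)
        for d, res in r.dkim_signatures
    )
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


# Constructed scenarios (not real mail); domains as in the question.
SCENARIOS = {
    # The question's setup: Return-Path on the provider, DKIM d= on the custom domain.
    "provider_return_path": AuthResults(
        "my-domain.net", "service-provider.net", "pass",
        [("my-domain.net", "pass")]),
    # Same message after a mailing list modified the body: DKIM broken, SPF unaligned.
    "list_broke_dkim": AuthResults(
        "my-domain.net", "service-provider.net", "pass",
        [("my-domain.net", "fail")]),
    # Body modified in transit, but the Return-Path is on the custom domain:
    # SPF alignment rescues the message (the answer's third bullet).
    "spf_rescues": AuthResults(
        "my-domain.net", "bounce.my-domain.net", "pass",
        [("my-domain.net", "fail")]),
}


def evaluate_all(adkim: str = "r", aspf: str = "r") -> dict:
    """Run every scenario under the given alignment modes."""
    return {name: dmarc_evaluate(r, adkim, aspf) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:22s} {verdict}")
```

Note the last scenario under aspf=s: bounce.my-domain.net no longer aligns with my-domain.net, so a strict policy would lose the SPF fallback the answer describes.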
  • I was in the middle of writing pretty much exactly this, but you did it better and faster. – Michael Hampton Jul 07 '20 at 12:45
  • Hi, Michael! This time I happened to be slightly faster, but I know the feeling from reading many of your answers while still thinking of my own. Feel free to improve, if I have missed something! :) – Esa Jokinen Jul 07 '20 at 12:48
  • Thanks! This is great info that is hard to find online. – Ralf Jul 08 '20 at 14:13