26

I'm sorry for the vague title. I don't fully understand why SPF and DKIM should be used together.

First: SPF can pass where it should fail if the sender or DNS is "spoofed", and it can fail where it should pass if some advanced setup of proxies and forwarders is involved.

DKIM can pass where it should fail, either because of an error/weakness in the cryptography (we rule this out, hence the simplified point), or because the DNS query is spoofed.

Since the cryptography error is ruled out, the difference (as I see it) is that DKIM can be used in setups where SPF would fail. I can't come up with any examples where one would benefit from using both. If the setup allows for SPF, then DKIM should not add any extra validation.

Can anyone give me an example of the benefit of using both?

deleted user 42
  • 363
  • 1
  • 3
  • 6

3 Answers

26

This was answered some time ago, but I think the accepted answer lacks the point of why both must be used together to be effective.

SPF checks the IP of the last SMTP server hop against an authorized list. DKIM validates that the mail was initially sent by a given domain, and guarantees its integrity.

Valid DKIM signed messages can be used as spam or phishing by being resent with no modification. SPF does not check message integrity.

Imagine a scenario where you receive a valid DKIM signed email (from your bank, a friend, whatever), and you find a good way to exploit this mail without modification: then you can just resend this mail thousands of times to different people. As there is no modification of the mail, the DKIM signature will still be valid and the message will pass as legitimate.

Anyway, SPF checks the origin (real IP/DNS of SMTP server) of the mail, so SPF will prevent the forwarding of the mail as you cannot resend a valid mail through a well configured SMTP server, and mail coming from other IPs will be rejected, effectively preventing the resending of "valid" DKIM messages as spam.

Pedro
  • 361
  • 3
  • 2
  • Would you please give some of examples of how the mail can be exploited without modification? – user3413723 Jan 03 '17 at 23:49
  • 1
    Any email starting with a generic "Dear customer", "Dear user", or "Dear . This is why it is important that legitimate emails for you always contain at least 1 piece of your personal information, like part of your post/zip code, or your full name. (That makes them more authentic and non-reusable.) – Adambean May 22 '17 at 14:53
  • 1
    But if the header fields have been signed, including the recipients, then surely this removes the possibility of a replay attack against new recipients? i.e. Adding signatures `h=from:to;` (*from* being required in [RFC 6376](https://tools.ietf.org/html/rfc6376#page-38), *to* being optional) should only allow for replay attacks on the same recipient. Which is bad, but not as bad as what this answer is suggesting. – Richard Dunn Aug 20 '19 at 08:58
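As an added illustration (not code from the page or from any of the answerers), the Python below models the replay this answer and its comments discuss: a toy DKIM signer and verifier over the h= headers plus body hash, an SPF evaluator for ip4 mechanisms and the all terminal, and a receiving-side check that takes the SMTP envelope recipient but, like real SPF and DKIM, never feeds it into either test. The RSA key generation is textbook and demo-sized, the canonicalisation is a stripped-down "simple" mode, and the DNS records, hosts, IPs and message are all constructed for the example.

```python
"""Toy SPF/DKIM checks (added illustration, not a real implementation).
RSA is textbook (no padding, 512-bit demo modulus), canonicalisation is a
simplified 'simple' mode, DNS is a dict. Everything below is constructed."""
import hashlib
import ipaddress
import random

SIGNED_HEADERS = ("from", "to", "subject")  # the h= list; the envelope is never in it
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; adequate for demo key generation."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return (public=(n, e), private=(n, d)). Real DKIM keys are 1024/2048-bit."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _signing_input(headers: dict, body: str) -> bytes:
    """Signed headers in h= order, then the body hash (bh=), CRLF-joined."""
    bh = hashlib.sha256(body.encode()).hexdigest()
    lines = [f"{h}:{headers[h]}" for h in SIGNED_HEADERS] + [f"bh={bh}"]
    return "\r\n".join(lines).encode()


def dkim_sign(headers: dict, body: str, domain: str, selector: str, priv) -> dict:
    n, d = priv
    digest = hashlib.sha256(_signing_input(headers, body)).digest()
    sig = pow(int.from_bytes(digest, "big"), d, n)  # no PKCS#1 padding: toy only
    return {**headers, "dkim-signature": {"d": domain, "s": selector, "b": sig}}


def dkim_verify(headers: dict, body: str, dns: dict) -> bool:
    """Look up <s>._domainkey.<d> and check the signature over headers + body hash."""
    tag = headers.get("dkim-signature")
    key = dns.get(f"{tag['s']}._domainkey.{tag['d']}") if tag else None
    if key is None:
        return False
    n, e = key
    digest = hashlib.sha256(_signing_input(headers, body)).digest()
    return pow(tag["b"], e, n) == int.from_bytes(digest, "big")


def spf_check(client_ip: str, mail_from_domain: str, dns: dict) -> str:
    """Evaluate ip4 mechanisms and the 'all' terminal of a v=spf1 TXT record."""
    record = dns.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUAL else ("+", term)
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUAL[qual]
        if mech == "all":
            return QUAL[qual]
    return "neutral"


def receive(client_ip, mail_from_domain, envelope_rcpt, headers, body, dns) -> dict:
    """What a receiving MTA evaluates. envelope_rcpt mirrors SMTP's RCPT TO but
    feeds neither check: that gap is what makes replay to new recipients possible."""
    return {"spf": spf_check(client_ip, mail_from_domain, dns),
            "dkim": dkim_verify(headers, body, dns)}


def run_scenario() -> dict:
    """Constructed scenario: bank mail, the same bytes replayed, and a tampered copy."""
    pub, priv = generate_keypair()
    dns = {"sel1._domainkey.bank.example": pub,                 # DKIM key record
           "bank.example": "v=spf1 ip4:203.0.113.0/24 -all"}    # SPF record
    headers = {"from": "alerts@bank.example", "to": "customer@example.net",
               "subject": "Dear customer, please confirm your details"}
    body = "Follow the link below to confirm your account.\r\n"
    signed = dkim_sign(headers, body, "bank.example", "sel1", priv)
    return {
        # legitimate delivery from the bank's own MTA: both pass
        "original": receive("203.0.113.10", "bank.example", "customer@example.net", signed, body, dns),
        # identical bytes resent from an attacker host to a new envelope recipient:
        # DKIM still verifies, SPF rejects the connecting IP
        "replay": receive("198.51.100.7", "bank.example", "victim@example.org", signed, body, dns),
        # edited body: bh= no longer matches, so the signature fails
        "tampered": receive("203.0.113.10", "bank.example", "customer@example.net",
                            signed, body.replace("below", "at login.evil.example"), dns),
    }
```

The replay case above keeps the bank's domain in MAIL FROM, which is what makes SPF fail. If the replayer instead uses an envelope domain whose SPF record authorises their own host, SPF passes for that domain while the signed From: header still says bank.example; only DMARC's alignment check ties the two together. RFC 6376 also lets the signer add an x= expiration tag, which bounds how long an unmodified message stays replayable.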
16

SPF has many more rankings than Pass/Fail. Using these in heuristically scoring spam makes the process easier and more accurate. Failing on account of "advanced setups" indicates the mail admin didn't know what he was doing in setting up the SPF record. There's no setup that SPF can't account for correctly.

Cryptography doesn't work in absolutes, ever. The only crypto allowed in DKIM usually takes significant resources to break. Most people consider this safe enough. Everyone should evaluate their own situations. Again, DKIM has more rankings than just Pass/Fail.

One example where one would benefit from using both: sending to two different parties where one checks SPF and the other checks DKIM. Another example, sending to a party with content that would normally rank highly in spam test, but that is offset by both DKIM and SPF, allowing the mail to be delivered.

Neither are required in most cases, though individual mail administrators set their own rules. Both help to address different facets of SPAM: SPF being who is relaying e-mail and DKIM being the integrity of e-mail and authenticity of origin.

Chris S
  • 77,337
  • 11
  • 120
  • 212
  • Ok, I follow your points (especially that some may simply use only one of the two - how did I not see that!). So SPF and DKIM might have different settings and rankings, but overall, they are two faces of the same coin. To your last point: A mail from an authorized relay (SPF) should be trusted just as much as a valid DKIM signature.. After all, the owner of the domain has approved of both. I just tested my mail with only SPF, and while my university and gmail seem to accept it, hotmail regards it as spam - maybe because they rely on DKIM. Thanks for your comment Chris! – deleted user 42 Jul 15 '13 at 17:15
  • Hotmail uses SenderID (SPF 2.0 so to say), DKIM, SenderScore, PBLs, and their own filtering technology. They're a bit secretive about the exact formula. – Chris S Jul 15 '13 at 17:29
4

Here are some reasons you should always publish both SPF and DKIM.

  1. Some mailbox providers only support one or the other and some support both but weight one more than the other.

  2. DKIM protects email from being altered in transit, SPF does not.

I'd add DMARC to the list, too. What's the downside to always publishing full email auth?

Neil Anuskiewicz
  • 431
  • 1
  • 3
  • 15
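As an added illustration of the DMARC point in this answer (my own example, not code from the page or from any of the answerers), the Python below combines an SPF result and a DKIM result with identifier alignment against the From: header domain, the way a DMARC evaluator decides pass/fail and which disposition to apply. The DNS records, domains and results are constructed; the organisational-domain helper uses the last two labels as a stand-in for the Public Suffix List lookup real DMARC performs, so it only fits the .example names used here.

```python
"""Toy DMARC evaluation (added illustration): combine SPF and DKIM results
with identifier alignment against the RFC 5322 From: domain. DNS is a dict."""


def _org_domain(domain: str) -> str:
    """Crude organisational domain: last two labels. Real DMARC uses the Public
    Suffix List; this assumption only holds for the .example names below."""
    return ".".join(domain.lower().split(".")[-2:])


def _aligned(candidate: str, header_from: str, mode: str) -> bool:
    """'s' = strict (exact match), 'r' = relaxed (same organisational domain)."""
    if mode == "s":
        return candidate.lower() == header_from.lower()
    return _org_domain(candidate) == _org_domain(header_from)


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; adkim=r' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def dmarc_evaluate(header_from: str, spf: str, mail_from: str,
                   dkim: str, dkim_d: str, dns: dict) -> dict:
    """spf/dkim are raw results ('pass', 'fail', 'none', ...); mail_from is the
    domain SPF was evaluated for and dkim_d the d= of the verified signature."""
    record = dns.get(f"_dmarc.{header_from}") or dns.get(f"_dmarc.{_org_domain(header_from)}")
    if record is None:
        return {"result": "none", "disposition": "none"}
    tags = parse_dmarc(record)
    # each mechanism counts only if it passed AND its identifier aligns with From:
    spf_ok = spf == "pass" and _aligned(mail_from, header_from, tags.get("aspf", "r"))
    dkim_ok = dkim == "pass" and _aligned(dkim_d, header_from, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {"result": "pass" if passed else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else tags.get("p", "none")}


def run_cases() -> dict:
    """Constructed cases showing what each mechanism adds under DMARC."""
    dns = {"_dmarc.bank.example": "v=DMARC1; p=reject; adkim=r; aspf=r"}
    return {
        # sent directly by the bank: both mechanisms pass and align
        "direct": dmarc_evaluate("bank.example", "pass", "bank.example",
                                 "pass", "bank.example", dns),
        # relayed by a mailing list / forwarder: the forwarder's IP fails SPF,
        # but the untouched DKIM signature still carries the message through
        "forwarded": dmarc_evaluate("bank.example", "fail", "bank.example",
                                    "pass", "bank.example", dns),
        # spoofer forges From: bank.example but uses their own MAIL FROM domain:
        # SPF passes for attacker.example yet does not align, and there is no bank DKIM
        "spoofed": dmarc_evaluate("bank.example", "pass", "attacker.example",
                                  "none", "", dns),
        # SPF-only sender with a subdomain envelope: relaxed aspf accepts it
        "subdomain_spf_only": dmarc_evaluate("bank.example", "pass", "news.bank.example",
                                             "none", "", dns),
    }
```

The forwarded case is the situation the question describes (a setup where SPF fails) and shows why a domain that publishes only SPF loses legitimate mail there, while the spoofed case shows why an SPF pass on its own means little until alignment ties it to the visible sender.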