
I have SPF and DKIM set up and working for the email domain I administer. The next recommended step is to set up DMARC since SPF and DKIM are both in place.

What are the benefits of using DMARC if both SPF and DKIM are already functioning as expected?

poke
  • Be aware that DMARC violates the RFCs on well-behaved mailing lists. If you publish DMARC records for your domain, and check DMARC on incoming email, you will break your users' ability to subscribe to mailing lists. – MadHatter Mar 28 '16 at 10:19

2 Answers


DMARC is how you define validation, disposition and reporting policies for your domain, and of more interest to you here, for messages that fail to pass SPF and DKIM (the two of them together).

Between DMARC, SPF and DKIM, it's DMARC that checks if the From: domain matches any of the domains that passed SPF or DKIM. If there's no match, then the DMARC policy you selected is applied.

Without DMARC, an attacker can manipulate SPF to their advantage by using a MAIL FROM domain they control. This would then allow them to use your domain in the From: header. However, to pass DMARC with SPF, they would have to use the same domain in MAIL FROM and in the From: header.

Similarly, attackers can choose to sign messages with whatever DKIM keys they wish. However, to be able to pass DMARC with DKIM, they would have to sign with your From: domain DKIM keys.

Marco
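The identifier alignment check described in the answer above, as an added example that is not from the answer's author: a small Python model of DMARC evaluation that takes the SPF and DKIM results a receiver already has, applies the `aspf`/`adkim` alignment mode from the `_dmarc` record, and returns the result and the `p=` disposition. The domains, the record and the `AuthResult` helper are constructed for illustration, and `org_domain` is a deliberate simplification (last two labels) of the Public Suffix List lookup a real implementation would use.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    """Outcome of the SPF and DKIM checks the receiver already ran (constructed)."""
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # MAIL FROM (envelope sender) domain that SPF evaluated
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the DKIM signature that verified

def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: last two labels; real
    implementations consult the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def parse_dmarc(record: str) -> dict:
    """Minimal tag=value parser for a _dmarc TXT record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    tags.setdefault("adkim", "r")   # RFC 7489 defaults: relaxed alignment
    tags.setdefault("aspf", "r")
    return tags

def dmarc_evaluate(from_domain: str, auth: AuthResult, record: str):
    """Return (dmarc_result, disposition). A message passes when at least one
    authenticated identifier aligns with the RFC5322.From domain."""
    tags = parse_dmarc(record)
    spf_aligned = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, tags["aspf"])
    dkim_aligned = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags.get("p", "none")

# Constructed sample: our record and two messages both claiming From: example.com.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
LEGIT = AuthResult("pass", "bounce.example.com", "pass", "example.com")
# SPF and DKIM both "pass", but only for a domain the sender controls: no alignment.
SPOOF = AuthResult("pass", "attacker.example", "pass", "attacker.example")
```

The second sample is exactly the case the answer describes: SPF and DKIM individually succeed, yet DMARC fails because neither authenticated domain is the From: domain.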

There are a couple of parts to the answer here. First, with DMARC you will know for sure what your authentication rates are. Sure, one or two test messages may pass, but do all messages you send pass authentication? Also, are there any senders you don't know about? (For example, did someone in Marketing just sign up with ConstantContact because they heard an ad on the radio and not tell you? I see that happen all the time, and DMARC will expose it to you.)

Secondly, once you have validated with DMARC that you have discovered all possible senders of email and that authentication is at or near 100%, you can put a more restrictive policy in place such as p=reject, preventing anyone who is not you from using your domain to send spam or other abuse.

It's often quite illuminating putting a DMARC record in; in many, many cases there are third parties you've never heard of abusing the domain you own for their own purposes.

cmeid