9

Is there a way to enforce DMARC to fail/reject mail that doesn't pass BOTH DKIM and SPF?

We have been narrowing the number that are failing, but there are some domains in our aggregate (rua) report that are passing just DKIM and we would rather that they fail our DMARC because we don't recognize them.

The domains that we do recognize are fully-aligned.

Our end goal is that unless it is fully aligned (both DKIM AND SPF), the message will be rejected.

3 Answers

7

Under the basic assumptions underpinning DMARC, nobody should be able to pass either a DKIM or SPF test as your domain, unless the mail is coming from a server you control. A pass for either of the two is enough to confirm this.

Thus there is no way to force DMARC to require both pass, and there should be no reason to do so.

If third parties are able to pass DKIM tests as you, and you did not authorise them, then you have a security problem, and this is what you need to fix.

First, make sure you haven't just made a mistake interpreting the reports you are seeing. Are they DKIM signed, but with a domain that's not yours? If so, there's nothing you need to do. But if emails not authorised by you are DKIM signed with your domain, this indicates you're doing something wrong.

Steps to take:

  • Generate a new DKIM key, start signing with it, and remove references to the old key from your DNS records (leaving the old DNS records will allow the old key to continue to be used).

  • Keep the private part of your DKIM key secure. By default, it should be hidden from all except root on your server. Keep it this way.

  • Make sure you are not signing mail that is coming in from untrusted sources. You should be only adding DKIM signatures to mail that originates with you and your users.

    If using OpenDKIM this is controlled by the InternalHosts option, and you should also make sure that you are not re-running OpenDKIM after passing mail through a local filter or proxy which would make it look like the mail originated internally.

thomasrutter
4

DMARC is working as designed; if at least one of SPF or DKIM passes (and is aligned), the message passes DMARC and is delivered. Most likely, the messages that are failing SPF but passing DKIM (signature valid and aligned) are messages that have been forwarded. (Forwarded messages will fail SPF, while a DKIM signature can survive forwarding.)

jnaab
  • True. SPF is a very unreliable mechanism (due to widespread practice of forwarding), thus SPF is only a fallback to partially cover occasional DKIM failures. – kubanczyk Oct 08 '18 at 20:27
1

No, DMARC is designed to only require either DKIM + ADKIM or SPF + ASPF to pass.

There is no requirement to make it require both.

I find it hard to understand how DKIM passes the alignment test: if the d= key doesn't match the From, then it will fail the ADKIM test.

Take a look at how the identifiers must match up here: DMARC Email Identifiers

Even if you didn't specify adkim in your DMARC record, it's defaulted to "Relaxed" which still wouldn't line up.

Henry
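One way to run the check the answers describe against an aggregate report, as an added example that is not part of any answer above: it applies the DMARC rule (an aligned DKIM pass or an aligned SPF pass is enough) to each record and shows which `d=` domain produced a DKIM-only pass. The report is constructed, and `org_domain` is a simplifying assumption that takes the last two labels instead of consulting the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate (rua) report; domains and IPs are made up.
SAMPLE_RUA = """<feedback>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>198.51.100.7</source_ip></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>mail.example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
  <record><row><source_ip>203.0.113.5</source_ip></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>mailer.example.net</domain><result>pass</result></dkim>
      <spf><domain>bounce.example.net</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def org_domain(domain):
    # Assumption: last two labels; real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    # mode "s" = strict (exact match); anything else = relaxed (same org domain).
    a, f = auth_domain.lower(), header_from.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def aligned_passes(rec, kind, header_from, mode):
    """Domains under auth_results/<kind> that passed AND align with header_from."""
    hits = []
    for el in rec.iterfind(f"auth_results/{kind}"):
        dom = el.findtext("domain") or ""
        if el.findtext("result") == "pass" and aligned(dom, header_from, mode):
            hits.append(dom)
    return hits

def classify(xml_text):
    # Returns (source_ip, DMARC verdict, aligned DKIM d= domains) per record.
    root = ET.fromstring(xml_text)
    adkim = root.findtext("policy_published/adkim") or "r"  # default is relaxed
    aspf = root.findtext("policy_published/aspf") or "r"
    rows = []
    for rec in root.iter("record"):
        hf = rec.findtext("identifiers/header_from") or ""
        dkim = aligned_passes(rec, "dkim", hf, adkim)
        spf = aligned_passes(rec, "spf", hf, aspf)
        how = "both" if dkim and spf else "DKIM only" if dkim else "SPF only"
        rows.append((rec.findtext("row/source_ip"), f"pass ({how})" if dkim or spf else "fail", dkim))
    return rows
```

The third record passes raw DKIM and SPF for the sender's own domain but fails DMARC for `example.com`, which is the "signed with a domain that's not yours" case; a DKIM-only pass that lists your own domain is the case to investigate.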