
Am I right to say that DMARC has no way to say "all emails must be signed". My understanding here is that I can specify that I want DKIM to be either lax or strict - which I understand to mean that, if the message happens to be signed (consider email sent from example@b.com):

  • Lax: it's ok for the DKIM DNS TXT record to belong to a subdomain (example@a.b.com)
  • Strict: the DKIM DNS TXT record must belong to the exact sending domain (example@b.com)

However, there are also emails which either have no DKIM signature at all, or which contain example@b.com in the FROM header but have an SMTP envelope from like example@some-mail-sending-service.com and do have a DKIM signature which is valid for some-mail-sending-service.com but not for b.com.

In both cases above, am I right to say that these are both "PASSES" in a sense? The former example has no invalid DKIM so it's just OK, and the latter is actually an aligned DKIM pass for the envelope from, so it is also considered OK?

If I have a DMARC policy like:

v=DMARC1;p=reject;rua=mailto:xyz;ruf=mailto:xyz;adkim=s;aspf=s;pct=100;fo=1;sp=reject

Am I right to say that a malicious party will not be rejected for reasons relating to DKIM if they either:

  1. Use no DKIM at all.
  2. Send from a mail server which does use DKIM with a valid signature and uses an SMTP envelope.

In both above cases the DKIM policy of DMARC alone would not cause this email to be blocked?

David



I think you're mainly missing the 'alignment' which is required to get a DMARC compliant mail. This is what differentiates DMARC from the existing techniques.

Alignment means that DMARC requires you to set up authentication (SPF/DKIM) using the same* domain as the "From" domain. You mentioned alignment between the SPF domain (Envelope From) and the DKIM domain; however, this does not apply.

So an attacker cannot get a mail to pass DMARC if they would:

  • use a 'From' header of your-company.com
  • sign the mail with a passing DKIM signature (d=attacker.com)
  • send with a passing Envelope From (/Return-Path) of attacker.com

*) Using the alignment mode you can specify if you'd like an exact match (Strict) or would like to allow a match of a subdomain (Relaxed)

Does this help you and answer your question?

Regards,

Michiel

DMARC Analyzer

  • Hi Michiel, it's great to have an authoritative source like yourself helping out here. I actively use the https://dmarcanalyzer.com tool. My concern here is two-fold: 1) what happens if a message isn't signed at all using DKIM - is this considered by your site specifically as a "DMARC compliant message"? Secondly, regardless of strict or lax policy in DMARC for DKIM (which I think is to do with whether the domain key TXT record comes from `mysite.com` (strict match) or `sub.mysite.com` (lax match)), what happens if the mail is signed by a different domain with a key which is valid for that domain? – David Oct 12 '18 at 10:30
  • 1) If that message has a SPF pass result with an aligning domain, this message would be DMARC compliant. Otherwise it would not. 2) The DKIM domain is taken from the DKIM 'd=' parameter. This parameter also defines where ISPs should look for the key in question. `selector._domainkey.d-parameter-domain.tld`. If you use `strict`, these domains should have an exact match, if you use another domain the result will not 'align' and the message will not be DMARC compliant. If you use `relaxed`, the message _will_ be aligned when you use a(/another) subdomain of the main domain. Does this help? – DMARC Analyzer - Michiel Oct 15 '18 at 06:42
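The alignment rule described in the answer and comments above, as an added worked example that is not part of the original post and not DMARC Analyzer's code: a small model of the RFC 7489 identifier-alignment check, run against the question's own DMARC record and the scenarios David asked about (no DKIM at all, a valid DKIM signature for a different domain, a third-party sender signing with `d=b.com`). It assumes SPF and DKIM have already been verified and only models their results and the domains they authenticated, and it approximates the organizational domain as the last two labels (real receivers use the Public Suffix List). Domain names, the `Message`/`DkimResult` classes and the `scenarios()` helper are my own constructions.

```python
"""Added example: DMARC alignment check modelled on RFC 7489 (not the page's code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# The DMARC record quoted in the question (published at _dmarc.b.com).
RECORD = "v=DMARC1;p=reject;rua=mailto:xyz;ruf=mailto:xyz;adkim=s;aspf=s;pct=100;fo=1;sp=reject"


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag -> value dict; defaults per RFC 7489."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("adkim", "r")   # relaxed is the default alignment mode
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def organizational_domain(domain: str) -> str:
    # ASSUMPTION (simplification): last two labels. Production code must use the PSL.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else organizational_domain(a) == organizational_domain(b)


@dataclass
class DkimResult:
    d: str            # domain from the signature's d= tag (where selector._domainkey.<d> is looked up)
    passed: bool      # signature verified against that key


@dataclass
class Message:
    from_domain: str                      # RFC5322.From header domain
    envelope_from: Optional[str]          # RFC5321.MailFrom domain (None if empty)
    spf_pass: bool
    dkim: List[DkimResult] = field(default_factory=list)


def dmarc_pass(msg: Message, record: dict) -> bool:
    """DMARC passes if SPF passed with an aligned envelope-from, OR any DKIM
    signature verified with an aligned d=. An absent or failing DKIM signature
    is never a failure by itself; it simply cannot contribute a pass. Alignment
    is always measured against the From header, never between SPF and DKIM."""
    if msg.spf_pass and msg.envelope_from and aligned(msg.from_domain, msg.envelope_from, record["aspf"]):
        return True
    return any(sig.passed and aligned(msg.from_domain, sig.d, record["adkim"]) for sig in msg.dkim)


def disposition(msg: Message, record: dict, policy_domain: str) -> str:
    """'pass', or the p=/sp= action for a failing message (pct= ignored here)."""
    if dmarc_pass(msg, record):
        return "pass"
    if msg.from_domain.lower() != policy_domain.lower() and "sp" in record:
        return record["sp"]           # sp= applies to subdomains of the publishing domain
    return record["p"]


def scenarios() -> dict:
    """The cases from the question, evaluated against the question's record."""
    rec = parse_dmarc_record(RECORD)
    relaxed = dict(rec, adkim="r")
    return {
        # 1) attacker spoofs From b.com, sends unsigned from their own server
        "unsigned_attacker": disposition(
            Message("b.com", "attacker.com", True), rec, "b.com"),
        # 2) attacker signs with a key that is valid for attacker.com (d=attacker.com)
        "foreign_dkim_attacker": disposition(
            Message("b.com", "attacker.com", True, [DkimResult("attacker.com", True)]), rec, "b.com"),
        # legitimate third-party sender: envelope from the service, but DKIM d=b.com
        "third_party_signed_by_b": disposition(
            Message("b.com", "some-mail-sending-service.com", True, [DkimResult("b.com", True)]), rec, "b.com"),
        # subdomain key with adkim=s (strict) vs adkim=r (relaxed)
        "subdomain_key_strict": disposition(
            Message("b.com", "some-mail-sending-service.com", True, [DkimResult("a.b.com", True)]), rec, "b.com"),
        "subdomain_key_relaxed": disposition(
            Message("b.com", "some-mail-sending-service.com", True, [DkimResult("a.b.com", True)]), relaxed, "b.com"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28s} -> {result}")
```

Both attacker cases come out as `reject` even though nothing DKIM-related "failed": the record's `p=reject` is applied because no authenticated identifier aligns with `b.com`, which is exactly the point Michiel makes. The third-party case shows the legitimate way to pass, an aligned `d=b.com` signature regardless of the envelope-from domain; the subdomain pair shows what `adkim=s` versus `adkim=r` changes.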