Am I right to say that DMARC has no way to say "all emails must be signed"? My understanding here is that I can specify that I want DKIM to be either lax or strict - which I understand to mean that, if the message happens to be signed (consider email sent from example@b.com):
- Lax: it's ok for the DKIM DNS TXT record to belong to a subdomain (example@a.b.com)
- Strict: the DKIM DNS TXT record must belong to the exact sending domain (example@b.com)
However, there are also then emails which either have no DKIM signature at all, and other emails which might contain example@b.com in the FROM header but have an SMTP envelope from like example@some-mail-sending-service.com and do have a DKIM signature which is valid for some-mail-sending-service.com but not for b.com.
In both cases above, am I right to say that these are both "PASSES" in a sense? The former example has no invalid DKIM so it's just OK, and the latter is actually an aligned DKIM pass for the envelope from, so is also considered OK?
If I have a DMARC policy like:
v=DMARC1;p=reject;rua=mailto:xyz;ruf=mailto:xyz;adkim=s;aspf=s;pct=100;fo=1;sp=reject
Am I right to say that a malicious party will not be rejected for reasons relating to DKIM if they either:
- Use no DKIM at all.
- Send from a mail server which does use DKIM with a valid signature and uses an SMTP envelope.
In both above cases the DKIM policy of DMARC alone would not cause this email to be blocked?
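The DMARC evaluation the question asks about, worked through as an added example (this is not code from the original post or from any mail library): it applies the RFC 7489 rules, under which DMARC passes only if at least one authenticated identifier, either the envelope domain that SPF checked or the d= domain of a DKIM signature that verified, aligns with the From header domain, with adkim/aspf selecting strict (exact match) or relaxed (same organizational domain) alignment. The public-suffix table, the scenario inputs and the helper names are constructed assumptions for the example; the record under test is the one quoted in the question.

```python
"""DMARC alignment evaluation (RFC 7489 sections 3.1 and 6.6.2).

Added example, not code from the original post. The public-suffix table and
the sample authentication results are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the Public Suffix List (assumption: a real
# implementation loads the full list from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' needs the same
    organizational domain. An unsigned message has no auth_domain at all
    and therefore never aligns."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    if mode == "r":
        return organizational_domain(a) == organizational_domain(f)
    raise ValueError(f"unknown alignment mode {mode!r}")


@dataclass
class DkimResult:
    d: str        # the d= tag of the DKIM-Signature header
    result: str   # "pass", "fail", "permerror", ...


@dataclass
class AuthResults:
    from_domain: str                 # domain of the RFC5322.From header
    spf_result: str                  # "pass", "fail", "none", ...
    spf_domain: Optional[str]        # RFC5321.MailFrom (envelope) domain SPF checked
    dkim: List[DkimResult] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def evaluate_dmarc(record: str, r: AuthResults) -> Dict[str, object]:
    """DMARC passes if at least one authenticated identifier aligns with the
    From domain; otherwise the record's p= disposition applies. pct and sp
    are ignored here (assumption: From domain is the policy domain, pct=100)."""
    tags = parse_dmarc(record)
    adkim = tags.get("adkim", "r")
    aspf = tags.get("aspf", "r")
    spf_aligned = (r.spf_result == "pass" and r.spf_domain is not None
                   and aligned(r.spf_domain, r.from_domain, aspf))
    dkim_aligned = any(d.result == "pass" and aligned(d.d, r.from_domain, adkim)
                       for d in r.dkim)
    passed = spf_aligned or dkim_aligned
    return {
        "spf_aligned_pass": spf_aligned,
        "dkim_aligned_pass": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else tags.get("p", "none"),
    }


QUESTION_POLICY = ("v=DMARC1;p=reject;rua=mailto:xyz;ruf=mailto:xyz;"
                   "adkim=s;aspf=s;pct=100;fo=1;sp=reject")
RELAXED_POLICY = "v=DMARC1;p=reject;adkim=r;aspf=r"

# Constructed scenarios mirroring the cases in the question.
SCENARIOS = {
    # From b.com, no DKIM signature, third-party envelope sender passes SPF.
    "no_dkim_third_party_spf": AuthResults(
        "b.com", "pass", "some-mail-sending-service.com", []),
    # From b.com, valid DKIM signed by the sending service, third-party SPF pass.
    "third_party_dkim": AuthResults(
        "b.com", "pass", "some-mail-sending-service.com",
        [DkimResult("some-mail-sending-service.com", "pass")]),
    # From b.com, DKIM signed with d=b.com (SPF no longer matters once DKIM aligns).
    "own_dkim": AuthResults("b.com", "fail", "some-mail-sending-service.com",
                            [DkimResult("b.com", "pass")]),
    # From b.com, DKIM signed with d=a.b.com: aligns only in relaxed mode.
    "subdomain_dkim": AuthResults("b.com", "none", None,
                                  [DkimResult("a.b.com", "pass")]),
}


def dispositions(record: str) -> Dict[str, str]:
    """Evaluate every scenario against one record; returns name -> disposition."""
    return {name: str(evaluate_dmarc(record, r)["disposition"])
            for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for label, record in (("strict (record from the question)", QUESTION_POLICY),
                          ("relaxed", RELAXED_POLICY)):
        print(label)
        for name, disp in dispositions(record).items():
            print(f"  {name:28s} -> {disp}")
```

Running it prints the disposition each scenario receives under the strict record from the question and under a relaxed variant; the two scenarios taken from the question are the first two entries, and the subdomain case shows where adkim=s and adkim=r differ.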