
I understand how SPF is involved with DMARC alignment, but one thing I can't get clear: is the SPF policy (-all or ~all) used in DMARC? Or does DMARC merely use the IP ranges?

The issue is that, as we all know, SPF breaks forwarding. DKIM is a lot better when it comes to forwarding. So, now that I have DKIM+DMARC implemented, can I relax my SPF policy because DMARC will take care of checking SPF alignment?

Lexib0y
Halfgaar

2 Answers


DMARC actually evaluates your SPF result, looking for a PASS, as well as alignment between the smtp.mailfrom domain and the header.from domain. As long as SPF does not produce a pass (whether you have the ?all, ~all or -all mechanism at the end), DMARC will not consider the SPF result a PASS. The same holds true for DKIM. The header.d domain should align with the header.from domain and the result should be PASS.

However, and to answer your question partly, some servers will interpret an SPF hard fail (-all) as a reason to reject your emails, even though it passes DMARC on DKIM.

On the other hand, not all receiving servers check DMARC. So an SPF soft fail (~all) will not cause an email to be rejected on its own (generally speaking). At the same time, SPF is not the greatest tool for protecting against spoofing, since SPF is checked on the smtp.mailfrom domain instead of the header.from domain, and only the latter is visible to the recipient (in most client software). Hence the alignment requirement in DMARC.

In terms of what is better for forwarding: it depends. Some forwarders will rewrite the Return-Path (a.k.a. smtp.mailfrom), which will fix SPF but break DMARC alignment. Others will, for example, add a piece of text to the subject field, which in turn will break the DKIM signature (if the subject was one of the signed headers). It's not so clear-cut. Authenticated Received Chain (ARC) is a protocol that is helpful in this respect, though it is still in development.

My advice would be to use SPF with a soft fail mechanism and use DMARC with a reject policy. Also, use SPF and DKIM as complementary mechanisms for optimal results.

My opinion: You're publishing a clear directive in DMARC. It is up to the recipient to implement corresponding checks. In fact, a receiving server can be configured to completely ignore both SPF (hard) fail and DMARC reject policies. That's not the sender's responsibility, but the recipient's prerogative.

Reinto
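The answer above describes how DMARC combines the SPF and DKIM results with identifier alignment, and why a forwarder can break one path but not the other. The following is an added example (not code from the answer or from any DMARC implementation) that models that combination in the relaxed alignment mode of RFC 7489. It assumes the organizational domain is the last two labels of a name (real verifiers use the Public Suffix List), and the scenarios, domains and results are constructed for illustration.

```python
"""Model of how DMARC combines SPF and DKIM results with identifier
alignment (RFC 7489). Added example, not code from the original post.
Assumption: organizational domain = last two labels of a name; real
verifiers consult the Public Suffix List."""

# The qualifier on SPF's "all" only decides what a non-matching sender
# IP is called. None of these results is "pass", so for DMARC they are
# all equivalent: the SPF path does not contribute a pass.
ALL_QUALIFIER_RESULT = {"-all": "fail", "~all": "softfail", "?all": "neutral"}


def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, header_from: str, mode: str = "relaxed") -> bool:
    """Relaxed alignment: same organizational domain. Strict: exact match."""
    a = identifier.lower().rstrip(".")
    b = header_from.lower().rstrip(".")
    return a == b if mode == "strict" else org_domain(a) == org_domain(b)


def dmarc_evaluate(header_from, spf_result, smtp_mailfrom, dkim_result, dkim_d,
                   policy="reject", aspf="relaxed", adkim="relaxed"):
    """Return the DMARC verdict and the disposition the published policy implies.

    spf_result / dkim_result are the raw authentication results ("pass",
    "fail", "softfail", ...); smtp_mailfrom and dkim_d are the identifiers
    that must align with the RFC5322.From domain."""
    spf_ok = spf_result == "pass" and aligned(smtp_mailfrom, header_from, aspf)
    dkim_ok = (dkim_result == "pass" and dkim_d is not None
               and aligned(dkim_d, header_from, adkim))
    verdict = "pass" if (spf_ok or dkim_ok) else "fail"
    # The p= policy is only applied to messages that fail DMARC.
    disposition = "none" if verdict == "pass" else policy
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": verdict, "disposition": disposition}


def scenarios():
    """Constructed scenarios for a sender at example.com with p=reject."""
    return {
        # Direct delivery: SPF pass on an aligned bounce subdomain, DKIM pass.
        "direct": dmarc_evaluate("example.com", "pass", "bounce.example.com",
                                 "pass", "example.com"),
        # Forwarder rewrites Return-Path (SRS): SPF passes for the
        # forwarder's domain but is not aligned; the intact DKIM signature
        # is what carries DMARC.
        "forward_srs": dmarc_evaluate("example.com", "pass", "srs.forwarder.net",
                                      "pass", "example.com"),
        # Forwarder keeps Return-Path but tags the Subject: DKIM breaks,
        # and the forwarder's IP is not in the SPF record (~all -> softfail),
        # so DMARC fails and p=reject applies.
        "forward_subject_tag": dmarc_evaluate(
            "example.com", ALL_QUALIFIER_RESULT["~all"], "example.com",
            "fail", "example.com"),
        # Same forwarder, but the sender published -all instead of ~all:
        # the DMARC outcome is identical.
        "forward_subject_tag_hardfail": dmarc_evaluate(
            "example.com", ALL_QUALIFIER_RESULT["-all"], "example.com",
            "fail", "example.com"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30s} {result}")
```

The last two scenarios are the point of the answer: whether the sender publishes ~all or -all changes nothing in the DMARC verdict, only in how a receiver that evaluates SPF on its own (without DMARC) might treat the message.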

It just checks if the IP/host is in the SPF record; the overall logic is:

  • If the sending IP address is contained in the SPF record = SPF PASS
  • If the sending IP address is not contained in the SPF record = SPF FAIL

(see sites like http://knowledge.ondmarc.com/learn-about-dmarc/all-you-need-to-know-about-spf-dkim-and-dmarc where the above logic is quoted from).

The policies of DMARC and SPF are independent. I would not change SPF policies because there is a DMARC policy. You should consider that not all mail servers use DMARC but do use SPF. So the SPF policy should make sense on its own.

Lexib0y
  • His question is, "...can I relax my SPF policy...?" You don't answer that question. – Rob Dec 02 '18 at 13:11
  • He asks: "Or does DMARC merely use the IP ranges?" – Lexib0y Dec 02 '18 at 13:12
  • Yes, his question is a little broad, but your answer is only partial. I would have posted it as a comment. – Rob Dec 02 '18 at 13:15
  • The second part of the question has an answer that is largely opinion-based. There is no golden answer. But I see your point. – Lexib0y Dec 02 '18 at 13:21
  • OK, so the policies are independent. That's mostly what I need to know. Whether or not I want to support people forwarding mail is another question, for me. – Halfgaar Dec 02 '18 at 20:51
  • Agreed. If you want to be strict at all with DMARC, it is best to only block when both SPF and DKIM are false. In any other case it is quite certain you will have a lot of false positives and bring misery to many users. – Lexib0y Dec 02 '18 at 21:12
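The second answer reduces SPF to "is the sending IP in the record or not". The following added example (not code from the answer, and not a full RFC 7208 implementation) shows that check for the ip4/ip6 mechanisms and makes the point both answers make about the qualifier: the IP match is the same whether the record ends in -all, ~all or ?all; the qualifier only names the non-match result, and only a literal "pass" counts toward DMARC. Mechanisms that need DNS (include, a, mx) are skipped here by assumption; the record and addresses are constructed test data.

```python
"""Minimal SPF check over ip4/ip6 mechanisms (added example, not the
answer's code). Mechanisms needing DNS lookups (include, a, mx, exists)
are out of scope and treated as non-matching; that is an assumption."""
import ipaddress

# Qualifier prefix -> SPF result when that mechanism matches (RFC 7208 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str):
    """Split a TXT record into (result_if_matched, mechanism, value) tuples."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((QUALIFIERS[qualifier], name.lower(), value))
    return parsed


def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate the record against the connecting IP, left to right.

    The first matching mechanism decides the result; "all" always matches,
    so the qualifier on it is the result for every IP not listed before it."""
    ip = ipaddress.ip_address(sender_ip)
    for result, name, value in parse_spf(record):
        if name == "all":
            return result
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return result
        # include/a/mx/exists and modifiers (redirect=, exp=) would need
        # DNS; skipped here (assumption), so they never match.
    return "neutral"  # no mechanism matched and no "all": neutral (RFC 7208)


def counts_for_dmarc(spf_result: str) -> bool:
    """DMARC only uses SPF when the raw result is pass (and the domain aligns)."""
    return spf_result == "pass"


if __name__ == "__main__":
    record = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"  # constructed
    for ip in ("192.0.2.10", "2001:db8::1", "198.51.100.7"):
        for tail in ("-all", "~all", "?all"):
            r = spf_check(record.replace("~all", tail), ip)
            print(f"{ip:15s} {tail}: {r:8s} counts for DMARC: {counts_for_dmarc(r)}")
```

Running it shows the listed IPs produce "pass" under every tail, while 198.51.100.7 produces fail, softfail or neutral depending only on the qualifier; for DMARC all three are simply "not pass", which is why the SPF policy choice is independent of the DMARC policy and needs to make sense for receivers that check SPF alone.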