SPF is useful for verifying envelope sender addresses, i.e. against forged senders (MAIL FROM). It was designed for that, not against forged headers. DKIM is designed to protect the headers and the body against forging and tampering. The From: header is always signed, other headers being optional.
DKIM can only protect mail that has been signed, but it doesn't provide a mechanism to prove that an unsigned message should have been signed. Now, it seems that both SPF and DKIM are powerless against a spoofed address in the From: header. DMARC alignment comes to the rescue! DMARC can enforce DKIM by telling the receiver how they should handle unsigned messages. DKIM+DMARC together protect the From: address.
Why is it still relevant to protect the MAIL FROM address? Why not use DKIM+DMARC alone?
SPF still protects your domain from being used as the envelope sender. Why would someone buy a random domain and use it as the envelope sender while there are plenty of existing unprotected domains? Without an SPF record someone could use your domain for that phase while spoofing someone else's domain in the headers.
DMARC alignment requires only either SPF or DKIM to pass. You might have some applications or devices that need to use your domain in the From header, but aren't able to DKIM sign the messages. No worry if they pass the SPF test for the same domain. Likewise, you may have some 3rd party provider sending newsletters on your behalf, but allowing them at the SPF level might be too extensive. Doesn't matter as long as they can DKIM sign the messages using their own selector.