Score:8

Does SPF provide benefits along with DKIM+DMARC?

nl flag

I have a domain I send emails from via Mailchimp and Google. I've set up DKIM for both of them and added a DMARC record too (for testing atm). I collect reports for DMARC failures and the overwhelming majority of these reports are for SPF fails.

In my understanding, SPF is an allowlist of IPs/hosts that can send emails, and DKIM is a key that the sender must use to sign the emails. To me, it seems like DKIM is better for spoofing protection.

Everywhere I search I only see that SPF is essential for email protection, but I can't see why in my case. Since DKIM is set up, only Mailchimp and Google can send emails, and DMARC will make recipients reject emails from anywhere else. Restricting IP addresses does not seem to add anything to this mix.

Is it OK to disable SPF with +all in this case? What is the scenario where I'm less protected if I do that?

us flag
See https://serverfault.com/q/1024324
cn flag
Not a direct answer, but in my experience, your mail is far more likely to land in a spam box if there is no SPF record at all, compared to one that matches the IP correctly. I've never tried `+all` though. I'm not talking about spoof protection here, I'm talking about actually getting your legitimate emails accepted into people's inboxes.
Score:11
ng flag

SPF, DKIM, and DMARC all work together to increase trust of your domain and delivery of your email to inboxes. But, the important thing to remember is that the recipient email system is free to handle your e-mails in any way they want. So, it is not guaranteed that any one or more of these mechanisms are implemented properly.

The biggest thing about SPF and DKIM alone is that they do nothing to ensure that the from header is authenticated. This is the e-mail address that your recipient sees in their mail client. So, they are not effective for determining if what the end user sees is authentic.

For SPF, it only checks the domain specified in the return-path header (aka Envelope From) in the SMTP message. This isn't an address the end-user sees.

For DKIM, it only cares about the domain specified in the d= parameter in the dkim-signature header. Again, the end-user does not see this.

DMARC fixes this. DMARC requires "alignment" to be correct on either SPF or DKIM.

  • For SPF to be in "alignment" the domain in the from header must match the domain in the return-path header. This is rarely possible when sending e-mail through third party bulk mail providers because the return-path is where bounces, and complaints go that the provider tracks and is often an email address managed by the third party. This is why you see SPF failures in your DMARC reports.
  • For DKIM, the domain specified in the d= field in the dkim-signature header must match the domain in the from header. This can be accomplished by making sure the third party sender (i.e. Mailchimp) is properly configured for DKIM signing and you have added the appropriate DNS records to your domain.

This "alignment" check ensures that what the end-user sees in their e-mail client is authenticated by either SPF or DKIM. If a passing SPF record or DKIM record is in alignment with the from header (what the end user sees), the message passes DMARC. Otherwise, it fails DMARC.

Note that these protocols only scrutinize the "domain name" portion of the email address (the portion after the @ sign). None of them checks the validity of the username portion (the portion before the @ sign).

So, you can see that both SPF and DKIM are necessary for DMARC to be fully functional. All 3 are necessary for proper mail flow. And, not all recipient email systems implement the standards in the same way or correctly.

A huge frustration for systems administrators is that a ton of senders still have not configured these 3 standards properly when sending e-mail. And, sadly, rarely are the above basic principles properly explained anywhere.
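To make the alignment rules above concrete, here is an added Python example (not from the answer or any library) that evaluates DMARC alignment over a constructed Mailchimp-style message; the SPF and DKIM pass/fail results are assumed inputs, and the organizational-domain check is a simplified last-two-labels rule rather than the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample: a Mailchimp-style message whose bounce address (Return-Path)
# sits on the provider's domain while the DKIM d= is the sender's own domain.
SAMPLE_ALIGNED = """\
Return-Path: <bounce-123@mail42.atl.mcsv.net>
From: Newsletter <news@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=k1; h=from:subject; bh=...; b=...
Subject: Test

hello
"""

# Same message, but the provider signed with its own d= instead of the customer's domain.
SAMPLE_UNALIGNED = SAMPLE_ALIGNED.replace("d=example.com", "d=mcsv.net")


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); real DMARC uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(a: str, b: str, mode: str = "relaxed") -> bool:
    """Strict alignment needs an exact match; relaxed only needs the same organizational domain."""
    a, b = a.lower(), b.lower()
    return a == b if mode == "strict" else org_domain(a) == org_domain(b)


def dkim_domain(sig: Optional[str]) -> Optional[str]:
    """Pull the d= tag out of a DKIM-Signature header value."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig or "")
    return m.group(1) if m else None


def dmarc_result(raw: str, spf_pass: bool, dkim_pass: bool, mode: str = "relaxed") -> dict:
    """DMARC passes when SPF or DKIM both passed and is aligned with the From domain.
    spf_pass/dkim_pass are the raw authentication results, supplied by the caller (assumed)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1]
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].split("@")[-1]
    d = dkim_domain(msg.get("DKIM-Signature"))
    spf_aligned = spf_pass and bool(rp_domain) and aligned(rp_domain, from_domain, mode)
    dkim_aligned = dkim_pass and d is not None and aligned(d, from_domain, mode)
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}
```

Running it on the aligned sample reproduces the pattern from the question: SPF passes on the provider's bounce domain but is unaligned, DKIM is aligned, and DMARC passes on DKIM alone.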

Score:4
cn flag

Yes, as sadly not all servers check DKIM/DMARC on reception, but SPF checking is more integrated/deployed currently.

An example is an on-prem Exchange server. The SPF record can be checked with the anti-spam ruleset (with the Edge Transport role in later versions), but DKIM/DMARC need a third-party integration to enable them.

Removing your SPF record in such a state can leave you open to spoofed email at organisations that are in such a scenario.

nl flag
Thanks, I didn't know that DKIM is not universally supported!
Score:2
cn flag

While only authorized servers can sign with DKIM, there is nothing in the DKIM standard that can inform a receiving server that messages from your domain MUST be signed with DKIM. From a mail standards perspective, a receiving server cannot discern authorized sending servers from unauthorized sending servers.

The eventual problem that will arise is that, for receiving servers that do not use DMARC tests, your domain will have a high probability of being blacklisted as spammers discover it is trivial to spoof.

Ben Voigt avatar
pl flag
Wouldn't it be nice if the SPF record in DNS could be set to "+dkim -all"? Or "+host +dkim -all" (to allow a handful of hosts to send unsigned messages and require DKIM otherwise).
Hagen von Eitzen avatar
cn flag
@BenVoigt Certainly someone would try to implement "-dkim"
Ben Voigt avatar
pl flag
@HagenvonEitzen: And so they should. If one knows that one's mail server does not add DKIM signatures to outgoing mail, then any message that carries one is known to be spoofed. Naturally "+dkim" should mean that "messages with a valid DKIM aligned with the sender email address pass", while "-dkim" should mean that "messages purporting to carry DKIM, whether or not valid, whether or not aligned, should fail". Then it might even be useful to have "+dkim -dkim +ip -all" in order to reject invalid/unaligned DKIM even if it relayed through the whitelisted server.