Score:1

Server

Should we enhance DMARC to allow aligned DKIM enforcement?

m7913d

10/29/23, 7:14 PM

Currently, DMARC only requires aligned DKIM or SPF.

However spoofing SPF is relatively simple for an experienced hacker:

You should only control a single IP address in the often large SPF range of e-mail service providers (Microsoft, Google, Mailchimp, ...). It may be even possible to legally do so if the list contains out of date IP addresses.
Or you can try to use a bug/hole in the sender verification performed by those service providers. At least some providers do not perform a very secure sender domain verification.

The essential problem with SPF is that it whitelists an IP that is shared by many clients of such a service providers.

At the other hand, the DKIM key is probably secured much better by those service providers and it is (often) linked to a single customer. Or at least, it should be much easier to secure a DKIM key than to ensure that a hacker could not send an e-mail from one of the allowed SPF IP addresses with a sender address chosen by the hacker.

So, wouldn't it be beneficial that DMARC is extended to allow specifying that DKIM should be aligned? Or does a successor of DMARC exists to enforce DKIM alignment?

Partially related questions:

DMARC Alignment: Enforce messages pass BOTH SPF and DKIM (It's not a duplicate as my question is whether it is a good DMARC design that we couldn't enforce DKIM).
Can DMARC's SPF alignment be spoofed? (About the possibility of spoofing aligned SPF: spoofing SPF is easier than spoofing DKIM).

174

2 + 6

spf

dkim

dmarc

anx

10/29/23, 7:28 PM

If you do not trust your service providers to not allow spoofed mail.. you got problems for which the solution lies well outside the scope of any "sprinkle some crypto over it" solution.

anx

10/29/23, 7:28 PM

Also, right now we seem to be losing the usefulness of DKIM because people won't start migrating off SHA1 (broken) or RSA (broken for reasonable key sizes), so I would be rather pessimistic about industry-wide buy-in for further complication of a mechanism whose results are then routinely *ignored* by the recipients anyway.

m7913d

10/29/23, 7:36 PM

@anx Is RSA broken? Even for (currently common) 2048 bit keys?

m7913d

10/29/23, 7:49 PM

@anx I indeed do not (fully) trust their infrastructure (should I fully trust those large well-established players?). It's just relatively easy to circumvent SPF than to circumvent DKIM. DKIM doesn't sound to me as "sprinkling some crypto". Why would it otherwise be common practice to salt and encrypt passwords or to use a VPN to access a Remote Desktop if those architecture are really fully trustworthy? The attack vector of DKIM just seems much smaller to me compared to SPF.

m7913d

10/29/23, 8:03 PM

@anx, see also this thread about spoofing aligned SPF: https://security.stackexchange.com/questions/264133/can-dmarcs-spf-alignment-be-spoofed.

anx

10/29/23, 8:23 PM

They key is, *you* as a competent admin will not run into trouble correctly inputting an appropriate, thus unwieldy key into a standards-hostile zone editing form. Many other users will. And *you* may be in a situation where a signature that can only be generated on your machines is a better indicator of authorized use than the credential theft detection of a larger provider. For many other companies, the location of the key would not make much of a difference to the common methods of abuse, and often multiple keys would have been shared with multiple 3rd party senders.

Score:2

Server

Esa Jokinen

12/17/23, 3:06 PM

Accepting either of the authentication mechanisms is well rooted in the key concepts of the DMARC specification (RFC 7489, 4.2). Changing it at this point would require major modifications to every implementation.

However, a domain could be protected in a way that only a passing & aligned DKIM would let the DMARC pass. Furthermore, this can be done in a way that does not allow just anyone use the domain as the envelope sender, unlike suggested in the answer from @anx.

This is possible with the strict alignment available for both DKIM- and SPF-Authenticated Identifiers.

In relaxed mode, the [SPF]-authenticated domain and RFC5322.From domain must have the same Organizational Domain. In strict mode, only an exact DNS domain match is considered to produce Identifier Alignment.

Knowing this,

Disallow using the apex of the domain as an envelope sender.
```
example.com TXT "v=spf1 -all"
```
Pick a subdomain to be used for the envelope addresses, and allow SPF as required, e.g.,
```
mailer.example.com TXT "v=spf1 +ip4:192.0.2.100 -all"
```

Require strict SPF alignment mode with aspf=s, e.g.,

_dmarc.example.com. IN TXT "v=DMARC1; p=reject; aspf=s; adkim=r;"

Set up a passing DKIM signing aligned with the From address, either in strict or in relaxed mode.

+ 7

m7913d

12/17/23, 5:32 PM

Nice work-around. If requiring both is indeed useful, it should be possible to add an extra option in a backwards compatible way, allowing the major implementation to alter its implementation (which shouldn't be that hard).

m7913d

12/17/23, 5:33 PM

Disadvantage is that this approach allows passing DMARC as an aligned SPF sender for the configured subdomain.

Esa Jokinen

12/17/23, 5:49 PM

On the other hand, that would be well visible for the receiver, if you use `serviceprovider.example.com` envelope domains.

anx

12/17/23, 5:50 PM

@m7913d Does it? If that subdomain is never to be used in the Sender header fields anyway, it can get its own DMARC policy.

Esa Jokinen

12/17/23, 5:57 PM

Unfortunately, there's no DMARC policy that would prevent using a passing alignment.

Esa Jokinen

12/17/23, 6:01 PM

If the service provider isn't permitted to use such subdomain in the From header and a malicious actor does so from an IP address on the `include`d policy, monitoring the reports will reveal it in a day. Such IP addresses can then be explicitly banned using the `-ip4` mechanism of SPF; that overrides any `include` mechanism.

Esa Jokinen

1/8/24, 11:09 AM

If you also want to prevent the mailer from using the SPF for DMARC alignment for the subdomain, but would like to protect the subdomain with SPF, you could use the `?` policy for the mailer's servers, e.g., `mailer.example.com TXT "v=spf1 ?ip4:192.0.2.100 -all"` this does not *pass* for the mailer, but still fails for the rest.

Score:2

Server

anx

10/29/23, 8:17 PM

wouldn't it be beneficial to allow specifying that DKIM should be aligned

This is already the default behaviour, if there is no way to achieve an aligned SPF match. What then remains of the DMARC alternatives is the requirement to get an aligned & valid DKIM signature.

In the simplest - though by no means ideal, see here form - you could just not opt in to SPF, or expressly opt out (v=spf1 ?all). You do not have to use SPF.

Note that this will impose some limitations on how you can authorize 3rd parties to send in your name. Some but not all senders will be able to sign, or relay to your machine holding a published key for signing.

+ 3

m7913d

10/29/23, 8:23 PM

The disadvantage of this approach is that not implementing SPF may negatively impact the SPAM score of your e-mail. Therefore, disabling SPF seems to me not a good solution.

anx

10/29/23, 8:28 PM

@m7913d My personal experience is that if recipients treat you badly purely from static checking-boxes analysis, they are going to treat you badly anyway. If you have any remotely significant outgoing volume, there are *so* much better metrics to judge you on a scale from s[cp]ammer to legitimate. You may not need to care about operators who rely exclusively on, by nature highly imprecise, spam filtering.

Esa Jokinen

12/17/23, 3:07 PM

It is possible to configure SPF and still make it unaligned with the From header, as explained in my [answer](https://serverfault.com/a/1118283/274176).

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Should we enhance DMARC to allow aligned DKIM enforcement?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.