Score:0

DKIM E-Mail verification - prevent receivers from accepting unsigned emails?

br flag

I have set up SPF, DKIM and DMARC in my domain (to the best that I can figure out), but I still can send spoofed emails - without a DKIM signature - and they are accepted (at least when I test with GMail - I assume they will be the most strict about such things(2)). When I spoof my domain from a non-SPF approved SMTP server, GMail does quarantine it, but as we use public SMTP senders for our work (such as Mailgun and friends(1)) SPF can't be the last line of defense - which is what DKIM is supposed to be, to my understanding.

I have set up my DKIM keys correctly, and signed e-mail is getting verified properly (I checked the email headers when received by GMail and it looks fine), and I have set up DMARC as follows:

$ dig txt _dmarc.mydomain.com
;;...
;; ANSWER SECTION:
_dmarc.mydomain.com. 300 IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected];"

But then sending a spoofed (i.e. unsigned) email through DNSExit (for completeness, using a free account that is not my company's DNSExit account, not that it matters) - GMail accepts it as coming from my domain and does not quarantine it, nor label it with any kind of warning.

Here's the relevant header from the received email on GMail:

ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of [email protected] designates x.x.x.x as permitted sender) [email protected];
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mydomain.com

So it doesn't appear that GMail even checked DKIM?

I've read somewhere (though not at any of the DKIM setup instructions I've seen at mail service providers) - notably in this serverfault question - that you need to use a "domain policy record" in the top-level _domainkey record for your domain, but that does nothing - and as noted in this serverfault answer it was obsoleted(?)

I would really like for public (complying) mailbox servers to stop accepting non-DKIM-signed emails that are supposedly sent from my domain - how can I do that?


(1) public SMTP senders that require authentication but don't always verify domain ownership properly (or at all, I'm looking at you - DNSExit).

(2) I later tested with outlook.com, and there it apparently does quarantine my spoofed email, with this header added: Authentication-Results: spf=permerror (sender IP is X.X.X.X) smtp.mailfrom=mydomain.com; dkim=none (message not signed) header.d=none;dmarc=fail action=quarantine header.from=mydomain.com;compauth=fail reason=000. Why is GMail not the bastion of security?

jp flag
This is unfortunate! Likewise, [Microsoft doesn't respect `p=reject`](https://security.stackexchange.com/questions/226270/enforcing-dmarc-policy-reject-on-an-office-365-tenant).
Reinto avatar
es flag
@EsaJokinen This is not unfortunate (regarding Gmail), but as designed. When you pass SPF checks in alignment with your domain, you pass DMARC as well. Microsoft, indeed, quarantines messages (if quarantine feature enabled, otherwise delivered to Junk) instead of rejecting when you set your policy to `p=reject`. You can, however, reject those messages with custom rules in Exchange Online. In Outlook.com these messages are flagged but end up in the Junk folder.
jp flag
In this question, both SPF & DKIM failed. Therefore, DMARC failed too, but the message wasn't quarantined. That is not by design (of DMARC).
br flag
I've updated my question to include the GMail's `ARC-Authentication-Results` header, which seem to indicate the DKIM wasn't even tested.
Reinto avatar
es flag
@EsaJokinen Perhaps the OP updated the post after you commented... But he says that Gmail does quarantine for "non-SPF approved SMTP server".
Reinto avatar
es flag
@Guss The ARC (Authenticated Received Chain) results only matter in a context of forwarding, where you can choose to trust the forwarding party on analysing the original Authentication. These can be present as well for MS internal servers forwarding from one tenant/datacenter to the other.
jp flag
Indeed, the question has more details now. My assumptions were based on the outlook.com results with `spf=permerror` & `dkim=none` => `dmarc=fail`.
br flag
@EsaJokinen, apologies - I should have shown the GMail auth results header. The Outlook SPF error is because I had 11 DNS lookups in SPF - which was fine for GMail so I didn't notice.
Score:4
es flag

DMARC

Unfortunately, you seem to be assuming that DMARC requires both SPF and DKIM to pass (or requires DKIM to pass in any scenario), to pass DMARC checks. It doesn't, it requires either a pass on SPF - OR - a pass on DKIM, in alignment with your sending domain (in the From header). Gmail seems to be behaving exactly as supposed, in regards to DMARC policy enforcement. This evaluation should be clear from the Authentication-Results header in the accepted Gmail message.

SPF

If you don't or can't trust public SMTP services, although they do require you to prove domain ownership, you could omit their services IP ranges (via include or otherwise) from your domain's SPF record. Or, use the neutral mechanism (?) in front of the include to neither signal a pass, nor a fail.

DomainKeys vs DKIM

The top-level _domainkey record you describe is part of the predecessor technology of DKIM, called 'DomainKeys'. DKIM doesn't rely on this policy record any longer. And there are, to my knowledge, no ESPs left that rely on this technology.

Outlook.com

Outlook.com quarantined your message (sent to Junk folder?), not based on the absence of a DKIM signature, but instead on the failure to evaluate your SPF record (PermError) - AND - the absence of an aligned DKIM signature. This usually indicates a syntax error in your DNS record.

br flag
Re: outlook.com - Indeed there was a problem with my SPF (more than 10 DNS lookups). After fixing it, a new message had this header: `Authentication-Results: spf=pass (sender IP is x.x.x.x) smtp.mailfrom=mydomain.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=mydomain.com;compauth=pass reason=100`, but still landed in the junk box - maybe because Outlook has already seen several messages with the same From landing in junk? I'm more confused now.
br flag
Re: DKIM - so basically, if I understand what you are saying, there's no way to force DKIM signature on not-SPF-failing servers? Meaning that I need to make sure my SPF only authorizes services that verify domain ownership?
br flag
Or, as per the updated question (Gmail appears to not test DKIM at all), the other option is not publish SPF at all?
Reinto avatar
es flag
Outlook: Indeed, many factors contribute to the SPAM rating. Reputation of domain and sending host / IP are definitely part of the equation. Requiring DKIM: You can add the `?` in front of your Mailgun-like services includes, to have those neither Pass, nor Fail SPF. This will not result in a DMARC pass result, but may incur a slightly elevated SPAM rating depending on the ESP receiving the email. Gmail: Google most certainly does test DKIM. If you click the 3 dots in an opened email and choose "Show original", you'll find that the Authentication-Results header also includes DKIM-test results.
Reinto avatar
es flag
For Outlook.com, the `X-Microsoft-Antispam-Mailbox-Delivery` will tell you a bit more on why your message was rated as SPAM, Bulk or Phish. Although, it takes a bit of searching to find what each abbreviations means...
br flag
Regarding the GMail DKIM check - with SPF passing, the `ARC-Authentication-Results` header doesn't include any DKIM check so I understood that to mean what you said: "it requires either a pass on SPF - OR - a pass on DKIM" - it passed SPF so doesn't check DKIM. After changing the SPF to use `?` - as per your suggestion, GMail now says: `i=1; mx.google.com; spf=neutral (google.com: x.x.x.x is neither permitted nor denied by domain of [email protected]) [email protected]; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=mydomain.com`. I think this is the solution.
br flag
To summarize, the solution for me is: a passing SPF may be sufficient for an ESP, so if you want to enforce DKIM, set DMARC properly, and in SPF list as passing only SMTP relays you trust explicitly (w/o DKIM) and list as neutral SMTP servers you trust only when they use your DKIM keys. Everything else should be handled by `~all` or `-all`.
Reinto avatar
es flag
Most - if not all - ESPs always perform all checks, regardless of passing or failing other checks. And, they will list the findings in the Authentication-Results header. Good that you found a solution that works for you.
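The DMARC rule the answer states (SPF pass OR DKIM pass, each aligned with the header From domain), the `?include:` trick from the comments, and the 10-lookup PermError the OP hit on Outlook, shown as an added example that is not part of the original thread or of any ESP's code. Everything in it is constructed: `relay.example` stands in for a Mailgun-like relay, the addresses are documentation ranges, `FAKE_DNS` replaces real TXT lookups, and the SPF evaluator covers only the mechanisms needed here (ip4, ip6, include, all, with qualifiers).

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (names and addresses are invented;
# a real check would use a resolver such as dnspython).
FAKE_DNS = {
    "relay.example": "v=spf1 ip4:198.51.100.0/24 -all",  # a Mailgun-like relay
}
# Record that trusts the relay outright ...
SPF_STRICT = "v=spf1 ip4:203.0.113.10 include:relay.example -all"
# ... and the same record with the neutral qualifier in front of the include.
SPF_NEUTRAL = "v=spf1 ip4:203.0.113.10 ?include:relay.example -all"

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, ip, resolve, _lookups=None):
    """Minimal RFC 7208 evaluator for ip4/ip6/include/all with qualifiers.
    Returns pass, fail, softfail, neutral, none or permerror.
    (a, mx, exists, redirect and macros are omitted for brevity.)"""
    lookups = _lookups if _lookups is not None else [0]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            lookups[0] += 1            # RFC 7208: at most 10 DNS-querying mechanisms
            if lookups[0] > 10:
                return "permerror"     # what the OP saw with 11 lookups
            inner = resolve(arg)
            if inner is None:
                return "permerror"     # include of a domain without an SPF record
            inner_result = check_spf(inner, ip, resolve, lookups)
            if inner_result == "permerror":
                return "permerror"
            matched = inner_result == "pass"  # only a pass inside the include matches
        elif name == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIER[qual]     # the qualifier, not the include, sets the result
    return "neutral"                   # no mechanism matched


def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                  policy="quarantine"):
    """RFC 7489 disposition: pass if SPF passes for an aligned MAIL FROM domain
    OR DKIM passes with an aligned d=.  Alignment is approximated here as
    'same domain or a subdomain of it'; real relaxed alignment compares
    organizational domains using the public suffix list."""
    def aligned(d):
        return d is not None and (d == from_domain or d.endswith("." + from_domain))
    if (spf_result == "pass" and aligned(spf_domain)) or \
       (dkim_result == "pass" and aligned(dkim_domain)):
        return ("pass", "none")
    return ("fail", policy)


def evaluate(spf_record, sender_ip, dkim_result="none", dkim_domain=None):
    """Both checks for a message with From: and MAIL FROM at mydomain.com."""
    spf = check_spf(spf_record, sender_ip, FAKE_DNS.get)
    dmarc, action = dmarc_verdict("mydomain.com", spf, "mydomain.com",
                                  dkim_result, dkim_domain)
    return spf, dmarc, action


if __name__ == "__main__":
    # Unsigned message relayed through the public relay (the question's Gmail case)
    print(evaluate(SPF_STRICT, "198.51.100.7"))    # ('pass', 'pass', 'none')
    # Same message once the include is neutral (the Gmail result after the fix)
    print(evaluate(SPF_NEUTRAL, "198.51.100.7"))   # ('neutral', 'fail', 'quarantine')
    # Legitimate relay use: DKIM-signed with d=mydomain.com
    print(evaluate(SPF_NEUTRAL, "198.51.100.7", "pass", "mydomain.com"))  # ('neutral', 'pass', 'none')
    # Unknown host, no signature
    print(evaluate(SPF_NEUTRAL, "192.0.2.5"))      # ('fail', 'fail', 'quarantine')
```

The second and third calls are the whole point of the thread: with `?include:` the relay's IP can no longer produce an SPF pass on its own, so DMARC depends on an aligned DKIM signature, exactly as the OP's post-fix Gmail header (`spf=neutral ... dmarc=fail`) shows. The permerror branch matters as well: a record that exceeds ten lookups makes SPF unevaluable for every message, not just the spoofed ones.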