SPF Bypass – How to Use SMTP Envelope FROM with Invalid SPF Domain

Tags: dmarc, spf

Consider DMARC record:

v=DMARC1;p=reject;rua=mailto:xyz;ruf=mailto:xyz;adkim=s;aspf=s;pct=100;fo=1;sp=reject

Also consider domain example.com with a TXT record:

v=spf1 include:_spf.google.com -all

Now imagine a third party sends an email using FROM test@example.com, using either an SMTP envelope with a FROM of test@mail-sender.com or a return-path of test@mail-sender.com.

My understanding is that now the recipient SMTP server will validate SPF using the TXT record at mail-sender.com.

If this SPF record for mail-sender.com either:

  • Does not exist
  • Is syntactically invalid
  • Permits any IP to send

My understanding is that the SPF TXT record for example.com is totally ignored and the DMARC record which "rejects" and is in strict SPF alignment mode would not prevent these messages from being delivered successfully (I think these are considered a non-aligned SPF pass).

Essentially, am I right to say that there is no such thing in SPF & DMARC to say "only emails from IPs explicitly listed in the TXT record of example.com are allowed to send on behalf of my domain"?

Best Answer

I think you're mainly missing the 'alignment' which is required to get a DMARC compliant mail. This is what differentiates DMARC from the existing techniques.

Alignment means that DMARC requires you to set up authentication (SPF/DKIM) using the same* domain as the "From" domain. You mentioned alignment between the SPF domain (Envelope From) and the DKIM domain, however this does not apply.

In your example the messages would not be DMARC compliant as there is no alignment on the @example.com 'From' domain and the @mail-sender.com 'Return-Path' domain. This example would generate an SPF "Pass", however a DMARC "Fail".

The statement about SPF & DMARC is exactly what DMARC is about: making sure the authentication is actually done using the 'From' domain in question instead of a @mail-sender.com domain.

Does this help you?

Regards,

Michiel

DMARC Analyzer
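The alignment logic the answer describes, worked through in code as an added example (not code from the question's author, the answer's author, or DMARC Analyzer). It parses the DMARC record from the question, then evaluates SPF and DKIM identifier alignment against the header From domain under strict or relaxed mode. Assumptions: the raw SPF and DKIM results are passed in as already-computed inputs instead of being looked up via DNS, so it runs offline, and the organizational domain is approximated as the last two DNS labels (a real implementation consults the Public Suffix List). It goes slightly beyond the question's strict-mode case by also showing relaxed alignment.

```python
"""Added example: DMARC identifier alignment for the scenario in the question.

Assumptions (not from the page): SPF/DKIM results are supplied as inputs rather
than resolved via DNS, and the organizational domain is approximated as the
last two labels instead of using the Public Suffix List.
"""
from dataclasses import dataclass
from typing import Optional

# DMARC record copied from the question (mailto targets as written there).
DMARC_RECORD = ("v=DMARC1;p=reject;rua=mailto:xyz;ruf=mailto:xyz;"
                "adkim=s;aspf=s;pct=100;fo=1;sp=reject")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels.
    Assumption for this example; production code uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact domain match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return header_from_domain.lower() == auth_domain.lower()
    return org_domain(header_from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    envelope_from_domain: str       # RFC5321.MailFrom domain SPF was checked against
    spf_pass: bool                  # raw SPF result for that envelope domain
    dkim_domain: Optional[str]      # d= of a verified DKIM signature, if any
    dkim_pass: bool


def dmarc_evaluate(header_from_domain: str, results: AuthResults,
                   record: str = DMARC_RECORD) -> dict:
    """Combine raw SPF/DKIM results with alignment and apply the p= policy."""
    tags = parse_dmarc(record)
    aspf = tags.get("aspf", "r")    # relaxed is the default when the tag is absent
    adkim = tags.get("adkim", "r")
    spf_aligned = results.spf_pass and aligned(
        header_from_domain, results.envelope_from_domain, aspf)
    dkim_aligned = bool(results.dkim_pass and results.dkim_domain and aligned(
        header_from_domain, results.dkim_domain, adkim))
    dmarc_pass = spf_aligned or dkim_aligned
    return {
        "spf_raw_pass": results.spf_pass,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if dmarc_pass else "fail",
        # Only a DMARC failure triggers the published policy.
        "disposition": "none" if dmarc_pass else tags.get("p", "none"),
    }


if __name__ == "__main__":
    # Constructed scenario from the question: header From is example.com, the
    # envelope From is mail-sender.com, and mail-sender.com's own SPF evaluates
    # to pass. Raw SPF passes but is not aligned, so DMARC fails and p=reject applies.
    print(dmarc_evaluate("example.com",
                         AuthResults("mail-sender.com", True, None, False)))
```

The key line is the `spf_aligned` computation: a raw SPF pass for mail-sender.com counts for nothing unless that domain aligns with the header From domain, which is exactly why the question's scenario ends in a DMARC fail and a reject disposition despite mail-sender.com's permissive SPF record.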