DMARC Policy – Bypassing DKIM Requirements in DMARC


Am I right to say that DMARC has no way to say "all emails must be signed". My understanding here is that I can specify that I want DKIM to be either lax or strict – which I understand to mean that, if the message happens to be signed (consider email sent from example@b.com):

  • Lax: it's ok for the DKIM DNS TXT record to belong to a subdomain (example@a.b.com)
  • Strict: the DKIM DNS TXT record must belong to the exact sending domain (example@b.com)

However, there are also then emails which either have no DKIM signature at all and other emails which might contain example@b.com in the FROM header but have an SMTP envelope from like example@some-mail-sending-service.com and do have a DKIM signature which is valid for some-mail-sending-service.com but not for b.com.

In both cases above, am I right to say that these are both "PASSES" in a sense. The former example has no invalid DKIM so it's just OK and the latter is actually an aligned DKIM pass for the envelope from so is also considered OK?

If I have a DMARC policy like:

v=DMARC1;p=reject;rua=mailto:xyz;ruf=mailto:xyz;adkim=s;aspf=s;pct=100;fo=1;sp=reject

Am I right to say that a malicious party will not be rejected for reasons relating to DKIM if they either:

  1. Use no DKIM at all.
  2. Send from a mail server which does use DKIM with a valid signature and uses an SMTP envelope.

In both above cases the DKIM policy of DMARC alone would not cause this email to be blocked?

Best Answer

I think you're mainly missing the 'alignment' which is required to get a DMARC compliant mail. This is what differentiates DMARC from the existing techniques.

Alignment means that DMARC requires you to setup authentication (SPF/DKIM) using the same* domain as the "From" domain. You mentioned alignment between the SPF domain (Envelope From) and the DKIM domain, however this does not apply.

So an attacker cannot get a mail to pass DMARC if they would:

  • use a 'From' header of your-company.com
  • sign the mail with a passing DKIM signature (d=attacker.com)
  • send with a passing Envelope From (/Return-Path) of attacker.com

*) Using the alignment mode you can specify if you'd like an exact match (Strict) or would like to allow a match of a subdomain (Relaxed)

Does this help you and answer your question?

Regards,

Michiel

DMARC Analyzer
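The two scenarios in the question (no DKIM at all, and a valid DKIM signature for the sending service's domain rather than the From domain) and the alignment rule in the answer can be checked mechanically. The following is an added example, not code from the question, the answer or DMARC Analyzer: a small DMARC alignment evaluator in the spirit of RFC 7489 section 3.1. It assumes the hypothetical `AuthResults` structure (From-header domain, envelope-from domain, SPF result, and the `d=` domains of DKIM signatures that verified) is filled in by an SPF/DKIM verifier that runs before it. For brevity, `organizational_domain` treats the last two labels as the organizational domain instead of consulting the Public Suffix List, and `pct` and `sp` are parsed but not applied.

```python
"""DMARC alignment evaluation (added example; simplified RFC 7489 section 3.1 logic)."""
from __future__ import annotations

from dataclasses import dataclass, field


def parse_dmarc_record(record: str) -> dict:
    """Parse a 'v=DMARC1;p=reject;...' TXT record into a tag dictionary.

    Missing alignment tags default to relaxed ('r'), as RFC 7489 specifies.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption: the organizational domain is the last two labels (no PSL lookup)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    from_domain = from_domain.lower().rstrip(".")
    auth_domain = auth_domain.lower().rstrip(".")
    if mode == "s":
        return from_domain == auth_domain
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    """Hypothetical output of the SPF/DKIM verification stage (assumed structure)."""
    header_from: str                 # domain of the RFC5322.From address
    envelope_from: str | None        # domain of the RFC5321.MailFrom (None if empty)
    spf_pass: bool                   # SPF result for envelope_from
    dkim_passes: list[str] = field(default_factory=list)  # d= of signatures that verified


def evaluate_dmarc(results: AuthResults, record: str) -> tuple[str, str]:
    """Return (dmarc_result, disposition).

    DMARC passes only if at least one authenticated identifier (SPF envelope
    domain or a verified DKIM d= domain) ALIGNS with the From-header domain.
    A DKIM signature that verifies for an unrelated domain, or no signature at
    all, contributes nothing; the message then fails and the 'p=' policy applies.
    """
    tags = parse_dmarc_record(record)
    spf_aligned = (
        results.spf_pass
        and results.envelope_from is not None
        and is_aligned(results.header_from, results.envelope_from, tags["aspf"])
    )
    dkim_aligned = any(
        is_aligned(results.header_from, d, tags["adkim"]) for d in results.dkim_passes
    )
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags["p"]


# The record from the question, and the two scenarios it asks about (constructed inputs).
RECORD = "v=DMARC1;p=reject;rua=mailto:xyz;ruf=mailto:xyz;adkim=s;aspf=s;pct=100;fo=1;sp=reject"

if __name__ == "__main__":
    # 1. From b.com, no DKIM, SPF passes for attacker.com: nothing aligns -> reject.
    print(evaluate_dmarc(AuthResults("b.com", "attacker.com", True, []), RECORD))
    # 2. From b.com, sent via a service whose own DKIM and SPF pass: still nothing aligns.
    svc = "some-mail-sending-service.com"
    print(evaluate_dmarc(AuthResults("b.com", svc, True, [svc]), RECORD))
    # 3. Same service, but the message also carries a verified d=b.com signature -> pass.
    print(evaluate_dmarc(AuthResults("b.com", svc, True, ["b.com"]), RECORD))
```

Running the script shows both of the question's cases as `('fail', 'reject')` and the third as `('pass', 'none')`. Switching `adkim=s` to `adkim=r` in the record makes a signature for `mail.b.com` align with a `b.com` From domain, which is the difference between the strict and relaxed modes discussed above.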