Am I right to say that DMARC has no way to say "all emails must be signed"? My understanding here is that I can specify that I want DKIM to be either lax or strict – which I understand to mean that, if the message happens to be signed (consider email sent from example@b.com):
- Lax: it's OK for the DKIM DNS TXT record to belong to a subdomain (example@a.b.com)
- Strict: the DKIM DNS TXT record must belong to the exact sending domain (example@b.com)
However, there are also emails which have no DKIM signature at all, and other emails which might contain example@b.com in the FROM header but have an SMTP envelope from like example@some-mail-sending-service.com and do have a DKIM signature which is valid for some-mail-sending-service.com but not for b.com.
In both cases above, am I right to say that these are both "PASSES" in a sense? The former example has no invalid DKIM so it's just OK, and the latter is actually an aligned DKIM pass for the envelope from, so is also considered OK?
If I have a DMARC policy like:
v=DMARC1;p=reject;rua=mailto:xyz;ruf=mailto:xyz;adkim=s;aspf=s;pct=100;fo=1;sp=reject
Am I right to say that a malicious party will not be rejected for reasons relating to DKIM if they either:
- Use no DKIM at all.
- Send from a mail server which does use DKIM with a valid signature and uses an SMTP envelope.
In both above cases the DKIM policy of DMARC alone would not cause this email to be blocked?
Best Answer
I think you're mainly missing the 'alignment' which is required to get a DMARC compliant mail. This is what differentiates DMARC from the existing techniques.
Alignment means that DMARC requires you to set up authentication (SPF/DKIM) using the same* domain as the "From" domain. You mentioned alignment between the SPF domain (Envelope From) and the DKIM domain; however, this does not apply.
So an attacker cannot get a mail to pass DMARC if they would:
*) Using the alignment mode you can specify if you'd like an exact match (Strict) or would like to allow a match of a subdomain (Relaxed)
Does this help you and answer your question?
Regards,
Michiel
DMARC Analyzer
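To make the alignment point concrete, here is an added example (not code from the question, the answer, or DMARC Analyzer) that evaluates the two scenarios from the question against the exact policy record it quotes. It assumes SPF and DKIM have already been verified by the receiver and only decides whether the authenticated identifiers align with the RFC5322.From domain; the organizational domain is approximated as the last two labels, a simplification of the Public Suffix List lookup real verifiers use.

```python
# Minimal DMARC alignment evaluation in the spirit of RFC 7489, section 3.1.
# Example code written for this page; the org-domain rule is a simplification.

POLICY = "v=DMARC1;p=reject;rua=mailto:xyz;ruf=mailto:xyz;adkim=s;aspf=s;pct=100;fo=1;sp=reject"

def parse_dmarc(record):
    """Split 'v=DMARC1;p=reject;adkim=s;...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Approximate organizational domain: last two labels (no PSL lookup)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_pass(record, from_domain, spf_domain=None, spf_pass=False, dkim_results=()):
    """DMARC passes if at least one passing authenticator is aligned.

    spf_domain is the RFC5321.MailFrom (envelope from) domain checked by SPF;
    dkim_results is a sequence of (d= domain, signature_verified) pairs.
    """
    tags = parse_dmarc(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_ok = spf_pass and spf_domain is not None and aligned(from_domain, spf_domain, aspf)
    dkim_ok = any(ok and aligned(from_domain, d, adkim) for d, ok in dkim_results)
    return spf_ok or dkim_ok

if __name__ == "__main__":
    # Case 1 from the question: no DKIM at all, envelope from a third-party service.
    print(dmarc_pass(POLICY, "b.com", "some-mail-sending-service.com", True))        # False
    # Case 2: valid DKIM, but signed by the sending service, not by b.com.
    print(dmarc_pass(POLICY, "b.com", "some-mail-sending-service.com", True,
                     [("some-mail-sending-service.com", True)]))                      # False
    # Aligned DKIM signature from the From domain itself passes.
    print(dmarc_pass(POLICY, "b.com", dkim_results=[("b.com", True)]))              # True
    # Subdomain signature: rejected under adkim=s, accepted under adkim=r.
    print(dmarc_pass(POLICY, "b.com", dkim_results=[("a.b.com", True)]))            # False
    print(dmarc_pass("v=DMARC1;p=reject;adkim=r", "b.com", dkim_results=[("a.b.com", True)]))  # True
```

Neither of the question's two scenarios yields a DMARC pass: an unsigned message is not "OK by default", and a DKIM pass for the envelope-from domain only counts when that domain aligns with the From header domain.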