I have set up SPF, DKIM and DMARC in my domain (to the best that I can figure out), but I still can send spoofed emails - without a DKIM signature - and they are accepted (at least when I test with GMail - I assume they will be the most strict about such things(2)). When I spoof my domain from a non-SPF approved SMTP server, GMail does quarantine it, but as we use public SMTP senders for our work (such as Mailgun and friends(1)) SPF can't be the last line of defense - which is what DKIM is supposed to be, to my understanding.

I have set up my DKIM keys correctly, and signed e-mail is getting verified properly (I checked the email headers when received by GMail and it looks fine), and I have set up DMARC as follows:

$ dig txt _dmarc.mydomain.com
;;...
;; ANSWER SECTION:
_dmarc.mydomain.com. 300 IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected];"

But then sending a spoofed (i.e. unsigned) email through DNSExit (for completion, using a free account that is not my company's DNSExit account, not that it matters) - GMail accepts it as coming from my domain and does not quarantine it, nor label it with any kind of warning.

Here's the relevant header from the received email on GMail:

ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of [email protected] designates x.x.x.x as permitted sender) [email protected];
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mydomain.com

So it doesn't appear that GMail even checked DKIM?

I've read somewhere (though not at any of the DKIM setup instructions I've seen at mail service providers) - notably in this serverfault question - that you need to use a "domain policy record" in the top level _domainkey record for your domain, but that does nothing - and as noted in this serverfault answer it was obsoleted(?)

I would really like for public (complying) mailbox servers to stop accepting non-DKIM-signed emails that are supposedly sent from my domain - how can I do that?


(1) public SMTP senders that require authentication but don't always verify domain ownership properly (or at all, I'm looking at you - DNSExit).

(2) I later tested with outlook.com, and there it apparently does quarantine my spoofed email, with this header added: Authentication-Results: spf=permerror (sender IP is X.X.X.X) smtp.mailfrom=mydomain.com; dkim=none (message not signed) header.d=none;dmarc=fail action=quarantine header.from=mydomain.com;compauth=fail reason=000. Why is GMail not the bastion of security?

  • This is unfortunate! Likewise, Microsoft doesn't respect p=reject. Commented Jan 8, 2023 at 10:57
  • @EsaJokinen This is not unfortunate (regarding Gmail), but as designed. When you pass SPF checks in alignment with your domain, you pass DMARC as well. Microsoft, indeed, quarantines messages (if quarantine feature enabled, otherwise delivered to Junk) instead of rejecting when you set your policy to p=reject. You can, however, reject those messages with custom rules in Exchange Online. In Outlook.com these messages are flagged but end up in the Junk folder.
    – Reinto
    Commented Jan 8, 2023 at 13:04
  • In this question, both SPF & DKIM failed. Therefore, DMARC failed too, but the message wasn't quarantined. That is not by design (of DMARC). Commented Jan 8, 2023 at 14:42
  • I've updated my question to include the GMail's ARC-Authentication-Results header, which seem to indicate the DKIM wasn't even tested.
    – Guss
    Commented Jan 8, 2023 at 14:49
  • @EsaJokinen Perhaps the OP updated the post after you commented... But he says that Gmail does quarantine for "non-SPF approved SMTP server".
    – Reinto
    Commented Jan 8, 2023 at 15:47

1 Answer

DMARC

Unfortunately, you seem to be assuming that DMARC requires both SPF and DKIM to pass (or requires DKIM to pass in any scenario) to pass DMARC checks. It doesn't; it requires either a pass on SPF OR a pass on DKIM, in alignment with your sending domain (in the From header). Gmail seems to be behaving exactly as it is supposed to with regard to DMARC policy enforcement. This evaluation should be clear from the Authentication-Results header in the accepted Gmail message.

SPF

If you don't or can't trust public SMTP services, although they do require you to prove domain ownership, you could omit their services' IP ranges (via include or otherwise) from your domain's SPF record. Or, use the neutral mechanism (?) in front of the include to neither signal a pass, nor a fail.

DomainKeys vs DKIM

The top-level _domainkey record you describe is part of the predecessor technology of DKIM, called 'DomainKeys'. DKIM doesn't rely on this policy record any longer. And there are, to my knowledge, no ESPs left that rely on this technology.

Outlook.com

Outlook.com quarantined your message (sent to Junk folder?), not based on the absence of a DKIM signature, but instead on the failure to evaluate your SPF record (PermError) AND the absence of an aligned DKIM signature. This usually indicates a syntax error in your DNS record.

  • Re: outlook.com - Indeed there was a problem with my SPF (more than 10 DNS lookups). After fixing it, a new message had this header: Authentication-Results: spf=pass (sender IP is x.x.x.x) smtp.mailfrom=mydomain.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=mydomain.com;compauth=pass reason=100, but still landed in the junk box - maybe because Outlook has already seen several messages with the same From landing in junk? I'm more confused now.
    – Guss
    Commented Jan 8, 2023 at 14:19
  • Re: DKIM - so basically, if I understand what you are saying, there's no way to force DKIM signature on not-SPF-failing servers? Meaning that I need to make sure my SPF only authorizes services that verify domain ownership?
    – Guss
    Commented Jan 8, 2023 at 14:24
  • Or, as per the updated question (Gmail appears to not test DKIM at all), the other option is not publish SPF at all?
    – Guss
    Commented Jan 8, 2023 at 15:01
  • Outlook: Indeed, many factors contribute to the SPAM rating. Reputation of domain and sending host / IP are definitely part of the equation. Requiring DKIM: You can add the ? in front of your Mailgun-like services' includes, to have those neither Pass, nor Fail SPF. This will not result in a DMARC pass result, but may incur a slightly elevated SPAM rating depending on the ESP receiving the email. Gmail: Google most certainly does test DKIM. If you click the 3 dots in an opened email and choose "show original", you'll find that the Authentication-Results header also includes DKIM-test results.
    – Reinto
    Commented Jan 8, 2023 at 15:36
  • Regarding the GMail DKIM check - with SPF passing, the ARC-Authentication-Results header doesn't include any DKIM check so I understood that to mean what you said: "it requires either a pass on SPF - OR - a pass on DKIM" - it passed SPF so doesn't check DKIM. After changing the SPF to use ? - as per your suggestion, GMail now says: i=1; mx.google.com; spf=neutral (google.com: x.x.x.x is neither permitted nor denied by domain of [email protected]) [email protected]; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=mydomain.com. I think this is the solution.
    – Guss
    Commented Jan 9, 2023 at 9:17
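The decision rule the answer describes (DMARC passes on an aligned SPF pass OR an aligned DKIM pass, and only falls through to the published policy when neither exists), together with the "?" rewrite of the include terms that the last comment settles on, as an added worked example. This is illustrative Python, not code from the question, the answer, Gmail or Outlook.com. It assumes a simplified organizational-domain rule (last two labels, no Public Suffix List), and every domain, relay name and IP in it is a placeholder.

```python
"""Model of a receiver's DMARC verdict (RFC 7489 section 6.6.2) plus the
SPF-record rewrite suggested in the answer. Added example, not code from the
question, the answer, Gmail or Outlook.com. All domains are placeholders."""


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Real
    receivers consult the Public Suffix List (so 'example.co.uk' works);
    this shortcut is an assumption that only holds for two-label TLDs."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode="r"):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r',
    the default) needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=quarantine; rua=...' into a tag dict."""
    return {k.strip(): v.strip()
            for k, v in (kv.split("=", 1) for kv in txt.split(";") if "=" in kv)}


def evaluate_dmarc(record, header_from, spf_result, spf_domain, dkim_results):
    """Return (dmarc_result, disposition).

    spf_result   : SPF verdict on the MAIL FROM domain (pass, neutral,
                   softfail, fail, permerror, temperror, none)
    spf_domain   : the MAIL FROM (envelope) domain SPF was evaluated for
    dkim_results : one (result, d=domain) pair per DKIM-Signature header;
                   an empty list models an unsigned message

    DMARC passes when EITHER an aligned SPF pass OR an aligned DKIM pass
    exists; only when both are missing does the published policy apply.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ("none", "none")
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, header_from, tags.get("adkim", "r"))
                  for res, d in dkim_results)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # The subdomain policy (sp=) applies when the From domain sits below the org domain.
    hf = header_from.lower().rstrip(".")
    tag = "sp" if "sp" in tags and hf != org_domain(hf) else "p"
    return ("fail", tags.get(tag, "none"))


SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mech_name(term):
    """'?include:x' -> 'include', 'a/24' -> 'a', 'redirect=x' -> 'redirect'."""
    bare = term.lstrip("+-~?")
    for sep in (":", "/", "="):
        bare = bare.split(sep, 1)[0]
    return bare.lower()


def neutralize_includes(spf_txt, untrusted_includes):
    """Prefix the include: terms for the given domains with '?' so a match
    yields SPF 'neutral' instead of 'pass'. That removes the aligned SPF
    pass, so DMARC can then only pass on an aligned DKIM signature."""
    out = []
    for term in spf_txt.split():
        bare = term.lstrip("+-~?")
        if _mech_name(term) == "include" and bare.partition(":")[2] in untrusted_includes:
            out.append("?" + bare)
        else:
            out.append(term)
    return " ".join(out)


def count_lookup_terms(spf_txt):
    """Count the terms in this one record that each cost a DNS lookup toward
    the limit of 10 (RFC 7208 section 4.6.4). Terms inside included records
    count too but are not resolved here, so this is only a lower bound."""
    return sum(1 for t in spf_txt.split()[1:] if _mech_name(t) in SPF_LOOKUP_MECHS)


if __name__ == "__main__":
    # Record modelled on the one in the question, with a placeholder domain.
    rec = "v=DMARC1; p=quarantine; rua=mailto:dmarc@mydomain.example;"
    cases = {
        "Gmail: relay listed in SPF, unsigned":        ("pass", "mydomain.example", []),
        "Outlook: SPF permerror (>10 lookups), unsigned": ("permerror", "mydomain.example", []),
        "after ?include rewrite, unsigned":            ("neutral", "mydomain.example", []),
        "after ?include rewrite, DKIM-signed":         ("neutral", "mydomain.example",
                                                        [("pass", "mydomain.example")]),
    }
    for label, (spf, mfrom, dkim) in cases.items():
        print(f"{label:50} -> {evaluate_dmarc(rec, 'mydomain.example', spf, mfrom, dkim)}")

    spf = "v=spf1 include:_spf.mailhost.example include:spf.relay.example ip4:203.0.113.10 -all"
    print(neutralize_includes(spf, {"spf.relay.example"}))
    print("lookup-costing terms in this record:", count_lookup_terms(spf))
```

Running it reproduces the three headers quoted on this page: an aligned spf=pass gives dmarc=pass with no DKIM result needed, spf=permerror or spf=neutral without a signature gives dmarc=fail with the quarantine disposition, and a neutralized include only helps once mail from that relay carries an aligned DKIM signature. The lookup counter is deliberately static (it does not resolve the includes), so treat its result as a floor when chasing the 10-lookup PermError.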
