I have set up SPF, DKIM and DMARC in my domain (to the best that I can figure out), but I still can send spoofed emails - without a DKIM signature - and they are accepted (at least when I test with GMail - I assume they will be the most strict about such things(2)). When I spoof my domain from a non-SPF approved SMTP server, GMail does quarantine it, but as we use public SMTP senders for our work (such as Mailgun and friends(1)) SPF can't be the last line of defense - which is what DKIM is supposed to be, to my understanding.
I have set up my DKIM keys correctly, and signed e-mail is getting verified properly (I checked the email headers when received by GMail and it looks fine), and I have set up DMARC as follows:
$ dig txt _dmarc.mydomain.com
;;...
;; ANSWER SECTION:
_dmarc.mydomain.com. 300 IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected];"
But then sending a spoofed (i.e. unsigned) email through DNSExit (for completion, using a free account that is not my company's DNSExit account, not that it matters) - GMail accepts it as coming from my domain and does not quarantine it, nor label it with any kind of warning.
Here's the relevant header from the received email on GMail:
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of [email protected] designates x.x.x.x as permitted sender) [email protected];
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mydomain.com
So it doesn't appear that GMail even checked DKIM?
I've read somewhere (though not at any of the DKIM setup instructions I've seen at mail service providers) - notable in this serverfault question that you need to use a "domain policy record" in the top level _domainkey
record for your domain, but that does nothing - and as noted in this serverfault answer it was obsoleted(?)
I would really like for public (complying) mailbox servers to stop accepting non-DKIM-signed emails that are supposedly sent from my domain - how can I do that?
(1) public SMTP senders that require authentication but don't always verify domain ownership properly (or at all, I'm looking at you - DNSExit).
(2) I later tested with outlook.com, and there it apparently does quarantine my spoofed email, with this header added: Authentication-Results: spf=permerror (sender IP is X.X.X.X) smtp.mailfrom=mydomain.com; dkim=none (message not signed) header.d=none;dmarc=fail action=quarantine heaader.from=mydomain.com;compauth=fail reason=000
. Why is GMail not the bastion of security?
p=reject
.p=reject
. You can, however, reject those messages with custom rules in Exchange Online. In Outlook.com these messages are flagged but end up in the Junk folder.ARC-Authentication-Results
header, which seem to indicate the DKIM wasn't even tested.