DKIM E-Mail verification - prevent receivers from accepting unsigned emails?

Question

I have set up SPF, DKIM and DMARC in my domain (to the best that I can figure out), but I still can send spoofed emails - without a DKIM signature - and they are accepted (at least when I test with GMail - I assume they will be the most strict about such things⁽²⁾). When I spoof my domain from a non-SPF approved SMTP server, GMail does quarantine it, but as we use public SMTP senders for our work (such as Mailgun and friends⁽¹⁾) SPF can't be the last line of defense - which is what DKIM is supposed to be, to my understanding.

I have set up my DKIM keys correctly, and signed e-mail is getting verified properly (I checked the email headers when received by GMail and it looks fine), and I have set up DMARC as follows:

$ dig txt _dmarc.mydomain.com
;;...
;; ANSWER SECTION:
_dmarc.mydomain.com. 300 IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected];"

But then sending a spoofed (i.e. unsigned) email through DNSExit (for completion, using a free account that is not my company's DNSExit account, not that it matters) - GMail accepts it as coming from my domain and does not quarantine it, nor label it with any kind of warning.

Here's the relevant header from the received email on GMail:

ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of [email protected] designates x.x.x.x as permitted sender) [email protected];
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mydomain.com

So it doesn't appear that GMail even checked DKIM?

I've read somewhere (though not at any of the DKIM setup instructions I've seen at mail service providers) - notable in this serverfault question that you need to use a "domain policy record" in the top level _domainkey record for your domain, but that does nothing - and as noted in this serverfault answer it was obsoleted(?)

I would really like for public (complying) mailbox servers to stop accepting non-DKIM-signed emails that are supposedly sent from my domain - how can I do that?

---

_{(1) public SMTP senders that require authentication but don't always verify domain ownership properly (or at all, I'm looking at you - DNSExit).}

_{(2) I later tested with outlook.com, and there it apparently does quarantine my spoofed email, with this header added: Authentication-Results: spf=permerror (sender IP is X.X.X.X) smtp.mailfrom=mydomain.com; dkim=none (message not signed) header.d=none;dmarc=fail action=quarantine heaader.from=mydomain.com;compauth=fail reason=000. Why is GMail not the bastion of security?}

Answer 1

DMARC

Unfortunately, you seem to be assuming that DMARC requires both SPF and DKIM to pass (or require DKIM to pass in any scenario), to pass DMARC checks. It doesn't, it requires either a pass on SFP - OR - a pass on DKIM, in alignment with your sending domain (in the From header). Gmail seems to be behaving exactly as supposed, in regards to DMARC policy enforcement. This evaluation should be clear from the Authentication-Results header in the accepted Gmail message.

SPF

If you don't or can't trust public SMTP services, although they do require you to prove domain ownership, you could omit their services IP ranges (via include or otherwise) from your domain's SPF record. Or, use the neutral mechanism (?) in front of the include to neither signal a pass, nor a fail.

DomainKeys vs DKIM

The top-level _domainkey record you describe is part of the predecessor technology of DKIM, called 'DomainKeys'. DKIM doesn't rely on this policy record any longer. And there are, to my knowledge, no ESPs left that rely on this technology.

Outlook.com

Outlook.com quarantined your message (sent to Junk folder?), not based on the absence of a DKIM signature, but instead on the failure to evaluate your SPF record (PermError)- AND - the absence of an aligned DKIM signature. This usually indicates a syntax error in your DNS record.