Currently, DMARC only requires aligned DKIM or SPF.
However spoofing SPF is relatively simple for an experienced hacker:
- You should only control a single IP address in the often large SPF range of e-mail service providers (Microsoft, Google, Mailchimp, ...). It may be even possible to legally do so if the list contains out of date IP addresses.
- Or you can try to use a bug/hole in the sender verification performed by those service providers. At least some providers do not perform a very secure sender domain verification.
The essential problem with SPF is that it whitelists an IP that is shared by many clients of such a service providers.
At the other hand, the DKIM key is probably secured much better by those service providers and it is (often) linked to a single customer. Or at least, it should be much easier to secure a DKIM key than to ensure that a hacker could not send an e-mail from one of the allowed SPF IP addresses with a sender address chosen by the hacker.
So, wouldn't it be beneficial that DMARC is extended to allow specifying that DKIM should be aligned? Or does a successor of DMARC exists to enforce DKIM alignment?
Partially related questions:
- DMARC Alignment: Enforce messages pass BOTH SPF and DKIM (It's not a duplicate as my question is whether it is a good DMARC design that we couldn't enforce DKIM).
- Can DMARC's SPF alignment be spoofed? (About the possibility of spoofing aligned SPF: spoofing SPF is easier than spoofing DKIM).