
Currently, DMARC only requires aligned DKIM or SPF.

However, spoofing SPF is relatively simple for an experienced hacker:

  • You only need to control a single IP address in the often large SPF range of e-mail service providers (Microsoft, Google, Mailchimp, ...). It may even be possible to do so legally if the list contains out-of-date IP addresses.
  • Or you can try to use a bug/hole in the sender verification performed by those service providers. At least some providers do not perform very secure sender domain verification.

The essential problem with SPF is that it whitelists an IP that is shared by many clients of such service providers.

On the other hand, the DKIM key is probably secured much better by those service providers and it is (often) linked to a single customer. Or at least, it should be much easier to secure a DKIM key than to ensure that a hacker cannot send an e-mail from one of the allowed SPF IP addresses with a sender address of the hacker's choosing.

So, wouldn't it be beneficial if DMARC were extended to allow specifying that DKIM should be aligned? Or does a successor of DMARC exist to enforce DKIM alignment?

Partially related questions:

  • If you do not trust your service providers to not allow spoofed mail... you have problems for which the solution lies well outside the scope of any "sprinkle some crypto over it" solution.
    – anx
    Commented Oct 29, 2022 at 19:28
  • Also, right now we seem to be losing the usefulness of DKIM because people won't start migrating off SHA1 (broken) or RSA (broken for reasonable key sizes), so I would be rather pessimistic about industry-wide buy-in for further complication of a mechanism whose results are then routinely ignored by the recipients anyway.
    – anx
    Commented Oct 29, 2022 at 19:28
  • @anx Is RSA broken? Even for (currently common) 2048 bit keys?
    – m7913d
    Commented Oct 29, 2022 at 19:36
  • @anx I indeed do not (fully) trust their infrastructure (should I fully trust those large well-established players?). It's just relatively easier to circumvent SPF than to circumvent DKIM. DKIM doesn't sound to me like "sprinkling some crypto". Why would it otherwise be common practice to salt and hash passwords or to use a VPN to access a Remote Desktop if those architectures were really fully trustworthy? The attack surface of DKIM just seems much smaller to me compared to SPF.
    – m7913d
    Commented Oct 29, 2022 at 19:49
  • @anx, see also this thread about spoofing aligned SPF: security.stackexchange.com/questions/264133/….
    – m7913d
    Commented Oct 29, 2022 at 20:03

2 Answers


Accepting either of the authentication mechanisms is well rooted in the key concepts of the DMARC specification (RFC 7489, 4.2). Changing it at this point would require major modifications to every implementation.

However, a domain could be protected in a way that only a passing and aligned DKIM signature lets DMARC pass. Furthermore, this can be done in a way that does not allow just anyone to use the domain as the envelope sender, unlike what is suggested in the answer from @anx.

This is possible with the strict alignment available for both DKIM- and SPF-Authenticated Identifiers.

In relaxed mode, the [SPF]-authenticated domain and RFC5322.From domain must have the same Organizational Domain. In strict mode, only an exact DNS domain match is considered to produce Identifier Alignment.

Knowing this,

  1. Disallow using the apex of the domain as an envelope sender.

    example.com TXT "v=spf1 -all"
    
  2. Pick a subdomain to be used for the envelope addresses, and allow SPF as required, e.g.,

    mailer.example.com TXT "v=spf1 +ip4:192.0.2.100 -all"
    
  3. Require strict SPF alignment mode with aspf=s, e.g.,

    _dmarc.example.com. IN TXT "v=DMARC1; p=reject; aspf=s; adkim=r;"
    
    
  4. Set up a passing DKIM signing aligned with the From address, either in strict or in relaxed mode.

  • Nice work-around. If requiring both is indeed useful, it should be possible to add an extra option in a backwards compatible way, allowing the major implementation to alter its implementation (which shouldn't be that hard).
    – m7913d
    Commented Dec 17, 2022 at 17:32
  • Disadvantage is that this approach allows passing DMARC as an aligned SPF sender for the configured subdomain.
    – m7913d
    Commented Dec 17, 2022 at 17:33
  • On the other hand, that would be clearly visible to the receiver, if you use serviceprovider.example.com envelope domains. Commented Dec 17, 2022 at 17:49
  • Unfortunately, there's no DMARC policy that would prevent using a passing alignment. Commented Dec 17, 2022 at 17:57
  • If the service provider isn't permitted to use such a subdomain in the From header and a malicious actor does so from an IP address on the included policy, monitoring the reports will reveal it in a day. Such IP addresses can then be explicitly banned using the -ip4 mechanism of SPF; that overrides any include mechanism. Commented Dec 17, 2022 at 18:01


wouldn't it be beneficial to allow specifying that DKIM should be aligned

This is already the default behaviour, if there is no way to achieve an aligned SPF match. What then remains of the DMARC alternatives is the requirement to get an aligned & valid DKIM signature.

In the simplest form - though by no means ideal, see here - you could just not opt in to SPF, or expressly opt out (v=spf1 ?all). You do not have to use SPF.

Note that this will impose some limitations on how you can authorize 3rd parties to send in your name. Some but not all senders will be able to sign, or relay to your machine holding a published key for signing.

  • The disadvantage of this approach is that not implementing SPF may negatively impact the spam score of your e-mail. Therefore, disabling SPF seems to me not a good solution.
    – m7913d
    Commented Oct 29, 2022 at 20:23
  • @m7913d My personal experience is that if recipients treat you badly purely from static checking-boxes analysis, they are going to treat you badly anyway. If you have any remotely significant outgoing volume, there are so many better metrics to judge you on a scale from s[cp]ammer to legitimate. You may not need to care about operators who rely exclusively on, by nature highly imprecise, spam filtering.
    – anx
    Commented Oct 29, 2022 at 20:28
  • It is possible to configure SPF and still make it unaligned with the From header, as explained in my answer. Commented Dec 17, 2022 at 15:07
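The two answers above both come down to how a receiver evaluates DMARC identifier alignment (RFC 7489, section 3.1): the first answer publishes SPF only for a subdomain and sets aspf=s so that an SPF pass can never align with a From address at the apex, the second simply leaves no SPF pass to be had. The following is an added example, not code from either answer and not from any DMARC implementation; it evaluates the alignment step over already-computed SPF and DKIM results (the kind of data an Authentication-Results header carries) and does not perform the SPF lookup or verify the DKIM signature itself. The organizational-domain derivation is a deliberate simplification (a real verifier consults the Public Suffix List), and the domain names, IP address and scenarios are constructed for illustration.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1) evaluated over SPF/DKIM results.

Added example code. Constructed inputs; the organizational-domain logic is a
placeholder for a Public Suffix List lookup.
"""

# Assumption: a tiny stand-in for the Public Suffix List.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# The policy from the first answer (strict SPF alignment, relaxed DKIM) and a
# conventional relaxed one for comparison.
POLICY_STRICT_SPF = "v=DMARC1; p=reject; aspf=s; adkim=r;"
POLICY_RELAXED = "v=DMARC1; p=reject;"


def organizational_domain(domain):
    """Return the organizational domain (simplified PSL handling, see assumption above)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' requires an exact match, 'r' the same organizational domain."""
    auth_domain = auth_domain.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, applying the RFC defaults for adkim/aspf/p."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def evaluate_dmarc(record, from_domain, spf=None, dkim=()):
    """Apply RFC 7489 section 4.2: DMARC passes if *either* SPF or DKIM passes *and* aligns.

    spf:  (result, RFC5321.MailFrom domain) or None when no SPF check was done.
    dkim: iterable of (result, d= domain) pairs, one per signature.
    Returns (passed, reason).
    """
    tags = parse_dmarc(record)
    if spf is not None:
        result, mail_from = spf
        if result == "pass" and aligned(mail_from, from_domain, tags["aspf"]):
            return True, "spf pass, aligned (aspf=%s)" % tags["aspf"]
    for result, d_domain in dkim:
        if result == "pass" and aligned(d_domain, from_domain, tags["adkim"]):
            return True, "dkim pass d=%s, aligned (adkim=%s)" % (d_domain, tags["adkim"])
    return False, "no aligned pass; apply p=%s" % tags["p"]


def scenarios():
    """Constructed cases mirroring the thread; returns {name: passed}."""
    spf_pass_sub = ("pass", "mailer.example.com")  # mail from 192.0.2.100 per the answer
    dkim_pass = [("pass", "example.com")]
    return {
        # Legitimate provider mail: SPF passes but does not align strictly, DKIM carries it.
        "legit_dkim_signed": evaluate_dmarc(POLICY_STRICT_SPF, "example.com", spf_pass_sub, dkim_pass)[0],
        # Attacker on a shared provider IP with no DKIM key: blocked by aspf=s.
        "spoof_strict": evaluate_dmarc(POLICY_STRICT_SPF, "example.com", spf_pass_sub)[0],
        # Same spoof under a relaxed policy would have passed: the point of the question.
        "spoof_relaxed": evaluate_dmarc(POLICY_RELAXED, "example.com", spf_pass_sub)[0],
        # Caveat from the comments: a From address at the subdomain still passes via SPF.
        "subdomain_from": evaluate_dmarc(POLICY_STRICT_SPF, "mailer.example.com", spf_pass_sub)[0],
        # Second answer: no SPF pass possible (?all -> neutral), only aligned DKIM remains.
        "no_spf_dkim_only": evaluate_dmarc(POLICY_RELAXED, "example.com", ("neutral", "example.com"), dkim_pass)[0],
    }


if __name__ == "__main__":
    for name, passed in scenarios().items():
        print("%-20s %s" % (name, "pass" if passed else "fail"))
```

Note that the alignment check is the only place the policy can discriminate between the two mechanisms: there is no DMARC tag that says "require DKIM", so the strict-SPF arrangement works purely by making an aligned SPF pass unattainable for the apex From domain, and it still lets SPF carry a message whose From address is the subdomain itself.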
