Why use DMARC when SPF -all can do the job?
With DMARC I can set the policy to reject mail.
But isn't it the same thing I can do with -all from within an SPF record?
The same goes for quarantine and a softfail ~all.
Besides the reporting, where is the benefit of using DMARC on top of SPF?
email-server dmarc
asked Feb 23 at 19:03
Gordo2019
3 Answers
With DMARC you can tell how the recipient should handle both DKIM and SPF. It's also the only way to tell that DKIM is available and required, as DKIM in itself only applies to mail already signed with it.
SPF protects your domain from being used on the SMTP protocol level as the envelope sender, but the recipient only sees the headers, which SPF doesn't protect. The envelope sender might get recorded in the Return-Path header, but most users only ever see the From: header and think the email is coming from that address. Only DKIM enforced with DMARC can protect the From header.
Because SPF+DMARC and DKIM+DMARC protect against different kinds of forgery, you should have them both. Also, your DMARC alignment can tell that the message can be unsigned with DKIM as long as the SPF passes, and that the SPF doesn't need to pass for DKIM-signed messages. This becomes handy when you have more than one use case for a single mail domain.
edited Feb 23 at 21:18
answered Feb 23 at 21:10
Esa Jokinen
I thought SPF was checking the header From. Didn't know it is checking the envelope From. Now it makes a little bit more sense, even if I haven't fully understood yet. Will read more. Thanks! – Gordo2019, Feb 24 at 9:03
It's good to configure these all on both ends, at least as a practice. Then you'll see and learn in detail what really happens and what problems may arise from misconfiguration. – Esa Jokinen, Feb 24 at 9:13
I am just a web developer with a managed server. No IT guy. Unfortunately I can't do this on my server. DKIM hasn't spread much, sadly. – Gordo2019, Feb 24 at 9:43
SPF only specifies which addresses are authorized to send mail for your domain. It is up to the recipient to decide what to do with that information.
DMARC allows you to indicate exactly what actions you would like recipients to take when the SPF check fails.
These are not redundant, but complementary.
answered Feb 23 at 19:20
Michael Hampton♦
By RFC, -all should mean to drop/discard the incoming email which does match it. The real difference is mainly what @EsaJokinen described (i.e. envelope sender vs From: header). – shodanshok, Feb 23 at 21:26
@shodanshok You need to read section 8 of that RFC. – Michael Hampton♦, Feb 23 at 21:41
From 8.4: A "fail" result is an explicit statement that the client is not authorized to use the domain in the given identity. Disposition of SPF fail messages is a matter of local policy. So yes, an SMTP server can choose how to treat a matching fail (I used "should" for that reason, maybe it wasn't the best word...), but it gives a very clear warning that often results in a) a 550 error or b) a higher spam score (see appendix G). Its main drawback is that it only protects the envelope address; on the other hand, DMARC enables you to specify the policy for the From: header. – shodanshok, Feb 23 at 22:33
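The point Michael Hampton's answer and shodanshok's follow-up make, that an SPF "fail" is a result and the receiver's local policy decides what happens to it, is easiest to see in code. The following is an added example written for this page, not code from any of the answers or from any SPF library: a minimal SPF evaluator (only ip4/ip6 mechanisms and all are implemented, which is an assumption made to keep it short) plus an illustrative receiver policy. The TXT records and IP addresses are constructed sample data, not real DNS.

```python
import ipaddress

# Constructed sample TXT records (not real DNS data) standing in for what a
# resolver would return for each domain's SPF lookup.
SAMPLE_SPF_RECORDS = {
    "a.com": "v=spf1 ip4:192.0.2.10 ip4:192.0.2.0/28 -all",
    "b.com": "v=spf1 ip4:198.51.100.5 ~all",
}

# SPF result produced by each qualifier (RFC 7208 section 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a minimal SPF record against the connecting client IP.

    Assumption: only the ip4/ip6 mechanisms and 'all' are supported here
    (include, a, mx, exists and redirect are out of scope). That is enough
    to show that -all yields 'fail' and ~all yields 'softfail'.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"          # no usable SPF record for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"        # an unqualified mechanism means pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"           # no mechanism matched (RFC 7208 section 4.7)


def receiver_disposition(spf_result, reject_on_fail=True):
    """Illustrative local policy. RFC 7208 section 8.4 leaves the disposition
    of a 'fail' to the receiver, so the SPF result is an input, not an order.
    Returns (action, note); the SMTP reply is only used when rejecting in-session.
    """
    if spf_result == "fail" and reject_on_fail:
        return "reject", "550 5.7.1 SPF check failed"
    if spf_result in ("fail", "softfail"):
        return "accept", "increase spam score"
    return "accept", ""


def check_envelope_sender(mail_from, client_ip, records=SAMPLE_SPF_RECORDS):
    """Run the SPF check for an SMTP MAIL FROM address and apply local policy.
    Note that only the envelope sender is examined; the From: header is never
    looked at, which is exactly the gap DMARC alignment closes.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = evaluate_spf(records.get(domain, ""), client_ip)
    return result, receiver_disposition(result)


if __name__ == "__main__":
    for sender, ip in [("bounce@a.com", "192.0.2.7"),
                       ("bounce@a.com", "203.0.113.9"),
                       ("bounce@b.com", "203.0.113.9")]:
        print(sender, ip, check_envelope_sender(sender, ip))
```

Running the block shows the two different outcomes for the same unauthorized IP: a.com's -all produces "fail" and, under this receiver's policy, a 550 rejection, while b.com's ~all produces "softfail" and only a spam-score adjustment. Flip reject_on_fail to False and the very same "fail" is accepted, which is the local-policy freedom the RFC grants and the reason a domain owner cannot rely on -all alone to enforce rejection.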
TL;DR: SPF alone can't protect you against exact-domain email spoofing. DMARC is a must.
Here is a scenario that passes your SPF's -all protection.
Let's assume you have the a.com domain, and I own b.com. I set up a v=spf1 myserversIP -all TXT SPF record in b.com's DNS, and additionally installed a mail server on the myserversIP host to send emails over SMTP. I use bounce@b.com as my envelope from address (which is the Return-Path header on the receiving side) and send an email putting From: you@a.com in the email's body. The MDA receives my email and performs the following pseudo actions:
- Extracts the domain from Return-Path: bounce@b.com
- Performs a DNS lookup of b.com's SPF record, and gets v=spf1 myserversip -all
- Verifies the sender's IP (aka my host's IP) against the SPF IPs
- Marks the email as authenticated and valid
- Congratulations. I have just sent an email pretending to be you
So how to prevent this situation? DMARC comes to the rescue. DMARC adds an important new mechanism: alignment. With DMARC enabled, the MDA basically performs the following pseudo actions after the 3rd step:
- Checks the From and Return-Path domains' alignment (b.com against a.com)
- Marks the email as unauthenticated as alignment failed
- Congratulations. DMARC prevented email spoofing.
That's it. Hope my answer makes sense.
PS: I am a co-founder of an all-in-1 DMARC deployment system. Every day I am dealing with lots of customers, explaining the importance of DMARC and how it is the best industry standard nowadays to protect your domain against email spoofing and phishing.
answered 1 min ago
Engineer
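Both Esa Jokinen's answer (DMARC passes on either an aligned SPF pass or an aligned DKIM pass, so an unsigned message can still pass on SPF and a signed one need not pass SPF) and the scenario in the answer just above (SPF passes for b.com, but the From: domain a.com is not aligned) come down to the alignment check. The following is an added example written for this page, not code from either answer or from any DMARC product: a DMARC policy parser and evaluator that takes already-computed SPF and DKIM results as input, the way an MDA would read them from its own authentication step. The DMARC record is constructed sample data, and the organizational-domain function is a simplification (last two labels) where a real implementation would consult the Public Suffix List.

```python
# Constructed DMARC record for a.com, i.e. what a resolver would return for
# the TXT lookup of _dmarc.a.com; not real DNS data.
SAMPLE_DMARC_RECORDS = {
    "a.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@a.com",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into its tags and fill in the RFC 7489
    defaults that matter here (p=none, relaxed alignment for both identifiers)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Assumption:
    real implementations use the Public Suffix List (co.uk and friends)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """Return (dmarc_result, disposition) for one message.

    from_domain is taken from the RFC5322 From: header. spf_domain is the
    MAIL FROM domain the SPF check ran against; dkim_domain is the d= of a
    verified signature (None when the message is unsigned). Per RFC 7489 the
    message passes when EITHER an aligned SPF pass OR an aligned DKIM pass
    exists; otherwise the record's p= tag is the requested disposition.
    """
    tags = parse_dmarc(record)
    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and aligned(from_domain, spf_domain, tags["aspf"]))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(from_domain, dkim_domain, tags["adkim"]))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    return "fail", tags["p"]


def engineer_scenario(records=SAMPLE_DMARC_RECORDS):
    """The spoof described above: From: you@a.com, MAIL FROM bounce@b.com,
    SPF passed for b.com's own record, and no DKIM signature at all."""
    return evaluate_dmarc("a.com", "pass", "b.com", "none", None, records["a.com"])


if __name__ == "__main__":
    rec = SAMPLE_DMARC_RECORDS["a.com"]
    print("spoof, SPF pass for b.com:", engineer_scenario())
    print("DKIM d=a.com via third party:", evaluate_dmarc("a.com", "fail", "esp.example", "pass", "a.com", rec))
    print("unsigned, SPF pass for mail.a.com:", evaluate_dmarc("a.com", "pass", "mail.a.com", "none", None, rec))
```

The first case is the one that SPF alone lets through: b.com's SPF check passes, but b.com is not aligned with the From: domain a.com, so DMARC fails and a.com's p=reject is the requested disposition. The second and third cases are the two legitimate patterns Esa's answer describes, a DKIM-signed message whose envelope belongs to a third party, and an unsigned message whose envelope subdomain aligns under the relaxed default; switch aspf to s and the third case fails, which is worth remembering when a DMARC report shows SPF passing but DMARC failing.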