Why use DMARC when SPF -all can do the job?



With DMARC I can set the policy to reject mail.
But isn't it the same I can do with -all from within an SPF?

Same goes for quarantine and a softfail ~all.

Besides the reporting, where is the benefit of using DMARC on top of SPF?










      email-server dmarc






      asked Feb 23 at 19:03









Gordo2019

          3 Answers
With DMARC you can tell how the recipient should handle both DKIM and SPF. It's also the only way to tell that DKIM is available and required, as DKIM in itself only applies to mail already signed with it.

SPF protects your domain from being used on the SMTP protocol level as the envelope sender, but the recipient only sees the headers, which SPF doesn't protect. The envelope sender might get recorded in the Return-Path header, but most users only ever see the From: and think the email is coming from that address. Only DKIM enforced with DMARC can protect the From header.

Because SPF+DMARC and DKIM+DMARC protect against different kinds of forgery, you should have them both. Also, your DMARC alignment can tell that the message can be unsigned with DKIM as long as the SPF passes, and that the SPF doesn't need to pass for DKIM-signed messages. This becomes handy when you have more than one use case for a single mail domain.







            edited Feb 23 at 21:18

























            answered Feb 23 at 21:10









Esa Jokinen

• I thought SPF is checking the header From. Didn't know it is checking the envelope From. Now it makes a little bit more sense, even if I haven't fully understood it yet. Will read more. Thanks!

  – Gordo2019
  Feb 24 at 9:03

• It's good to configure these all on both ends, at least as a practice. Then you'll see and learn in detail what really happens and what problems may arise from misconfiguration.

  – Esa Jokinen
  Feb 24 at 9:13

• I am just a web developer with a managed server. No IT guy. Unfortunately I can't do this on my server. DKIM hasn't spread much, sadly.

  – Gordo2019
  Feb 24 at 9:43

















            SPF only specifies which addresses are authorized to send mail for your domain. It is up to the recipient to decide what to do with that information.



            DMARC allows you to indicate exactly what actions you would like recipients to take when the SPF check fails.



            These are not redundant, but complementary.







            answered Feb 23 at 19:20









Michael Hampton

• By RFC, -all should mean to drop/discard the incoming email which matches it. The real difference is mainly what @EsaJokinen described (i.e. envelope sender vs From: header).

  – shodanshok
  Feb 23 at 21:26

• @shodanshok You need to read section 8 of that RFC.

  – Michael Hampton
  Feb 23 at 21:41

• From 8.4: A "fail" result is an explicit statement that the client is not authorized to use the domain in the given identity. Disposition of SPF fail messages is a matter of local policy. So yes, an SMTP server can choose how to treat a matching fail (I used "should" for that reason, maybe it wasn't the best word...), but it gives a very clear warning that often results in a) a 550 error or b) a higher spam score (see appendix G). Its main drawback is that it only protects the envelope address; on the other hand, DMARC enables you to specify the policy for the From: header.

  – shodanshok
  Feb 23 at 22:33


















TL;DR SPF alone can't protect you against exact-domain email spoofing. DMARC is a must.

Here is a scenario that passes your SPF's -all protection.

Let's assume you have the a.com domain, and I own b.com. I set up a v=spf1 myserversIP -all TXT SPF record in b.com's DNS, and additionally installed a mail server on the myserversIP host to send emails over SMTP. I use bounce@b.com as my envelope from address (which is the Return-Path header on the receiving side) and send an email putting From: you@a.com in the email's body. The MDA receives my email and performs the following pseudo actions:

1. Extracts the domain from Return-Path: bounce@b.com

2. Performs a DNS lookup of b.com's SPF record, and gets v=spf1 myserversip -all

3. Verifies the sender's IP (aka my host's IP) against the SPF IPs

4. Marks the email as authenticated and valid

5. Congratulations. I have just sent an email pretending to be you

So how to prevent this situation? DMARC comes to the rescue. DMARC adds an important new mechanism: alignment. With DMARC enabled, the MDA basically performs the following pseudo actions after the 3rd step:

1. Checks the From and Return-Path domains' alignment (b.com against a.com)

2. Marks the email as unauthenticated as alignment failed

3. Congratulations. DMARC prevented email spoofing.

That's it. Hope my answer makes sense.

PS: I am a co-founder of an all-in-1 DMARC deployment system. Every day I am dealing with lots of customers to explain the importance of DMARC, how it is the best industry standard nowadays to protect your domain against email spoofing and phishing.
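As an added example (not code from any answer in this thread), the following Python evaluator walks through the a.com/b.com scenario above and also the point made in Esa Jokinen's answer that an aligned DKIM signature can carry a message whose SPF check fails. It assumes constructed in-memory DMARC records in place of DNS, takes the SPF and DKIM verdicts as inputs rather than computing them, and uses a simplified organizational-domain helper where a real implementation would consult the Public Suffix List.

```python
"""Minimal DMARC identifier-alignment evaluator (added example).

Assumptions: DNS is replaced by constructed in-memory records; the SPF
and DKIM verdicts are given as inputs (nothing here verifies them).
Domain names a.com / b.com follow the scenario in the answer above.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed DMARC records standing in for _dmarc.<domain> TXT lookups.
DMARC_RECORDS = {
    "a.com": "v=DMARC1; p=reject; aspf=s; adkim=r",
    "example.net": "v=DMARC1; p=none",
}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, applying RFC 7489 defaults
    (relaxed alignment for both identifiers, policy none)."""
    tags = {"aspf": "r", "adkim": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: keep the last two labels.
    A real implementation uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the
    RFC5322.From domain, relaxed ('r') only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str              # RFC5322.From domain (what the user sees)
    mail_from_domain: str         # envelope sender / Return-Path domain
    spf_result: str               # "pass" or "fail" for mail_from_domain
    dkim_domain: Optional[str]    # d= of a valid signature, or None
    dkim_result: str = "none"     # "pass" / "fail" / "none"


def evaluate(msg: Message) -> dict:
    """Return the DMARC verdict and the disposition the From domain asks for.
    DMARC passes if either SPF or DKIM passed AND is aligned with From."""
    record = DMARC_RECORDS.get(msg.from_domain)
    if record is None:
        # No DMARC record: SPF alone cannot object to the From: header.
        return {"dmarc": "none", "disposition": "none"}
    tags = parse_dmarc(record)
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.mail_from_domain, msg.from_domain, tags["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(
        msg.dkim_domain, msg.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    return {"dmarc": "fail", "disposition": tags["p"]}


# Scenario from the answer: SPF passes for b.com, but From: claims a.com.
SPOOFED = Message(from_domain="a.com", mail_from_domain="b.com",
                  spf_result="pass", dkim_domain=None)
# Legitimate mail via a third-party relay: SPF fails, aligned DKIM passes.
RELAYED = Message(from_domain="a.com", mail_from_domain="relay.example.net",
                  spf_result="fail", dkim_domain="a.com", dkim_result="pass")

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("relayed", RELAYED)):
        print(name, evaluate(msg))
```

Without a DMARC record for a.com the spoofed message would get verdict "none", which is exactly the gap the answer describes: SPF only judged b.com's envelope sender.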
                answered 1 min ago

                Engineer

                1213
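The evaluation the answer above walks through, as an added example (not code from the answer's author or from any DMARC product): a toy model of the SPF check on the envelope domain followed by DMARC identifier alignment against the From: domain. DNS is a constructed in-memory dict (the a.com, b.com, mail.c.com names and 192.0.2.x/198.51.100.x/203.0.113.x addresses are all made up), only ip4 mechanisms are evaluated, the organizational domain is approximated by the last two labels instead of the Public Suffix List, and DKIM is ignored, so a DMARC "pass" here means "SPF pass with an aligned domain". It goes slightly beyond the answer by also showing strict (aspf=s) versus relaxed (aspf=r) alignment and the case where the From: domain publishes no DMARC record at all.

```python
"""
Toy model of the SPF check and the DMARC identifier-alignment check a receiving
MDA performs on one inbound message.  All DNS data is constructed and held in
memory (no network); only ip4 mechanisms are evaluated; DKIM is ignored.
"""
import ipaddress

# Constructed TXT records for the scenario: a.com is the domain being protected,
# b.com is a domain the sender of the spoofed message controls.
DNS_TXT = {
    "a.com":        "v=spf1 ip4:192.0.2.10 -all",
    "mail.a.com":   "v=spf1 ip4:192.0.2.10 -all",
    "b.com":        "v=spf1 ip4:198.51.100.7 -all",
    "mail.c.com":   "v=spf1 ip4:203.0.113.5 -all",
    "_dmarc.a.com": "v=DMARC1; p=reject; aspf=s",   # strict SPF alignment
    "_dmarc.c.com": "v=DMARC1; p=quarantine",       # aspf defaults to relaxed
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain, client_ip):
    """Minimal SPF evaluation: ip4 mechanisms plus the trailing 'all' term."""
    record = DNS_TXT.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIER_RESULT[qualifier]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def org_domain(domain):
    """Organizational domain.  Simplification: real DMARC consults the Public
    Suffix List; the last two labels are enough for the .com names used here."""
    return ".".join(domain.lower().split(".")[-2:])


def is_aligned(header_from_domain, authenticated_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' an org-domain match."""
    if mode == "s":
        return header_from_domain.lower() == authenticated_domain.lower()
    return org_domain(header_from_domain) == org_domain(authenticated_domain)


def lookup_dmarc(header_from_domain):
    """Policy from _dmarc.<from-domain>, falling back to the organizational domain."""
    for name in (header_from_domain, org_domain(header_from_domain)):
        record = DNS_TXT.get("_dmarc." + name, "")
        if record.startswith("v=DMARC1"):
            tags = {}
            for part in record.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip()] = value.strip()
            return tags
    return None


def evaluate(client_ip, mail_from, header_from):
    """Return (spf_result, dmarc_result, disposition) for one message.

    mail_from   is the SMTP envelope sender (Return-Path on the receiving side),
    header_from is the RFC 5322 From: address the recipient actually sees."""
    mail_from_domain = mail_from.rsplit("@", 1)[1]
    header_from_domain = header_from.rsplit("@", 1)[1]

    spf = check_spf(mail_from_domain, client_ip)     # SPF looks at the envelope domain only
    policy = lookup_dmarc(header_from_domain)
    if policy is None:
        return spf, "none", "none"                   # no DMARC: the SPF verdict is all there is

    aligned = is_aligned(header_from_domain, mail_from_domain, policy.get("aspf", "r"))
    if spf == "pass" and aligned:
        return spf, "pass", "none"
    return spf, "fail", policy.get("p", "none")


if __name__ == "__main__":
    cases = [
        ("spoof: b.com SPF passes, From: is a.com", "198.51.100.7", "bounce@b.com", "you@a.com"),
        ("legitimate a.com mail",                  "192.0.2.10",   "bounce@a.com", "you@a.com"),
        ("strict aspf, subdomain envelope",        "192.0.2.10",   "bounce@mail.a.com", "you@a.com"),
        ("relaxed aspf, subdomain envelope",       "203.0.113.5",  "bounce@mail.c.com", "you@c.com"),
        ("From: domain with no DMARC record",      "198.51.100.7", "bounce@b.com", "you@d.com"),
    ]
    for label, ip, mail_from, header_from in cases:
        print(f"{label}: spf/dmarc/disposition = {evaluate(ip, mail_from, header_from)}")
```

The first case is exactly the answer's scenario: SPF returns pass because b.com's own record authorises the connecting host, and it is only the alignment step, comparing a.com against b.com, that turns the verdict into a reject. The last case shows why publishing the DMARC record matters: without `_dmarc.a.com` (here, `d.com` has none) the receiver has nothing to align against and the SPF pass stands.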