What additional protection does DMARC provide when using SPF?

I am evaluating this report of a vulnerability on my website:

I just checked for DMARC records and DMARC policy for XXXXXX domain and there are none.

Effectively allowing for spam to originate from that domain.

However, our domain already uses SPF. Is there any additional security provided by DMARC when already using SPF?


DMARC tells receiving mail servers what to do when they get a message that appears to be from your organization, but doesn't pass authentication checks, or doesn’t meet the authentication requirements in your DMARC policy record. Messages that aren't authenticated might be impersonating your organization, or might be sent from unauthorized servers.

DMARC is always used with these two email authentication methods or checks:

Sender Policy Framework (SPF) lets the domain owner authorize IP addresses that are allowed to send email for the domain. Receiving servers can verify that messages appearing to come from a specific domain are sent from servers allowed by the domain owner.

DomainKeys Identified Mail (DKIM) adds a digital signature to every sent message. Receiving servers use the signature to verify messages are authentic, and weren't forged or changed during transit.

SPF has a known weakness. Mail servers applying SPF policies check the RFC5321.Mailfrom header (commonly called the ‘envelope from header’) while email clients typically display the RFC5322.Mailfrom header (commonly called the ‘message/letter from header’) to the users as the source of an email.

Adversaries are aware of this weakness and use it to bypass SPF checks by using a domain they control in the envelope from header, and the domain they wish to spoof (but don’t control) in the message/letter from header.

DMARC addresses this weakness by checking that these two headers align.

DMARC enables domain owners to advise recipient mail servers of policy decisions that should be made when handling inbound emails claiming to come from the owner’s domain. Specifically, domain owners can request that recipients:

  1. allow, quarantine or reject emails that fail SPF and DKIM verification
  2. collect statistics and notify the domain owner of emails falsely claiming to be from their domain
  3. notify the domain owner how many emails are passing and failing email authentication checks
  4. send the domain owner data extracted from a failed email, such as header information and web addresses from the email body.

Notifications and statistics resulting from DMARC are sent as aggregate reports and forensic reports:

  1. aggregate reports provide regular high-level information about emails, such as which Internet Protocol (IP) address they come from and if they failed SPF and DKIM verification
  2. forensic reports are sent in real time and provide detailed information on why a particular email failed verification, along with content such as email headers, attachments and web addresses in the body of the email.
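
The alignment check described above can be seen in a short receiver-side sketch. This is an added example, not part of the original answers. The function names, the sample messages and the two-label shortcut for the organizational domain are assumptions made for illustration (a real evaluator uses the Public Suffix List).

```python
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # consult the Public Suffix List (needed for e.g. example.co.uk).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict mode needs an exact match; relaxed mode compares org domains.
    if not auth_domain or not from_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_evaluate(envelope_from, header_from, spf_result, dkim_results,
                   aspf="r", adkim="r"):
    """dkim_results is a list of (d= domain, result) pairs.
    aspf/adkim mirror the DMARC record tags: "r" relaxed, "s" strict."""
    from_domain = parseaddr(header_from)[1].rpartition("@")[2]
    spf_domain = envelope_from.rpartition("@")[2]
    # SPF only counts for DMARC if it passed AND its domain matches From:.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf == "s")
    dkim_ok = any(result == "pass" and aligned(d, from_domain, adkim == "s")
                  for d, result in dkim_results)
    return {"from_domain": from_domain, "spf_raw": spf_result,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample: SPF passes for a sender-controlled envelope domain,
# while the visible From: header shows a different domain.
SPOOFED = dict(envelope_from="bounce@mailer.other.example",
               header_from='"Example Corp Billing" <billing@example.com>',
               spf_result="pass", dkim_results=[("other.example", "pass")])

# Constructed sample: legitimate mail sent through a subdomain.
LEGIT = dict(envelope_from="bounces@mail.example.com",
             header_from="Billing <billing@example.com>",
             spf_result="pass", dkim_results=[("example.com", "pass")])

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, dmarc_evaluate(**msg))
```

The spoofed sample has a raw SPF result of "pass" yet fails DMARC, which is the gap an SPF-only domain leaves open.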