DMARC Alignment: Enforce messages pass BOTH SPF and DKIM

spf dkim dmarc

Solution 1:

Under the basic assumptions underpinning DMARC, nobody should be able to pass either a DKIM or SPF test as your domain, unless the mail is coming from a server you control. A pass for either of the two is enough to confirm this.

Thus there is no way to force DMARC to require both pass, and there should be no reason to do so.

If third parties are able to pass DKIM tests as you, and you did not authorise them, then you have a security problem, and this is what you need to fix.

First, make sure you haven't just made a mistake interpreting the reports you are seeing. Are they DKIM signed, but with a domain that's not yours? If so, there's nothing you need to do. But if emails not authorised by you are DKIM signed with your domain, this indicates you're doing something wrong.

Steps to take:

  • Generate a new DKIM key, start signing with it, and remove references to the old key from your DNS records (leaving the old DNS records will allow the old key to continue to be used).

  • Keep the private part of your DKIM key secure. By default, it should be hidden to all except root on your server. Keep it this way.

  • Make sure you are not signing mail that is coming in from untrusted sources. You should be only adding DKIM signatures to mail that originates with you and your users.

    If using OpenDKIM this is controlled by the InternalHosts option, and you should also make sure that you are not re-running OpenDKIM after passing mail through a local filter or proxy which would make it look like the mail originated internally.

Solution 2:

DMARC is working as designed; if at least one of SPF or DKIM passes (and is aligned), the message passes DMARC and is delivered. Most likely, the messages that are failing SPF but passing DKIM (signature valid and aligned) are messages that have been forwarded. (Forwarded messages will fail SPF, while a DKIM signature can survive forwarding.)

Solution 3:

No, DMARC is designed to only require either DKIM + ADKIM or SPF + ASPF to pass.

There is no requirement to make it require both.

I find it hard to understand how DKIM passes the alignment test, if the d= key doesn't match the from then it will fail the ADKIM test.

Take a look on how the identifiers must match up here: DMARC Email Identifiers

Even if you didn't specify adkim in your DMARC record, it's defaulted to "Relaxed" which still wouldn't line up.

Related

Fiber multipath fails: Result: hostbyte=DID_ERROR driverbyte=DRIVER_OK
Linux : Ping all the host in the subnet
Can't Install Nginx on Linux
Windows Server virtual disk cache settings
SQL on Server Core pitfalls [closed]
write hole: which RAID levels are affected?
What to put as hostname in VPS setup?
Where does Windows store DNS entry list?
Understanding the Difference Between DNS Resolvers
How to use existing Vault files in Ansible Tower?
Lost Permissions to Google Cloud Storage Bucket
Debian Wheezy outdated root certificates