How can SPF/DKIM pass, and yet DMARC fail?
DMARC introduces the concept of “Identifier Alignment” to the world of email. The concept is needed as SPF and DKIM are stand-alone technologies capable of associating a domain with a piece of email.
When a receiver uses SPF, the receiver looks at the domain found in the RFC5321.MailFrom to figure out where to look for an SPF record. The RFC5321.MailFrom address is the entity that is passed along as part of the “MAIL FROM” command during the SMTP conversation. To make matters worse, this address is also called the “bounce address,” the “envelope address,” the “SPF address,” or the “ReturnPath” address (as it is copied into the content of the email messages as the ReturnPath: header by the email receiver!). When an SPF check successfully completes, the receivers ends up with an “Authenticated Identifier” that is the domain of the RFC5321.MailFrom.
DKIM is similar in that it also generates an “Authenticated Identifier.” However, DKIM’s identifier comes from the “d=” tag that is part of every DKIM signature.
In the DMARC world, any Authenticated Identifier has to be relevant to the domain that DMARC is looking at, and that is always the domain found in the From: header of an email.
Identifier Alignment is therefore the process of checking to make sure the domains that are authenticated by SPF and DKIM are relevant to the domain found in an email’s From: header.
Those who are new to DMARC often find this concept confusing.
Identifier Alignment is required as anyone can deploy SPF and DKIM for any piece of email today. If a criminal is trying to spoof bank.com and sets up a domain criminal.net to get SPF and DKIM into place, just because SPF and DKIM both pass doesn’t mean the authentication has anything to do with bank.com.
Similarly, email receivers cannot maintain huge lists that associate email domains together—they have to process email as quickly as possible without trying to tease out the subtle nuances between domains. For example, if your Email Service Provider is using “banknewsletter.com” for both SPF and DKIM while sending on behalf of bank.com, the internet’s email receiving infrastructure has no idea if banknewsletter.com is legitimate, a carefully created phishing site, or owned and operated by the same entity as bank.com.
Identifier Alignment is how existing email authentication technologies are made relevant to the content of an email.
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.
Want to continue the conversation? Head over to the dmarcian Forum.