SPF, DKIM, DMARC in a nutshell

I have just learnt something new about how SPF and DMARC interact with each other and the unexpected behaviour that might result from it. I find that most articles tend to cover SPF and DMARC separately and hence I will attempt to document the interaction in this article.

Before we can proceed, here is a quick explanation of SPF, DKIM and DMARC.

SPF: SPF records specify which IP addresses are allowed to send mail for a particular domain. You would set it to your mail server's public IP address. If you are using a cloud-based email service like O365, you will set it to include all of O365's mail server IPs. Within the policy, you can specify how to treat emails coming from other IP addresses: neutral (?all), soft fail (~all) or hard fail (-all). Most notably, there is no guarantee on what action will be taken: some mail providers may send soft fail emails to spam, while others might reject them.

DKIM: DKIM records allow the receiving mail server to verify the digital signature on the email. It is possible to bypass SPF checks by using a different sender address in the envelope (MAIL FROM:) from the one in the email header (FROM:), hence the need for DKIM. Again, there is no guarantee on what action will be taken on emails that fail DKIM verification; it differs depending on the email provider.

DMARC: A DMARC policy allows you to specify what action should be taken on emails that have failed SPF or DKIM: no action (p=none), quarantine (p=quarantine) or reject (p=reject). DMARC also allows you to specify an email address to receive reports on the number of emails that have failed. The most important thing to note, which is the unexpected behaviour I mentioned, is that DMARC will supersede SPF. If you have a hard fail set up on SPF but a no action policy configured on DMARC, the spoof email will still go through. Thus, do adequate research before setting up DMARC. A newly implemented weak DMARC policy might invalidate the protection that SPF records used to offer.

In summary, you can expect the following results if SPF/DKIM/DMARC is configured in this manner.

| SPF          | DKIM | DMARC          | Result                                                                                    |
|--------------|------|----------------|-------------------------------------------------------------------------------------------|
| ~all or -all |      |                | FROM spoof emails will be spammed or rejected; MAIL FROM: spoof emails will get through   |
| ~all or -all | Yes  |                | All spoof emails will be spammed or rejected                                              |
| ~all or -all |      | (p=none)       | All spoof emails will get through. Surprise! Weak policy                                  |
| ~all or -all | Yes  | (p=none)       | All spoof emails will get through. Surprise! Weak policy                                  |
| ~all or -all | Yes  | (p=quarantine) | All spoof emails will be spammed                                                          |
| ~all or -all | Yes  | (p=reject)     | All spoof emails will be rejected                                                         |
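
One way to check a domain for the "weak policy" rows above, as an added example that is not part of the original article. The function names, finding codes and TXT record strings are constructed for illustration; in practice the two strings would come from the domain's TXT record and its _dmarc TXT record.

```python
# Added example: flag the SPF/DMARC combination the summary calls "weak policy".
# All TXT record strings used here are constructed samples, not real DNS data.

def spf_all_qualifier(txt):
    """Return '-', '~', '?' or '+' for the record's 'all' mechanism, else None."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return None
    for term in terms[1:]:
        if term == "all":
            return "+"  # a bare 'all' defaults to the pass qualifier
        if term[1:] == "all" and term[0] in "+-~?":
            return term[0]
    return None

def dmarc_tags(txt):
    """Parse 'tag=value; ...' pairs; return None unless the record is v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def audit(spf_txt, dmarc_txt):
    """Return a list of finding codes for one domain's SPF and DMARC records."""
    findings = []
    qualifier = spf_all_qualifier(spf_txt or "")
    dmarc = dmarc_tags(dmarc_txt or "")
    if qualifier not in ("-", "~"):
        findings.append("SPF_NO_FAIL_POLICY")    # ?all, +all or no usable record
    if dmarc is None:
        findings.append("DMARC_MISSING")         # handling is left to each receiver
        return findings
    policy = dmarc.get("p", "").lower()
    if policy == "none":
        # With ~all/-all this is the case the article warns about.
        strict_spf = qualifier in ("-", "~")
        findings.append("DMARC_P_NONE_OVERRIDES_SPF" if strict_spf else "DMARC_P_NONE")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC_INVALID_POLICY")
    if "rua" not in dmarc:
        findings.append("DMARC_NO_REPORTING")    # no address for failure reports
    return findings

if __name__ == "__main__":
    spf = "v=spf1 ip4:192.0.2.10 -all"           # constructed sample
    for dmarc in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(dmarc, "->", audit(spf, dmarc))
```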