Do we care about SPF alignment?


SPF and DKIM are the two main ways we associate a domain name with a stream of email in an authenticated way. We can choose the DKIM signing domain fairly freely – we can choose any domain or subdomain we control and put it in the d= field of the DKIM signature. But our choice for the SPF domain is more constrained.

SPF doesn’t really have the concept of authenticating with a domain at all. Rather it adds some authentication around a domain that’s already in the email – the return path, or bounce domain. That domain is already being used for other things – it’s where asynchronous bounce messages are sent, so it has to be hooked up with our ESP’s bounce handling infrastructure. While some ESPs do offer the ability to “white label” the bounce domain – by using a subdomain of the customer domain that’s a CNAME pointing to their bounce handler – some don’t, and there the bounce domain belongs to the ESP. That’s normal, and fine, and SPF authentication of that domain / sending IP combination works perfectly. But it’s not aligned (“in the same domain as”) with the domain in the From: header.

Until DMARC came along nobody really cared about alignment between authentication domains and the From: header. But to pass DMARC an email’s From: header must align with either the DKIM d= domain or the SPF (bounce address) domain. Or both.

Both DKIM and SPF can be broken in transit – so a mail that passes SPF and DKIM when it’s sent may not pass them when it’s received. They break in different ways, though. Pretty much any forwarding of mail – whether through a vanity domain, internal handoffs, mailing lists, anything – will break SPF. The main thing that breaks DKIM is an intermediate server making “non-trivial” modifications to the headers or body of the message.

Because of that it’s been good practice to have both SPF and DKIM align, so that if one of them is broken in transit DMARC will still pass.

But how important is that really?

SPF is much more fragile than DKIM. It’s fairly common for SPF to be broken in delivery, so if you want DMARC to pass reliably it’s critical to have DKIM alignment.

Any mail delivery path that manages to break DKIM will almost certainly break SPF too. So if you have DKIM alignment, having the SPF alignment too doesn’t add much, if any, robustness. Sure, SPF alignment is still a nice-to-have, and if it’s reasonably easy to have your SPF align you should do that. But if it’s complex or expensive or tricky to set up then you can just not do it, and rely on your DKIM being aligned.

If you don’t have aligned DKIM then having aligned SPF will help DMARC pass – but you shouldn’t rely on that, and should spend the effort to get your mail DKIM signed with an aligned d= domain.
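To make the alignment rules above concrete, here is an added worked example (not code from the post) that evaluates DMARC for the three situations discussed: direct delivery through an ESP, a forwarded copy with aligned DKIM, and a forwarded copy signed only with the ESP’s d= domain. The domain names are constructed, and the organizational-domain lookup is simplified to the last two labels rather than using the Public Suffix List.

```python
# Added example (not from the original post): evaluate DMARC alignment for the
# message scenarios described above. Domain names and values are constructed.

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    A real DMARC evaluator uses the Public Suffix List; this shortcut is an
    assumption that holds for the constructed domains used here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    requires an exact match, matching the adkim=/aspf= policy tags."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(from_domain, dkim_d, dkim_pass, spf_domain, spf_pass,
                 adkim="r", aspf="r"):
    """DMARC passes if at least one identifier (DKIM d= or the SPF return-path
    domain) both passed its own check and aligns with the From: domain."""
    dkim_ok = bool(dkim_pass and dkim_d and aligned(dkim_d, from_domain, adkim))
    spf_ok = bool(spf_pass and spf_domain and aligned(spf_domain, from_domain, aspf))
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok}

# Constructed scenario: From: is example.com; mail goes out through an ESP whose
# bounce domain (the SPF identifier) is bounces.esp-example.net.
FROM = "example.com"
ESP_BOUNCE = "bounces.esp-example.net"

def direct_delivery_aligned_dkim():
    # Direct delivery: SPF passes for the ESP bounce domain but is unaligned;
    # the aligned DKIM signature (d=mail.example.com, relaxed) carries DMARC.
    return dmarc_result(FROM, "mail.example.com", True, ESP_BOUNCE, True)

def forwarded_aligned_dkim():
    # After forwarding, the forwarder's IP is not in the ESP's SPF record, so
    # SPF fails; DKIM survives an unmodified forward and DMARC still passes.
    return dmarc_result(FROM, "mail.example.com", True, ESP_BOUNCE, False)

def forwarded_esp_signed_only():
    # Same forward, but DKIM d= is the ESP's own domain: nothing aligns, so
    # DMARC fails. Aligned SPF would have rescued only the unforwarded copy.
    return dmarc_result(FROM, "esp-example.net", True, ESP_BOUNCE, False)
```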


By steve
