
Why use DMARC when SPF -all can do the job? [Resolved]

With DMARC I can set the policy to reject mail. But isn't that the same thing I can do with -all within an SPF record?

Same goes for quarantine and a softfail ~all.

Besides the reporting, where is the benefit of using DMARC on top of SPF?


Question Credit: Gordo2019
Asked April 14, 2019
Posted Under: Network
3 Answers

SPF only specifies which addresses are authorized to send mail for your domain. It is up to the recipient to decide what to do with that information.

DMARC allows you to indicate exactly what actions you would like recipients to take when the SPF check fails.

These are not redundant, but complementary.


credit: Michael Hampton
Answered April 14, 2019

TL;DR SPF alone can't protect you against exact-domain email spoofing. DMARC is a must.

Here is a scenario that passes your SPF's -all protection.

Let's assume you have the a.com domain, and I own b.com. I set up a `v=spf1 {myserversIP} -all` TXT SPF record in b.com's DNS, and additionally install a mail server on the {myserversIP} host to send emails over SMTP. I use bounce@b.com as my envelope-from address (which is the Return-Path header on the receiving side) and send an email to someone, putting `From: you@a.com` in the email's body. The MDA receives my email and performs the following pseudo actions:

  1. Extracts the domain from Return-Path: bounce@b.com
  2. Performs a DNS lookup of b.com's SPF record, and gets `v=spf1 {myserversIP} -all`
  3. Verifies the sender's IP (aka my host's IP) against the SPF IPs
  4. Marks the email as authenticated and valid
  5. Congratulations. I have just sent an email pretending to be you

So how do you prevent this situation? DMARC comes to the rescue. DMARC adds an important new mechanism: alignment. With DMARC enabled, the MDA basically performs the following pseudo actions after the 3rd step:

  1. Checks the From and Return-Path domains' alignment (b.com against a.com)
  2. Marks the email as unauthenticated because the alignment failed
  3. Congratulations. DMARC prevented email spoofing.

That's it. Hope my answer makes sense.

PS: I am a co-founder of an all-in-one DMARC deployment system. Every day I deal with lots of customers, explaining the importance of DMARC and how it is the best industry standard nowadays to protect your domain against email spoofing and phishing.


credit: Engineer
Answered April 14, 2019
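The two evaluation paths in the answer above (SPF-only, then SPF plus DMARC alignment), as an added Python example that is not the answer author's code: a minimal SPF evaluator and the DMARC alignment step run over constructed records. The DNS records, IP addresses, and the two-label approximation of the organizational domain are assumptions made for the illustration; DKIM is left out, as in the answer.

```python
import ipaddress

# Constructed records for the scenario above (not real DNS data):
# the attacker's b.com has a perfectly valid SPF record, the victim's a.com has SPF + DMARC.
SPF_RECORDS = {
    "b.com": "v=spf1 ip4:198.51.100.10 -all",   # attacker's server, legitimately listed
    "a.com": "v=spf1 ip4:203.0.113.5 -all",     # victim's real mail server
}
DMARC_RECORDS = {"a.com": "v=DMARC1; p=reject; adkim=r; aspf=r"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(sender_ip, envelope_domain):
    """Minimal SPF evaluator: ip4/ip6 mechanisms and the 'all' mechanism only."""
    record = SPF_RECORDS.get(envelope_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT[qualifier]
        if term.startswith(("ip4:", "ip6:")) and ip in ipaddress.ip_network(term[4:], strict=False):
            return RESULT[qualifier]
    return "neutral"

def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') is an exact match, relaxed ('r') compares
    organizational domains, approximated here as the last two labels (assumption)."""
    if mode == "s":
        return from_domain == auth_domain
    org = lambda d: ".".join(d.split(".")[-2:])
    return org(from_domain) == org(auth_domain)

def dmarc_disposition(sender_ip, envelope_domain, from_domain):
    """Return (spf_result, dmarc_result, action) for one message."""
    spf = spf_check(sender_ip, envelope_domain)
    raw = DMARC_RECORDS.get(from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in raw.split(";") if "=" in t)
    if not tags:
        # No DMARC policy: SPF passed on b.com, so nothing ties Return-Path to the From domain.
        return spf, "none", "deliver"
    # SPF can only satisfy DMARC if it passed AND its domain aligns with the From domain.
    if spf == "pass" and aligned(from_domain, envelope_domain, tags.get("aspf", "r")):
        return spf, "pass", "deliver"
    action = {"reject": "reject", "quarantine": "quarantine"}.get(tags.get("p", "none"), "deliver")
    return spf, "fail", action
```

`dmarc_disposition("198.51.100.10", "b.com", "a.com")` reproduces the answer's attack: SPF passes for b.com, but the a.com DMARC alignment check fails and the p=reject policy applies.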