In continuation of the previous article, we will discuss the DMARC alignment test and dissect its most important aspects to prevent spoofing.
DMARC Alignment Test
DMARC alignment test is another important aspect of implementing a proficient DMARC record on your servers. The purpose of DMARC alignment is mainly to prevent spoofing by matching return path and from address.
DMARC alignment test is performed by checking the email header. There are several segments of this test. We will look into them one by one.
SPF Alignment Test
Look at the header and check if,
From address matches/does not match Return path
- if it matches, then PASS
- if it does not match, then FAILED
By default, DMARC uses relaxed mode during this test that means, if
From address = example.com
Return Path = mail.example.com
Not exact match
the test will result in as PASS.
But if you set the mode strict, then the result will lead to FAILED.
The tag used for this mode change is:
aspf = r; (Relaxed)
aspf = s; (Strict)
In some cases, Return Path can be null <>, like during Out Of Office (OOO) mails
then DMARC will check and match,
From address & EHLO address
So the DMARC record will look like this,
Domain: example.com
Hostname = _dmarc.example.com
v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; sp=none; fo=1; aspf=s;DKIM Alignment Test
look at the header and check if,
d = example.com matches/does not match with From address
- if it matches, then PASS
- if it does not match, then FAILED
By default, DMARC uses relaxed mode during this test that means, if
d = example.com
From = mail.example.com
Not exact match
the test will result as PASS.
But if you set the mode strict, then the result will lead to FAILED.
The tag used for this mode change is:
adkim = r; (Relaxed)
adkim = s; (Strict)
So the DMARC record will look like this,
Domain: example.com
Hostname = _dmarc.example.com
v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; sp=none; fo=1; aspf=s; adkim=s;
Now letβs analyze a table with all of these combinations:
| SPF | SPF Alignment | DKIM | DKIM Alignment | DMARC Alignment | DMARC Policy |
|---|---|---|---|---|---|
| π©Pass | π©Pass | π©Pass | π©Pass | π©Pass | None |
| π©Pass | π©Pass | π©Pass | π₯Fail | π©Pass | None |
| π©Pass | π©Pass | π₯Fail | π₯Fail | π©Pass | None |
| π©Pass | π₯Fail | π©Pass | π©Pass | π©Pass | None |
| π₯Fail | π₯Fail | π©Pass | π©Pass | π©Pass | None |
| π©Pass | π₯Fail | π©Pass | π₯Fail | π₯Fail | π§Reject |
| π₯Fail | π₯Fail | π₯Fail | π₯Fail | π₯Fail | π§Reject |
The recipient Server matches the table and takes the decision based on the policy set in the DMARC.
[This test will be performed by the remote end]
Letβs take a look at an example keeping the table in mind.
Domain example.com sent an email to the remote end. Remote end analysis is as follows:
| <Header of received email> Email received from example.com Return path: test@example.com From address: test@example.com spf = pass ; dkim = pass ; d = example.com |
Now after comparing the header information with all our previous information. remote end found that,
spf = PASS,
spf alignment = PASS,
dkim = PASS,
dkim alignment = PASS,
dmarc alignment = PASS,
So it will look for the exact instruction that is stated in the DMARC policy. Based on that policy it will accept/quarantine/reject the message from example.com.
That’s it .
π