• Home
    • Zextras Carbonio
    • Admin Guide
    • DMARC Alignment Test and How It Helps You Prevent Spoofing on Your E-mail Servers in Carbonio Community Edition | Carbonio CE

DMARC Alignment Test and How It Helps You Prevent Spoofing on Your E-mail Servers in Carbonio Community Edition | Carbonio CE

In continuation of the previous article, we will discuss the DMARC alignment test and dissect its most important aspects to prevent spoofing.

DMARC Alignment Test

DMARC alignment test is another important aspect of implementing a proficient DMARC record on your servers. The purpose of DMARC alignment is mainly to prevent spoofing by matching return path and from address.

DMARC alignment test is performed by checking the email header. There are several segments of this test. We will look into them one by one.

SPF Alignment Test

Look at the header and check if,

From address matches/does not match Return path

  • if it matches, then PASS
  • if it does not match, then FAILED

By default, DMARC uses relaxed mode during this test that means, if

From address = example.com
Return Path = mail.example.com
Not exact match

the test will result in as PASS.

But if you set the mode strict, then the result will lead to FAILED.

The tag used for this mode change is:

aspf = r; (Relaxed)
aspf = s; (Strict)

In some cases, Return Path can be null <>, like during Out Of Office (OOO) mails
then DMARC will check and match,
From address & EHLO address

So the DMARC record will look like this,

Domain: example.com

Hostname = _dmarc.example.com
v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; sp=none; fo=1; aspf=s;

DKIM Alignment Test

look at the header and check if,

d = example.com matches/does not match with From address

  • if it matches, then PASS
  • if it does not match, then FAILED

By default, DMARC uses relaxed mode during this test that means, if

d = example.com

From = mail.example.com

Not exact match

the test will result as PASS.

But if you set the mode strict, then the result will lead to FAILED.

The tag used for this mode change is:

adkim = r; (Relaxed)
adkim = s; (Strict)

So the DMARC record will look like this,

Domain: example.com 

Hostname = _dmarc.example.com
v=DMARC1; p=none; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; sp=none; fo=1; aspf=s; adkim=s;

Now let’s analyze a table with all of these combinations:

SPFSPF AlignmentDKIMDKIM AlignmentDMARC AlignmentDMARC Policy
🟩Pass🟩Pass🟩Pass🟩Pass🟩PassNone
🟩Pass🟩Pass🟩PassπŸŸ₯Fail🟩PassNone
🟩Pass🟩PassπŸŸ₯FailπŸŸ₯Fail🟩PassNone
🟩PassπŸŸ₯Fail🟩Pass🟩Pass🟩PassNone
πŸŸ₯FailπŸŸ₯Fail🟩Pass🟩Pass🟩PassNone
🟩PassπŸŸ₯Fail🟩PassπŸŸ₯FailπŸŸ₯Fail🟧Reject
πŸŸ₯FailπŸŸ₯FailπŸŸ₯FailπŸŸ₯FailπŸŸ₯Fail🟧Reject

The recipient Server matches the table and takes the decision based on the policy set in the DMARC.

[This test will be performed by the remote end]

Let’s take a look at an example keeping the table in mind.

Domain example.com sent an email to the remote end. Remote end analysis is as follows:

<Header of received email>
Email received from example.com
Return path: test@example.com
From address: test@example.com
spf = pass ; dkim = pass ;
d = example.com

Now after comparing the header information with all our previous information. remote end found that,

spf = PASS,
spf alignment = PASS,
dkim = PASS,
dkim alignment = PASS,
dmarc alignment = PASS,

So it will look for the exact instruction that is stated in the DMARC policy. Based on that policy it will accept/quarantine/reject the message from example.com.

That’s it .
😊

Migrate Zimbra From One Server To Another Server | Method-3 | Zimbra
Monitor Mail Queue of Carbonio Community Edition | Carbonio CE