Suped

Summary

Spoofed emails may bypass DMARC authentication, even with IPv6, due to a combination of factors. These include misconfigured SPF records, especially regarding IPv6 addresses; failures in SPF lookups over IPv6 by some resolvers; issues with email forwarding services not properly handling authentication, often lacking header rewriting or Sender Rewriting Scheme (SRS); and alignment failures between SPF/DKIM domains and the From: header. Invalid DKIM signatures due to key rotation or tampering also contribute. The interaction and correct implementation of SPF, DKIM, and DMARC are crucial, and the Authentication-Results header can provide diagnostic information. Properly configured DMARC records and tools like MXToolbox can aid in validation and troubleshooting.

Key findings

  • SPF Configuration Issues: Misconfigured SPF records, especially concerning IPv6 addresses, or IPv6 lookup failures by some resolvers, can lead to DMARC bypass.
  • Forwarding Problems: Email forwarding services that fail to rewrite headers or use SRS break SPF and DKIM, causing DMARC to be bypassed.
  • Alignment Requirements: For DMARC to pass, SPF or DKIM must pass, and their domains must align with the From: header domain. Failures in alignment can cause DMARC to fail.
  • DKIM Signature Validity: Invalid DKIM signatures, due to key rotation issues or tampering, can result in DMARC failures.
  • Authentication-Results Header: The Authentication-Results header can be analyzed to understand the outcome of SPF and DKIM checks, aiding in diagnosing DMARC failures.
  • DMARC Policy Implementation: Incomplete or incorrect DMARC policy implementation can render protections ineffective.

Key considerations

  • Review SPF Records: Carefully configure SPF records, including IPv6 addresses of sending servers, and ensure they are up-to-date.
  • Update Forwarding Practices: Utilize forwarding services that properly handle authentication via header rewriting or SRS.
  • Ensure Domain Alignment: Verify that SPF and DKIM domains are aligned with the From: header domain for effective DMARC authentication.
  • Implement DKIM Properly: Ensure correct DKIM implementation, including key management and signature validity.
  • Utilize Authentication Results: Analyze the Authentication-Results header to understand the outcome of authentication checks.
  • Validate DMARC Configuration: Use tools like MXToolbox to validate the DMARC record and verify its correct configuration.
  • Correct Authentication Method Interplay: Ensure SPF, DKIM, and DMARC are implemented so that they work together correctly, to stop spoofed emails from passing authentication.

What email marketers say

11 marketer opinions

Spoofed emails can pass DMARC authentication despite using IPv6 due to a combination of factors, including misconfigured SPF records (especially with IPv6 addresses), issues with email forwarding services not properly handling authentication, and alignment failures between SPF/DKIM domains and the From: header. Additionally, some resolvers may not handle IPv6 SPF lookups correctly. Examining the Authentication-Results header can help diagnose the specific reason for DMARC's pass or fail status.

Key opinions

  • SPF Misconfiguration: Incorrectly configured SPF records, particularly regarding IPv6 addresses of sending servers, can lead to SPF failures, subsequently affecting DMARC.
  • Forwarding Issues: Email forwarding services that do not rewrite headers or use SRS can break SPF and DKIM, leading to DMARC bypass.
  • Alignment Problems: Even if SPF or DKIM pass individually, DMARC can fail if the domains used for authentication do not align with the domain in the From: header.
  • IPv6 Lookup Failures: Some resolvers might not properly retry SPF lookups over IPv4 if the IPv6 lookup fails, causing SPF to fail.
  • Authentication Results Header: The Authentication-Results header provides valuable insights into the specific SPF and DKIM checks performed, aiding in diagnosing DMARC outcomes.

Key considerations

  • Review SPF Records: Ensure SPF records are correctly configured to include all authorized sending IP addresses, especially IPv6 addresses.
  • Update Forwarding Services: Use forwarding services that properly handle authentication via header rewriting or SRS.
  • Domain Alignment: Verify that SPF and DKIM domains align with the From: header domain for successful DMARC authentication.
  • DMARC Record Validation: Regularly validate the DMARC record to confirm it's correctly configured and reflects the desired policy.
  • Monitor Authentication Results: Analyze Authentication-Results headers to understand why emails pass or fail DMARC and identify areas for improvement.
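
The following is an added example, not taken from any of the sources quoted on this page: a small parser that reads an Authentication-Results header value and reports which SPF and DKIM identifiers passed and whether they align with the From: domain. The sample header, the domains, and the two-label shortcut for the organizational domain are assumptions made for illustration.

```python
import re

# Constructed sample header value (documentation domains and addresses only).
SAMPLE = (
    "mx.receiver.example; "
    "spf=pass (sender IP is 2001:db8::25) smtp.mailfrom=bounces.esp.example; "
    "dkim=pass header.d=esp.example header.s=s1; "
    "dmarc=fail header.from=brand.example"
)

def parse_authres(value):
    """Return a list of (method, {"result": ..., property: value}) tuples."""
    value = re.sub(r"\([^()]*\)", " ", value)   # drop (comments); they may hold the IP
    results = []
    for part in value.split(";")[1:]:           # the first part is the authserv-id
        m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
        if not m:
            continue
        info = {"result": m.group(2).lower()}
        props = re.findall(r"([a-z]+\.[a-z0-9-]+)\s*=\s*(\S+)", part[m.end():], re.I)
        for key, val in props:
            info[key.lower()] = val.lower()
        results.append((m.group(1).lower(), info))
    return results

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # Production code must consult the Public Suffix List instead.
    return ".".join(domain.rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    if strict:
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_view(value, from_domain, strict=False):
    """Return (dmarc_pass, findings); a pass needs one aligned passing identifier."""
    findings = []
    for method, info in parse_authres(value):
        if method == "spf":
            ident = info.get("smtp.mailfrom", "").rpartition("@")[2]
        elif method == "dkim":
            ident = info.get("header.d", "")
        else:
            continue
        ok = info["result"] == "pass" and bool(ident) and aligned(ident, from_domain, strict)
        findings.append((method, info["result"], ident, ok))
    return any(f[3] for f in findings), findings
```

In the sample, SPF and DKIM both pass for the sending platform's own domain, yet neither aligns with `brand.example`, so the function reports a DMARC failure.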

Marketer view

Email marketer from StackOverflow explains that you can use the Authentication-Results header to see why DMARC passed and view the results of the SPF and DKIM tests performed by the email receiver. This will show you the IPv6 address that was checked.

9 Jan 2023 - StackOverflow

Marketer view

Email marketer from Mailhardener Blog explains that SPF has some issues with IPv6. Most resolvers do not retry SPF lookups over IPv4 if the IPv6 lookup fails, potentially leading to SPF failures and impacting DMARC.

28 Feb 2023 - Mailhardener Blog

What the experts say

3 expert opinions

Spoofed emails sometimes pass DMARC authentication due to a multitude of authentication and configuration failures. SPF records are often misconfigured, with missing IP addresses (particularly IPv6 addresses) of sending servers, or general DNS misconfigurations. DKIM signatures can be invalidated by key rotation issues or tampering, and forwarding practices can also circumvent DMARC. Correct implementation and interplay of SPF, DKIM, and DMARC are crucial to prevent spoofed emails from being authenticated.

Key opinions

  • SPF Failures: SPF records may be missing necessary IP addresses (including IPv6) or contain other DNS configuration errors, leading to authentication failure.
  • DKIM Invalidity: DKIM signatures can become invalid due to key rotation problems or alterations during email transit.
  • Forwarding Issues: Improper email forwarding practices can lead to DMARC failure.
  • Interplay of Authentication Methods: The combined effectiveness of SPF, DKIM, and DMARC relies on their proper implementation and interaction.

Key considerations

  • Audit SPF Records: Regularly review and update SPF records to ensure they accurately list all authorized sending IP addresses, paying attention to IPv6 configurations.
  • Manage DKIM Keys: Implement a secure DKIM key management process to prevent key rotation problems and ensure signature validity.
  • Review Forwarding Practices: Examine and update email forwarding practices to maintain DMARC compliance.
  • Implement Authentication Protocols Correctly: Ensure correct implementation and proper interplay of SPF, DKIM, and DMARC for effective email authentication.

Expert view

Expert from Spam Resource explains that DMARC failures can occur when SPF fails due to misconfigured DNS records, or when DKIM signatures are invalid due to key rotation issues or tampering during transit. Forwarding is also a common cause.

9 Nov 2021 - Spam Resource

Expert view

Expert from Word to the Wise explains that SPF failures happen if the IP address of the server sending the mail isn't listed in the SPF record, or if the SPF record is misconfigured. With IPv6, this could be because the IPv6 address isn't included or the DNS lookup fails.

16 Sep 2023 - Word to the Wise
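
An offline audit of the case described above, as an added example that is not from Word to the Wise or any other source quoted here: it evaluates only the `ip4:`, `ip6:` and `all` terms of an SPF record against a connecting address, so a missing IPv6 range shows up before mail does. The record and addresses are constructed from documentation ranges; terms that need DNS (`include`, `a`, `mx`, `redirect`) are reported as `unknown` rather than resolved.

```python
import ipaddress

# Constructed SPF record using documentation address ranges.
RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_ip_check(record, client_ip):
    """Evaluate the ip4/ip6/all terms of one SPF record, left to right.

    Returns "pass", "fail", "softfail" or "neutral", or "unknown" as soon as
    a term that requires a DNS lookup would have to be evaluated.
    """
    ip = ipaddress.ip_address(client_ip)
    # IPv4-mapped IPv6 addresses are checked as IPv4 (RFC 7208, section 5).
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qual = "+"                              # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")      # splits at the first colon only
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]
        else:
            return "unknown"                    # needs DNS; outside this offline check
    return "neutral"                            # nothing matched and no "all" term
```

A sender that connects from `2001:db8:2::25` falls outside the published `/48` and gets `fail` from `-all`, the situation that arises when a host gains an IPv6 address the record never listed.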

What the documentation says

4 technical articles

DMARC leverages SPF and DKIM to authenticate email senders. SPF verifies the sender's authorization, while DKIM ensures email integrity and sender verification. If SPF fails to authenticate the sender, DMARC relies on its policy ('p=' tag) to instruct receivers on handling the email (quarantine, reject, or none). For DKIM, the signature must be valid and aligned with the domain in the From: header for DMARC to pass. Spoofing involves disguising the email's origin for malicious purposes like phishing. DMARC policies guide mail receivers on managing emails that fail these authentication checks.

Key findings

  • SPF Authentication: DMARC uses SPF to authenticate if the sender is authorized to send emails on behalf of the domain.
  • DKIM Verification: DMARC uses DKIM to verify the integrity of the email and ensure it was sent by the claimed sender, requiring a valid signature and domain alignment.
  • DMARC Policies: DMARC policies (specified by the 'p=' tag) dictate how email receivers should handle emails that fail authentication checks.
  • Spoofing Definition: Spoofing is when an email is disguised to appear as if it originates from a different source, often used for phishing and spam.

Key considerations

  • Proper SPF Setup: Ensure SPF records are correctly configured to accurately represent authorized sending sources.
  • Maintain Valid DKIM Signatures: Regularly check and maintain DKIM signatures to ensure they are valid and properly aligned with the From: header domain.
  • Implement DMARC Policy: Set a DMARC policy (quarantine or reject) to instruct receivers on how to handle unauthenticated emails effectively.
  • Educate on Spoofing: Educate users about spoofing techniques to help them identify and avoid phishing attacks.

Technical article

Documentation from DMARC.org specifies that DMARC policies are designed to instruct mail receivers on how to handle emails that fail authentication checks. Receivers should follow the specified policy (none, quarantine, or reject) based on the DMARC record published by the sending domain.

18 Apr 2022 - DMARC.org

Technical article

Documentation from RFC Editor explains how DMARC uses DKIM to verify the integrity of the email content and sender. The DKIM signature must be valid and align with the domain in the From: header for DMARC to pass based on DKIM.

15 Mar 2024 - RFC Editor
