DMARC Record Alignment

Since MiaB takes the time to define a DMARC, DKIM, and SPF record for all subdomains as well as the primary, should we not set the DMARC alignment policy to strict for both of these to help prevent someone spoofing a non-defined subdomain? I realize this is more of a "being a good neighbor" item rather than a functional item for MiaB, but I do not see where it would hurt us at all.

v=DMARC1; p=quarantine; aspf=s; adkim=s

or honestly, possibly going so far as to set reject as well

v=DMARC1; p=reject; aspf=s; adkim=s

To me the reject method seems best since we define -all in the SPF record indicating a hard fail there.

Anyway, I would love to hear some feedback. If there is interest, I am willing to work on the change.

Hey. Sorry I lost track of this post.

> should we not set the DMARC alignment policy to strict for both of these to help prevent someone spoofing a non-defined subdomain?

I don’t think that’s what strict alignment would do here. As I understand it, relaxed alignment means a message will be accepted if its From: address is a subdomain of the domain that made the DKIM signature (and similarly for SPF). In order to spoof a subdomain, the sender would still need a valid DKIM signature on the parent domain, which can only be made by the box anyway.
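The alignment comparison discussed in this thread, as an added example (not part of the original posts and not Mail-in-a-Box code): per RFC 7489, relaxed alignment accepts an authenticated domain that shares the From: domain's organizational domain, while strict requires an exact match. The domains are constructed, and the organizational domain is approximated as the last two labels instead of a Public Suffix List lookup.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# Assumption: the organizational domain is approximated as the last two
# labels; a real evaluator consults the Public Suffix List.

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; aspf=s' into a dict, applying defaults."""
    tags = {"aspf": "r", "adkim": "r"}  # relaxed is the default for both
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    return ".".join(domain.split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode.lower() == "s":
        return a == b                        # strict: exact match
    return org_domain(a) == org_domain(b)    # relaxed: same organizational domain

def dmarc_pass(record, from_domain, spf=None, dkim=None):
    """spf / dkim: the domain that passed that check, or None if none passed."""
    tags = parse_dmarc(record)
    spf_ok = spf is not None and aligned(from_domain, spf, tags["aspf"])
    dkim_ok = dkim is not None and aligned(from_domain, dkim, tags["adkim"])
    return spf_ok or dkim_ok                 # one aligned pass is enough

RELAXED = "v=DMARC1; p=quarantine"
STRICT = "v=DMARC1; p=quarantine; aspf=s; adkim=s"

# Constructed cases: (label, From: domain, SPF-passing domain, DKIM d= domain)
CASES = [
    ("box signs as parent, From: is a subdomain", "news.example.com", "example.com", "example.com"),
    ("box signs as the exact From: domain", "example.com", "example.com", "example.com"),
    ("sender authenticates only as another domain", "news.example.com", "unrelated.test", "unrelated.test"),
    ("sender has no passing SPF or DKIM", "news.example.com", None, None),
]

if __name__ == "__main__":
    for label, frm, spf, dkim in CASES:
        print(f"{label}: relaxed={dmarc_pass(RELAXED, frm, spf, dkim)} "
              f"strict={dmarc_pass(STRICT, frm, spf, dkim)}")
```

Only the first case changes outcome between the two records: a message that authenticates as some other domain fails DMARC under either alignment mode.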