search

nicanorflavier / spf-dkim-dmarc-simplified

Email security is a key part of internet communication. But what are SPF, DKIM, and DMARC, and how do they work? This guide will explain it all in simple terms to make these concepts clearer.
1.11k stars 27 forks source link

Answer to "Can I set up DMARC without SPF?" is wrong #2

Open link2xt opened 2 weeks ago

link2xt commented 2 weeks ago

If you set up DMARC without SPF, it's like the security guard is missing one of its tools. It can still use DKIM to check emails, but it won't be as effective.

DMARC fails if both SPF and DKIM fail, so if you set up DMARC without SPF, DMARC will always fail if DKIM fails. This will result in more failures than if you set up SPF and DKIM, so it is "more effective".

SPF is a legacy mechanism relying only on source IP addresses and no cryptography, it offers similar security to TCP wrappers. Making SPF always fail and relying only on DKIM is more secure, the only reason to use SPF is when you care about deliverability more than authentication of emails.

If there is no SPF policy, SPF will produce a "none" result and not "pass". DMARC passes if either DKIM or SPF produces a "pass" result, so if you don't setup SPF at all it is more secure according to DMARC RFC.

nicanorflavier commented 2 weeks ago

Hi there, thanks for your review there. What would you suggest in this case to improve the content? Would you want to raise a PR so I can see your changes? If all good then I can merge that to main branch and you listed as contributor, cheers.