【Question Title】: What is considered a DMARC failure?
【Posted】: 2019-08-07 13:20:25
【Question】:

I am trying to understand how DMARC works and how the resulting emails are handled.

As I understand it, DMARC has three key functions:

  1. SPF validation
  2. DKIM validation
  3. Domain alignment.

But I am not sure when DMARC is considered a failure/pass.

For example, if DKIM passes and the DKIM domain alignment is correct, but SPF fails, does DMARC pass or fail?

Is DMARC only considered a pass when all three keys pass (SPF is good, DKIM is good, and the domain alignment of both SPF and DKIM is good)? Or is it enough to have (SPF + SPF domain alignment) or (DKIM + DKIM domain alignment)?

【Comments】:

  • In short, DMARC passes if the SPF OR DKIM check passes AND the domain aligns with the Header.From field.

Tags: spf dkim dmarc


【Answer 1】:

I will answer my own question here. RFC 7489 states the following:

6.6.2.  Determine Handling Policy

   To arrive at a policy for an individual message, Mail Receivers MUST
   perform the following actions or their semantic equivalents.
   Steps 2-4 MAY be done in parallel, whereas steps 5 and 6 require
   input from previous steps.

   The steps are as follows:

   1.  Extract the RFC5322.From domain from the message (as above).

   2.  Query the DNS for a DMARC policy record.  Continue if one is
       found, or terminate DMARC evaluation otherwise.  See
       Section 6.6.3 for details.

   3.  Perform DKIM signature verification checks.  A single email could
       contain multiple DKIM signatures.  The results of this step are
       passed to the remainder of the algorithm and MUST include the
       value of the "d=" tag from each checked DKIM signature.

   4.  Perform SPF validation checks.  The results of this step are
       passed to the remainder of the algorithm and MUST include the
       domain name used to complete the SPF check.

   5.  Conduct Identifier Alignment checks.  With authentication checks
       and policy discovery performed, the Mail Receiver checks to see
       if Authenticated Identifiers fall into alignment as described in
       Section 3.  If one or more of the Authenticated Identifiers align
       with the RFC5322.From domain, the message is considered to pass
       the DMARC mechanism check.  All other conditions (authentication
       failures, identifier mismatches) are considered to be DMARC
       mechanism check failures.

   6.  Apply policy.  Emails that fail the DMARC mechanism check are
       disposed of in accordance with the discovered DMARC policy of the
       Domain Owner.  See Section 6.3 for details.

【Discussion】:

    【Answer 2】:

    This is the formula for DMARC authentication:

    DMARC auth pass = (SPF auth pass AND SPF identifier alignment) OR (DKIM auth pass AND DKIM identifier alignment)

    Or, put the other way around:

    DMARC auth fail = (SPF auth fail OR SPF identifier not aligned) AND (DKIM auth fail OR DKIM identifier not aligned)

    This article covers the topic in detail: https://dmarcly.com/blog/how-to-implement-dmarc-dkim-spf-to-stop-email-spoofing-phishing-the-definitive-guide#dmarc-alignment-authentication-hardened

    【Discussion】:
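The RFC 7489 steps quoted in Answer 1 (DKIM results with their d= domains, the SPF check domain, identifier alignment, then policy application) and the pass/fail formula in Answer 2 can be written down as one evaluation function. The following is an added example, not code from either answer or from any DMARC implementation. It assumes the caller has already obtained the SPF and DKIM results and the domain's DMARC TXT record; the `organizational_domain` helper is a deliberate simplification (it keeps the last two labels instead of consulting the Public Suffix List), and all inputs in the usage section are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: keeps the last two labels.
    Real receivers use the Public Suffix List (this breaks on e.g. co.uk);
    it is enough here to show relaxed vs. strict alignment."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def is_aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment (RFC 7489 section 3): strict mode ('s') requires
    an exact match, relaxed mode ('r') the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc_record(txt: str) -> dict:
    """Parse the tag=value pairs of a DMARC TXT record and fill in the
    defaults for the tags this example uses (p, aspf, adkim)."""
    tags = {"aspf": "r", "adkim": "r", "p": "none"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class SpfResult:
    domain: str      # domain the SPF check was completed against (step 4)
    passed: bool


@dataclass
class DkimResult:
    d: str           # value of the d= tag of the checked signature (step 3)
    passed: bool


@dataclass
class DmarcVerdict:
    passed: bool
    spf_aligned_pass: bool
    dkim_aligned_pass: bool
    disposition: str  # "none" on pass; otherwise the record's p= value


def evaluate_dmarc(from_domain: str, spf: Optional[SpfResult],
                   dkims: List[DkimResult], record_txt: str) -> DmarcVerdict:
    """Steps 5 and 6 of RFC 7489 section 6.6.2: DMARC passes if at least one
    authenticated identifier both passed and aligns with the RFC5322.From
    domain; anything else is a failure and the discovered policy applies."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = (spf is not None and spf.passed
              and is_aligned(spf.domain, from_domain, rec["aspf"]))
    # A message may carry several DKIM signatures; one aligned pass suffices.
    dkim_ok = any(k.passed and is_aligned(k.d, from_domain, rec["adkim"])
                  for k in dkims)
    passed = spf_ok or dkim_ok
    return DmarcVerdict(passed, spf_ok, dkim_ok,
                        "none" if passed else rec["p"])


if __name__ == "__main__":
    # Constructed scenario from the question: DKIM passes and aligns, SPF fails.
    verdict = evaluate_dmarc(
        "example.com",
        SpfResult("bounce.other-provider.example", passed=False),
        [DkimResult("example.com", passed=True)],
        "v=DMARC1; p=reject",
    )
    print(verdict)  # passed=True: one aligned identifier is enough
```

The asker's scenario therefore passes: the failed SPF check does not matter once the DKIM identifier aligns. The inverse case, an SPF pass for a non-aligned bounce domain with no valid DKIM signature, is the classic forwarded-through-a-third-party failure and is what the record's p= tag is applied to.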
