
I am having a hard time understanding the different methods of e-mail verification. I know about DKIM, SPF and DMARC. If I would like to know whether an e-mail I received actually came from the e-mail address that is shown to me in my e-mail client, how would I go about that? For example: I receive an e-mail from [email protected].

If I check the DKIM record I would only know for certain that the e-mail was sent from a @hotmail.com domain, correct? So the e-mail could have been sent from [email protected] even though the DKIM records would still show dkim=pass. Is this correct?

How can I confirm whether the e-mail I received was actually sent by the full e-mail address (not just the domain) [email protected]? Can I do that with only DKIM? Do I need DKIM + SPF? Or do I need DKIM + SPF + DMARC?

1 Answer


How can I confirm whether the e-mail I received was actually sent by the full e-mail address (not just the domain) [email protected]?

You can't do this with SPF, DKIM and DMARC. These mechanisms only work at the level of the domain, not the individual address. So you would need to trust that the sender domain, in addition to SPF/DKIM, also properly validates that the individual sender as claimed by the From field of the mail actually matches the authentication from the mail dialog.

But even if you trust the domain owner to guarantee this in their own infrastructure, you also have to consider third-party infrastructure which is allowed to send mail for the domain, such as bulk mail services. These services are either added to the SPF record of the domain and/or get their own DKIM keys valid for the domain. While it is expected that these services will only send mail with the delegated individual addresses, this is not enforced by technical means.

For proper validation of the individual sender you would need the sender to sign the message using S/MIME or PGP with a key you can reliably associate with the sender.
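To make the domain-level point concrete, here is an added example (not code from the question, the answer, or any mail provider). It runs a DMARC-style identifier alignment check over constructed headers and shows that the comparison only ever involves the From: domain and the DKIM d= domain: two messages with different local parts under the same signing domain both "align", while the local part never enters the check at all. Assumptions: the DKIM signature is taken as already verified by the receiving MTA (its Authentication-Results header says dkim=pass, so the bh=/b= values are dummies); the addresses, selector and receiving host are constructed; and organizational-domain detection is simplified to the last two labels, where real DMARC uses the Public Suffix List.

```python
"""Added example: DMARC-style alignment over constructed headers.

Demonstrates that SPF/DKIM/DMARC relate the From: *domain* to the
authenticated domain and never look at the local part. Not code from the
original post; addresses, selector and receiver are constructed, and the
signature is assumed verified upstream (Authentication-Results: dkim=pass).
"""
import email
import re
from email.utils import parseaddr


def dkim_signing_domain(msg):
    """Return the d= tag of the first DKIM-Signature header (lowercased), or None."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    # DKIM tag-lists are ';'-separated "tag=value" pairs; folding whitespace
    # inside a value is not significant, so strip it before comparing.
    for tag in str(sig).split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "d":
            return "".join(value.split()).lower()
    return None


def dkim_passed(msg):
    """True if the receiver's Authentication-Results header reports dkim=pass."""
    return re.search(r"\bdkim=pass\b", str(msg.get("Authentication-Results", ""))) is not None


def from_address(msg):
    """The bare address from the From: header, lowercased ('' if absent)."""
    return parseaddr(str(msg.get("From", "")))[1].lower()


def organizational_domain(domain):
    # Simplified to the last two labels; an assumption for this example only
    # (real DMARC derives this from the Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_aligned(msg, strict=False):
    """DMARC identifier alignment between the From: domain and the DKIM d= domain.

    Returns (aligned, from_addr, signing_domain). Note what is *not* compared:
    the local part of from_addr plays no role at all.
    """
    addr = from_address(msg)
    d = dkim_signing_domain(msg)
    if "@" not in addr or d is None or not dkim_passed(msg):
        return False, addr, d
    from_domain = addr.rsplit("@", 1)[1]
    if strict:
        aligned = from_domain == d
    else:  # relaxed mode: organizational domains must match
        aligned = organizational_domain(from_domain) == organizational_domain(d)
    return aligned, addr, d


def constructed_message(local_part, from_domain="hotmail.com", signing_domain="hotmail.com"):
    """Build a constructed test message. bh= and b= hold dummy values because
    the signature is assumed to have been verified upstream (dkim=pass)."""
    raw = (
        f"Authentication-Results: mx.example.net; dkim=pass header.d={signing_domain}\n"
        f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={signing_domain};\n"
        "\ts=selector1; h=from:subject; bh=DUMMYBODYHASH=; b=DUMMYSIGNATURE=\n"
        f"From: {local_part}@{from_domain}\n"
        "Subject: alignment test\n"
        "\n"
        "constructed body\n"
    )
    return email.message_from_string(raw)


if __name__ == "__main__":
    # Two different local parts under the same signing domain: both align.
    for who in ("alice", "mallory"):
        aligned, addr, d = dmarc_aligned(constructed_message(who))
        print(f"{addr}: dkim d={d}, aligned={aligned}")
    # A different signing domain does not align, strict or relaxed.
    print(dmarc_aligned(constructed_message("alice", signing_domain="other.example")))
```

Running it shows alice@hotmail.com and mallory@hotmail.com both aligned against the same d=hotmail.com signature: nothing in the check distinguishes them, which is exactly why the answer says you must either trust the domain's internal controls or require a per-sender signature (S/MIME or PGP).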

  • Many senders do responsibly use SMTP-AUTH and prohibit sending with a From header that is not verified as the account sending. Combining this with DKIM should be sufficient (though not provably) for those senders. IIRC, Google uses this approach. I'm not sure about Hotmail.
    – Adam Katz
    Commented Dec 19, 2023 at 18:39
  • Thank you both for your detailed answer! You mention the following: "you would need to trust the sender domain that in addition to SPF/DKIM it also properly validates that the individual sender as claimed by the From field of the mail actually matches the authentication from the mail dialog." - how would this apply to, for example, Outlook.com or Hotmail.com?
    – LAWYLAWY
    Commented Dec 19, 2023 at 20:01
  • @LAWYLAWY: This means that you would believe that both do the right thing without being able to verify it. And even if you test it once with some mails and senders you cannot guarantee that it behaves that way for all users, all mails, all time. There might not even be some kind of public promise of the domain owner that their system should behave the way you hope. It is blindly trusting without being able to ensure that the trust is justified.
    Commented Dec 19, 2023 at 20:05
  • I understand. But if it is a domain from a well known provider (i.e. @Outlook or @Microsoft), can I then assume that if the DKIM checks out, there is very little chance that the e-mail address is spoofed? The only way to then effectively spoof an e-mail address (and also make the DKIM valid) would be to change the private DKIM key on the server, correct?
    – LAWYLAWY
    Commented Dec 21, 2023 at 13:47
  • @LAWYLAWY: as I said - you can only blindly trust. You cannot control it by technical means and they likely even promise it publicly.
    Commented Dec 21, 2023 at 15:09
