
Currently, DMARC only requires aligned DKIM or SPF.

However, spoofing SPF is relatively simple for an experienced hacker:

  • You only need to control a single IP address in the often large SPF range of e-mail service providers (Microsoft, Google, Mailchimp, ...). It may even be possible to do so legally if the list contains out-of-date IP addresses.
  • Or you can try to use a bug/hole in the sender verification performed by those service providers. At least some providers do not perform very secure sender domain verification.

The essential problem with SPF is that it whitelists an IP that is shared by many clients of such a service provider.

On the other hand, the DKIM key is probably secured much better by those service providers, and it is (often) linked to a single customer. Or at least, it should be much easier to secure a DKIM key than to ensure that a hacker could not send an e-mail from one of the allowed SPF IP addresses with a sender address chosen by the hacker.

So, wouldn't it be beneficial if DMARC were extended to allow specifying that DKIM should be aligned? Or does a successor of DMARC exist to enforce DKIM alignment?

Partially related questions:

m7913d

2 Answers


wouldn't it be beneficial to allow specifying that DKIM should be aligned

This is already the default behaviour if there is no way to achieve an aligned SPF match. What then remains of the DMARC alternatives is the requirement to get an aligned & valid DKIM signature.

In the simplest form - though by no means ideal, see here - you could just not opt in to SPF, or expressly opt out (v=spf1 ?all). You do not have to use SPF.

Note that this will impose some limitations on how you can authorize 3rd parties to send in your name. Some, but not all, senders will be able to sign, or relay to your machine holding a published key for signing.

anx

Accepting either of the authentication mechanisms is well rooted in the key concepts of the DMARC specification (RFC 7489, 4.2). Changing it at this point would require major modifications to every implementation.

However, a domain could be protected in a way that only a passing & aligned DKIM would let the DMARC pass. Furthermore, this can be done in a way that does not allow just anyone to use the domain as the envelope sender, unlike what is suggested in the answer from @anx.

This is possible with the strict alignment available for both DKIM- and SPF-Authenticated Identifiers.

In relaxed mode, the [SPF]-authenticated domain and RFC5322.From domain must have the same Organizational Domain. In strict mode, only an exact DNS domain match is considered to produce Identifier Alignment.

Knowing this,

  1. Disallow using the apex of the domain as an envelope sender.

    example.com TXT "v=spf1 -all"
    
  2. Pick a subdomain to be used for the envelope addresses, and allow SPF as required, e.g.,

    mailer.example.com TXT "v=spf1 +ip4:192.0.2.100 -all"
    
  3. Require strict SPF alignment mode with aspf=s, e.g.,

    _dmarc.example.com. IN TXT "v=DMARC1; p=reject; aspf=s; adkim=r;"
    

  4. Set up a passing DKIM signing aligned with the From address, either in strict or in relaxed mode.

Esa Jokinen
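To see how the alignment rules play out for the records in the answer above, and for the SPF-neutral variant from the earlier answer, here is an added example that is not part of either answer. It evaluates a message the way a receiver's DMARC check would: a minimal SPF evaluator (only ip4/ip6 and all mechanisms; no include, a, mx or redirect), a DMARC record parser with the RFC 7489 defaults, and strict versus relaxed identifier alignment. The zone data is a constructed in-memory dict mirroring the records in the answer, the organizational domain is approximated as the last two labels (a real receiver consults the Public Suffix List), and DKIM verification results are supplied as constructed inputs rather than computed from signatures.

```python
"""DMARC alignment evaluator with a minimal SPF checker (added example).

Assumptions, labelled as such: ZONE is constructed from the records in the
answer above; org_domain() uses the last two labels instead of the Public
Suffix List; DKIM results are inputs, not computed; spf_check() supports
only ip4/ip6 and 'all'.
"""
import ipaddress

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data mirroring the records in the answer above.
ZONE = {
    "example.com": "v=spf1 -all",
    "mailer.example.com": "v=spf1 +ip4:192.0.2.100 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=s; adkim=r;",
}


def spf_check(record: str, client_ip: str) -> str:
    """Evaluate an SPF record for client_ip. Only ip4/ip6 and 'all' are
    handled; include/a/mx/redirect would need DNS and are out of scope."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER[qual]
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER[qual]
        else:
            raise NotImplementedError(f"SPF mechanism {mech!r} not supported here")
    return "neutral"  # nothing matched and no 'all' term


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value;' pairs; adkim and aspf default to relaxed ('r')."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain: str) -> str:
    # Assumption: last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') only the same
    organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(from_domain, mail_from_domain, client_ip, dkim_results, zone=ZONE):
    """dkim_results: constructed list of (d= domain, verifier result), one per
    signature. Returns the DMARC verdict and the resulting disposition."""
    policy = parse_dmarc(zone.get("_dmarc." + from_domain)
                         or zone["_dmarc." + org_domain(from_domain)])
    spf_result = spf_check(zone.get(mail_from_domain, ""), client_ip)
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, policy["adkim"])
                  for d, r in dkim_results)
    passed = spf_ok or dkim_ok
    return {"spf": spf_result, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy["p"]}


if __name__ == "__main__":
    # Attacker relaying through the provider's authorized IP with a forged From:
    print(dmarc_evaluate("example.com", "mailer.example.com", "192.0.2.100", []))
    # Legitimate mail on the same path, carrying an aligned DKIM signature:
    print(dmarc_evaluate("example.com", "mailer.example.com", "192.0.2.100",
                         [("example.com", "pass")]))
```

With aspf=s the first call reports SPF "pass" but not aligned, so the forged message is rejected; swap the record for aspf=r and the same message passes DMARC on SPF alone, which is exactly the shared-IP weakness the question describes. With the SPF-neutral record from the first answer (v=spf1 ?all), SPF never reaches "pass", so only an aligned DKIM signature can produce a DMARC pass.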