Why would anyone send email that appears to come from someone else? I can think of three circumstances:
1. TheBadGuys.com: plain spoofing, someone with no relation to riowing.net forging the sender address.
2. I, the owner of riowing.net, have asked Gmail to send my mail on behalf of riowing.net, so that mail.riowing.net only handles incoming mail.
3. rioFriend@aWorkMailClient.com asks AWS WorkMail to "redirect", instead of "forward", his mail to gmail.com so that he can process it there.
In this case WorkMail has to hand the message to gmail.com with the sender still shown as rio@riowing.net (the original author) instead of rioFriend@aWorkMailClient.com.
The three technologies, SPF, DKIM and DMARC, are discussed under the following assumptions:
email sender shown as (the From header): rio@riowing.net
email sent by: gmail.com
email received by: rioFriend@aWorkMailClient.com through email-smtp.us-west-2.amazonaws.com, which is AWS WorkMail
1. SPF: Sender Policy Framework.
riowing.net publishes a DNS TXT record listing which hosts are allowed to send mail whose envelope sender (SMTP MAIL FROM) is *@riowing.net, e.g. Google's outbound servers via include:_spf.google.com. Note that SPF is evaluated against the envelope sender and the connecting IP address, not against the From header the user sees; tying the two together is DMARC's job.
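As an added example of what the receiver does with that record (this is not code from the original notes, nor Google's or AWS's), the Python below implements the core of RFC 7208 check_host() for the ip4, ip6, include and all terms over a constructed, in-memory DNS zone so that it runs offline. The riowing.net record, the _spf.google.com netblocks and example.org are made up for the example; the real include target is whatever Google publishes. The inputs are the connecting IP and the MAIL FROM domain, not the From header.

```python
import ipaddress

# Constructed DNS zone standing in for live TXT lookups (assumption: none of
# these are real records; the 198.51.100.0/24 and 2001:db8::/32 netblocks are
# documentation ranges, not Google's real ones).
DNS_TXT = {
    "riowing.net": "v=spf1 ip4:203.0.113.10 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "example.org": "v=spf1 include:riowing.net -all",  # shows include nesting
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on lookup-causing terms

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF terms for a domain, or None if it publishes no v=spf1 record."""
    record = DNS_TXT.get(domain.lower().rstrip("."))
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record.split()[1:]


def check_host(ip, domain, lookups=None):
    """RFC 7208 check_host(): evaluate the SPF record of `domain` (the MAIL FROM
    domain) against the connecting IP. Returns one of 'pass', 'fail',
    'softfail', 'neutral', 'none' or 'permerror'. Only ip4/ip6/include/all are
    implemented here; any other mechanism or modifier yields 'permerror'."""
    lookups = lookups if lookups is not None else [0]
    terms = lookup_spf(domain)
    if terms is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms:
        qualifier = "+"                    # a mechanism without qualifier means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # A v4 address is never contained in a v6 network and vice versa.
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed network in the record
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, lookups)
            if sub in ("none", "permerror"):
                return "permerror"         # RFC 7208 section 5.2
            matched = sub == "pass"        # include matches only on a pass
        else:
            return "permerror"             # a/mx/ptr/exists/redirect= not in this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                       # default result when no term matched


if __name__ == "__main__":
    for ip, dom in [("198.51.100.7", "riowing.net"),   # Google range via include
                    ("203.0.113.10", "riowing.net"),   # riowing.net's own MX host
                    ("192.0.2.5", "riowing.net"),      # TheBadGuys: -all -> fail
                    ("192.0.2.5", "nospf.test")]:      # domain without SPF
        print(f"{ip:>14} for {dom}: {check_host(ip, dom)}")
```

The receiver feeds the `pass`/`fail` verdict (together with the MAIL FROM domain it was computed for) into the DMARC evaluation; a `softfail` from `~all` is, by itself, only a hint and is not a pass for DMARC.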
2. DKIM: DomainKeys Identified Mail.
The sending server (here gmail.com, holding a private key issued for riowing.net) signs each outgoing message and inserts the signature as a DKIM-Signature header.
WorkMail can verify the signature with riowing.net's public key, which is published as a DNS TXT record at <selector>._domainkey.riowing.net, the selector being the s= tag of the signature.
The header sits alongside "From" inside the SMTP DATA, i.e. after the envelope commands MAIL FROM and RCPT TO, like this:
RCPT TO:<rioFriend@aWorkMailClient.com>
DATA
DKIM-Signature: v=1; a=rsa-sha256; d…
From: Rio <rio@riowing.net>
3. DMARC: Domain-based Message Authentication, Reporting and Conformance.
A DNS TXT record at _dmarc.riowing.net that tells receivers that SPF and/or DKIM are in use, how strictly the authenticated domain must align with the domain in the From header, what to do when the check fails, and where to send reports.
It looks like this: v=DMARC1; p=none; rua=mailto:admin@riowing.net;aspf=s
Meaning: p=none, a failing message is still delivered (monitor mode; the alternatives are quarantine and reject); rua, aggregate reports go to admin@riowing.net (per-message failure reports would use ruf); aspf=s, SPF alignment is strict, i.e. the MAIL FROM domain must be exactly riowing.net, not a subdomain such as mail.riowing.net. A message passes DMARC if either SPF or DKIM passes with an aligned domain. That is what keeps scenario 3 working: the WorkMail redirect breaks SPF, because AWS is not in riowing.net's SPF record, but the DKIM signature survives as long as the message is not modified.
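The DMARC evaluation described above, as an added example that is not part of the original notes (it is illustrative code, not AWS's or Google's implementation): the Python below parses the riowing.net DMARC record and a DKIM-Signature header, extracts the From header domain, applies RFC 7489 identifier alignment in strict and relaxed mode, and combines the receiver's SPF and DKIM verdicts into a DMARC result and disposition. The DMARC record is the one from the notes; the DKIM-Signature header and the scenario inputs are constructed, and the organizational-domain rule is simplified to "last two labels" (real receivers consult the Public Suffix List).

```python
from email.utils import parseaddr

# The record from the notes, plus a constructed DKIM-Signature header
# (assumption: the selector, hashes and signature are made up for the example).
RIOWING_DMARC = "v=DMARC1; p=none; rua=mailto:admin@riowing.net;aspf=s"
DKIM_SIG = ("v=1; a=rsa-sha256; d=riowing.net; s=google; c=relaxed/relaxed; "
            "h=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; "
            "b=MEUCIQDexample")


def parse_tags(record):
    """Split a 'tag=value; tag=value' string (DMARC TXT record or DKIM-Signature
    header) into a dict. Values may contain '=' themselves (base64 padding)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def header_from_domain(from_value):
    """Domain of the RFC5322.From address, the identifier DMARC protects."""
    _, addr = parseaddr(from_value)
    return addr.rpartition("@")[2].lower()


def org_domain(domain):
    """Organizational domain. Assumption for the example: the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """RFC 7489 identifier alignment: 's' requires an exact match,
    'r' (relaxed, the default) only the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(dmarc_record, from_value, spf_result, mailfrom_domain,
                   dkim_result, dkim_signature=None):
    """Combine the receiver's SPF and DKIM verdicts with the sender's DMARC policy.
    Returns (dmarc_result, disposition); disposition is what p= asks the receiver
    to do with a failing message ('none', 'quarantine' or 'reject')."""
    policy = parse_tags(dmarc_record)
    if policy.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    from_domain = header_from_domain(from_value)
    # SPF counts only if it passed AND its MAIL FROM domain aligns with From.
    spf_ok = spf_result == "pass" and aligned(
        mailfrom_domain, from_domain, policy.get("aspf", "r"))
    # DKIM counts only if a signature verified AND its d= domain aligns with From.
    dkim_ok = False
    if dkim_result == "pass" and dkim_signature:
        signing_domain = parse_tags(dkim_signature).get("d", "")
        dkim_ok = aligned(signing_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    disposition = policy.get("p", "none").lower()
    if disposition not in ("none", "quarantine", "reject"):
        disposition = "none"
    return "fail", disposition


if __name__ == "__main__":
    frm = "Rio <rio@riowing.net>"
    # Scenario 2: Gmail sends for riowing.net, authorized by SPF and signing with its key.
    print("gmail    ", evaluate_dmarc(RIOWING_DMARC, frm, "pass", "riowing.net", "pass", DKIM_SIG))
    # Scenario 3: WorkMail redirects the unmodified message; SPF fails, DKIM survives.
    print("redirect ", evaluate_dmarc(RIOWING_DMARC, frm, "fail", "riowing.net", "pass", DKIM_SIG))
    # Scenario 1: TheBadGuys forge the From header; nothing authenticates, p=none still delivers.
    print("badguys  ", evaluate_dmarc(RIOWING_DMARC, frm, "fail", "thebadguys.com", "none"))
    # aspf=s bites when the bounce address is on a subdomain and there is no DKIM.
    print("subdomain", evaluate_dmarc(RIOWING_DMARC, frm, "pass", "mail.riowing.net", "none"))
```

Running it shows why p=none is only a monitoring setting: the forged TheBadGuys message fails DMARC yet gets disposition `none`, so nothing is blocked until the policy is moved to quarantine or reject once the aggregate reports confirm legitimate mail is passing.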
Everything above only verifies the domain, riowing.net, not the individual rio@riowing.net; authenticating the person is the job of end-to-end signatures such as PGP and S/MIME.