
Sender authentication

Inbound receipt emails can arrive from any mailbox in the world. Without sender authentication, an attacker could send a message with From: ceo@victim.example and we’d happily file the receipt under the victim’s account. The sender-auth gate exists to prevent exactly that.

Why DMARC, not DKIM

dkim=pass only proves that some domain signed the message and the signature verified; it says nothing about whether that domain is the one in the visible From: header. An attacker can DKIM-sign a forged email with d=attacker.com while the message wears From: ceo@victim.example, and bare DKIM is satisfied.

DMARC (RFC 7489) is the only common verdict that requires the authenticated identifier (the DKIM header.d= domain or the SPF MAIL FROM domain) to align with the visible RFC 5322 From: domain. Bare DKIM doesn’t, and neither does bare SPF, which authenticates the envelope MAIL FROM rather than the header the recipient sees.
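As an added example (not code from the page or from the gate itself), the alignment rule above in working form: a DMARC evaluation that accepts a verified DKIM signature or a passing SPF MAIL FROM only when its domain aligns with the From: domain. The function names and the two-label shortcut for the organisational domain are assumptions made for this example; a production implementation derives the organisational domain from the Public Suffix List, and the no-record case (dmarc=none) is not modelled here.

```python
# Added example: DMARC identifier alignment (RFC 7489 section 3.1), written for this page.
# It shows why dkim=pass with d=attacker.com does not give dmarc=pass for From: ceo@victim.example.


def org_domain(domain: str) -> str:
    """Organisational domain of a host name.

    Assumption for this example: the last two labels. A real implementation uses the
    Public Suffix List so that e.g. victim.co.uk is not reduced to co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "relaxed") -> bool:
    """Identifier alignment: strict needs an exact match, relaxed (the RFC default)
    needs the same organisational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "strict":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_evaluate(from_addr, dkim_results, spf_mailfrom=None, spf_result="none",
                   adkim="relaxed", aspf="relaxed"):
    """Return "pass" if any verified DKIM signature or a passing SPF MAIL FROM aligns
    with the RFC 5322 From: domain, otherwise "fail".

    dkim_results: list of (header.d domain, dkim result) pairs, one per signature.
    adkim / aspf: the alignment modes a domain owner sets in its DMARC record.
    """
    from_domain = from_addr.rsplit("@", 1)[-1]
    # Any one aligned, verified DKIM signature is enough; unaligned signers are ignored.
    for signer, result in dkim_results:
        if result == "pass" and aligned(from_domain, signer, adkim):
            return "pass"
    # SPF authenticates the MAIL FROM domain; it only helps if that domain aligns too.
    if spf_result == "pass" and spf_mailfrom:
        if aligned(from_domain, spf_mailfrom.rsplit("@", 1)[-1], aspf):
            return "pass"
    return "fail"


if __name__ == "__main__":
    # Constructed inputs: the forgery from the text, then two legitimate shapes.
    print(dmarc_evaluate("ceo@victim.example", [("attacker.com", "pass")]))          # fail
    print(dmarc_evaluate("ceo@victim.example", [("mail.victim.example", "pass")]))   # pass
    print(dmarc_evaluate("ceo@victim.example", [], "bounce@victim.example", "pass"))  # pass
```

The first call is the attack in the text: the DKIM signature verifies, so dkim=pass, but attacker.com does not align with victim.example and the DMARC result is fail. The same signer domain would pass in relaxed mode from any subdomain of victim.example, and only from the exact domain in strict mode.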

The gate parses Authentication-Results and ARC-Authentication-Results headers, and only accepts dmarc=pass from the trusted authserv-id (mx.cloudflare.net).

What “fail” means

A receipt whose sender failed DMARC isn’t rejected outright — it’s held for review with reason unsigned_sender. The recipient sees:

The email didn’t pass sender authentication. Holding it until you confirm it’s really from you.

If the user confirms (“yes, this is mine, my mail provider is just unusual”), the receipt finalises. If they don’t, it sits in needs_review indefinitely.

What “none” means

Some senders publish no DMARC record for their From: domain. The verdict comes back as dmarc=none, and we route it to the same unsigned_sender review hold as a fail. From a security standpoint, “policy not published” is the same as “could be anyone”: nothing ties the From: domain to whoever sent the message.

Defence in depth

Two extra layers harden the gate beyond DMARC:

  1. Authserv-id strict match. Only entries whose authserv-id is exactly mx.cloudflare.net count. An attacker can’t ship Authentication-Results: attacker.com; dmarc=pass and have it counted.

  2. Duplicate trusted entry → fail-closed. Real Cloudflare emits at most one trusted entry per header type. Two mx.cloudflare.net entries on Authentication-Results (one real, one forged) collapse to a fail verdict — the parser can’t tell which is real, so neither is trusted.

Residual

If Cloudflare ever fails to stamp at all and only an attacker entry is present, the gate has no cryptographic way to detect the forgery. Closing this case requires ARC-Seal verification, which is on the roadmap.
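The whole gate as an added example, written for this page rather than taken from it: it parses Authentication-Results and ARC-Authentication-Results (RFC 8601), counts only entries whose authserv-id is exactly mx.cloudflare.net, collapses two trusted entries on one header type to fail, sends fail and none to the unsigned_sender hold, and shows the residual case above (no Cloudflare stamp, one forged trusted-looking entry) passing. The function names, the state strings and the handling of mixed or error results are assumptions; the sample messages are constructed, not captured traffic.

```python
import re
from email import message_from_string

# From the page: the only authserv-id whose verdicts count, and the two header types parsed.
TRUSTED_AUTHSERV_ID = "mx.cloudflare.net"
AUTH_HEADERS = ("Authentication-Results", "ARC-Authentication-Results")


def parse_authres(value):
    """Parse one Authentication-Results / ARC-Authentication-Results value (RFC 8601).

    Returns (authserv_id, {method: result}). Folding whitespace is collapsed, an optional
    version number after the authserv-id is ignored, and the ARC instance tag ("i=1;")
    that precedes the authserv-id in ARC-Authentication-Results is skipped. Only the
    method=result token of each result is kept; reason=... and ptype.property=value are
    dropped. Assumption: a ';' inside a quoted reason string is not handled here.
    """
    parts = [p.strip() for p in " ".join(value.split()).split(";") if p.strip()]
    if parts and re.fullmatch(r"i=\d+", parts[0], re.IGNORECASE):
        parts.pop(0)
    if not parts:
        return None, {}
    authserv_id = parts[0].split()[0].lower()
    results = {}
    for part in parts[1:]:
        m = re.match(r"([a-z0-9-]+)=([a-z0-9]+)", part, re.IGNORECASE)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv_id, results


def dmarc_verdict(raw_message):
    """Apply the gate's rules to a raw RFC 5322 message; return "pass", "fail" or "none".

    * Only entries whose authserv-id is exactly TRUSTED_AUTHSERV_ID count.
    * Two trusted entries on the same header type collapse to "fail" (fail closed).
    * No trusted entry at all is reported as "none" (same hold as dmarc=none).
    Assumption (mine, not stated on the page): "pass" needs every trusted entry to say
    dmarc=pass; temperror/permerror or a mix of results counts as "fail".
    """
    msg = message_from_string(raw_message)
    trusted_results = []
    for header in AUTH_HEADERS:
        per_type = []
        for value in msg.get_all(header, []):
            authserv_id, results = parse_authres(value)
            if authserv_id == TRUSTED_AUTHSERV_ID:  # strict match; attacker.example never counts
                per_type.append(results.get("dmarc", "none"))
        if len(per_type) > 1:  # real and forged are indistinguishable: trust neither
            return "fail"
        trusted_results.extend(per_type)
    if not trusted_results:
        return "none"
    if all(r == "pass" for r in trusted_results):
        return "pass"
    if all(r == "none" for r in trusted_results):
        return "none"
    return "fail"


def gate(raw_message):
    """Map the verdict onto the gate's outcome: finalise on pass, hold for review otherwise."""
    verdict = dmarc_verdict(raw_message)
    if verdict == "pass":
        return {"verdict": verdict, "state": "finalised"}
    return {"verdict": verdict, "state": "needs_review", "reason": "unsigned_sender"}


# Constructed sample messages (not captured traffic); only the headers matter here.
LEGIT = """From: alice@example.com
Authentication-Results: mx.cloudflare.net;
  dkim=pass header.d=example.com;
  spf=pass smtp.mailfrom=example.com;
  dmarc=pass (p=QUARANTINE) header.from=example.com
Subject: Receipt 1234

Thanks for your order.
"""
FORGED_AUTHSERV = """From: ceo@victim.example
Authentication-Results: attacker.example; dmarc=pass header.from=victim.example
Authentication-Results: mx.cloudflare.net;
  dkim=pass header.d=attacker.example; dmarc=fail header.from=victim.example
Subject: Receipt 1234

"""
DUPLICATE_TRUSTED = """From: ceo@victim.example
Authentication-Results: mx.cloudflare.net; dmarc=pass header.from=victim.example
Authentication-Results: mx.cloudflare.net; dmarc=fail header.from=victim.example
Subject: Receipt 1234

"""
NO_POLICY = """From: bob@unusual.example
Authentication-Results: mx.cloudflare.net; dkim=pass header.d=unusual.example; dmarc=none header.from=unusual.example
Subject: Receipt 1234

"""
ARC_ONLY = """From: alice@example.com
ARC-Authentication-Results: i=1; mx.cloudflare.net; dmarc=pass header.from=example.com
Subject: Receipt 1234

"""
# The residual case: Cloudflare did not stamp, and the only entry is a forgery that names
# the trusted authserv-id. Without ARC-Seal verification the gate cannot tell, and passes it.
RESIDUAL = """From: ceo@victim.example
Authentication-Results: mx.cloudflare.net; dmarc=pass header.from=victim.example
Subject: Receipt 1234

"""

if __name__ == "__main__":
    for name in ("LEGIT", "FORGED_AUTHSERV", "DUPLICATE_TRUSTED", "NO_POLICY", "ARC_ONLY", "RESIDUAL"):
        print(name, gate(globals()[name]))
```

Running it prints finalised for LEGIT and ARC_ONLY, needs_review with reason unsigned_sender for the forged authserv-id, the duplicate trusted entry and the dmarc=none sender, and finalised for RESIDUAL, which is exactly the gap the roadmap item closes.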

What you do

Nothing, as long as your sending domain publishes a DMARC record. Normal mail providers (Gmail, Outlook, Fastmail) do, and most company domains do; then the gate passes and you never notice it ran. If your domain publishes no record, every receipt you send lands in the unsigned_sender review hold described above until you confirm it.