I have set up an SPF record for my domain, but I can still spoof email addresses for my domain using fake email services like this one: http://deadfake.com/Send.aspx

The email arrives in my Gmail inbox just fine.

The email does have SPF errors in the header, like this: `spf=fail (google.com: domain of info@mydomain.com does not designate 23.249.225.236 as permitted sender)`, but it's still received just fine, which means anyone can spoof my email address...

My SPF record is: `v=spf1 mx a ptr include:_spf.google.com -all`

UPDATE: In case anyone's interested, I have published a DMARC policy along with my SPF record and now Gmail marks spoof messages correctly (picture)

jitbit

  • Yes, anyone can spoof your domain in an email. The SPF record doesn't prevent this unless the receiving server performs a hard rejection based on the SPF failure, which probably few do. – joeqwerty Mar 12 '15 at 20:10
  • Because you included _spf.google.com your policy is likely to be evaluated `~all` not `-all`. You likely need only one of `MX`, `A`, and `PTR`. – BillThor Mar 13 '15 at 00:11
  • 2
    @BillThor as [the standard makes clear](http://www.openspf.org/SPF_Record_Syntax#include), soft or hard fails from an an `include`d record are ignored when evaluating the final result; or as they put it, "*evaluating a '-all' directive in the referenced record does not terminate the overall processing*". – MadHatter Mar 13 '15 at 05:44
  • @MadHatter Yes I reviewed the revised documentation with that clarification. It wasn't clear in earlier documentation, and I believe I encountered implementations that appeared not to make the distinction. Not all implementations handle edge cases like that in a standard manner. I believe that may be why the clarification was needed. – BillThor Mar 13 '15 at 05:58
  • @BillThor you may well be right! As they acknowledge, `include` wasn't a great name for the policy, because everyone with programming experience immediately made a set of assumptions about how it would work - some of which weren't right! – MadHatter Mar 13 '15 at 06:00
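The `include` semantics discussed in the comments are easy to get wrong, so here is a small SPF evaluator, added as an example and not part of the original question or any answer, that runs against an in-memory DNS table. All domains, addresses and records in it (`mydomain.example`, `_spf.google.example`, the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses) are constructed for the example. It models the mechanisms in the asker's record (`mx`, `a`, `ptr`, `include`, `all`) plus `ip4`, and shows that a `-all` inside an included record never produces a fail for the outer domain: `include` matches only when the referenced record evaluates to `pass`, and the final verdict comes from the outer record's own `all` term.

```python
"""Toy SPF evaluator (RFC 7208 subset) over a constructed DNS table.

Added example; not code from the original post. Real resolvers also enforce
the 10-lookup limit, void-lookup limit, macros, 'exists', 'redirect' etc.
"""
import ipaddress

# Constructed DNS data for the example; no real domain's records are used.
DNS = {
    "mydomain.example": {
        "TXT": "v=spf1 mx a ptr include:_spf.google.example -all",
        "A": ["192.0.2.10"],
        "MX": ["mail.mydomain.example"],
    },
    "mail.mydomain.example": {"A": ["192.0.2.20"]},
    "relay.mydomain.example": {"A": ["192.0.2.30"]},
    # Same outer record but ending in ~all, to show where the verdict comes from.
    "softdomain.example": {"TXT": "v=spf1 include:_spf.google.example ~all"},
    # Included record that itself ends in -all.
    "_spf.google.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
}
# Constructed reverse map for the 'ptr' mechanism (which RFC 7208 says
# SHOULD NOT be used; it is here only because the asker's record has it).
PTR = {"192.0.2.10": "mydomain.example", "192.0.2.30": "relay.mydomain.example"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ip_in(ip, cidrs):
    """True if ip falls inside any of the given addresses/CIDR prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _matches(mech, arg, ip, domain):
    """Does one mechanism match the connecting ip for the given domain?"""
    target = arg or domain
    if mech == "all":
        return True
    if mech == "ip4":
        return _ip_in(ip, [arg])
    if mech == "a":
        return _ip_in(ip, DNS.get(target, {}).get("A", []))
    if mech == "mx":
        return any(_ip_in(ip, DNS.get(h, {}).get("A", []))
                   for h in DNS.get(target, {}).get("MX", []))
    if mech == "ptr":
        rev = PTR.get(ip)
        if rev is None or not (rev == target or rev.endswith("." + target)):
            return False
        # Validated reverse lookup: the PTR name must resolve back to ip.
        return _ip_in(ip, DNS.get(rev, {}).get("A", []))
    if mech == "include":
        # RFC 7208 section 5.2: 'include' matches only if the referenced
        # record yields 'pass'. Its 'fail'/'softfail' (e.g. from its own
        # '-all') is discarded and evaluation of the outer record continues.
        return check_host(ip, target) == "pass"
    raise ValueError(f"unsupported mechanism: {mech}")


def check_host(ip, domain):
    """Return the SPF result for ip sending as domain: pass/fail/softfail/neutral/none."""
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if _matches(mech, arg, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "mydomain.example"),
                    ("198.51.100.5", "mydomain.example"),
                    ("203.0.113.7", "mydomain.example"),
                    ("203.0.113.7", "softdomain.example")]:
        print(f"{ip:>14} as {dom:<20} -> {check_host(ip, dom)}")
```

For the unlisted address 203.0.113.7 the included record evaluates to `fail`, yet `softdomain.example` still ends as `softfail`: the outer `~all` decides, exactly as the quoted sentence from the spec says.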

3 Answers

The fact that you advertise an SPF record in no way obliges anyone else to honour it. It is up to the admins of any given mail server what email they choose to accept. I think they're foolish if they don't check SPF records and reject accordingly, but it's up to them. I know some people like DMARC, but I think it's a hideous idea myself, and I won't be reconfiguring my email server to accept/reject based on DMARC; doubtless some people feel the same way about SPF.

What I think SPF does do is allow you to disclaim any further responsibility for email that claimed to be from your domain, but wasn't. Any mail admin coming to you complaining that your domain is sending them spam when they haven't bothered to check the SPF record you advertise that would have told them that the email should be rejected can fairly be sent away with a flea in their ear.

MadHatter

SPF can't prevent this. It just gives an indication to other servers that the mail is spoofed, but most use this only as one of several factors to decide whether the mail should be blocked.

Sven
  • OK, thanks, that's what I suspected... I'm actually surprised Gmail does not "respect" an SPF failure as some warning flag :( – jitbit Mar 12 '15 at 20:01
  • @jitbit Gmail does respect SPF, but an SPF-Hardfail does not mean the mail is delivered directly to the spam-folder. It is one of many parameters for spam-detection. – sebix Mar 12 '15 at 22:02
  • @sebix I finally made Gmail treat this as spam/malicious, see update in the question – jitbit Mar 13 '15 at 08:36
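The asker's update says that publishing a DMARC policy is what finally made Gmail act on the spoof. The following evaluator, added here as an example and not code from the question or any answer, shows why: DMARC takes the SPF and DKIM results a receiver already has, checks whether the authenticated domains align with the `From:` header domain, and, when neither aligns, returns the disposition the domain owner published (`p=none`, `quarantine` or `reject`). The record strings, domains and addresses are constructed; `pct` sampling, the `sp` subdomain policy and the Public Suffix List are left out, and the "organizational domain" is approximated by the last two labels.

```python
"""Toy DMARC evaluation (RFC 7489 subset). Added example, not from the post.

Inputs are the per-message authentication results a receiver already has
(SPF result + the MAIL FROM domain it was computed for, DKIM result + the
d= domain of the signature) and the domain owner's published DMARC record.
"""


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict with defaults applied."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment unless told otherwise
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Approximate organizational domain: last two labels (constructed
    simplification; real receivers consult the Public Suffix List)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, record, spf_result, spf_domain,
                      dkim_result="none", dkim_domain=None):
    """Return 'pass' if an aligned SPF or DKIM pass exists, else the
    published policy ('none', 'quarantine' or 'reject')."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]


# Constructed policy for the example domain.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@mydomain.example"

if __name__ == "__main__":
    # Spoofed message as in the question: From: is our domain, SPF fails, no DKIM.
    print("spoof    ->", dmarc_disposition("mydomain.example", RECORD, "fail", "mydomain.example"))
    # Spoof with an SPF pass for an unrelated envelope domain: still not aligned.
    print("misalign ->", dmarc_disposition("mydomain.example", RECORD, "pass", "fakesender.example"))
    # Legitimate message relayed by the included provider: SPF pass, aligned.
    print("legit    ->", dmarc_disposition("mydomain.example", RECORD, "pass", "mydomain.example"))
```

A plain SPF `-all` leaves the receiver free to treat the failure as one spam signal among many, which is the behaviour the asker observed; a DMARC record with `p=quarantine` or `p=reject` is the domain owner's explicit statement of what to do with unaligned mail, and receivers that honour DMARC apply it.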

Yes, that is normal. Anyone can spoof any email address, but SPF (Sender Policy Framework) gives email service providers and clients the ability to better identify such messages and flag them as spam, or even bounce them entirely if that is part of their process.

morgant