
I used to think that SPF records for subdomains were completely independent from the parent domain.

I'm trying out a domain email service provider that advises:

Using a subdomain you will still be able to send emails from your root domain e.g. “you@mydomain.com”.

Thus, I've set up SPF for a particular subdomain as v=spf1 include:mailgun.org ~all

I've tried sending a test message with it to a well known webmail provider, and, to my surprise, SPF passed.

Here are the relevant email headers:

Delivered-To: myotheremail@gmail.com
Return-Path: <bounce+7e6474.bcb15-myotheremail=gmail.com@mailgun.mydomain.tld>
Received: from rs224.mailgun.us (rs224.mailgun.us. [209.61.151.224])
        by mx.google.com {...}
Received-SPF: pass (google.com: domain of bounce+7e6474.bcb15-myotheremail=gmail.com@mailgun.mydomain.tld designates 209.61.151.224 as permitted sender) client-ip=209.61.151.224;
Sender: myusername=mydomain.tld@mailgun.mydomain.tld
From: myusername@mydomain.tld
To: myotheremail@gmail.com

The Received-SPF line has me worried that, for some twisted reason, SPF can succeed just based on the domain of the bounce address - is that the case?

I've also noticed that Sender is actually set to be from the subdomain, but that is not shown in any way in the webmail interface - does that mean that subdomains can basically get away with impersonating emails for the parent domain? Or even for other domains?

loopbackbee
    `mydomain.tld` doesn't appear to be a valid domain. Other than that everything looks OK here. If you want a conclusive answer, edit your question to remove the obfuscation and supply the real information. – Michael Hampton Oct 29 '15 at 01:27

1 Answer


SPF is based on the MAIL FROM syntax during the identification phase of an email.

ehlo mail.example.com
mail from:user@example.com
rcpt to:example@gmail.com
data
Subject:This is the Subject
From:user@example.org
body Content

So the email may be From: your domain, but SPF is based on the MAIL FROM syntax.

Typically you'll see an 'on behalf of user@example.org' for this method; some require a Sender: example.com header to be added to these emails. See: whats-the-difference-between-sender-from-and-return-path

If you include the actual domain, we can give a more accurate answer.

Jacob Evans
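The distinction the answer draws, as an added Python example (not code from the question or the answer): it parses the headers quoted in the question and reports the domain the SPF verdict actually vouches for (the Return-Path / MAIL FROM domain) against the domain the reader sees in From:, and classifies the pair as the same domain, a subdomain relationship, or unrelated. The `UNRELATED_HEADERS` variant is constructed for illustration, not taken from the question.

```python
import email
from email.utils import parseaddr

# Constructed sample: the headers quoted in the question, trimmed to the ones that matter.
QUESTION_HEADERS = """\
Return-Path: <bounce+7e6474.bcb15-myotheremail=gmail.com@mailgun.mydomain.tld>
Received-SPF: pass (google.com: domain of bounce+7e6474.bcb15-myotheremail=gmail.com@mailgun.mydomain.tld designates 209.61.151.224 as permitted sender) client-ip=209.61.151.224;
Sender: myusername=mydomain.tld@mailgun.mydomain.tld
From: myusername@mydomain.tld
To: myotheremail@gmail.com
"""

# Constructed variant: same envelope and SPF verdict, but From: names an unrelated domain.
UNRELATED_HEADERS = QUESTION_HEADERS.replace(
    "From: myusername@mydomain.tld", "From: someone@example.org")


def domain_of(header_value):
    """Lower-cased domain of an address header value ('Name <u@h>', '<u@h>' or 'u@h')."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spf_identity(raw_headers):
    """Report which domain the SPF verdict is about, versus the domain shown in From:."""
    msg = email.message_from_string(raw_headers)
    spf_domain = domain_of(msg["Return-Path"])   # SPF is evaluated on MAIL FROM, i.e. Return-Path
    from_domain = domain_of(msg["From"])         # the only address most webmail UIs display
    verdict = (msg["Received-SPF"] or "none").split()[0].lower()
    if spf_domain == from_domain:
        relation = "same"
    elif spf_domain.endswith("." + from_domain):
        relation = "subdomain-of-from"   # mailgun.mydomain.tld vouched, mydomain.tld is shown
    elif from_domain.endswith("." + spf_domain):
        relation = "parent-of-from"
    else:
        relation = "unrelated"           # an SPF pass here says nothing about the From: domain
    return {"spf_result": verdict, "spf_domain": spf_domain,
            "from_domain": from_domain, "relation": relation}


if __name__ == "__main__":
    for raw in (QUESTION_HEADERS, UNRELATED_HEADERS):
        r = spf_identity(raw)
        print(f"SPF {r['spf_result']} for {r['spf_domain']!r}; "
              f"From: shows {r['from_domain']!r} ({r['relation']})")
```

Whether the From: domain is covered by that verdict is a separate question (it is what DMARC's alignment check decides), so a receiver that only looks at Received-SPF cannot tell the two constructed messages apart.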