
Google's recommendation for SPF for both GMail and GSuite is

v=spf1 include:_spf.google.com ~all

My concern is that this is the same for both Google and GMail. If I am not mistaken, this means that I can send from the GSuite server as my personal domain and not be marked as spam. However, this also allows anyone with a GMail account to craft an email as if it came from my domain, and as long as they send it via Google's SMTP servers (which would be included in the SPF records) it won't be a violation of SPF.

Isn't this a glaring security hole for folks using GSuite, or am I missing something?

Thanks!

JB.
    Gmail's SMTP servers won't let you spoof another user on the service. They won't let you spoof the `From` *at all*, in my experience, unless it's one of your configured and verified aliases in the settings. – ceejayoz Oct 19 '17 at 17:47

1 Answer


The SPF record in itself would mean that any mail sent from the Gmail/Gsuite servers is ok.

However, I firmly believe that the Gmail/Gsuite services do not allow users to use any arbitrarily chosen from-addresses without prior ownership validation.

I.e., it wouldn't be an SPF policy violation that would make such abuse visible after the fact, but the Gmail/Gsuite mail servers which would reject the request for this unrelated user to relay such a message in the first place.

Håkan Lindqvist
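To make the point of the question and the answer concrete, here is an added example (not code from either poster) of a minimal SPF evaluator run against a constructed, offline DNS table. The contents given for `_spf.google.com` are made up (RFC 5737 documentation ranges), as are the tenant domains; only the mechanism syntax (`include:`, `ip4:`, `~all`, `-all`) follows RFC 7208. Two unrelated domains that both `include:` the same provider record evaluate to `pass` for the same sending IP, which is exactly why SPF on its own cannot tell tenants of a shared provider apart and why the provider's own From-address verification is the control that matters.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; none of this is real Google data.
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 test ranges.
FAKE_TXT = {
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all",
    "example.com": "v=spf1 include:_spf.google.com ~all",        # the asker's domain
    "other-tenant.example": "v=spf1 include:_spf.google.com ~all",  # an unrelated tenant
    "self-hosted.example": "v=spf1 ip4:203.0.113.25 -all",        # own MTA, hard fail
    "loop.example": "v=spf1 include:loop.example -all",           # pathological self-include
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain, dns=FAKE_TXT):
    """Offline replacement for a DNS TXT query."""
    return dns.get(domain)


def check_spf(domain, sender_ip, dns=FAKE_TXT, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Supports the mechanisms the page discusses (ip4/ip6, include, all).
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms; treat overrun as permerror
        return "permerror"
    record = lookup_txt(domain, dns)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]

        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # Address of the other IP family never matches the network.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            sub = check_spf(term[len("include:"):], sender_ip, dns, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"  # include matches only on a pass of the referenced record
        else:
            return "permerror"  # mechanism not supported by this toy evaluator

        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


def shared_provider_demo(shared_provider_ip="192.0.2.10"):
    """Show how every tenant of a shared provider passes SPF for the same source IP."""
    domains = ("example.com", "other-tenant.example", "self-hosted.example")
    return {d: check_spf(d, shared_provider_ip) for d in domains}


if __name__ == "__main__":
    for domain, result in shared_provider_demo().items():
        print(f"{domain:22} -> {result}")
```

Running it shows `example.com` and `other-tenant.example` both returning `pass` for the constructed provider IP, while `self-hosted.example` returns `fail`. The SPF check only establishes "this IP is allowed to send for this domain"; which tenant actually submitted the message is something only the provider's submission-time From-address verification can enforce.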