I'm wondering: after we received a boss-scam mail that was showing the faked From in the web interface, I read a bit about how SPF is checked, and apparently it is checked against the Return-Path and not the From header. (This Reddit thread was a good summary: https://www.reddit.com/r/sysadmin/comments/20rnt6/smtp_question_does_spf_only_validate_the/ ) What's the benefit of this? As far as I can see, this renders the whole idea almost useless, as it doesn't prevent spammers from sending spam with faked From headers at all. What am I missing here?

(This is just because I'm wondering; I am aware that DKIM + DMARC will solve this spam problem :) )

leberknecht

2 Answers

Don't try to make SPF responsible for something it's not. SPF simply lists which servers can send mail for your domain. It checks the envelope sender (MAIL FROM) at the SMTP level, which is the value that ends up in the return-path header, but only after it's passed SPF checks. What you're saying is that (assuming you have a strict SPF policy) you're allowing someone to send fake mail from one of your own mail servers, which is a problem much further up the chain than the From header, and one that would not be solved by DKIM. Perhaps your SPF record is not strict enough? We can't tell from the information you posted.

Synchro
  • Actually I think this already answers the question somehow. My mistake was that I understood SPF as a mechanism to validate on the receiver's mailer whether the sender is eligible to send mails for domain X, where (if I got it right now?) its actual purpose is to validate the part "sender's client to sender's mailer"..? Our SPF is `v=spf1 include:spf.mandrillapp.com include:_spf.google.com -all` but a spammer managed to send a mail with a faked `FROM` from a domain without an SPF record, so Gmail let it through. – leberknecht Nov 30 '17 at 13:02
  • Even if you tell the ISPs it's cool to reject, you don't have an overarching DMARC policy, meaning Google can decide how strict they want to be. Things in the email world get stricter all the time (a good thing) but we're still not all the way there. I was also wondering: are you sure that SPF record does the job in under 10 DNS lookups? I'd make sure per the RFC. Here's a good tool: https://dmarcian.com/spf-survey/ (make sure your SPF validates and check DKIM while you're at it). So if you want ISPs to actually reject, you're gonna have to set up DKIM and DMARC. Are all aligned? – Neil Anuskiewicz Jan 05 '18 at 05:17
  • Try DMARC but set it in reporting mode for a while, then move to rejecting mode when you feel confident. SPF is to help mitigate spoofing the friendly From. It's a necessary but not sufficient step. – Neil Anuskiewicz Jan 05 '18 at 05:34
  • SPF was most before DMARC existed. And SPF has a parameter to say whether mails that fail to fulfill the SPF should go to spam or not be accepted. Check the parameter -all of the SPF syntax. – NetVicious May 29 '19 at 07:27
  • SPF validates the `envelope-from` field (the `MAIL FROM` command issued before the `DATA` command of SMTP). The `from` field we usually see on email clients is another From field, issued after the `DATA` command of the SMTP protocol. Spammers usually spoof the `from` field, not the `envelope-from`. So that's why SPF usually does nothing. – NetVicious May 29 '19 at 07:32
  • The OP is already using `-all`, and the rest has already been said. If you're using DMARC, you should usually set `~all` in preference to `-all`, allowing DMARC to deal with From header misalignment and rejection policy. Each of SPF, DKIM, and DMARC has a separate role to play, but they all work together. – Synchro May 29 '19 at 07:38
SPF validates the envelope sender (AKA SMTP MAIL FROM, Return-Path, Bounce Address; henceforth "sender"). Its purpose is to deny the use of forged senders, by disallowing the sender to be used from unauthorized servers, stopping the generation of mail with forged senders (where SPF is supported).

BATV (and other types of VERP) can be used to reject backscatter from those systems that do not check SPF and reject forged senders. SRS (another type of VERP) is required if you run a mailing list: you can't retain the original sender because the list server will (most likely) not be included in the originator's SPF.

DKIM is the one that deals with email headers. It allows you to cryptographically sign selected email headers and full or partial content (but don't do partial signatures on MIME multipart/alternative messages; that will end badly).

Jasen
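An added example, not code from either answer: a toy Python SPF evaluator over a constructed DNS table (example.com, _spf.mailer.example and spammer.example are placeholders) that shows the SPF result depends only on the MAIL FROM domain, plus the DMARC-style alignment check that is what actually ties the header From to that result. It also enforces the 10-lookup limit mentioned in the comments.

```python
import ipaddress
# Constructed DNS zone for this demo (not real records): domain -> SPF TXT record.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # spammer.example publishes no SPF record, like the spammer's domain in the question
}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms such as include:
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(client_ip, domain, _lookups=None):
    """Simplified RFC 7208 check of client_ip against domain's record (ip4:, include:, all)."""
    lookups = _lookups if _lookups is not None else [0]
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published: SPF cannot say anything about this domain
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "ip4":
            matched = ipaddress.ip_address(client_ip) in ipaddress.ip_network(arg)
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups: the record is unusable
            inner = spf_check(client_ip, arg, lookups)
            if inner in ("none", "permerror"):
                return "permerror"  # including a domain without a usable record is an error
            matched = inner == "pass"
        elif mech == "all":
            matched = True
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return RESULT[qualifier]
    return "neutral"

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def evaluate(client_ip, mail_from, header_from):
    """SPF only ever sees the MAIL FROM (envelope) domain; DMARC adds the missing link
    by requiring the header From domain to align with the domain that passed SPF."""
    envelope_domain = domain_of(mail_from)
    spf = spf_check(client_ip, envelope_domain)
    aligned = spf == "pass" and domain_of(header_from) == envelope_domain  # strict alignment
    return {"spf": spf, "spf_domain": envelope_domain, "dmarc_spf_aligned": aligned}
```

Running `evaluate("203.0.113.5", "x@spammer.example", "ceo@example.com")` reproduces the boss-scam case from the question: SPF returns `none` because it never looked at example.com at all, and only the alignment flag flags the forged From.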